Holes Found in Cisco Firewalls

A bug has cropped up in Cisco Systems Inc.'s firewall products that could allow unauthorised network access.

The Cisco Secure PIX Firewall interprets FTP commands out of context and inappropriately opens temporary access through the firewall, according to a field notice on Cisco's Web site. The notice can be found at

The field notice says that there are two vulnerabilities related to the FTP problem. The first occurs when the firewall receives an error message from an internal FTP server containing an encapsulated command. The firewall interprets it as a distinct command and thus opens a separate connection through the firewall.

The second vulnerability happens when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected and at the same time unexpectedly executes another command opening a separate connection through the firewall.

Either vulnerability can be exploited to transmit information through the firewall without authorisation, the field notice says.
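The first vulnerability can be pictured with a simplified model of FTP reply inspection. The code below is an example added here, not Cisco's code and not taken from the field notice; the function and class names, the reply text and the addresses are constructed assumptions. It contrasts inspection that accepts a passive-mode reply wherever the text appears with inspection that only honours a complete reply line answering a pending PASV command.

```python
import re

# RFC 959 passive-mode reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    rb"227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def _endpoint(m):
    """Turn the six captured numbers into (ip, port); None if any exceeds 255."""
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def naive_pinholes(data: bytes):
    """Out-of-context inspection: any 227-looking text counts as a reply."""
    return [ep for m in PASV_RE.finditer(data) if (ep := _endpoint(m))]

class StrictReplyTracker:
    """Honours a 227 only as a complete reply line answering a pending PASV."""
    def __init__(self, server_ip: str):
        self.server_ip = server_ip
        self.buf = b""
        self.pasv_pending = False

    def client_sent(self, line: bytes):
        self.pasv_pending = line.strip().upper() == b"PASV"

    def server_sent(self, data: bytes):
        self.buf += data                     # reassemble across segments
        opened = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            m = PASV_RE.match(line)          # reply code must start the line
            ep = _endpoint(m) if m else None
            if ep and self.pasv_pending and ep[0] == self.server_ip:
                opened.append(ep)
            self.pasv_pending = False        # simplification: one line, one answer
        return opened

# Constructed sample traffic (documentation address 192.0.2.10).
ERROR_REPLY = b"500 Invalid command: 227 Entering Passive Mode (192,0,2,10,4,1)\r\n"
PASV_REPLY = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"

if __name__ == "__main__":
    print("naive :", naive_pinholes(ERROR_REPLY))
    fw = StrictReplyTracker("192.0.2.10")
    print("strict:", fw.server_sent(ERROR_REPLY))
    fw.client_sent(b"PASV\r\n")
    print("strict:", fw.server_sent(PASV_REPLY[:20]), fw.server_sent(PASV_REPLY[20:]))
```
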

All users of Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are at risk from both vulnerabilities, Cisco says.

Cisco Secure PIX Firewall with software Version 5.1(1) is affected by the second vulnerability only.

Fixed software and workarounds are available to address the first vulnerability, Cisco says. Fixed software is not yet available for the second vulnerability, but Cisco is providing a workaround.

The fixes and workarounds are described in the field notice. A memory hardware upgrade may be required for some of the software fixes, the field notice says.

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers.

The networking company says it has had no reports of malicious exploitation of this vulnerability.

Cisco Systems Inc., in San Jose, California, is at
