ARN

Holes Found in Cisco Firewalls

A bug has cropped up in Cisco Systems Inc.'s firewall products that could allow unauthorised network access.

The Cisco Secure PIX Firewall interprets FTP commands out of context and inappropriately opens temporary access through the firewall, according to a field notice on Cisco's Web site. The notice can be found at http://www.cisco.com/warp/public/707/pixftp-pub.shtml.

The field notice says that there are two vulnerabilities related to the FTP problem. The first occurs when the firewall receives an error message from an internal FTP server containing an encapsulated command. The firewall interprets it as a distinct command and thus opens a separate connection through the firewall.

The second vulnerability happens when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected and at the same time unexpectedly executes another command opening a separate connection through the firewall.

Either vulnerability can be exploited to transmit information through the firewall without authorisation, the field notice says.
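The first mechanism described above, a server reply whose free text contains something that looks like a data-connection announcement, comes down to whether the inspecting device tracks FTP control-channel state or merely pattern-matches server text. The following is an added illustration written for this article, not code from Cisco or from the field notice; the session lines, the IP address 198.51.100.7 and the function names are all constructed. It contrasts a context-free matcher with an inspector that honours a 227 "Entering Passive Mode" reply only as the direct answer to an outstanding PASV command.

```python
import re

# Constructed FTP control-channel session as (direction, line) pairs.
# "C" = client inside the firewall, "S" = external server.
SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.org"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,19,136)."),
    ("C", "RETR README"),
    # Constructed error reply whose message text embeds a 227-style
    # announcement; it is not a reply to any PASV command.
    ("S", "550 README: 227 Entering Passive Mode (198,51,100,7,200,1)."),
    ("S", "221 Goodbye."),
]

# Matches the host/port tuple of a passive-mode reply (RFC 959 format).
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(match):
    """Convert the six-number tuple into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def naive_pinholes(session):
    """Context-free inspection: open a temporary pinhole wherever a
    227 pattern appears in server text, whatever the client asked for.
    This is the 'command out of context' behaviour the article describes."""
    holes = []
    for direction, line in session:
        if direction != "S":
            continue
        match = PASV_REPLY.search(line)
        if match:
            holes.append(_endpoint(match))
    return holes


def stateful_pinholes(session):
    """Context-aware inspection: a 227 reply is honoured only when it is
    the first token of the line and answers a PASV the client just sent.
    (A production inspector would also track multi-line replies, where
    the code is followed by '-', and PORT commands from the client side.)"""
    holes = []
    awaiting_pasv = False
    for direction, line in session:
        if direction == "C":
            # Remember only whether the most recent client command was PASV.
            awaiting_pasv = line.strip().upper() == "PASV"
            continue
        if awaiting_pasv and line[:3] == "227":
            match = PASV_REPLY.match(line)
            if match:
                holes.append(_endpoint(match))
        # Any server reply consumes the pending command, so text inside a
        # later error message cannot be mistaken for a PASV answer.
        awaiting_pasv = False
    return holes


if __name__ == "__main__":
    print("context-free :", naive_pinholes(SESSION))
    print("context-aware:", stateful_pinholes(SESSION))
```

Run against the constructed session, the context-free matcher opens two pinholes (one for the genuine 227 reply and one for the address embedded in the 550 error), while the stateful inspector opens only the first. The design point is that reply codes are meaningful only at the start of a reply line and only relative to the command they answer; everything else on the control channel is opaque text.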

All users of Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are at risk from both vulnerabilities, Cisco says.

Cisco Secure PIX Firewall with software Version 5.1(1) is affected by the second vulnerability only.

Fixed software and workarounds are available to address the first vulnerability, Cisco says. Fixed software is not yet available for the second vulnerability, but Cisco is providing a workaround.

The fixes and workarounds are described in the field notice. A memory hardware upgrade may be required for some of the software fixes, the field notice says.

Cisco is offering free software upgrades to remedy these vulnerabilities for all affected customers.

The networking company says it has had no reports of malicious exploitation of either vulnerability.

Cisco Systems Inc., in San Jose, California, is at http://www.cisco.com/.