
PIX Firewall "established" Command

Advisory ID: cisco-sa-19980715-pixest

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980715-pixest

Revision 1.0

For Public Release 1998 July 15 15:00 UTC (GMT)


Summary

A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action of the established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behavior of the established command in the presence of static conduits to be counterintuitive.

If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980715-pixest.

Affected Products

This section provides details on affected products.

Vulnerable Products

Users whose configurations contain static commands, conduit commands, and the established command may be affected, depending on whether they properly anticipated the combined effects of these configuration commands.

Products Confirmed Not Vulnerable

Users who do not have both static conduits and established commands in their configuration files are not affected; neither can produce the effect without the other.

Users of Cisco products other than the PIX Firewall are not affected. There is no connection between the PIX established command and the established keyword in Cisco IOS access lists.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

Many protocols require multiple TCP connections or multiple UDP data streams. In some protocols, the host playing the role of "server" makes connections to the host playing the role of "client"; although the client generally initiates the first connection, the server may initiate subsequent connections. For many commonly used protocols, such as FTP, the PIX Firewall scans the application layer data to find the ports on which connections may be opened from server to client, and selectively permits the connections that have been negotiated in the protocol. However, the PIX Firewall software does not have support for every possible protocol.

The established command allows the PIX Firewall to deliver traffic associated with protocols for which the firewall software does not have specific support. When the established command is in force, an outside server can make a TCP or UDP connection to any inside host with which it already has a TCP or UDP connection established. The assumption is that the new connection is part of an unknown multiconnection protocol. The permitto and permitfrom parameters to the established command can be used to control which ports on the inside host can be reached from the outside, but there is no way to designate specific inside hosts to which the established command should or should not apply.

The established command creates a relatively wide opening in the firewall. If there is any existing connection between an inside and an outside host, additional connections may be created in either direction. Unless the permitto and/or permitfrom keywords have been used, these connections may use any port number on either host.

Conduits, created with the static and conduit commands, provide a way for the firewall administrator to permit access from outside the firewall to selected ports on hosts inside the firewall. A conduit might, for example, be used to provide access to a mail server by allowing outside hosts to connect to TCP port 25 on the mail host.

The two features interact in a way that has surprised some firewall administrators. Suppose that a PIX Firewall has the established tcp command in its configuration file, and that a conduit has been created to allow outside hosts to connect to port 25 on an inside mail server, host A. If outside host B takes advantage of this conduit to connect to host A's mail service, a TCP connection will be created. As long as this TCP connection to A's mail port is active, the established command will permit host B to make additional connections to other ports on host A. Since host B can initiate mail connections at will, and can hold those connections open for as long as it wants, the net effect is that host B can make a TCP connection to any port on host A at any time.

Users who make this configuration error are generally under one of two misconceptions about the established command. The facts are that:

  1. The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.
  2. The established command has its full effect even if the existing connection was made to a well-known port. Even though the original connection may involve a protocol that is supported by the PIX Firewall software, the established command will still permit subsequent connections.
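The interaction described in this section, and the port narrowing with permitto recommended under User Remediation, as an added example written for this page (not Cisco's or the PIX software's code): a small Python model of the firewall's decision rule, with host names A, B, C, D, E and the port numbers as constructed sample values, and with the assumption that outbound connections are passed.

```python
# Constructed model of the PIX decision the advisory describes (not PIX code): an
# outside->inside connection passes if a conduit covers the target port, or if
# 'established' is set and the outside/inside pair already has a live connection.

class PixModel:
    def __init__(self, conduits, established=None):
        self.conduits = set(conduits)  # {(proto, inside_host, port)}
        # None when 'established' is absent, else {"proto": "tcp", "permitto": (lo, hi) or None}
        self.established = established
        self.table = []                # live connections: (proto, outside, inside, port)

    def _via_established(self, proto, outside, inside, port):
        est = self.established
        if est is None or est["proto"] != proto:
            return False
        # Fact 1: any live connection between the pair suffices, whichever side
        # opened it.  Fact 2: a well-known port (25) on that connection changes nothing.
        if not any(c[:3] == (proto, outside, inside) for c in self.table):
            return False
        permitto = est.get("permitto")
        return permitto is None or permitto[0] <= port <= permitto[1]

    def outside_connect(self, proto, outside, inside, port):
        """Outside host attempts inside:port; True if the firewall passes it."""
        ok = ((proto, inside, port) in self.conduits
              or self._via_established(proto, outside, inside, port))
        if ok:
            self.table.append((proto, outside, inside, port))
        return ok

    def inside_connect(self, proto, inside, outside, port):
        """Outbound connection (assumed permitted) is recorded like any other."""
        self.table.append((proto, outside, inside, port))
        return True


def conduit_scenario(established):
    """B uses the port-25 conduit to A, then tries other ports on A and on C."""
    fw = PixModel(conduits={("tcp", "A", 25)}, established=established)
    return (fw.outside_connect("tcp", "B", "A", 23),    # nothing between B and A yet
            fw.outside_connect("tcp", "B", "A", 25),    # the intended mail conduit
            fw.outside_connect("tcp", "B", "A", 23),    # now reachable via 'established'?
            fw.outside_connect("tcp", "B", "A", 3005),  # inside a permitto range?
            fw.outside_connect("tcp", "B", "C", 23))    # no conduit to C: unaffected


def outbound_scenario(established):
    """Inside D opens a connection to outside E; E then tries D:23 (Fact 1)."""
    fw = PixModel(conduits=set(), established=established)
    fw.inside_connect("tcp", "D", "E", 80)
    return fw.outside_connect("tcp", "E", "D", 23)
```

With a bare established tcp the third attempt succeeds; with a permitto range only ports inside that range are reachable through the mail connection, and hosts without a conduit are never exposed.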

Cisco will update the PIX Firewall documentation to clarify these points.

User Remediation

Because the reasons for using the established command differ from installation to installation, there is no configuration change that will work for all users. Cisco recommends that all customers whose PIX Firewall configuration files contain both conduits and the established command review their configurations to make sure that those configurations implement the expected security policies.

The established command was meant as a special measure for users with relatively unusual situations, and Cisco does not recommend its routine use. If the established command is used, port ranges should almost always be specified using the permitto and/or permitfrom keywords.

Vulnerability Scoring Details

Cisco did not provide scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS) at the time of this publication.

Impact

If a firewall administrator has made this configuration error, outside users will be able to make connections to services that the administrator will not have expected outsiders to be able to reach. Since the administrator will not be aware that outsiders can connect to these services, the services may not have been properly secured. Depending on the services offered by the affected hosts, this may enable outsiders to conduct a variety of security attacks.

Only services on hosts to which conduits have been established are affected; the misconfiguration does not provide any special access to services on other hosts.

Software Versions and Fixes

This misconfiguration is possible with any PIX Firewall software version that recognizes the established command.

Workarounds

There are no workarounds for this issue.

Obtaining Fixed Software

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

Cisco has had no reports of malicious exploitation of this misconfiguration.

Although Cisco has always considered the behavior of the established command, and the behavior of conduits, to be public information, Cisco knows of no public discussions of the possibility or impact of this specific misconfiguration before the date of this notice. Cisco has received reports of customers being surprised by this behavior.

Any TELNET client or other program capable of making a TCP connection or starting a UDP data exchange can be used to exploit this misconfiguration. Once an attacker gains access to an unprotected server, other programs may be needed to exploit security vulnerabilities in that server.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco's worldwide website at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980715-pixest

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  • cust-security-announce@cisco.com
  • first-teams@first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
  • comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.


Revision History

Revision 1.0

1998-July-15

Initial released version

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.