-
The Cisco PIX Firewall product is shipped with a management application known as PIX Firewall Manager, or PFM. PFM is a Worldwide-Web-based application, and includes a limited HTTP server. The PFM HTTP server runs on Windows NT computers. A vulnerability in the PFM HTTP server allows any attacker who can connect to the server to retrieve any file known in advance to exist on the Windows NT host. In almost all cases, this means that the host is vulnerable to attack by any user inside the firewall, but not by users outside the firewall.
This vulnerability was discovered and reported by Brett M. Oliphant, Manager of Corporate Computer Security at Lafayette Life Insurance Company.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980902-pix-mgr-file.
-
This section provides details on affected products.
Vulnerable Products
If you are running Cisco PIX Firewall Manager software for Windows NT, as shipped with PIX Firewall versions up to and including 4.2(1), and if untrusted users can make TCP connections to port 8080 on your PFM server, you are affected by this vulnerability.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
This vulnerability has been assigned Cisco Bug ID CSCdk39378.
-
Because a software fix is available, Cisco believes that the best response for the vast majority of customers is to upgrade to repaired software. These workarounds are offered only for customers who are unable to upgrade for unusual reasons.
We believe that many customers have installed the PIX Firewall Manager product on their NT workstations, but have finalized their PIX Firewall configurations and are no longer actively using PFM. The most effective workaround for these customers is simply to uninstall PFM, and to reinstall a repaired version later if necessary.
Another possible workaround is to use firewall devices, such as the PIX Firewall itself, to prevent untrusted users from making connections to port 8080 on the NT host on which PFM is installed. Depending on the customer configuration, it may be desirable to move the NT host to the PIX Firewall's DMZ network to prevent access by unauthorized inside users; the security of the other systems on the DMZ network should be carefully considered in making this decision.
It is not possible to stop the PFM HTTP server from using the NT "administrator" account.
-
This vulnerability affects all releases of Cisco PIX Firewall Manager up to, and including, release 4.2(1). 4.2(2) beta releases are also affected. Fixed versions are available for both 4.1-based and 4.2-based versions of PFM.
The fixed version for 4.1 is 4.1(6b). To use PFM version 4.1(6b), you must install software version 4.1(6) on the PIX Firewall itself.
The fixed version for 4.2 is 4.2(2), which will be released along with 4.2(2) software for the PIX Firewall itself. 4.2(1) PIX Firewall software is under line stop because of software quality issues, and is not recommended for use or installation. Therefore, there will be no PFM fix for 4.2(1) PIX Firewall software. Customers who are using 4.2(1) are advised to downgrade to version 4.1(6) on their PIX Firewalls, and to install PFM 4.1(6b). If this is not possible, customers should use the workarounds described in this advisory.
All releases subsequent to these repaired releases will also include the fix. There will be no future vulnerable PFM releases.
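The release rules above can be applied to an inventory of installed PFM versions. The following Python is an added example, not Cisco code; the version-string format it parses, the function names, the triage labels and the sample inventory are assumptions built from the release names quoted in this advisory.

```python
import re

# Fixed PFM release per train, as stated in this advisory: (number, letter suffix).
FIXED = {(4, 1): (6, "b"), (4, 2): (2, "")}

# Assumed format: major.minor(number[letter]) with an optional trailing "beta".
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\(\s*(\d+)([a-z]?)\s*\)\s*(beta)?\s*$", re.I)

def parse_pfm_version(text):
    """Return (train, release, is_beta), e.g. ((4, 1), (6, 'b'), False)."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognized PFM version string: {text!r}")
    major, minor, number, letter, beta = m.groups()
    return (int(major), int(minor)), (int(number), letter.lower()), beta is not None

def is_vulnerable(text):
    """True if the PFM release predates the fixed release for its train."""
    train, release, beta = parse_pfm_version(text)
    if train < min(FIXED):
        return True            # older than 4.1: no fixed release is named
    if train > max(FIXED):
        return False           # releases after the repaired ones carry the fix
    fixed = FIXED[train]
    if release < fixed:
        return True            # e.g. 4.1(6) < 4.1(6b), 4.2(1) < 4.2(2)
    return release == fixed and beta   # 4.2(2) beta releases are affected

def triage(text, untrusted_can_reach_8080):
    """Combine release status with exposure of TCP port 8080 (labels are illustrative)."""
    if not is_vulnerable(text):
        return "fixed"
    return "affected" if untrusted_can_reach_8080 else "vulnerable, not exposed"

if __name__ == "__main__":
    # Constructed sample inventory: (host label, PFM version, port 8080 reachable by untrusted users)
    inventory = [
        ("nt-mgmt-01", "4.1(6)", True),
        ("nt-mgmt-02", "4.1(6b)", True),
        ("nt-mgmt-03", "4.2(1)", False),
        ("nt-mgmt-04", "4.2(2) beta", True),
    ]
    for host, version, exposed in inventory:
        print(f"{host}: PFM {version}: {triage(version, exposed)}")
```

A host reported as "vulnerable, not exposed" still runs unrepaired software and should be upgraded or have PFM uninstalled, as the workarounds section describes.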
-
Cisco has had no reports of malicious exploitation of this vulnerability. However, such exploitation may reasonably be expected to begin in the near future.
The existence of this vulnerability was publicly announced on the "bugtraq@netspace.org" mailing list on Monday, August 31, 1998, and should be considered to be widely known to exist. Exploitation details were not given.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.