-
A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action of the established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behavior of the established command in the presence of static conduits to be counterintuitive.
If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980715-pixest.
-
This section provides details on affected products.
Vulnerable Products
Users whose configurations contain static commands, conduit commands, and the established command may be affected, depending on whether they properly anticipated the combined effects of these configuration commands.
Products Confirmed Not Vulnerable
Users who do not have both static conduits and established commands in their configuration files are not affected; neither can produce the effect without the other.
Users of Cisco products other than the PIX Firewall are not affected. There is no connection between the PIX established command and the established keyword in Cisco IOS access lists.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Many protocols require multiple TCP connections or multiple UDP data streams. In some protocols, the host playing the role of "server" makes connections to the host playing the role of "client"; although the client generally initiates the first connection, the server may initiate subsequent connections. For many commonly used protocols, such as FTP, the PIX Firewall scans the application layer data to find the ports on which connections may be opened from server to client, and selectively permits the connections that have been negotiated in the protocol. However, the PIX Firewall software does not have support for every possible protocol.
The established command allows the PIX Firewall to deliver traffic associated with protocols for which the firewall software does not have specific support. When the established command is in force, an outside server can make a TCP or UDP connection to any inside host with which it already has a TCP or UDP connection established. The assumption is that the new connection is part of an unknown multiconnection protocol. The permitto and permitfrom parameters to the established command can be used to control which ports on the inside host can be reached from the outside, but there is no way to designate specific inside hosts to which the established command should or should not apply.
The established command creates a relatively wide opening in the firewall. If there is any existing connection between an inside and an outside host, additional connections may be created in either direction. Unless the permitto and/or permitfrom keywords have been used, these connections may use any port number on either host.
Conduits, created with the static and conduit commands, provide a way for the firewall administrator to permit access from outside the firewall to selected ports on hosts inside the firewall. A conduit might, for example, be used to provide access to a mail server by allowing outside hosts to connect to TCP port 25 on the mail host.
The two features interact in a way that has surprised some firewall administrators. Suppose that a PIX Firewall has the established tcp command in its configuration file, and that a conduit has been created to allow outside hosts to connect to port 25 on an inside mail server, host A. If outside host B takes advantage of this conduit to connect to host A's mail service, a TCP connection will be created. As long as this TCP connection to A's mail port is active, the established command will permit host B to make additional connections to other ports on host A. Since host B can initiate mail connections at will, and can hold those connections open for as long as it wants, the net effect is that host B can make a TCP connection to any port on host A at any time.
Users who make this configuration error are generally under one of two misconceptions about the established command. The facts are that:
- The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.
- The established command has its full effect even if the existing connection was made to a well-known port. Even though the original connection may involve a protocol that is supported by the PIX Firewall software, the established command will still permit subsequent connections.
Cisco will update the PIX Firewall documentation to clarify these points.
User Remediation
Because the reasons for using the established command differ from installation to installation, there is no configuration change that will work for all users. Cisco recommends that all customers whose PIX Firewall configuration files contain both conduits and the established command review their configurations to make sure that those configurations implement the expected security policies.
The established command was meant as a special measure for users with relatively unusual situations, and Cisco does not recommend its routine use. If the established command is used, port ranges should almost always be specified using the permitto and/or permitfrom keywords.
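As a practical starting point for the configuration review recommended above, the following script is an added example (not Cisco code and not part of this advisory). It scans a saved PIX configuration for the combination of static, conduit and established commands, flags an established command that carries no permitto or permitfrom restriction, and only pairs an established command with conduits of the same protocol. The command forms it recognizes are the PIX 4.x shapes noted in its comments; the sample configurations, addresses and port ranges are constructed for illustration, and the vulnerable sample reproduces the mail-server scenario from the Details section.

```python
"""Audit a saved PIX Firewall configuration for the interaction described in
this advisory: an 'established' command alongside static conduits.

Added example, not Cisco code. Command shapes follow the PIX 4.x syntax for
'static', 'conduit' and 'established'; sample configs are constructed.
"""
import re

# Assumed command shapes (PIX 4.x):
#   static (inside,outside) <global_ip> <local_ip> netmask <mask>
#   conduit permit <tcp|udp|ip> host <global_ip> [eq <port>] any
#   established <tcp|udp> <dport> [<sport>] [permitto ...] [permitfrom ...]
STATIC_RE = re.compile(r"^static\s+\(")
CONDUIT_RE = re.compile(r"^conduit\s+permit\s+(tcp|udp|ip)\b")
ESTABLISHED_RE = re.compile(r"^established\s+(tcp|udp)\b")
SCOPED_RE = re.compile(r"\bpermit(?:to|from)\b")


def audit_pix_config(config_text):
    """Return one finding per (established, conduit) pair whose protocols
    overlap.  severity 'high': the established command has no permitto/
    permitfrom, so an outside host that reaches the conduit can open any port
    of that protocol on the inside host while it holds the conduit connection
    open.  severity 'info': only the permitted ranges are exposed.  An empty
    list means the precondition (static + conduit + established) is not met."""
    statics, conduits, established = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if STATIC_RE.match(line):
            statics.append(line)
        elif CONDUIT_RE.match(line):
            conduits.append(line)
        elif ESTABLISHED_RE.match(line):
            established.append(line)

    # Per the advisory, neither feature produces the effect without the other.
    if not (statics and conduits and established):
        return []

    findings = []
    for est in established:
        proto = ESTABLISHED_RE.match(est).group(1)
        scoped = bool(SCOPED_RE.search(est))
        for cond in conduits:
            cproto = CONDUIT_RE.match(cond).group(1)
            # 'established tcp' widens only TCP conduits (and 'ip' conduits,
            # which cover both protocols); likewise for udp.
            if cproto not in (proto, "ip"):
                continue
            findings.append({
                "severity": "info" if scoped else "high",
                "established": est,
                "conduit": cond,
                "note": ("exposure limited to permitto/permitfrom ranges"
                         if scoped else
                         f"any {proto} port on the conduit's inside host is "
                         "reachable while the conduit connection is held open"),
            })
    return findings


# Constructed sample: mail host 10.1.1.25 published as 192.0.2.25 (RFC 5737
# documentation range), an SMTP conduit, a DNS conduit, and an unrestricted
# 'established tcp'.  Only the TCP conduit is widened by 'established tcp'.
VULNERABLE_CONFIG = """\
static (inside,outside) 192.0.2.25 10.1.1.25 netmask 255.255.255.255
conduit permit tcp host 192.0.2.25 eq smtp any
conduit permit udp host 192.0.2.25 eq domain any
established tcp 0 0
"""

# Same conduits, but the established command is scoped with permitto/permitfrom
# as the advisory recommends (the ranges are illustrative).
SCOPED_CONFIG = VULNERABLE_CONFIG.replace(
    "established tcp 0 0",
    "established tcp 0 0 permitto tcp 5000-5010 permitfrom tcp 1024-65535")

# Conduits without any established command: not affected.
NO_ESTABLISHED_CONFIG = "\n".join(
    l for l in VULNERABLE_CONFIG.splitlines() if not l.startswith("established"))


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("scoped", SCOPED_CONFIG),
                      ("no established", NO_ESTABLISHED_CONFIG)):
        print(f"== {name} ==")
        findings = audit_pix_config(cfg)
        if not findings:
            print("  no static+conduit+established combination found")
        for f in findings:
            print(f"  [{f['severity']}] {f['conduit']}: {f['note']}")
```

The check is deliberately narrow: it reports only the conduit interaction this advisory describes. As the Details section notes, an established command without any port restriction also lets an outside host open connections back to any inside host that already has a session with it in either direction, so a clean report from this script is not a reason to keep an unscoped established command in a configuration.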
-
There are no workarounds for this issue.
-
Cisco has had no reports of malicious exploitation of this misconfiguration.
Although Cisco has always considered the behavior of the established command, and the behavior of conduits, to be public information, Cisco knows of no public discussions of the possibility or impact of this specific misconfiguration before the date of this notice. Cisco has received reports of customers being surprised by this behavior.
Any TELNET client or other program capable of making a TCP connection or starting a UDP data exchange can be used to exploit this misconfiguration. Once an attacker gains access to an unprotected server, other programs may be needed to exploit security vulnerabilities in that server.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 | 1998-July-15 | Initial released version
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.