-
The Cisco PIX Firewall provides robust, enterprise-class security services including stateful inspection firewalling, standards-based IP Security (IPsec) Virtual Private Networking (VPN), intrusion protection and much more in cost-effective, easy to deploy solutions.
Two vulnerabilities in the PIX Firewall have been resolved, and fixes are available. These vulnerabilities are documented as Cisco bug IDs CSCdv83490 and CSCdx35823.
There are no workarounds available to mitigate the effects of these vulnerabilities.
Cisco has released software updates that address these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20021120-pix-vulnerability.
-
Vulnerable Products
All PIX Firewall units running the vulnerable releases and using the features named below are affected by these vulnerabilities.

DDTs        Description                                                      Affected Release
----------  ---------------------------------------------------------------  -----------------
CSCdv83490  While processing initial contact notify messages, the PIX does   6.0.3 and earlier
            not delete duplicate Internet Security Association and Key       6.1.3 and earlier
            Management Protocol Security Associations (ISAKMP SAs) with
            the peer.
CSCdx35823  Buffer overflow while doing HTTP traffic authentication using    5.2.8 and earlier
            Terminal Access Controller Access Control System Plus (TACACS+)  6.0.3 and earlier
            or Remote Authentication Dial-In User Service (RADIUS).          6.1.3 and earlier
                                                                             6.2.1 and earlier
To determine your software revision, type show version at the command line prompt.
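As an added example that is not part of this advisory, the following Python checker parses the PIX version out of the first line of show version output and compares it against the Vulnerable Products table above, per bug ID. The banner line in the sample is constructed and its format is an assumption; a release train the table does not mention is reported as undecidable rather than guessed.

```python
import re

# Highest affected maintenance number per release train, as given in the
# advisory's "Vulnerable Products" table ("x.y.z and earlier").
AFFECTED = {
    "CSCdv83490": {(6, 0): 3, (6, 1): 3},
    "CSCdx35823": {(5, 2): 8, (6, 0): 3, (6, 1): 3, (6, 2): 1},
}

# Accepts the PIX CLI form "Version 6.2(2)" and the advisory form "6.2.2".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)\)?")


def parse_pix_version(text):
    """Return (major, minor, maint) from a version string or the
    'show version' banner, or None if no version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Map each bug ID to 'vulnerable', 'fixed' or 'train not listed'.
    A train absent from the table cannot be decided from the advisory."""
    major, minor, maint = version
    result = {}
    for bug_id, ceilings in AFFECTED.items():
        ceiling = ceilings.get((major, minor))
        if ceiling is None:
            result[bug_id] = "train not listed"
        elif maint <= ceiling:
            result[bug_id] = "vulnerable"
        else:
            result[bug_id] = "fixed"
    return result


def assess_show_version(output):
    """Run the check on raw 'show version' output (first version found)."""
    version = parse_pix_version(output)
    if version is None:
        raise ValueError("no PIX version found in output")
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample of the 'show version' banner line (assumed format).
    banner = "Cisco PIX Firewall Version 6.1(3)\n"
    print(assess_show_version(banner))
```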
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
CSCdv83490
When a user establishes a VPN session upon successful peer and user authentication, the PIX creates an ISAKMP SA associating the user and his IP address.
If an attacker can then block the logged-in user's connection and connect to the PIX from the same IP address as that user, the attacker can establish a VPN session with the PIX using peer authentication only, provided the attacker already possesses the peer authentication key, also known as the group pre-shared key (PSK) or group password key.
CSCdx35823
A user starting a connection via FTP, Telnet, or the World Wide Web (HTTP) is prompted for a user name and password. Once the designated TACACS+ or RADIUS authentication server verifies these credentials, the PIX Firewall unit allows the connection's further traffic to pass through the unit independently of the authentication server, via the PIX Firewall unit's "cut-through proxy" feature.
The PIX may crash and reload due to a buffer overflow vulnerability while processing HTTP traffic requests for authentication using TACACS+ or RADIUS.
The Internetworking Terms and Acronyms online guide can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm. The Cisco Systems Terms and Acronyms online guide can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/cisco12.htm.
These vulnerabilities are documented in the Bug Toolkit as Bug IDs CSCdv83490 and CSCdx35823, and can be viewed after 2002 November 21 at 1600 UTC. To access this tool, you must be a registered user and you must be logged in.
-
There are no workarounds for these vulnerabilities. The Cisco PSIRT recommends that affected users upgrade to a fixed software release.
-
DDTs        Description                                                      Fixed Releases
----------  ---------------------------------------------------------------  ---------------
CSCdv83490  While processing initial contact notify messages, the PIX does   6.0.4 and later
            not delete duplicate ISAKMP SAs with the peer.                   6.1.4 and later
                                                                             6.2.1 and later
CSCdx35823  Buffer overflow while doing HTTP traffic authentication using    5.2.9 and later
            TACACS+ or RADIUS.                                               6.0.4 and later
                                                                             6.1.4 and later
                                                                             6.2.2 and later
The procedure to upgrade to the fixed software version is detailed at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm.
-
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to PSIRT by Cisco engineering and customers.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0    2002-Nov-20    Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.