Vulnerability Note VU#328867
Multiple vendors' firewalls do not adequately keep state of FTP traffic
Firewalls and other systems that inspect FTP application layer traffic may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall.
Many firewalls perform stateful inspection of application layer traffic, allowing them to support passive FTP and other applications that make connections using dynamically chosen ports. In the case of a passive FTP connection to an FTP server located behind a firewall, the firewall examines the application layer of the FTP control channel and interprets FTP commands and responses in order to determine what TCP ports the server is using for data connections. When a client requests a passive FTP connection by issuing the PASV command, the FTP server responds positively with a string like "227 Entering Passive Mode h1,h2,h3,h4,p1,p2", instructing the client to initiate a TCP connection to IP address h1,h2,h3,h4 on port p1,p2. The firewall monitors this string and creates a dynamic rule allowing an inbound TCP connection from the client to the server on the specified port.
Some firewalls create dynamic rules without assuring that the PASV response string is part of a legitimate FTP connection.
It is possible that similar vulnerabilities exist in the way firewalls handle other applications that use dynamic ports. FTP application layer gateways and proxy servers may also be affected.
An FTP server or FTP client running on an operating system that does not accept partial acknowledgement of TCP data segments is not susceptible to this specific attack.
FTP servers that do not pad 3-digit numbers within multi-line responses exacerbate this problem by making it difficult for firewalls to recognize legitimate FTP status codes (VU#288905). From section 4.2 of RFC 959:
In rare cases where these routines are able to generate three digits and a Space at the beginning of any line, the beginning of each text line should be offset by some neutral text, like Space.
A remote attacker may be able to access TCP ports on an FTP server or client that is behind a vulnerable firewall system, which could expose other network services to attack.
Apply Patch or Upgrade
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|IP Filter||Affected||-||16 Oct 2002|
|NetBSD||Affected||-||11 Nov 2002|
|WatchGuard||Affected||-||10 Oct 2002|
|Alcatel||Not Affected||23 Jul 2002||08 Oct 2002|
|Apple Computer Inc.||Not Affected||23 Jul 2002||08 Oct 2002|
|Avaya||Not Affected||26 Sep 2002||05 Mar 2003|
|Borderware||Not Affected||-||15 Oct 2002|
|Check Point||Not Affected||08 Aug 2002||27 Aug 2002|
|Cisco Systems Inc.||Not Affected||23 Jul 2002||10 Oct 2002|
|Clavister||Not Affected||-||14 Oct 2002|
|Cray Inc.||Not Affected||23 Jul 2002||08 Oct 2002|
|eSoft||Not Affected||-||09 Oct 2002|
|Global Technology Associates||Not Affected||-||16 Oct 2002|
|GNU netfilter||Not Affected||-||14 Oct 2002|
|Hewlett-Packard Company||Not Affected||23 Jul 2002||16 Oct 2002|
CVSS Metrics (Learn More)
This document was written by Art Manion.
- CVE IDs: Unknown
- Date Public: 07 Oct 2002
- Date First Published: 08 Oct 2002
- Date Last Updated: 07 Mar 2003
- Severity Metric: 24.10
- Document Revision: 74
If you have feedback, comments, or additional information about this vulnerability, please send us email.