SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#6733

PIX 'established' and 'conduit' command may have unexpected interactions

Overview

A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.

I. Description

Cisco PIX firewalls protecting servers which offer service to the internet-at-large are generally configured to provide a "static" NAT mapping to the servers. "Conduits" are specified, allowing inbound traffic to specific services on specific ports.

If the firewall is configured to allow "established" TCP connections, and an outside machine initiates a connection to an inside machine on a TCP port for which a conduit is set up (i.e. an allowed connection), that outside machine will subsequently, be allowed to connect to ANY TCP port on the inside machine (i.e. ports not specifically allowed in the firewall configuration). Note that the connection to the allowed port does not need to succeed - there does not need to be a service running on the port on the inside machine, it is enough that the connection is attempted to trigger the vulnerability.

Cisco described this problem in July, 1998, in a Cisco Tech Note. Quoting from that document,

    A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action
    of the     established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behaviour of the established command
    in the presence of static conduits to be counterintuitive.

    If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the     permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected.

II. Impact

If a PIX firewall is configured to allow "established" connections, an intruder who can establish a connection to any port on a machine behind the firewall can, for at least a few minutes, establish a connection to ANY port on that machine, thus defeating the purpose of the firewall in the first place. Further quoting from the Cisco Tech Note:

    The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.
This is particularly concerning if an intruder can establish an ftp connection to an ftp server that supports the PORT command. This may enable an intruder to establish a connection to virtually any machine behind the firewall if any machine behind the firewall has a vulnerable ftp server, and runs a publicly available service. For more information, CERT Advisory 1997-27.

III. Solution

Systems Affected

VendorStatusDate NotifiedDate Updated
CiscoVulnerable14-Dec-2001

References


http://www.cisco.com/warp/public/707/pixest-pub.shtml
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v41/pixcfg41/pix41cmd.htm#xtocid1978512

Credit

Our thanks to Cameron MacKinnon who reported this vulnerability to us, and to Cisco, for the information contained in their Tech Note.

This document was written by Shawn V Hernan.

Other Information

Date Public:98-07-15
Date First Published:2002-01-03
Date Last Updated:2002-01-03
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:18.00
Document Revision:3

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader