Vulnerability Note VU#6733
PIX 'established' and 'conduit' command may have unexpected interactions
A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.
Cisco PIX firewalls protecting servers which offer service to the internet-at-large are generally configured to provide a "static" NAT mapping to the servers. "Conduits" are specified, allowing inbound traffic to specific services on specific ports.
Cisco described this problem in July, 1998, in a Cisco Tech Note. Quoting from that document,
of the established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behaviour of the established command
in the presence of static conduits to be counterintuitive.
If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected.
If a PIX firewall is configured to allow "established" connections, an intruder who can establish a connection to any port on a machine behind the firewall can, for at least a few minutes, establish a connection to ANY port on that machine, thus defeating the purpose of the firewall in the first place. Further quoting from the Cisco Tech Note:
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco||Affected||12 May 1998||14 Dec 2001|
CVSS Metrics (Learn More)
Our thanks to Cameron MacKinnon who reported this vulnerability to us, and to Cisco, for the information contained in their Tech Note.
This document was written by Shawn V Hernan.
- CVE IDs: Unknown
- Date Public: 15 Jul 98
- Date First Published: 03 Jan 2002
- Date Last Updated: 03 Jan 2002
- Severity Metric: 18.00
- Document Revision: 3
If you have feedback, comments, or additional information about this vulnerability, please send us email.