PIX 'established' and 'conduit' command may have unexpected interactions
Vulnerability Note VU#6733
Original Release Date: 2002-01-04 | Last Revised: 2002-01-04
A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.
Cisco PIX firewalls protecting servers which offer service to the internet-at-large are generally configured to provide a "static" NAT mapping to the servers. "Conduits" are specified, allowing inbound traffic to specific services on specific ports.
If the firewall is configured to allow "established" TCP connections, and an outside machine initiates a connection to an inside machine on a TCP port for which a conduit is set up (i.e. an allowed connection), that outside machine will subsequently, be allowed to connect to ANY TCP port on the inside machine (i.e. ports not specifically allowed in the firewall configuration). Note that the connection to the allowed port does not need to succeed - there does not need to be a service running on the port on the inside machine, it is enough that the connection is attempted to trigger the vulnerability.
Cisco described this problem in July, 1998, in a Cisco Tech Note. Quoting from that document,
A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action of the established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behaviour of the establishedcommand in the presence of static conduits to be counterintuitive.
If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected.
If a PIX firewall is configured to allow "established" connections, an intruder who can establish a connection to any port on a machine behind the firewall can, for at least a few minutes, establish a connection to ANY port on that machine, thus defeating the purpose of the firewall in the first place. Further quoting from the Cisco Tech Note:
The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.
This is particularly concerning if an intruder can establish an ftp connection to an ftp server that supports the PORT command. This may enable an intruder to establish a connection to virtually any machine behind the firewall if any machine behind the firewall has a vulnerable ftp server, and runs a publicly available service. For more information, CERT Advisory 1997-27.