Advisory ID: cisco-sa-19980715-pixest
For Public Release 1998 July 15 15:00 UTC (GMT)
Vulnerability Scoring Details
Software Versions and Fixes
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: Final
Cisco Security Procedures
A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action of the established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behavior of the established command in the presence of static conduits to be counterintuitive.
If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980715-pixest.
Users who do not have both static conduits and established commands in their configuration files are not affected; neither can produce the effect without the other.
Users of Cisco products other than the PIX Firewall are not affected. There is no connection between the PIX established command and the established keyword in Cisco IOS access lists.
No other Cisco products are currently known to be affected by these vulnerabilities.
Many protocols require multiple TCP connections or multiple UDP data streams. In some protocols, the host playing the role of "server" makes connections to the host playing the role of "client"; although the client generally initiates the first connection, the server may initiate subsequent connections. For many commonly used protocols, such as FTP, the PIX Firewall scans the application layer data to find the ports on which connections may be opened from server to client, and selectively permits the connections that have been negotiated in the protocol. However, the PIX Firewall software does not have support for every possible protocol.
The established command allows the PIX Firewall to deliver traffic associated with protocols for which the firewall software does not have specific support. When the established command is in force, an outside server can make a TCP or UDP connection to any inside host with which it already has a TCP or UDP connection established. The assumption is that the new connection is part of an unknown multiconnection protocol. The permitto and permitfrom parameters to the established command can be used to control which ports on the inside host can be reached from the outside, but there is no way to designate specific inside hosts to which the established command should or should not apply.
The established command creates a relatively wide opening in the firewall. If there is any existing connection between an inside and an outside host, additional connections may be created in either direction. Unless the permitto and/or permitfrom keywords have been used, these connections may use any port number on either host.
Conduits, created with the static and conduit commands, provide a way for the firewall administrator to permit access from outside the firewall to selected ports on hosts inside the firewall. A conduit might, for example, be used to provide access to a mail server by allowing outside hosts to connect to TCP port 25 on the mail host.
The two features interact in a way that has surprised some firewall administrators. Suppose that a PIX Firewall has the established tcp command in its configuration file, and that a conduit has been created to allow outside hosts to connect to port 25 on an inside mail server, host A. If outside host B takes advantage of this conduit to connect to host A's mail service, a TCP connection will be created. As long as this TCP connection to A's mail port is active, the established command will permit host B to make additional connections to other ports on host A. Since host B can initiate mail connections at will, and can hold those connections open for as long as it wants, the net effect is that host B can make a TCP connection to any port on host A at any time.
Users who make this configuration error are generally under one of two misconceptions about the established command. The facts are that:
- The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.
- The established command has its full effect even if the existing connection was made to a well-known port. Even though the original connection may involve a protocol that is supported by the PIX Firewall software, the established command will still permit subsequent connections.
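The following Python model is an added illustration, not Cisco code or the PIX software's actual decision logic. It keeps only the rules the advisory states: a conduit admits outside connections to a listed port on a listed inside host, and the established command admits any further connection between an outside host and an inside host that already share a connection, unless permitto/permitfrom narrow the inside/outside ports. The host names A, B and C and the port numbers are constructed; the scenario walks through the mail-server case from the advisory and shows how permitto changes the outcome.

```python
"""Toy model of the PIX Firewall behaviour the advisory describes.

Added illustration, not Cisco code. A conduit admits outside connections to
a listed port on a listed inside host; the established command admits any
further connection between an outside and an inside host that already
share a connection, unless permitto/permitfrom narrow the ports. Hosts
"A", "B", "C" and all port numbers below are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Conn:
    proto: str         # "tcp" or "udp"
    outside: str       # outside host
    inside: str        # inside host
    inside_port: int   # port on the inside host
    outside_port: int  # port on the outside host


@dataclass
class PixPolicy:
    # conduits: (proto, inside host, inside port) reachable from outside
    conduits: Set[Tuple[str, str, int]] = field(default_factory=set)
    # established: None = command absent; {} = present with no restriction;
    # "permitto"/"permitfrom" entries list the only inside/outside ports allowed
    established: Optional[dict] = None
    # connection table: connections currently open through the firewall
    table: Set[Conn] = field(default_factory=set)

    def _hosts_share_connection(self, outside: str, inside: str) -> bool:
        # Any existing connection between the two hosts counts; neither the
        # direction in which it was opened nor its port is checked (the two
        # misconceptions listed in the advisory).
        return any(c.outside == outside and c.inside == inside for c in self.table)

    def permits(self, c: Conn) -> str:
        """Why a new outside->inside connection would be admitted, or 'denied'."""
        if (c.proto, c.inside, c.inside_port) in self.conduits:
            return "conduit"
        if self.established is not None and self._hosts_share_connection(c.outside, c.inside):
            to = self.established.get("permitto")
            frm = self.established.get("permitfrom")
            if (to is None or c.inside_port in to) and (frm is None or c.outside_port in frm):
                return "established"
        return "denied"

    def open(self, c: Conn) -> str:
        """Attempt the connection; record it in the table if admitted."""
        verdict = self.permits(c)
        if verdict != "denied":
            self.table.add(c)
        return verdict


def scenario(established: Optional[dict]) -> Tuple[str, str, str]:
    """Outside host B uses the SMTP conduit to inside host A, then tries
    port 23 on A (no conduit) and port 23 on inside host C (no conduit and
    no existing connection)."""
    pix = PixPolicy(conduits={("tcp", "A", 25)}, established=established)
    smtp = pix.open(Conn("tcp", "B", "A", 25, 40001))
    telnet_a = pix.open(Conn("tcp", "B", "A", 23, 40002))
    telnet_c = pix.open(Conn("tcp", "B", "C", 23, 40003))
    return smtp, telnet_a, telnet_c


if __name__ == "__main__":
    print("no established command:       ", scenario(None))
    print("established tcp, unrestricted:", scenario({}))
    print("established, permitto {113}:  ", scenario({"permitto": {113}}))
```

The third result in every run stays "denied": host C has no conduit and no connection with B, which matches the advisory's statement that only hosts reached through a conduit are affected.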
Cisco will update the PIX Firewall documentation to clarify these points.
Because the reasons for using the established command differ from installation to installation, there is no configuration change that will work for all users. Cisco recommends that all customers whose PIX Firewall configuration files contain both conduits and the established command review their configurations to make sure that those configurations implement the expected security policies.
The established command was meant as a special measure for users with relatively unusual situations, and Cisco does not recommend its routine use. If the established command is used, port ranges should almost always be specified using the permitto and/or permitfrom keywords.
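The configuration review the advisory recommends can be started with a simple scan of the configuration dump. The script below is an added example, not a Cisco tool: it looks for the three commands the advisory names (static, conduit, established), reports when conduits and an established command coexist, and checks whether the established command carries permitto or permitfrom. The two sample configurations are constructed, and the argument layout of the commands is an assumption about the PIX syntax of the time; the audit relies only on the leading keyword of each line and on the permitto/permitfrom tokens.

```python
"""Audit a PIX configuration dump for the conduit + established interaction.

Added example, not a Cisco tool. Sample configurations are constructed and
their argument layout is an assumed approximation of PIX syntax; the audit
depends only on the leading keyword of each line and on the
permitto/permitfrom tokens named in the advisory."""
import re
from typing import Dict, List

# Constructed sample: a static conduit to an SMTP host plus an unrestricted
# established command, i.e. the misconfiguration in the advisory.
RISKY_CONFIG = """\
hostname pix-edge
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq 25 any
established tcp 0 0
"""

# Constructed sample: same conduit, established command narrowed with permitto.
NARROWED_CONFIG = """\
hostname pix-edge
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq 25 any
established tcp 0 0 permitto tcp 113
"""

HOST_RE = re.compile(r"\bhost\s+(\S+)")


def audit_pix_config(text: str) -> Dict[str, object]:
    """Return the conduit hosts, the established lines and a list of findings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    conduits = [ln for ln in lines if ln.startswith("conduit ")]
    statics = [ln for ln in lines if ln.startswith("static ")]
    established = [ln for ln in lines if ln.startswith("established ")]
    unrestricted = [ln for ln in established
                    if "permitto" not in ln and "permitfrom" not in ln]

    # inside hosts named in conduit lines (addresses as written in the config)
    hosts = sorted({m.group(1) for m in map(HOST_RE.search, conduits) if m})

    findings: List[str] = []
    if established and (conduits or statics):
        findings.append("conduits and the established command coexist; "
                        "review against cisco-sa-19980715-pixest")
        if unrestricted:
            findings.append("established command has neither permitto nor permitfrom: "
                            "an outside host holding a conduit connection can reach any "
                            "port on " + (", ".join(hosts) or "the conduit hosts"))
    elif established:
        findings.append("established command present without conduits: not the case "
                        "in the advisory, but still a wide opening")
    return {"conduit_hosts": hosts, "established": established, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("narrowed", NARROWED_CONFIG)):
        print(name, audit_pix_config(cfg)["findings"])
```

A configuration that triggers the second finding is the one the advisory warns about; the first finding alone still calls for a review, since permitto and permitfrom only limit which ports the established command opens, not which inside hosts it applies to.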
If a firewall administrator has made this configuration error, outside users will be able to make connections to services that the administrator will not have expected outsiders to be able to reach. Since the administrator will not be aware that outsiders can connect to these services, the services may not have been properly secured. Depending on the services offered by the affected hosts, this may enable outsiders to conduct a variety of security attacks.
Only services on hosts to which conduits have been established are affected; the misconfiguration does not provide any special access to services on other hosts.
This misconfiguration is possible with any PIX Firewall software version that recognizes the established command.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .
Do not contact firstname.lastname@example.org or email@example.com for software upgrades.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Cisco has had no reports of malicious exploitation of this misconfiguration.
Although Cisco has always considered the behavior of the established command, and the behavior of conduits, to be public information, Cisco knows of no public discussions of the possibility or impact of this specific misconfiguration before the date of this notice. Cisco has received reports of customers being surprised by this behavior.
Any TELNET client or other program capable of making a TCP connection or starting a UDP data exchange can be used to exploit this misconfiguration. Once an attacker gains access to an unprotected server, other programs may be needed to exploit security vulnerabilities in that server.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco's worldwide website at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980715-pixest
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Initial released version
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.