mailing list archives
Cisco Security Notice: Cisco Secure PIX Firewall FTP Vulnerabilities
From: security-alert () CISCO COM (security-alert () CISCO COM)
Date: Thu, 16 Mar 2000 21:16:22 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Secure PIX Firewall FTP Vulnerabilities
For public release 2000 March 16 05:00 PM US/Pacific (UTC+0800)
The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol)
commands out of context and inappropriately opens temporary access through
the firewall. This is an interim notice describing two related
The first vulnerability is exercised when the firewall receives an error
message from an internal FTP server containing an encapsulated command such
that the firewall interprets it as a distinct command. This vulnerability
can be exploited to open a separate connection through the firewall. This
vulnerability is documented as Cisco Bug ID CSCdp86352.
The second vulnerability is exercised when a client inside the firewall
browses to an external server and selects a link that the firewall
interprets as two or more FTP commands. The client begins an FTP connection
as expected and at the same time unexpectedly executes another command
opening a separate connection through the firewall. This vulnerability is
documented as Cisco Bug ID CSCdr09226.
Either vulnerability can be exploited to transmit information through the
firewall without authorization.
Fixed software and workarounds are available to address the first
vulnerability. Fixed software is not yet available for the second
vulnerability but a workaround is provided.
Who Is Affected
All users of Cisco Secure PIX Firewalls with software versions up to and
including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are
at risk from both vulnerabilities.
Cisco Secure PIX Firewall with software version 5.1(1) is affected by the
second vulnerability only.
Cisco Secure Integrated Software (formerly Cisco IOS® Software Firewall
Feature Set) is not affected by either vulnerability.
Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp
command is at risk of unauthorized transmission of data through the
The first vulnerability has been assigned Cisco bug ID CSCdp86352. The
second vulnerability has been assigned Cisco bug ID CSCdr09226.
The behavior is due to the command fixup protocol ftp [portnum], which is
enabled by default on the Cisco Secure PIX Firewall.
If you do not have protected FTP hosts with the accompanying configuration
(configuration example below) you are not vulnerable to the attack which
causes a server to send a valid command, encapsulated within an error
message, and causes the firewall to read the encapsulated partial command as
a valid command (CSCdp86352).
To exploit this vulnerability, attackers must be able to make connections to
an FTP server protected by the PIX Firewall. If your Cisco Secure PIX
Firewall has configuration lines similar to the following:
fixup protocol ftp 21
conduit permit tcp host 192.168.0.1 eq 21 any
conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any
It is possible to fool the PIX stateful inspection into opening up arbitrary
TCP ports, which could allow attackers to circumvent defined security
If you permit internal clients to make arbitrary FTP connections outbound,
you may be vulnerable to the second vulnerability (CSCdr09226). This is an
attack based on CERT advisory "CA-2000-02: Malicious HTML Tags Embedded in
Client Web Requests"<http://www.cert.org/advisories/CA-2000-02.html> and
detailed in the BUGTRAQ post: "Extending the FTP 'ALG' vulnerability to any
FTP client"<38C8C8EE.544524B1 () enternet
se">http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1 () enternet
The recommendation in the workarounds section of this document will provide
protection against this vulnerability.
Response for the first vulnerability (CSCdp86352)
The following changes have been made to the "fixup protocol FTP" behavior of
the PIX Firewall:
* Enforce that only the server can generate a reply indicating the PASV
command was accepted.
* Enforce that only the client can generate a PORT command.
* Enforce that data channel is initiated from the expected side in an FTP
* Verify that the "227" reply code and the PORT command are complete
commands and not part of a "500" error code string broken into
* Enforce that the port is not 0 or in the range between [1,1024]
These or equivalent changes will be carried forward into all PIX Firewall
software versions after version 5.1(1).
Response for the second vulnerability (CSCdr09226)
Cisco is working on a fix for this issue. This notice will be updated when
we have produced a fix.
Software Versions and Fixes
Getting Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table below, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. As always, customers may install only the
feature sets they have purchased.
will carry forward into Projected first fixed
Version Affected all later versions) regular release (fix
will carry forward into
Available Now through all later versions)
All versions of Cisco
Secure PIX up to
version 4.2(5) 4.2(5)205** 4.2(6) Currently not
(including 2.7, 3.0, scheduled.*
3.1, 4.0, 4.1)
All 4.3.x and 4.4.x up 4.4(5) Estimated date
to and including 4.4(4)202** available: 2000 April
version 4.4(4) 15*
All 5.0.x up to and 5.0(4) Estimated date
including version 5.0(3)202** available: 2000 April
Version 5.1(1) - not
affected- unaffected Currently available
* All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac () cisco com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt () cisco com" or
"security-alert () cisco com" for software upgrades.
If version 4.3 or 4.4 is utilized on a PIX 'Classic' (excludes PIX10000,
PIX-510, PIX-520, and PIX-515)
If version 5.0 is utilized on a PIX 'Classic', PIX10000, or PIX-510
(excludes PIX-520 and PIX-515)
A 128MB upgrade for the PIX Firewall is necessary. As with any new software
installation, customers planning to upgrade should carefully read the
release notes and other relevant documentation before beginning any upgrade.
Also, it is important to be certain that the new version of Cisco Secure PIX
Firewall software is supported by your hardware, and especially that enough
memory is available.
The behaviors described in this document are a result of the default command
"fixup protocol ftp [portnum]". To disable this functionality, enter the
command "no fixup protocol ftp". This will disable support of the fixup of
the FTP protocol in the PIX, and will eliminate the vulnerabilities. The
command "fixup protocol ftp 21" is the default setting of this feature, and
is enabled by default on the Cisco Secure PIX Firewall.
This workaround will force your clients to use FTP in passive mode, and
inbound FTP service will not be supported. Outbound standard FTP will not
work without fixup protocol ftp 21, however, passive FTP will function
correctly with no fixup protocol ftp configured.
Exploitation and Public Announcements
This vulnerability was proposed on the BUGTRAQ list, and in follow-ups to
the article, the Cisco Secure PIX Firewall was also identified as
susceptible. As the vulnerabilities have been widely discussed, Cisco is
posting this advisory prior to having a full fix. We will update this
notice again, when we have a full fix available.
Cisco has had no reports of malicious exploitation of this vulnerability.
However, versions of exploit scripts have been posted to various security
This vulnerability was reported to Cisco via several sources, shortly after
the time of the original supposition.
Status of This Notice
This is an interim field notice. Although Cisco cannot guarantee the
accuracy of all statements in this notice, all the facts have been checked
to the best of our ability. Cisco anticipates issuing updated versions of
this notice within two weeks.
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/pixftp-pub.shtml. In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:
* cust-security-announce () cisco com
* bugtraq () securityfocus com
* first-teams () first org (includes CERT/CC)
* cisco () spot colorado edu
* firewalls () lists gnac com
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision 1.02000 March 16 08:00 AM US/Pacific (UTC+0800)- Initial public
Revision 1.12000 March 16 08:00 AM US/Pacific (UTC+0800) - Link
corrections, table head clarification.
Revision 1.32000 March 16 14:00 PM US/Pacific (UTC+0800) - Addition of 2nd
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at
includes instructions for press inquiries regarding Cisco security notices.
This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----