The OpenNET Project
 


Another Cisco PIX Firewall Vulnerability


Date: Mon, 31 Aug 1998 07:47:42 -0500
From: Brett Oliphant <Brett_M_Oliphant/Lafayette_Life@LLNOTES.LLIC.COM>
To: BUGTRAQ@netspace.org
Subject: Another Cisco PIX Firewall Vulnerability

Overview:
     Cisco's management software for the PIX Firewall does not perform
proper checking of URLs.  The compromise is any file on the management
server can be viewed with a web browser.  This could lead to other more
educated attacks against the network.

Who is Affected?:
     Any site that allows anybody to build a connection to port 8080 of the
PIX Firewall Management server.  It is not uncommon for sites to have a
conduit open through the firewall to reach this box, for the purpose of
remote administration.  I doubt this setup is recommended, but it does
happen.

Details of Exploit:
     The exact details of the exploit will be withheld until Cisco releases
the official advisory, which should be in a few days.

Fix:
     They have confirmed this bug to exist, yet have not informed me of their
plan of attack.  A simple temporary solution for this would be, if a conduit
does exist from the outside world to the server, to remove it.  Secondly,
only run the Cisco Management service when you plan on doing configuration
changes.  If you can, the second idea is not a bad one to live by
even after Cisco releases a fix.


Brett Oliphant
Manager - Corporate Computer Security
Lafayette Life Insurance Company
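
The following is an added example, not part of the original post and not Cisco's code: a small audit that reads a saved PIX configuration and lists the conduits that let every outside address reach port 8080 on the management server, which is the exposure the post recommends removing. It assumes the `conduit permit <protocol> <global address> [<operator> <port>] <foreign address>` form of the command; the function names, addresses and sample configuration are constructed for illustration.

```python
import ipaddress

MGMT_PORT = 8080  # port the advisory names
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operand counts

def _addr(tok, i):
    """Parse 'any', 'host IP' or 'IP MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    ip, mask = (("0.0.0.0" if t == "0" else t) for t in tok[i:i + 2])  # "0 0" shorthand
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False), i + 2

def _port_hit(op, operands, port):
    """True if the port clause covers `port`."""
    if not all(o.isdigit() for o in operands):
        return False  # assumption: named services (e.g. www) are treated as no match
    lo, hi = int(operands[0]), int(operands[-1])
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]

def exposed_conduits(config_text, mgmt_ip, port=MGMT_PORT):
    """Return permit conduits that let every outside address reach mgmt_ip:port.
    Only permit lines are examined; deny lines and their ordering are not modelled."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    hits = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["conduit", "permit"] or tok[2] not in ("tcp", "ip"):
            continue
        glob, i = _addr(tok, 3)
        port_ok = True                      # no port clause means every port
        if i < len(tok) and tok[i] in PORT_OPS:
            n = PORT_OPS[tok[i]]
            port_ok = _port_hit(tok[i], tok[i + 1:i + 1 + n], port)
            i += 1 + n
        foreign, _ = _addr(tok, i)
        if mgmt in glob and port_ok and foreign.prefixlen == 0:
            hits.append(line.strip())
    return hits

# Constructed sample configuration (documentation address ranges).
SAMPLE = """\
conduit permit tcp host 192.0.2.10 eq 8080 any
conduit permit tcp host 192.0.2.10 eq 8080 host 198.51.100.7
conduit permit tcp host 192.0.2.25 eq 25 any
conduit permit tcp 192.0.2.0 255.255.255.0 range 8000 8100 0 0
"""
print(exposed_conduits(SAMPLE, "192.0.2.10"))
```
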

