Date: 11 Oct 2001 02:48:02 -0000
From: Florencio Umel <fumel@novacoast.com.>
To: bugtraq@securityfocus.com
Subject: Vulnerability: Cisco PIX Firewall Manager
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Alert
Cisco PIX Firewall Manager Vulnerability
10 October 2001
Synopsis:
Novacoast has discovered a vulnerability in the Cisco
PIX Firewall Manager software that exposes and
records the enable password of the managed PIX
device in plaintext. Attackers may use this
vulnerability to obtain full access to the PIX firewall.
Description:
The PIX Firewall Manager (PFM) is a software
product that allows the configuration of Cisco PIX
Firewall devices via a web-based GUI. PFM is
installed and run on a standard Windows NT
workstation or server that serves as the management
station. There is a flaw in PFM that upon successful
connection to a PIX device, the enable password is
saved in plaintext on the management station. The
password is recorded in an unencrypted log file
stored in a directory created by the install, which by
default has no access restrictions. If the
management station is compromised, the attacker
can retrieve the enable password. This, of course,
can be then be used to grant full access to the PIX
Firewall.
Affected Versions:
The tested version is PFM 4.3(2)g. Although the
vulnerability is not dependent on the version of the
PIX Firewall, this exploit was found with a PIX 5.2(1).
Exploit:
1) Install PFM as instructed.
2) Run PFM, and connect to the PIX firewall with the
correct IP and enable password.
3) Wait for PFM to finish gathering data from the
firewall.
4) A PFM.LOG file is created, by default in C:\Program
Files\Cisco\PIX Firewall Manager\protect.
5) The enable password is stored in plaintext in an
entry that looks like:
Aug 01 2001 14:59:18 <Receiving msg> - 9004
192.168.1.100 0 0 0 1 5 **enable_pswd_here**
Recommended Solution:
Cisco has stated that PFM should be replaced by the
PIX Device Manager product, and thus a fix for this
exploit will not be made available. Further product
information is located
here:http://www.cisco.com/warp/public/cc/pd/fw/sqfw
500/prodlit/pixdm_ds.htm
Note that an attacker can only successfully use this
exploit if they can compromise the management
station on which PFM is installed. Admins should take
care that the PFM station, and the inside network on
which it resides, should be properly protected behind
the PIX firewall. Steps should also be taken to
lockdown the management station as best as
possible as there exists a number of exploits for the
NT platform. If PFM is to be used, restrict the access
rights for the directory in which PFM.LOG resides.
After connecting to a PIX using PFM, edit the
PFM.LOG, search for your PIX enable password, and
manually delete it. (Or delete the file itself as it does
not appear to be essential for the proper function of
PFM).
Status:
This bug has been submitted to and acknowledged
by the Cisco product security incident response
team. Cisco will release a report regarding this
vulnerability to its customers.
The response from Cisco Product Security IRT:
Cisco strongly recommends that users of its security
and other products maintain a process to update the
software on their devices and track security related
developments in regard to their network environment
to maintain and improve their security posture.
In regards to this specific exploit, Cisco recommends
the following response:
Upgrade the software on the PIX device to the version
6.0 or higher.
Deinstall PIX Firewall Manager from the NT
workstation. Begin using PIX Device Manager for GUI
management of the PIX device.
- - If, for any reason, a customer is not willing or able
to upgrade for whatever reason, we suggest the
following:
- - Secure the NT workstation running PFM as
described above.
Regardless of steps taken to address this specific
issue, Cisco *strongly* recommends that all
organizations restrict physical and electronic access
to all network management stations of any sort as a
standard operational process. While a management
station may be on a network protected by an Internet
Firewall such as PIX, all internal systems should as a
rule be additionally protected from other avenues of
attack including but not limited to social engineering,
internal threats and external access by means other
than the firewalled Internet gateway (i.e. modem
pools, network fax machines...).
Disclaimer:
Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of
Novacoast.
- - Florencio Umel, Jr., Engineer
- - Novacoast International Inc.
Email: fumel@novacoast.com
Web: http://www.novacoast.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBO8UHedteKEr+r8z4EQISbACgnrkDrwKLp
hj0ot4mNytCWri/vv4AoM+5
aQ8jtxzRJPF63GqYMrSIuqYU
=DIx/
-----END PGP SIGNATURE-----
