-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Alert
Cisco PIX Firewall Manager Vulnerability
10 October 2001

Synopsis:

Novacoast has discovered a vulnerability in the Cisco PIX Firewall Manager software that exposes and records the enable password of the managed PIX device in plaintext. Attackers may use this vulnerability to obtain full access to the PIX firewall.

Description:

The PIX Firewall Manager (PFM) is a software product that allows the configuration of Cisco PIX Firewall devices via a web-based GUI. PFM is installed and run on a standard Windows NT workstation or server that serves as the management station.

There is a flaw in PFM whereby, upon successful connection to a PIX device, the enable password is saved in plaintext on the management station. The password is recorded in an unencrypted log file stored in a directory created by the install, which by default has no access restrictions. If the management station is compromised, the attacker can retrieve the enable password. This can then be used to gain full access to the PIX Firewall.

Affected Versions:

The tested version is PFM 4.3(2)g. Although the vulnerability is not dependent on the version of the PIX Firewall, this exploit was found with a PIX 5.2(1).

Exploit:

1) Install PFM as instructed.
2) Run PFM, and connect to the PIX firewall with the correct IP and enable password.
3) Wait for PFM to finish gathering data from the firewall.
4) A PFM.LOG file is created, by default in C:\Program Files\Cisco\PIX Firewall Manager\protect.
5) The enable password is stored in plaintext in an entry that looks like:

   Aug 01 2001 14:59:18 <Receiving msg> - 9004 192.168.1.100 0 0 0 1 5 **enable_pswd_here**

Recommended Solution:

Cisco has stated that PFM should be replaced by the PIX Device Manager product, and thus a fix for this exploit will not be made available.
Further product information is located here:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixdm_ds.htm

Note that an attacker can only successfully use this exploit if they can compromise the management station on which PFM is installed. Admins should take care that the PFM station, and the inside network on which it resides, are properly protected behind the PIX firewall. Steps should also be taken to lock down the management station as far as possible, as a number of exploits exist for the NT platform.

If PFM is to be used, restrict the access rights for the directory in which PFM.LOG resides. After connecting to a PIX using PFM, edit PFM.LOG, search for your PIX enable password, and manually delete it. (Or delete the file itself, as it does not appear to be essential for the proper function of PFM.)

Status:

This bug has been submitted to and acknowledged by the Cisco product security incident response team. Cisco will release a report regarding this vulnerability to its customers.

The response from Cisco Product Security IRT:

Cisco strongly recommends that users of its security and other products maintain a process to update the software on their devices and track security related developments in regard to their network environment to maintain and improve their security posture.

In regards to this specific exploit, Cisco recommends the following response:

Upgrade the software on the PIX device to version 6.0 or higher.
Deinstall PIX Firewall Manager from the NT workstation.
Begin using PIX Device Manager for GUI management of the PIX device.

- - If, for any reason, a customer is not willing or able to upgrade for whatever reason, we suggest the following:

- - Secure the NT workstation running PFM as described above.
Regardless of steps taken to address this specific issue, Cisco *strongly* recommends that all organizations restrict physical and electronic access to all network management stations of any sort as a standard operational process. While a management station may be on a network protected by an Internet firewall such as PIX, all internal systems should as a rule be additionally protected from other avenues of attack including but not limited to social engineering, internal threats and external access by means other than the firewalled Internet gateway (i.e. modem pools, network fax machines...).

Disclaimer:

Novacoast accepts no liability or responsibility for the content of this report, or for the consequences of any actions taken on the basis of the information provided within. Dissemination of this information is granted provided it is presented in its entirety. Modifications may not be made without the explicit permission of Novacoast.

- - Florencio Umel, Jr., Engineer
- - Novacoast International Inc.
Email: fumel@novacoast.com
Web: http://www.novacoast.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO8UHedteKEr+r8z4EQISbACgnrkDrwKLphj0ot4mNytCWri/vv4AoM+5
aQ8jtxzRJPF63GqYMrSIuqYU
=DIx/
-----END PGP SIGNATURE-----
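The advisory's interim mitigation is to open PFM.LOG after each session, find the enable password and delete it by hand. The following script, an added example that is not part of the Novacoast advisory or of Cisco's PFM software, automates that step on the defender's side: it scans a log for entries in the format quoted in the advisory, reports where an enable password was recorded (without copying the password anywhere), and writes back a redacted copy. It assumes only what the advisory shows, namely that the last field of a "<Receiving msg> - 9004" line is the enable password; the meaning of the five numeric fields before it is not documented on the page and is not relied upon. The sample log lines and the non-9004 filler entries are constructed for the example.

```python
"""Find and redact the plaintext PIX enable password in a PFM.LOG file.

Added example, not part of the Novacoast advisory or of Cisco's PFM.
It relies only on the entry format quoted in the advisory; everything
else (field meanings, the filler sample entries) is an assumption.
"""
import re
from pathlib import Path

# Layout of the log entry quoted in the advisory:
#   Aug 01 2001 14:59:18 <Receiving msg> - 9004 192.168.1.100 0 0 0 1 5 **enable_pswd_here**
# Only the timestamp, the message type 9004, the firewall address and the
# trailing secret field are relied upon; the five numbers in between are
# matched generically. The secret is matched lazily up to trailing
# whitespace so a password containing spaces is still redacted in full.
PFM_ENABLE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"<Receiving msg> - 9004 "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:\d+ ){5}"
    r"(?P<secret>.+?)\s*$"
)

REDACTED = "<redacted>"

# Default location named in the advisory (used only when no path is given).
DEFAULT_LOG = Path(r"C:\Program Files\Cisco\PIX Firewall Manager\protect\PFM.LOG")


def find_enable_entries(lines):
    """Return (line_no, timestamp, host) for every line carrying an enable password.

    The password itself is deliberately not returned, so a finding can be
    reported or logged without copying the secret anywhere else.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = PFM_ENABLE_RE.match(line)
        if m:
            hits.append((line_no, m.group("ts"), m.group("host")))
    return hits


def redact_line(line):
    """Replace the secret field of a 9004 entry with a marker; other lines pass through."""
    m = PFM_ENABLE_RE.match(line)
    if not m:
        return line
    return line[:m.start("secret")] + REDACTED + line[m.end("secret"):]


def redact_log(lines):
    """Return a copy of the log with every enable password redacted."""
    return [redact_line(line) for line in lines]


def redact_file(path=DEFAULT_LOG):
    """Rewrite the log in place with passwords removed; return the number of entries redacted."""
    path = Path(path)
    original = path.read_text(encoding="latin-1").splitlines(keepends=True)
    hits = find_enable_entries(original)
    if hits:
        path.write_text("".join(redact_log(original)), encoding="latin-1")
    return len(hits)


# Constructed sample log: the 9004 line is the format from the advisory;
# the two neighbouring lines are invented filler showing non-matching entries.
SAMPLE_LOG = [
    "Aug 01 2001 14:59:10 <Sending msg> - 9003 192.168.1.100 0 0 0 1 5 login\n",
    "Aug 01 2001 14:59:18 <Receiving msg> - 9004 192.168.1.100 0 0 0 1 5 **enable_pswd_here**\n",
    "Aug 01 2001 14:59:20 <Receiving msg> - 9006 192.168.1.100 0 0 0 1 5 ok\n",
]

if __name__ == "__main__":
    for line_no, ts, host in find_enable_entries(SAMPLE_LOG):
        print(f"line {line_no}: enable password for {host} recorded at {ts}")
    print("".join(redact_log(SAMPLE_LOG)), end="")
```

Running the script without arguments exercises it on the constructed sample; `redact_file()` applies the same redaction to the real log at the path the advisory names. Redacting after the fact only removes the exposure window from that point on: if the directory was already readable by others before the script ran, the password should be treated as exposed, and the directory access restriction the advisory recommends is still needed so the next session's entry is not world-readable while it exists.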