
Title: Cisco Secure PIX Firewall Mailguard Vulnerability
Released by: Cisco
Date: 27th September 2000

               Cisco Secure PIX Firewall Mailguard Vulnerability

Revision 1.0

  For public release 2000 Sept 27 08:00 AM US/Pacific (UTC+0700)



   The Cisco Secure PIX firewall feature "mailguard," which limits SMTP
   commands to a specified minimum set of commands, can be bypassed.

   This vulnerability can be exploited to bypass SMTP command filtering.

   This vulnerability has been assigned Cisco bug ID CSCdr91002 and

   The complete advisory is available at

Affected Products

   All users of Cisco Secure PIX Firewalls with software versions up to
   and including 4.4(5), 5.0(3), 5.1(2) and 5.2(1) that provide access to
   SMTP Mail services are at risk.

   The IOS Firewall featureset is not affected by either of the above

   The behavior is a failure of the command "fixup protocol smtp
   [portnum]", which is enabled by default on the Cisco Secure PIX

   If you do not have protected Mail hosts with the accompanying
   configuration (configuration example below) you are not affected by
   this vulnerability.

   To exploit this vulnerability, attackers must be able to make
   connections to an SMTP mail server protected by the PIX Firewall.  If
   your Cisco Secure PIX Firewall has configuration lines similar to the

             fixup protocol smtp 25

   and either

             conduit permit tcp host eq 25 any

             conduit permit tcp eq 25 any

             access-list 100 permit tcp any host eq 25
             access-group 100 in interface outside

   The expected filtering of the Mailguard feature can be circumvented by
   an attacker.


   The Mailguard feature is intended to help protect weakly secured mail
   servers.  The workaround for this issue is to secure the mail servers
   themselves, or upgrade to fixed PIX firewall code.

   In order to exploit this vulnerability, an attacker would need to also
   exploit the mailserver that is currently protected by the PIX.  If
   that server is already well configured, and has the latest security
   patches and fixes from the SMTP vendor, that will minimize the
   potential for exploitation of this vulnerability.

Software Versions and Fixes

  Getting Fixed Software

   Cisco is offering free software upgrades to remedy this vulnerability
   for all affected customers. Customers with service contracts may
   upgrade to any software version. Customers without contracts may
   upgrade only within a single row of the table below, except that any
   available fixed software will be provided to any customer who can use
   it and for whom the standard fixed software is not yet available. As
   always, customers may install only the feature sets they have



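   +-------------------------------------+----------------------------------+
   |                                     | Fixed Regular Release available  |
   | Version Affected                    | now; fix will carry forward into |
   |                                     | all later releases               |
   +-------------------------------------+----------------------------------+
   | All versions of Cisco Secure PIX up |                                  |
   | to version 4.4(5) (including 2.7,   | 4.4(6)                           |
   | 3.0, 3.1, 4.0, 4.1)                 |                                  |
   +-------------------------------------+----------------------------------+
   | Version 5.0.x up to and including   |                                  |
   | version 5.0(3)                      | 5.1(3)                           |
   +-------------------------------------+----------------------------------+
   | All 5.1.x up to and including       |                                  |
   | version 5.1(2)*                     | 5.1(3)                           |
   +-------------------------------------+----------------------------------+
   | Version 5.2(1)                      | 5.2(2)                           |
   +-------------------------------------+----------------------------------+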


   *For customers who may have engineering releases addressing specific
   unrelated defects, designated as 5.1(2)2xx, version 5.1(3) only
   includes the SMTP security fixes and does not include any other
   bugfixes. Customers requiring engineering releases to address specific
   unrelated defects will need to use 5.1(2)207 or higher, which also
   includes the SMTP security fixes.
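
   The configuration pattern from the affected-products section and the
   version table above can be checked together against a saved PIX
   configuration. The script below is an added example, not Cisco's code;
   it assumes the configuration carries a "PIX Version x.y(z)" header line
   and that "eq smtp" is the literal form of "eq 25", and its sample
   configuration and addresses are constructed.

```python
import re

# Last affected maintenance release per train, from "Affected Products".
LAST_AFFECTED = {(4, 4): 5, (5, 0): 3, (5, 1): 2, (5, 2): 1}

def version_affected(text):
    """True/False for a string such as 'PIX Version 5.1(2)'; None if unparsed."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)\)(\d*)", text)
    if not m:
        return None
    major, minor, maint = (int(g) for g in m.groups()[:3])
    eng = int(m.group(4) or 0)
    if (major, minor) < (4, 4):
        return True                  # all trains before 4.4 are listed as affected
    if (major, minor, maint) == (5, 1, 2) and eng >= 207:
        return False                 # engineering release 5.1(2)207 or higher
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and maint <= last

def audit(config):
    lines = [l.strip() for l in config.splitlines()]
    # "no fixup protocol smtp ..." does not full-match, so disabled Mailguard is skipped.
    ports = {m.group(1) for l in lines
             if (m := re.fullmatch(r"fixup protocol smtp (\d+)", l))}
    def hits(line):
        # Any "eq <port>" on the rule counts; "smtp" is assumed to be the literal for 25.
        eqs = re.findall(r"\beq (\S+)", line)
        return any(p in ports or (p == "smtp" and "25" in ports) for p in eqs)
    conduits = [l for l in lines if l.startswith("conduit permit tcp ") and hits(l)]
    # An access-list only matters once an access-group binds it to an interface.
    bound = {m.group(1) for l in lines
             if (m := re.match(r"access-group (\S+) in interface \S+", l))}
    acls = [l for l in lines
            if (m := re.match(r"access-list (\S+) permit tcp ", l))
            and m.group(1) in bound and hits(l)]
    # Assumed header line; an unknown version is treated as not known-fixed.
    affected = version_affected(next((l for l in lines if l.startswith("PIX Version")), ""))
    rules = conduits + acls
    return {"mailguard_ports": sorted(ports), "inbound_rules": rules,
            "version_affected": affected,
            "at_risk": bool(ports and rules) and affected is not False}

# Constructed sample configuration (addresses are documentation-range placeholders).
SAMPLE = """PIX Version 5.1(2)
fixup protocol smtp 25
conduit permit tcp host 192.0.2.10 eq 25 any
access-list 100 permit tcp any host 192.0.2.11 eq 25
access-list 101 permit tcp any host 192.0.2.12 eq 25
access-group 100 in interface outside
"""
```

   Calling audit(SAMPLE) reports the two inbound rules that reach the
   Mailguard port; access-list 101 is ignored because no access-group
   binds it to an interface.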

   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained via the Software Center on Cisco's Worldwide Web
   site at http://www.cisco.com.

   Customers without contracts should get their upgrades by contacting
   the Cisco Technical Assistance Center (TAC). TAC contacts are as

     * +1 800 553 2447 (toll-free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com

   Give the URL of this notice as evidence of your entitlement to a free
   upgrade. Free upgrades for non-contract customers must be requested
   through the TAC. Please do not contact either "psirt@cisco.com" or
   "security-alert@cisco.com" for software upgrades.


   There is not a direct workaround for this vulnerability.  The
   potential for exploitation can be lessened by ensuring that mail
   servers are secured without relying on the PIX functionality.

Exploitation and Public Announcements

   This vulnerability was first reported to Cisco by a customer.  This
   vulnerability has been discussed on public forums.

Status of This Notice: FINAL

   This is a final field notice. Although Cisco cannot guarantee the
   accuracy of all statements in this notice, all of the facts have been
   checked to the best of our ability.  Cisco does not anticipate
   issuing updated versions of this notice unless there is some material
   change in the facts. Should there be a significant change in the
   facts, Cisco may update this notice.

   This notice will be posted on Cisco's Worldwide Web site at

   In addition to Worldwide Web posting, a text version of this notice is
   clear-signed with the Cisco PSIRT PGP key and is posted to the
   following e-mail and Usenet news recipients:

     * cust-security-announce@cisco.com
     * bugtraq@securityfocus.com
     * first-teams@first.org (includes CERT/CC)
     * cisco@spot.colorado.edu
     * comp.dcom.sys.cisco
     * firewalls@lists.gnac.com
     * Various internal Cisco mailing lists

   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.

Revision History

   Revision 1.0  27-SEP-2000  Initial Public Release

Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and
   registering to receive security information from Cisco, is available
   on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/sec_incident_response.html. This
   includes instructions for press inquiries regarding Cisco security

   This notice is copyright 2000 by Cisco Systems, Inc. This notice may
   be redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified,
   including all date and version information.


