Date: Mon, 31 Aug 1998 07:47:42 -0500
From: Brett Oliphant <Brett_M_Oliphant/Lafayette_Life@LLNOTES.LLIC.COM>
Subject: Another Cisco PIX Firewall Vulnerability
To: BUGTRAQ@NETSPACE.ORG

Overview:
Cisco's management software for the PIX Firewall does not perform proper checking of urls. The compromise is any file on the management server can be viewed with a web browser. This could lead to other more educated attacks against the network.

Who is Affected?:
Any site that allows anybody to build a connection to port 8080 of the PIX Firewall Management server. It is not uncommon for sites to have a conduit open through the firewall to reach this box, for the purpose of remote administration. I doubt this setup is recommended, but it does happen.

Details of Exploit:
The exact details of the exploit will be withheld until Cisco releases the official advisory, which should be in a few days.

Fix:
They have confirmed this bug to exist, yet have not informed me their plan of attack. A simple temporary solution for this would be if a conduit does exist from the outside world to the server - remove it. Secondly, only run the Cisco Management service when you plan on doing configuration changes. Which if you can, the second idea is not a bad one to live by even after Cisco releases a fix.

Brett Oliphant
Manager - Corporate Computer Security
Lafayette Life Insurance Company
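
The temporary fix above depends on knowing which conduits reach port 8080 of the management server. The following is an added example, not part of the original post and not Cisco code: it audits a saved PIX configuration for such conduits. It assumes the `conduit permit <protocol> <global> [<operator> <port>] <foreign>` line form; the addresses and the management server IP are constructed sample values.

```python
import ipaddress

MGMT_PORT = 8080  # management service port named in the post

# Constructed sample configuration (documentation address ranges).
SAMPLE = """\
conduit permit tcp host 192.0.2.10 eq 8080 any
conduit permit tcp host 192.0.2.25 eq smtp any
conduit permit tcp host 192.0.2.10 eq 8080 host 198.51.100.7
conduit permit tcp 192.0.2.0 255.255.255.0 range 8000 8100 any
conduit permit icmp any any
"""

def parse_addr(tok, i):
    """Read 'any', 'host <ip>' or '<ip> <mask>' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def covers(op, ports, port):
    """True if the conduit's port qualifier (or its absence) includes `port`."""
    if op is None:
        return True
    if op == "range":
        return ports[0] <= port <= ports[1]
    return {"eq": port == ports[0], "gt": port > ports[0], "lt": port < ports[0]}[op]

def exposed_conduits(config, mgmt_ip, port=MGMT_PORT):
    """Return (line number, foreign network) for each conduit reaching mgmt_ip:port."""
    mgmt, findings = ipaddress.ip_address(mgmt_ip), []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["conduit", "permit"] or tok[2] not in ("tcp", "ip"):
            continue
        try:
            glob, i = parse_addr(tok, 3)
            op, ports = None, []
            if tok[i] in ("eq", "range", "gt", "lt"):
                op, count = tok[i], 2 if tok[i] == "range" else 1
                ports = [int(p) for p in tok[i + 1:i + 1 + count]]
                i += 1 + count
            foreign, _ = parse_addr(tok, i)
        except (ValueError, IndexError):
            continue  # named service such as smtp, or a line form not handled here
        if mgmt in glob and covers(op, ports, port):
            findings.append((n, str(foreign)))
    return findings
```

A foreign network of `0.0.0.0/0` in the result marks a conduit open to any outside address; narrower entries show which remote hosts can still reach the management service.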