
Date:	Mon, 31 Aug 1998 07:47:42 -0500
From:	Brett Oliphant <Brett_M_Oliphant/Lafayette_Life@LLNOTES.LLIC.COM>
Subject:      Another Cisco PIX Firewall Vulnerability
To:	BUGTRAQ@NETSPACE.ORG

Overview:
     Cisco's management software for the PIX Firewall does not perform
proper checking of URLs.  The compromise is that any file on the management
server can be viewed with a web browser.  This could lead to other more
educated attacks against the network.

Who is Affected?:
     Any site that allows anybody to build a connection to port 8080 of the
PIX Firewall Management server.  It is not uncommon for sites to have a
conduit open through the firewall to reach this box, for the purpose of
remote administration.  I doubt this setup is recommended, but it does
happen.

Details of Exploit:
     The exact details of the exploit will be withheld until Cisco releases
the official advisory, which should be in a few days.

Fix:
     They have confirmed this bug to exist, yet have not informed me of their
plan of attack.  A simple temporary solution for this would be, if a conduit
does exist from the outside world to the server, to remove it.  Secondly,
only run the Cisco Management service when you plan on doing configuration
changes.  If you can, the second idea is not a bad one to live by
even after Cisco releases a fix.


Brett Oliphant
Manager - Corporate Computer Security
Lafayette Life Insurance Company