Cisco PIX Firewall Lets Remote Users Deny Service and Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID: 1017652
SecurityTracker URL: http://securitytracker.com/id?1017652
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 14 2007
Impact: Denial of service via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Cisco Security Advisory
Version(s): prior to 6.3(5.115), 7.0(5.2), 7.1(2.5), and 7.2(2.10)
Description: A vulnerability was reported in Cisco PIX Firewall. A remote authenticated user can obtain administrative privileges on the target system. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target device to reload under certain conditions.
The vulnerability can be triggered by specific Hypertext Transfer Protocol (HTTP), Session Initiation Protocol (SIP), and Transmission Control Protocol (TCP) traffic.
The vulnerability occurs only when HTTP inspection is enabled via a specific HTTP map in the configuration file, when SIP fixup or inspect is enabled, or when any of the following TCP-based protocols are inspected:
* Computer Telephony Interface Quick Buffer Encoding (CTIQBE)
* Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
* Domain Name Service (DNS)
* Extended Simple Mail Transfer Protocol (ESMTP)
* File Transfer Protocol (FTP)
* H.323 protocol
* Hyper Text Transfer Protocol (HTTP)
* Internet Locator Server (ILS)
* Instant Messaging (IM)
* Point-to-Point Tunneling Protocol (PPTP)
* Remote Shell (RSH)
* Real Time Streaming Protocol (RTSP)
* Session Initiation Protocol (SIP)
* Skinny (or Simple) Client Control Protocol (SCCP)
* Simple Mail Transfer Protocol (SMTP)
* Oracle SQL*Net
* Sun RPC
Cisco has assigned Cisco Bug IDs CSCsd75794, CSCse27708, CSCsd97077, and CSCsh12711 to this vulnerability.
When the LOCAL method is used for user authentication, a remote authenticated user who is defined in the local database with a privilege level of zero can obtain elevated privileges (up to and including level 15, administrative privileges).
Cisco has assigned Cisco Bug ID CSCsh33287 to this vulnerability.
Impact: A remote user can cause denial of service conditions.
A remote authenticated user can obtain administrative privileges in certain configurations.
Solution: Cisco has issued fixed versions (6.3(5.115), 7.0(5.2), 7.1(2.5), and 7.2(2.10)), available at:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
The Cisco advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
Vendor URL: www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
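To check a device against this alert, the following added example (not code from Cisco or SecurityTracker) compares a PIX version string with the fixed releases listed above and scans a saved configuration for the HTTP-map, SIP, and LOCAL privilege-0 conditions. It assumes standard PIX configuration lines, uses a constructed sample config, and does not cover the full list of inspected TCP-based protocols.

```python
import re

# Fixed releases per train, from the alert's "Version(s)" line.
FIXED = {"6.3": (5, 115), "7.0": (5, 2), "7.1": (2, 5), "7.2": (2, 10)}
VERSION_RE = re.compile(r"(\d+\.\d+)\((\d+)(?:\.(\d+))?\)")


def is_vulnerable(version):
    """True/False for a train named in the alert; None if unlisted or unparsable."""
    m = VERSION_RE.search(version)
    if not m or m.group(1) not in FIXED:
        return None
    build = (int(m.group(2)), int(m.group(3) or 0))
    return build < FIXED[m.group(1)]


def exposure(config):
    """List which of the alert's trigger conditions appear in a PIX config."""
    lines = [ln.strip() for ln in config.splitlines()]
    maps = {ln.split()[1] for ln in lines if re.match(r"http-map\s+\S+", ln)}
    found = []
    for ln in lines:
        m = re.match(r"inspect http\s+(\S+)", ln)
        if m and m.group(1) in maps:  # HTTP inspection bound to an HTTP map
            found.append("HTTP inspection via http-map " + m.group(1))
        if re.match(r"(fixup protocol|inspect) sip\b", ln):  # 6.x or 7.x syntax
            found.append("SIP fixup/inspect enabled")
    local = any(re.match(r"aaa authentication .*\bLOCAL\b", ln) for ln in lines)
    priv0 = [ln.split()[1] for ln in lines
             if re.match(r"username\s+\S+.*\bprivilege 0\b", ln)]
    if local and priv0:
        found.append("LOCAL auth with privilege 0 users: " + ", ".join(priv0))
    return found


# Constructed sample configuration (not from a real device).
SAMPLE = """\
PIX Version 7.0(4)
username helpdesk password PLACEHOLDER encrypted privilege 0
username admin password PLACEHOLDER encrypted privilege 15
aaa authentication ssh console LOCAL
http-map inbound_http
 strict-http action reset log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http inbound_http
  inspect sip
"""

if __name__ == "__main__":
    print("vulnerable release:", is_vulnerable(SAMPLE.splitlines()[0]))
    for item in exposure(SAMPLE):
        print("exposed:", item)
```

A `None` result from `is_vulnerable` means the release train is not one the alert lists, so it needs to be checked against the Cisco advisory directly.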