By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality.
Cisco PIX Firewall established Command Alternative Conduit Restriction Bypass
Remote / Network Access
Loss of Integrity
Cisco PIX Firewall contains a flaw that may allow a malicious remote user to connect to any port on a system where only limited connections are explicitly allowed. The issue is triggered when the "established" command is used together with a normal conduit. A conduit allows inbound traffic to a specific port on a host, for example port 25 on a mail server. The "established" command provides support for multi-connection protocols, where an internal host makes a connection to an external host on one port and the external host responds with an inbound connection on another port. If the firewall is configured with both a conduit and an "established" command for a host, a remote attacker can make a connection to the allowed port through the conduit and then make a connection to any other port, bypassing the normal firewall restrictions. If an attacker is able to make a connection to an FTP server that supports the PORT command, the flaw may allow subsequent connections to any host behind the firewall, resulting in a potential loss of integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Cisco recommends that all customers whose PIX Firewall configuration files contain both conduits and the established command review their configurations to make sure that those configurations implement the expected security policies.
The established command was meant as a special measure for users with relatively unusual situations, and Cisco does not recommend its routine use. If the established command is used, port ranges should almost always be specified using the permitto and/or permitfrom keywords.
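A configuration audit for the workaround above, added here as an example; it is not part of the advisory or of any Cisco tool. It scans a PIX configuration for "established" lines that carry neither permitto nor permitfrom and rates them by whether a conduit is also present. The sample configuration is constructed, and the command layout it assumes (established protocol dport sport, optionally followed by permitto/permitfrom clauses) is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample PIX configuration fragment, not taken from any real device.
# It mixes a conduit with an "established" line that has no port restriction
# (the combination the advisory warns about) and one that is restricted.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
conduit permit tcp host 192.0.2.25 eq smtp any
established tcp 25 0
established tcp 1720 0 permitto udp 1300-1380 permitfrom udp 1300-1380
"""

# Assumed field order: established <protocol> <dport> <sport> [permitto ...] [permitfrom ...]
ESTABLISHED_RE = re.compile(
    r"^established\s+(?P<proto>\S+)\s+(?P<dport>\S+)\s+(?P<sport>\S+)(?P<rest>.*)$"
)


def audit_established(config: str) -> List[Dict[str, str]]:
    """Flag every 'established' line that has neither permitto nor permitfrom.

    Severity is 'bypass-risk' when the configuration also contains a conduit,
    since that pairing is what lets a peer that reached the conduit port open
    connections to arbitrary ports; otherwise the line is marked 'review'.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    has_conduit = any(ln.startswith("conduit permit") for ln in lines)
    findings: List[Dict[str, str]] = []
    for ln in lines:
        m = ESTABLISHED_RE.match(ln)
        if not m:
            continue
        rest = m.group("rest")
        if "permitto" in rest or "permitfrom" in rest:
            continue  # port range given, matching the recommended workaround
        findings.append({
            "line": ln,
            "protocol": m.group("proto"),
            "dport": m.group("dport"),
            "severity": "bypass-risk" if has_conduit else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_established(SAMPLE_CONFIG):
        print(f"{finding['severity']}: {finding['line']}")
```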