Published: 1998-07-15 00:00:00
Revised: 2008-09-05 16:19:52

[Original] By design, the "established" command on the Cisco PIX firewall allows connections from one host to arbitrary ports of a target host if an alternative conduit has already been allowed, which can cause administrators to configure less restrictive access controls than intended if they do not understand this functionality.

[CNNVD] Cisco PIX Firewall "established" command allows one host to connect to arbitrary ports of a target host (CNNVD-199807-017)

        A weakness exists in the "established" command of the Cisco PIX firewall. By design, once an alternative conduit has already been allowed, the command lets one host connect to arbitrary ports of the target host. Administrators who do not understand this behaviour may therefore configure access controls that are less restrictive than they intend.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  XF  cisco-pix-established-bypass(8052)
(UNKNOWN)  CISCO  19980715 PIX Firewall "established" Command

- Vulnerability information

Cisco PIX Firewall "established" command allows one host to connect to arbitrary ports of a target host
High Unknown
1998-07-15 00:00:00 2006-04-03 00:00:00
        A weakness exists in the "established" command of the Cisco PIX firewall. By design, once an alternative conduit has already been allowed, the command lets one host connect to arbitrary ports of the target host. Administrators who do not understand this behaviour may therefore configure access controls that are less restrictive than they intend.

- Advisories and patches


- Vulnerability information

Cisco PIX Firewall established Command Alternative Conduit Restriction Bypass
Remote / Network Access Infrastructure
Loss of Integrity
Exploit Public

- Vulnerability description

Cisco PIX Firewall contains a flaw that may allow a malicious remote user to connect to any port on a system to which only limited connections were explicitly allowed. The issue is triggered when the "established" command is used together with a normal conduit. A conduit allows inbound traffic to a specific port on a host, for example port 25 on a mail server. The "established" command provides support for multi-connection protocols, in which a host makes a connection to an external host on one port and the external host responds with an inbound connection on another port. Because the permission granted by "established" is keyed to the existence of a matching connection rather than to which side opened it, a firewall configured with both a conduit and an "established" command for a host lets a remote attacker connect to the allowed port through the conduit and then open a connection to any other port on that host, bypassing the normal firewall restrictions. If the attacker can also reach an FTP server that honours the PORT command, the flaw may allow subsequent connections to any host behind the firewall, resulting in a potential loss of integrity.

- Timeline

1998-07-15 Unknown
1998-07-15 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to mitigate the flaw by implementing the following workarounds: Cisco recommends that all customers whose PIX Firewall configuration files contain both conduits and the established command review their configurations to make sure that those configurations implement the expected security policies. The established command was meant as a special measure for users with relatively unusual situations, and Cisco does not recommend its routine use. If the established command is used, port ranges should almost always be specified using the permitto and/or permitfrom keywords.
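The following script is an added example (not Cisco's tooling and not part of the advisory) that turns the description and the workaround above into a configuration check: it scans a PIX configuration for "established" commands that carry neither permitto nor permitfrom and reports every host that a conduit publishes on the same port, since those hosts become reachable on every port. The sample configurations are constructed for illustration, and the command forms matched (classic PIX syntax: `conduit permit <proto> host <ip> eq <port> any` and `established <proto> <dport> [<sport>] [permitto ...] [permitfrom ...]`), the port ranges used in the hardened variant, and the treatment of a destination port of 0 as "any port" are all assumptions of this example rather than values taken from the page.

```python
"""Audit a Cisco PIX configuration for the conduit + "established" overlap.

Added example, not Cisco's own tooling.  Assumed (simplified) command forms:

    conduit permit <proto> host <ip> eq <port> any
    established <proto> <dport> [<sport>] [permitto <proto> <port>[-<port>]]
                                          [permitfrom <proto> <port>[-<port>]]

An "established" entry with neither permitto nor permitfrom lets the peer of any
matching connection open further connections to every port of the host; a
conduit that lets the outside world make that first connection therefore exposes
the conduit's host on arbitrary ports.
"""
import re
from dataclasses import dataclass

# Constructed sample: a mail server published on tcp/25 through a conduit, plus
# a bare "established" command for the same port (the weak configuration).
WEAK_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 192.0.2.25 10.0.0.25 netmask 255.255.255.255
conduit permit tcp host 192.0.2.25 eq smtp any
established tcp 25
"""

# Same policy with the return connections narrowed by permitto/permitfrom.
# The port values are illustrative assumptions, not Cisco's recommendation.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "established tcp 25",
    "established tcp 25 0 permitto tcp 113 permitfrom tcp 1024-65535",
)

# Service names a conduit may use in place of a number (small subset).
SERVICE_PORTS = {"smtp": "25", "ftp": "21", "www": "80", "http": "80"}

CONDUIT_RE = re.compile(
    r"^conduit\s+permit\s+(?P<proto>tcp|udp)\s+host\s+(?P<host>\S+)"
    r"\s+eq\s+(?P<port>\S+)\s+any\b"
)
ESTABLISHED_RE = re.compile(
    r"^established\s+(?P<proto>tcp|udp)\s+(?P<dport>\d+)(?:\s+(?P<sport>\d+))?(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Conduit:
    proto: str
    host: str
    port: str


@dataclass(frozen=True)
class Established:
    proto: str
    dport: str          # "0" is treated here as "any destination port" (assumption)
    restricted: bool    # True when permitto and/or permitfrom is present
    line: str


def _port(token: str) -> str:
    """Normalise a service name such as 'smtp' to its numeric port."""
    return SERVICE_PORTS.get(token.lower(), token)


def parse_conduits(config: str) -> list[Conduit]:
    out = []
    for line in config.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if m:
            out.append(Conduit(m["proto"], m["host"], _port(m["port"])))
    return out


def parse_established(config: str) -> list[Established]:
    out = []
    for line in config.splitlines():
        m = ESTABLISHED_RE.match(line.strip())
        if m:
            restricted = "permitto" in m["rest"] or "permitfrom" in m["rest"]
            out.append(Established(m["proto"], m["dport"], restricted, line.strip()))
    return out


def find_exposed_hosts(config: str) -> list[tuple[str, str, str]]:
    """Return (host, conduit_port, established_line) for each host that the
    conduit/established combination leaves reachable on arbitrary ports."""
    conduits = parse_conduits(config)
    findings = []
    for est in parse_established(config):
        if est.restricted:
            continue  # return ports are bounded; not the overlap described above
        for c in conduits:
            if c.proto == est.proto and est.dport in ("0", c.port):
                findings.append((c.host, c.port, est.line))
    return findings


def audit(config: str) -> list[str]:
    """Human-readable findings; an empty list means no overlap was found."""
    return [
        f"{host}: conduit allows {port} inbound, but '{line}' then permits any port"
        for host, port, line in find_exposed_hosts(config)
    ]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]", audit(cfg) or "no overlap found")
```

The hardened variant only demonstrates the second half of the workaround (bounding the return ports); the advisory's first recommendation is to not use the established command routinely at all, so a clean audit result on a configuration that still carries established entries is a reason to re-check that the protocol genuinely needs them.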

- Related references

- Vulnerability author

Unknown or Incomplete