Novacoast has discovered a vulnerability in the Cisco PIX Firewall Manager software that exposes and records the enable password of the managed PIX device in plaintext. Attackers may use this vulnerability to obtain full access to the PIX firewall.
The tested version is PFM 4.3(2)g. Although the vulnerability is not dependent on the version of the PIX Firewall, this exploit was found with a PIX 5.2(1).
The PIX Firewall Manager (PFM) is a software product that allows the configuration of Cisco PIX
Firewall devices via a web-based GUI. PFM is installed and run on a standard Windows NT workstation or server that serves as the management station. There is a flaw in PFM that upon successful connection to a PIX device, the enable password is saved in plaintext on the management station. The password is recorded in an unencrypted log file stored in a directory created by the install, which by default has no access restrictions. If the management station is compromised, the attacker can retrieve the enable password. This, of course, can be then be used to grant full access to the PIX Firewall.
1) Install PFM as instructed.
2) Run PFM, and connect to the PIX firewall with the correct IP and enable password.
3) Wait for PFM to finish gathering data from the firewall.
4) A PFM.LOG file is created, by default in C:\Program Files\Cisco\PIX Firewall Manager\protect.
5) The enable password is stored in plaintext in an entry that looks like:
Aug 01 2001 14:59:18 - 9004
192.168.1.100 0 0 0 1 5 **enable_pswd_here**
Cisco has stated that PFM should be replaced by the PIX Device Manager product, and thus a fix for this exploit will not be made available. Further product information is located here: http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixdm_ds.htm
Note that an attacker can only successfully use this exploit if they can compromise the management station on which PFM is installed. Administrators should take care that the PFM station, and the inside network on which it resides, should be properly protected behind the PIX firewall. Steps should also be taken to lockdown the management station as best as possible as there exists a number of exploits for the NT platform. If PFM is to be used, restrict the access rights for the directory in which PFM.LOG resides. After connecting to a PIX using PFM, edit the PFM.LOG, search for your PIX enable password, and manually delete it. (Alternatively, delete the file itself, as it does not appear to be essential for the proper function of PFM).
The response from Cisco Product Security IRT:
Cisco strongly recommends that users of its security and other products maintain a process to update the software on their devices and track security related developments concerning their network environment to maintain and improve their security posture.
In regards to this specific exploit, Cisco recommends the following:
Upgrade the software on the PIX device to the version 6.0 or higher. Uninstall PIX Firewall Manager from the NT workstation. Begin using PIX Device Manager for GUI management of the PIX device.
- If, for any reason, a customer is not willing or able to upgrade for whatever reason, we suggest the following:
- Secure the NT workstation running PFM as described above.
Regardless of steps taken to address this specific issue, Cisco *strongly* recommends that all organizations restrict physical and electronic access to all network management stations of any sort as a standard operational process. While a management station may be on a network protected by an Internet Firewall such as PIX, all internal systems should as a rule be additionally protected from other avenues of attack including but not limited to social engineering, internal threats and external access by means other than the firewalled Internet gateway (i.e. modem pools, network fax machines...).
The information has been provided by Florencio Umel.