Cisco PIX Firewall SMTP Content Filtering Evasion Vulnerability
Description
The Cisco PIX Firewall implements technology that reads the contents of packets passing through it for application-level filtering. In the case of SMTP, it can be configured so only certain SMTP commands can be allowed through (for example, dropping extra functionality, such as HELP or commands that could be a security concern, like EXPN or VRFY).
During communication with the Cisco PIX SMTP proxy server, if the "DATA" command is sent before the more important information is sent, such as "RCPT TO", the proxy will return error 503, saying that RCPT was required. After this, the proxy incorrectly lets all commands through through until recieving the end-of-message indicator. It is then possible for the attacker to issue commands directly to the mail server behind the firewall.
Solution(s)
- smtp-ciscopix-0001
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center