Details of VAR-200012-0083

ID

VAR-200012-0083

CVE

CVE-2000-1022

TITLE

Cisco Secure PIX Firewall Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200012-055

DESCRIPTION

The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands. Like other firewalls, the Cisco PIX Firewall implements technology that reads the contents of packets passing through it for application-level filtering. In the case of SMTP, it can be configured so only certain smtp commands can be allowed through (for example, dropping extra functionality, such as HELP or commands that could be a security concern, like EXPN or VRFY). When recieving messages, it allows all text through between "data" and "<CR><LF><CR><LF>.<CR><LF>", as this is where the body of the message would normally go and there could be words in it that are smtp commands which shouldn't be filtered. Due to the nature of SMTP and flaws in exceptional condition handling of PIX, it is reportedly possible to evade the smtp command restrictions by tricking the firewall into thinking the body of the message is being sent when it isn't. During communication with an smtp server, if the "data" command is sent before the more important information is sent, such as "rcpt to", the smtp server will return error 503, saying that rcpt was required. The firewall, however, thinks everything is alright and will let everything through until recieving "<CR><LF><CR><LF>.<CR><LF>". It is then possible for the attacker to do whatever he wishes on the email server. An old vulnerability that allowed for bypassing of SMTP content filtering has been re-introduced into PIX firmware. This vulnerability is archived in the SecurityFocus vulnerability database as Bugtraq ID: 1698

Trust: 1.53

sources: NVD: CVE-2000-1022 // BID: 1698 // BID: 3365 // VULHUB: VHN-2592

AFFECTED PRODUCTS

vendor:	cisco	model:	pix firewall software	scope:	eq	version:	4.2\(2\)	Trust: 1.6
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	4.2\(5\)	Trust: 1.6
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	5.1	Trust: 1.0
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	4.3	Trust: 1.0
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	5.2	Trust: 1.0
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	4.2\(1\)	Trust: 1.0
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	4.4\(4\)	Trust: 1.0
vendor:	cisco	model:	pix firewall software	scope:	eq	version:	5.0	Trust: 1.0
vendor:	cisco	model:	pix firewall	scope:	eq	version:	5.2	Trust: 0.9
vendor:	cisco	model:	pix firewall	scope:	eq	version:	5.1	Trust: 0.9
vendor:	cisco	model:	pix firewall	scope:	eq	version:	5.0	Trust: 0.9
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.3	Trust: 0.9
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.4(4)	Trust: 0.6
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.4\(4\)	Trust: 0.6
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.2\(5\)	Trust: 0.6
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.2\(2\)	Trust: 0.6
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.2\(1\)	Trust: 0.6
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.2.2	Trust: 0.3
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.2(5)	Trust: 0.3
vendor:	cisco	model:	pix firewall	scope:	eq	version:	6.0(1)	Trust: 0.3
vendor:	cisco	model:	pix firewall	scope:	eq	version:	5.2(3.210)	Trust: 0.3
vendor:	cisco	model:	pix firewall	scope:	eq	version:	5.1(4.206)	Trust: 0.3
vendor:	cisco	model:	pix firewall	scope:	eq	version:	4.4(7.202)	Trust: 0.3

sources: BID: 1698 // BID: 3365 // CNNVD: CNNVD-200012-055 // NVD: CVE-2000-1022

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2000-1022
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-200012-055
value:	HIGH
Trust: 0.6
VULHUB:	VHN-2592
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2000-1022
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-2592
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-2592 // CNNVD: CNNVD-200012-055 // NVD: CVE-2000-1022

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-1022

THREAT TYPE

network

Trust: 0.6

sources: BID: 1698 // BID: 3365

TYPE

Failure to Handle Exceptional Conditions

Trust: 0.6

sources: BID: 1698 // BID: 3365

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-2592

EXTERNAL IDS

db:	BID	id:	1698	Trust: 2.3
db:	NVD	id:	CVE-2000-1022	Trust: 1.7
db:	CNNVD	id:	CNNVD-200012-055	Trust: 0.7
db:	CISCO	id:	20001005 CISCO SECURE PIX FIREWALL MAILGUARD VULNERABILITY	Trust: 0.6
db:	XF	id:	5277	Trust: 0.6
db:	BUGTRAQ	id:	20000919 CISCO PIX FIREWALL (SMTP CONTENT FILTERING HACK)	Trust: 0.6
db:	BUGTRAQ	id:	20000920 RE: CISCO PIX FIREWALL (SMTP CONTENT FILTERING HACK) - VERSION 4.2(1) NOT EXPLOITABLE	Trust: 0.6
db:	BID	id:	3365	Trust: 0.3
db:	SEEBUG	id:	SSVID-74116	Trust: 0.1
db:	EXPLOIT-DB	id:	20231	Trust: 0.1
db:	VULHUB	id:	VHN-2592	Trust: 0.1

sources: VULHUB: VHN-2592 // BID: 1698 // BID: 3365 // CNNVD: CNNVD-200012-055 // NVD: CVE-2000-1022

REFERENCES

url:	http://www.securityfocus.com/bid/1698	Trust: 1.7
url:	http://archives.neohapsis.com/archives/bugtraq/2000-09/0222.html	Trust: 1.7
url:	http://archives.neohapsis.com/archives/bugtraq/2000-09/0241.html	Trust: 1.7
url:	http://www.cisco.com/warp/public/707/pixfirewallsmtpfilter-pub.shtml	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/5277	Trust: 1.1
url:	http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/	Trust: 0.6
url:	http://xforce.iss.net/static/5277.php	Trust: 0.6
url:	http://www.cisco.com/warp/public/707/sec_incident_response.shtml	Trust: 0.3
url:	http://www5.securityfocus.com/bid/1698	Trust: 0.3
url:	http://www.cisco.com/warp/public/707/pixfirewallsmtpfilter-regression-pub.shtml	Trust: 0.3

sources: VULHUB: VHN-2592 // BID: 1698 // BID: 3365 // CNNVD: CNNVD-200012-055 // NVD: CVE-2000-1022

CREDITS

Issue (SMTP Conent-filtering evasion) first brought up on Bugtraq by Lincoln Yeoh <lyeoh@pop.jaring.my> on July 9, 2000. First PIX specific information posted to Bugtraq by naif <naif@inet.it> on September 19, 2000.

Trust: 0.3

sources: BID: 1698

SOURCES

db:	VULHUB	id:	VHN-2592
db:	BID	id:	1698
db:	BID	id:	3365
db:	CNNVD	id:	CNNVD-200012-055
db:	NVD	id:	CVE-2000-1022

LAST UPDATE DATE

2024-08-14T14:59:34.966000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-2592	date:	2018-10-30T00:00:00
db:	BID	id:	1698	date:	2000-09-19T00:00:00
db:	BID	id:	3365	date:	2001-09-26T00:00:00
db:	CNNVD	id:	CNNVD-200012-055	date:	2005-05-02T00:00:00
db:	NVD	id:	CVE-2000-1022	date:	2018-10-30T16:26:17.700

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-2592	date:	2000-12-11T00:00:00
db:	BID	id:	1698	date:	2000-09-19T00:00:00
db:	BID	id:	3365	date:	2001-09-26T00:00:00
db:	CNNVD	id:	CNNVD-200012-055	date:	2000-12-11T00:00:00
db:	NVD	id:	CVE-2000-1022	date:	2000-12-11T05:00:00