Cisco patches firewall security hole

Cisco has been forced to alert users to a potentially devastating problem with its firewall product only days after launching a new security programme.

The networking giant said a software problem involving its Secure PIX Firewall allows a filter designed to protect mail servers behind a firewall to be bypassed.

The admission of the vulnerability comes less than a fortnight after Cisco announced its so-called Safe security strategy, which it is positioning as a "flexible security blueprint" to help organisations reliably and cost-effectively engage in ebusiness. Embarrassingly, a key component of the strategy is the at-risk PIX Firewall.

All users of Cisco Secure PIX Firewalls with software versions up to and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2) that provide access to SMTP (Simple Mail Transfer Protocol) services are at risk.

There is no direct workaround for the problem, which was first reported to Cisco by a customer, but the company is offering users a free software upgrade which will address the vulnerability.

The vulnerability exists because, in certain configurations, the expected filtering of the Mailguard feature of the firewall, which limits SMTP commands, can be circumvented by an attacker.

In a security alert, Cisco said: "The Mailguard feature is intended to help protect weakly secured mail servers. The workaround for this issue is to secure the mail servers themselves, or upgrade to fixed PIX firewall code.

"The potential for exploitation can be lessened by ensuring that mail servers are secured without relying on the PIX functionality."

Deri Jones, of security testers NTA Monitor, said: "Email servers are not under the spotlight in the same way as web servers, and security could be overlooked. It's a common area of security vulnerabilities."

He added that in a recent survey, NTA Monitor found that 38 of mail servers in .gov domains had security weaknesses.

Organisations might use a Cisco firewall to protect a mail server because SMTP protection is not standard but with this problem, Jones explained, they would be given "a warm feeling of safety which isn't real".