1. About This Report
1.1. Organisation
1.2. Conventions
2. Security Audit
2.1. Introduction
2.2. Software Version
2.3. Dictionary-based Password / Key
2.4. Weak Password / Key
2.5. Simple Network Management Protocol
2.6. SSH Protocol Version
2.7. Conclusions
3. Device Configuration
3.1. Introduction
3.2. General
3.3. Services
3.4. User Accounts and Privileges
3.5. Simple Network Management Protocol
3.6. Secure Shell
3.7. HyperText Transfer Protocol
3.8. Interfaces
3.9. Protocol Inspection
4. Appendix
4.1. Abbreviations
4.2. Common Ports
4.3. Logging Severity Levels
4.4. Time Zones
4.5. Nipper Details
1. About This Report
1.1. Organisation
This report on the Cisco Private Internet Exchange (PIX) Firewall device chicken was produced by Nipper on Saturday 22 March 2008. The report contains the following sections:
- a security audit report section that details any identified security-related issues. Each security issue includes a description of the issue, its impact, how easy it would be to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to resolve the issue;
- a configuration report section that details the configuration settings;
- an abbreviations appendix section that expands any abbreviations used within the report;
- a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
- an appendix section detailing the logging severity levels used by the logging facility;
- a time zones appendix section that details a number of the most commonly used time zones;
- an appendix section detailing the software used to produce this report.
1.2. Conventions
This report makes use of the text conventions outlined in Table 1.
Table 1: Report text conventions
| Convention | Description |
| command | This text style represents Cisco PIX Firewall command text that has to be entered literally. |
| string | This text style represents Cisco PIX Firewall command text that you have to supply, such as a name or an address. |
| [ ] | Used to enclose an optional part of a Cisco PIX Firewall command. |
| { } | Used to enclose a required part of a Cisco PIX Firewall command. |
| | | Divides command option or requirement choices. |
2. Security Audit
2.1. Introduction
Nipper performed a security audit of the Cisco PIX Firewall device chicken on Saturday 22 March 2008. This section details the findings of the security audit together with their impact and recommendations.
2.2. Software Version
Observation: It is critically important that software be regularly maintained with patches and upgrades in order to mitigate the risk of an attacker exploiting a known software vulnerability. Furthermore, additional security features and other functionality are normally added or extended with each software revision.
Nipper determined that the Cisco PIX Firewall chicken was running the out-of-date software PIX version 6.3(5).
Nipper identified a potential vulnerability in PIX version 6.3(5) which is described in various vulnerability databases as "Multiple remote denial of service" (CVE reference CVE-2007-0962 and Bugtraq ID 22561). It is worth noting that Nipper used the version number detailed in the device configuration to identify the potential vulnerabilities, and patches may already have been applied. Additionally, a specific device configuration may be required for the device to become vulnerable.
Impact: The vulnerability outlined above could allow an attacker to perform a Denial of Service (DoS) attack against chicken.
Ease: Exploit code is widely available on the Internet for known Cisco PIX Firewall vulnerabilities.
Recommendation: Nipper strongly recommends that the software be updated and patched to the latest software version. Furthermore, Nipper recommends that the current patch policy be reviewed. Before acting on this finding, confirm the image actually running with the show version command, since the version above was read from the configuration file rather than from the device itself.
2.3. Dictionary-based Password / Key
Observation: Attackers will often have dictionaries of words that contain names, places, default passwords and other common passwords. If a password or key is likely to be contained within an attacker's dictionary, they could gain access to the system.
The passwords and keys of the device chicken were tested against a small dictionary and one password / key was identified: the read-only Simple Network Management Protocol (SNMP) community string was public, which is the default read-only community string on many SNMP implementations.
Impact: An attacker who was able to identify a password or key would gain a level of access to the device determined by the service the password / key is used for; with the read-only community string, that is the ability to read the management information chicken exposes over SNMP.
Ease: Tools are available on the Internet that can perform dictionary-based password guessing against a number of network services, and public is a standard entry in SNMP wordlists.
Recommendation: Nipper strongly recommends that the password identified be changed immediately to something that is more difficult to guess. Nipper recommends that passwords be at least eight characters in length and contain letters (uppercase or lowercase) and numbers.
2.4. Weak Password / Key
Observation: Strong passwords tend to contain a number of different types of character, such as uppercase and lowercase letters, numbers and punctuation characters. Weaker passwords tend not to contain a mixture of character types, and tend to be short.
Nipper identified one password / key that did not meet the minimum password complexity requirements: the read-only SNMP community string was public (six lowercase letters and no numbers).
Impact: If an attacker were able to obtain a password or key, either through dictionary-based guessing or by brute force, the attacker could gain a level of access to chicken.
Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.
Recommendation: Nipper strongly recommends that the weak password be changed immediately to one that is stronger. Nipper recommends that passwords be at least eight characters in length and contain letters (uppercase or lowercase) and numbers.
2.5. Simple Network Management Protocol
Observation: Cisco PIX Firewall devices support only SNMP protocol versions 1 and 2c. Nipper determined that SNMP was configured on chicken.
Impact: Because SNMP protocol versions 1 and 2c carry the community string and all management data without encryption, an attacker who was able to monitor network traffic could capture device configuration settings, including authentication details.
Ease: Network packet monitoring and capture tools are widely available on the Internet and SNMP tools are included as standard with some operating systems.
Recommendation: On Cisco PIX Firewall devices, SNMP version 3 with auth and priv authentication cannot be configured. Therefore, Nipper recommends that, if not required, SNMP be disabled. Where SNMP polling is required, restrict it to the management stations listed with snmp-server host and change the community string (see 2.3 and 2.4). SNMP access to chicken can be disabled with the following command:
no snmp-server enable
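To make the Impact above concrete, the following is an added example (it is not Nipper's code and not anything taken from the device): it builds an SNMPv1 GetRequest of the kind a management station would send to chicken and then recovers the community string from the raw bytes with a small BER decoder, which is all a passive observer on the path needs to do. The management station, the request ID and the captured packet are constructed for the example; the OID 1.3.6.1.2.1.1.1.0 is the standard sysDescr.0 object and the community string is the one in Table 5.

```python
"""Added example, not Nipper's or the device's code: builds an SNMPv1
GetRequest and then parses the community string back out of the bytes.
The BER encoder/decoder is minimal and assumes definite lengths and
non-negative integers, which is enough for SNMPv1/v2c headers."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}
SNMP_VERSIONS = {0: "1", 1: "2c", 3: "3"}


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; padded so the sign bit stays clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return tlv(0x02, body)


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, *oids, version=0, request_id=1):
    """SNMPv1 (version=0) or SNMPv2c (version=1) GetRequest for the given OIDs."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds)
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + tlv(0xA0, pdu))


def ber_read(buf, pos=0):
    """Decode one TLV at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """What a sniffer sees: version, community string, PDU type and OIDs."""
    tag, msg, _ = ber_read(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = ber_read(msg)
    _, community, pos = ber_read(msg, pos)
    pdu_tag, pdu, _ = ber_read(msg, pos)
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, pos = ber_read(pdu, pos)
    _, varbinds, _ = ber_read(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = ber_read(varbinds, pos)
        _, oid_raw, _ = ber_read(vb)
        oids.append(decode_oid(oid_raw))
    return {"version": SNMP_VERSIONS.get(int.from_bytes(ver, "big"), "?"),
            "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "oids": oids}


# Constructed capture: a manager polling sysDescr.0 on chicken with the
# read-only community string from Table 5.
CAPTURED = build_get_request("public", "1.3.6.1.2.1.1.1.0")

if __name__ == "__main__":
    print(CAPTURED.hex())
    print(parse_snmp(CAPTURED))
```

The hex dump shows 7075626c6963 ("public") seven bytes into the datagram, with nothing protecting it; passing version=1 produces an SNMPv2c message with exactly the same exposure. This is why changing the community string (2.3 and 2.4) does not remove this finding, and only disabling SNMP or restricting it to trusted management stations does.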
2.6. SSH Protocol Version
Observation: The Secure Shell (SSH) service is commonly used for encrypted command-line remote device management. There are multiple SSH protocol versions and SSH servers will often support more than one to maintain backwards compatibility. Although flaws have been identified in implementations of version 2 of the SSH protocol, version 1 of the protocol has fundamental design flaws.
Nipper determined that chicken accepted version 1 of the SSH protocol.
Impact: An attacker who was able to intercept SSH protocol version 1 traffic could perform a man-in-the-middle attack and then capture the session, including any authentication credentials passed over it.
Ease: Although the vulnerabilities are widely known, exploiting the vulnerabilities in the SSH protocol can be difficult.
Recommendation: Nipper recommends that the SSH service be configured to support only version 2 of the SSH protocol. Version 2 of the SSH protocol can be configured with the following command:
ssh version 2
However, it is worth noting that this command was introduced with Cisco PIX Firewall software version 7.0(1); PIX 6.3(5) supports SSH version 1 only, so a software upgrade is required before this recommendation can be applied.
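The checks in sections 2.3 to 2.6 can be reproduced over a configuration file. The following is an added example written for this report (it is not Nipper's code): it parses a PIX configuration and applies the dictionary, complexity, SNMP and SSH-version tests described above, then runs them against two constructed configurations, one reproducing the settings reported for chicken and one remediated as recommended. The wordlist, the function names and both configuration texts are assumptions made for the example; the rule that ssh version exists only from 7.0(1) follows the note above.

```python
"""Added example, not Nipper's own code: re-implements the checks from
sections 2.3 to 2.6 (dictionary-based key, weak key, SNMP v1/v2c
configured, SSH-1 accepted) as functions over a PIX configuration text.
Assumes the plain-text 'write terminal' form and a version string 'N.N(x)'."""
import re

# Constructed sample reflecting the settings reported for chicken (PIX 6.3(5),
# read-only community 'public', SSH enabled; 6.3 has no 'ssh version' command).
WEAK_CONFIG = """\
PIX Version 6.3(5)
hostname chicken
domain-name titania.co.uk
snmp-server community public
snmp-server enable traps
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
http server enable
"""

# Constructed remediated configuration: 7.0(1) image, SSH-2 only and SNMP not
# configured, so none of the checks below fire.
FIXED_CONFIG = """\
PIX Version 7.0(1)
hostname chicken
domain-name titania.co.uk
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
http server enable
"""

# Small constructed wordlist standing in for the dictionary Nipper used.
DICTIONARY = {"public", "private", "cisco", "admin", "password", "secret"}
MIN_LENGTH = 8  # the report's minimum length recommendation


def parse_pix_config(text):
    """Collect the few settings the checks need from a PIX configuration."""
    cfg = {"version": None, "communities": [], "snmp_configured": False,
           "ssh_version": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"PIX Version (\d+\.\d+\(\d+\))", line):
            cfg["version"] = m.group(1)
        elif m := re.match(r"snmp-server community (\S+)", line):
            cfg["communities"].append(m.group(1))
            cfg["snmp_configured"] = True
        elif line.startswith("snmp-server host "):
            cfg["snmp_configured"] = True
        elif m := re.match(r"ssh version (\d)", line):
            cfg["ssh_version"] = int(m.group(1))
    return cfg


def in_dictionary(secret, wordlist=DICTIONARY):
    """Section 2.3: the key appears in a wordlist (case-insensitively)."""
    return secret.lower() in wordlist


def meets_complexity(secret):
    """Section 2.4: at least eight characters containing letters and digits."""
    return (len(secret) >= MIN_LENGTH
            and any(c.isalpha() for c in secret)
            and any(c.isdigit() for c in secret))


def ssh_versions(cfg):
    """Section 2.6: SSH protocol versions the device will accept. Releases
    before 7.0(1) have no 'ssh version' command and speak SSH-1 only; from
    7.0(1) an absent command means both versions are accepted."""
    if not cfg["version"]:
        return {1, 2}  # unknown image: assume the worst
    major, minor = (int(x) for x in re.match(r"(\d+)\.(\d+)", cfg["version"]).groups())
    if (major, minor) < (7, 0):
        return {1}
    return {cfg["ssh_version"]} if cfg["ssh_version"] else {1, 2}


def audit(text):
    """Run the checks and return (finding-id, detail) pairs in report order."""
    cfg = parse_pix_config(text)
    findings = []
    for community in cfg["communities"]:
        if in_dictionary(community):
            findings.append(("dictionary", f"SNMP community {community!r} is in the wordlist"))
        if not meets_complexity(community):
            findings.append(("weak", f"SNMP community {community!r} fails the complexity rule"))
    if cfg["snmp_configured"]:
        findings.append(("snmp-cleartext", "SNMP v1/v2c configured; management traffic is unencrypted"))
    if 1 in ssh_versions(cfg):
        findings.append(("ssh-v1", f"SSH-1 accepted on PIX {cfg['version']}"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(text))
```

Running it reports the four findings from 2.3 to 2.6 for the first configuration and nothing for the second. Note that the SSH check is driven by the image version rather than by any ssh line, which is the point of the caveat above: on 6.3(5) no configuration change removes the SSH-1 finding.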
2.7. Conclusions
Nipper performed a security audit of the Cisco PIX Firewall device chicken on Saturday 22 March 2008 and identified five security-related issues. Nipper determined that:
- the software version was out of date;
- dictionary-based passwords / keys were in use;
- weak passwords / keys were identified;
- clear-text remote administration was enabled using SNMP;
- SSH protocol version 1 was configured.
3. Device Configuration
3.1. Introduction
This section details the configuration settings of the Cisco PIX Firewall device chicken.
3.2. General
Table 2: General device settings
| Description | Setting |
| Hostname | chicken |
| Domain Name | titania.co.uk |
| PIX Version | 6.3(5) |
| Transparent Firewall | No |
| Flood Guard | Enabled |
3.3. Services
Table 3: Device services
| Service | Status |
| SNMP Server | Enabled |
| HTTPS Server | Enabled |
3.4. User Accounts and Privileges
The configured logon password was stored as the encrypted value 2KFQnbNIdI.2KYOU. It is worth noting that this is the value a factory-default PIX configuration carries for the logon password (passwd cisco), and that the level 15 enable password value in Table 4 is likewise the one a default configuration carries for an empty enable password. Both should be verified and, if they are still the defaults, changed immediately.
Table 4: Enable Passwords
| Level | Encrypted Password |
| 15 | 8Ry2YjIyt7RRXU24 |
3.5. Simple Network Management Protocol
SNMP is widely used to assist network administrators in monitoring and managing a variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2c of SNMP are secured only by a community string, which is transmitted, together with all management data, with no encryption. SNMP version 3 provides three security levels. No-Auth access requires only a username and provides no encryption. Auth access (the auth keyword) authenticates each message with a keyed hash, but the SNMP data is still transmitted with no encryption. Auth and Priv access (the auth and priv keywords) both authenticates the messages and encrypts the SNMP data. However, the Cisco PIX Firewall currently supports only SNMP versions 1 and 2c.
Table 5: General SNMP service configuration
| Description | Setting |
| SNMP Server | Enabled |
| UDP Port | 161 |
| Community String | public |
| Contact | |
| Location | |
Table 6: SNMP traps
| Type | Trap |
| snmp | authentication |
| snmp | linkup |
| snmp | linkdown |
| snmp | coldstart |
3.6. Secure Shell
Table 7: SSH configuration
| Description | Setting |
| Protocol Version | 1 |
| Session Timeout | 5 minutes |
3.7. HyperText Transfer Protocol
Table 8: HTTP configuration
| Description | Setting |
| HTTPS Server | Enabled |
| HTTPS Server Port | 443 |
| HTTP Redirect | Disabled |
3.8. Interfaces
Table 9: Interfaces
| Interface | Name | Shutdown | IP Address | Net Mask | Security | uRPF | In ACL | Out ACL |
| ethernet0 | outside | No | 10.20.0.70 | 255.255.255.0 | 0 | No | | |
| ethernet1 | inside | No | 192.168.0.10 | 255.255.255.0 | 100 | No | | |
Neither interface has an access list bound in either direction and unicast Reverse Path Forwarding (uRPF) is disabled on both, so traffic between them is governed only by the interface security levels (outside 0, inside 100).
3.9. Protocol Inspection
Cisco firewall devices are capable of inspecting protocol traffic such as Domain Name System (DNS), HTTP and Simple Mail Transfer Protocol (SMTP). This allows traffic to be filtered based on the protocol and can prevent a number of attacks. For example, the SMTP filter can prevent certain SMTP commands from being executed.
Table 10: Protocols inspected
| Protocol | Inspect | Option |
| dns | Yes | maximum-length 512 |
| ftp | Yes | 21 |
| h323 | Yes | h225 1720 |
| h323 | Yes | ras 1718-1719 |
| http | Yes | 80 |
| rsh | Yes | 514 |
| rtsp | Yes | 554 |
| sip | Yes | 5060 |
| sip | Yes | udp 5060 |
| skinny | Yes | 2000 |
| smtp | Yes | 25 |
| sqlnet | Yes | 1521 |
| tftp | Yes | 69 |
4. Appendix
4.1. Abbreviations
| Abbreviation | Expansion |
| ACL | Access Control List |
| BID | Bugtraq ID |
| CVE | Common Vulnerabilities and Exposures |
| DNS | Domain Name System |
| DoS | Denial of Service |
| FTP | File Transfer Protocol |
| HTTP | HyperText Transfer Protocol |
| HTTPS | HyperText Transfer Protocol over SSL |
| IP | Internet Protocol |
| MTU | Maximum Transmission Unit |
| PIX | Private Internet Exchange |
| SIP | Session Initiation Protocol |
| SNMP | Simple Network Management Protocol |
| SMTP | Simple Mail Transfer Protocol |
| SQLNet | Structured Query Language Network |
| SSH | Secure Shell |
| SSL | Secure Sockets Layer |
| TFTP | Trivial File Transfer Protocol |
4.2. Common Ports
Table 11: Common ports
| Service | Port |
| FTP | 21 |
| SSH | 22 |
| SMTP | 25 |
| TFTP | 69 |
| HTTP | 80 |
| SNMP | 161 |
| HTTPS | 443 |
| RSH | 514 |
| SQLNet | 1521 |
| H323 | 1720 |
4.3. Logging Severity Levels
Table 12: Logging message severity levels
| Level | Level Name | Description |
| 0 | Emergencies | System is unusable |
| 1 | Alerts | Immediate action is required |
| 2 | Critical | Critical conditions |
| 3 | Errors | Error conditions |
| 4 | Warnings | Warning conditions |
| 5 | Notifications | Significant conditions |
| 6 | Informational | Informational messages |
| 7 | Debugging | Debugging messages |
4.4. Time Zones
Table 13: Common time zone acronyms
| Region | Acronym | Time Zone | UTC Offset |
| Australia | CST | Central Standard Time | +9.5 hours |
| Australia | EST | Eastern Standard Time | +10 hours |
| Australia | WST | Western Standard Time | +8 hours |
| Europe | BST | British Summer Time | +1 hour |
| Europe | CEST | Central European Summer Time | +2 hours |
| Europe | CET | Central European Time | +1 hour |
| Europe | EEST | Eastern European Summer Time | +3 hours |
| Europe | EET | Eastern European Time | +2 hours |
| Europe | GMT | Greenwich Mean Time | 0 hours |
| Europe | IST | Irish Summer Time | +1 hour |
| Europe | MSK | Moscow Time | +3 hours |
| Europe | WEST | Western European Summer Time | +1 hour |
| Europe | WET | Western European Time | 0 hours |
| USA and Canada | ADT | Atlantic Daylight Time | -3 hours |
| USA and Canada | AKDT | Alaska Daylight Time | -8 hours |
| USA and Canada | AKST | Alaska Standard Time | -9 hours |
| USA and Canada | AST | Atlantic Standard Time | -4 hours |
| USA and Canada | CDT | Central Daylight Time | -5 hours |
| USA and Canada | CST | Central Standard Time | -6 hours |
| USA and Canada | EDT | Eastern Daylight Time | -4 hours |
| USA and Canada | EST | Eastern Standard Time | -5 hours |
| USA and Canada | HST | Hawaii Standard Time | -10 hours |
| USA and Canada | MDT | Mountain Daylight Time | -6 hours |
| USA and Canada | MST | Mountain Standard Time | -7 hours |
| USA and Canada | PDT | Pacific Daylight Time | -7 hours |
| USA and Canada | PST | Pacific Standard Time | -8 hours |
4.5. Nipper Details
This report was generated using Nipper version 0.11.5. Nipper is an open source tool designed to assist security professionals and network system administrators in securely configuring network infrastructure devices. The latest version of Nipper can be found at the following URL:
http://nipper.sourceforge.net.