Computerworld

Cisco admits to a hole in PIX firewall

Cisco late last week confirmed a vulnerability in a server it ships with its popular PIX firewall that enables internal users to hack into the Windows NT host and retrieve any files that they know in advance reside there.

Although Cisco has shipped several thousand PIX firewalls over the years, a Cisco spokeswoman said the vendor doesn't know how many users are being put at risk because of the problem. "Hackers must know or discover the names and locations of the files they wish to read," Cisco said in a posting on its Web site.

The vulnerability affects all releases of PIX Firewall Manager up to and including Release 4.2(1). Cisco is offering free software upgrades to all customers that use the product, regardless of contract status, said the posting, which added that subsequent releases will include a fix.

This vulnerability represents Cisco's second firewall-related black eye since June of this year, when the vendor disclosed a problem with the encryption functionality on the PIX firewall.