VYPR
Unrated severity · NVD Advisory · Published Oct 10, 2001 · Updated Apr 16, 2026

CVE-2001-1098

Description

Cisco PIX Firewall Manager 4.3(2)g logs the enable password in plaintext in pfm.log, allowing local users to gain administrative access to the firewall.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Cisco PIX Firewall Manager (PFM) version 4.3(2)g stores the enable password for the managed PIX firewall in plaintext in the pfm.log file on the Windows NT management workstation [1]. No encryption or obfuscation is applied to the password before logging [1].

Exploitation

An attacker must first obtain access to a local user account on the Windows NT workstation running PFM [1]. Once logged in, the attacker can read the pfm.log file, which is stored in a location accessible to all local users [1]. Retrieving the plaintext enable password grants the attacker the ability to authenticate to the target Cisco PIX firewall [1].

Impact

A local attacker who successfully reads the enable password from the log file can gain full administrative access to the Cisco PIX firewall [1]. With this privileged access, the attacker can perform any action that the legitimate firewall administrator could perform, including modifying firewall rules, disabling security policies, or exfiltrating network traffic [1].

Mitigation

Cisco recommends using PIX Device Manager instead of PFM for management [1]. Additionally, PIX firewalls running software version 6.0 or later are not affected by this vulnerability [1]. Organizations that must continue using PFM should restrict local access to the management workstation and ensure that pfm.log file permissions are set to limit readability to only authorized administrators [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:cisco:pix_firewall_manager:4.3\(2\)g:*:*:*:*:*:*:*
  • (no CPE) range: =4.3(2)g

Patches

0

No patches discovered yet.

References

4
