VARIoT IoT vulnerabilities database
| VAR-201007-0247 | CVE-2010-2659 | Opera Vulnerability where important information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Opera before 10.50 on Windows, before 10.52 on Mac OS X, and before 10.60 on UNIX platforms makes widget properties accessible to third-party domains, which allows remote attackers to obtain potentially sensitive information via a crafted web site. Opera Web Browser is prone to multiple security vulnerabilities, including:
Multiple denial-of-service vulnerabilities
A security-bypass vulnerability
An information-disclosure vulnerability
An attacker can exploit these issues to cause a denial-of-service condition, gain access to sensitive information and bypass certain security restrictions. Other attacks are also possible.
Versions prior to Opera 10.60 are vulnerable. It supports multi-window browsing and a customizable user interface. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Opera: Multiple vulnerabilities
Date: June 15, 2012
Bugs: #264831, #283391, #290862, #293902, #294208, #294680,
#308069, #324189, #325199, #326413, #332449, #348874,
#352750, #367837, #373289, #381275, #386217, #387137,
#393395, #409857, #415379, #421075
ID: 201206-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Opera, the worst of which
allow for the execution of arbitrary code.
Background
==========
Opera is a fast web browser that is available free of charge.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/opera < 12.00.1467 >= 12.00.1467
Description
===========
Multiple vulnerabilities have been discovered in Opera. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted web
page, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition. A remote
attacker may be able to: trick users into downloading and executing
arbitrary files, bypass intended access restrictions, spoof trusted
content, spoof URLs, bypass the Same Origin Policy, obtain sensitive
information, force subscriptions to arbitrary feeds, bypass the popup
blocker, bypass CSS filtering, conduct cross-site scripting attacks, or
have other unknown impact.
A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application or
possibly obtain sensitive information.
A physically proximate attacker may be able to access an email account.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Opera users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-12.00.1467"
References
==========
[ 1 ] CVE-2009-1234
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1234
[ 2 ] CVE-2009-2059
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2059
[ 3 ] CVE-2009-2063
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2063
[ 4 ] CVE-2009-2067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2067
[ 5 ] CVE-2009-2070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2070
[ 6 ] CVE-2009-3013
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3013
[ 7 ] CVE-2009-3044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3044
[ 8 ] CVE-2009-3045
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3045
[ 9 ] CVE-2009-3046
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3046
[ 10 ] CVE-2009-3047
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3047
[ 11 ] CVE-2009-3048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3048
[ 12 ] CVE-2009-3049
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3049
[ 13 ] CVE-2009-3831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3831
[ 14 ] CVE-2009-4071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4071
[ 15 ] CVE-2009-4072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4072
[ 16 ] CVE-2010-0653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0653
[ 17 ] CVE-2010-1349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1349
[ 18 ] CVE-2010-1989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1989
[ 19 ] CVE-2010-1993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1993
[ 20 ] CVE-2010-2121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2121
[ 21 ] CVE-2010-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2421
[ 22 ] CVE-2010-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2455
[ 23 ] CVE-2010-2576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2576
[ 24 ] CVE-2010-2658
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2658
[ 25 ] CVE-2010-2659
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2659
[ 26 ] CVE-2010-2660
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2660
[ 27 ] CVE-2010-2661
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2661
[ 28 ] CVE-2010-2662
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2662
[ 29 ] CVE-2010-2663
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2663
[ 30 ] CVE-2010-2664
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2664
[ 31 ] CVE-2010-2665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2665
[ 32 ] CVE-2010-3019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3019
[ 33 ] CVE-2010-3020
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3020
[ 34 ] CVE-2010-3021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3021
[ 35 ] CVE-2010-4579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4579
[ 36 ] CVE-2010-4580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4580
[ 37 ] CVE-2010-4581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4581
[ 38 ] CVE-2010-4582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4582
[ 39 ] CVE-2010-4583
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4583
[ 40 ] CVE-2010-4584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4584
[ 41 ] CVE-2010-4585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4585
[ 42 ] CVE-2010-4586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4586
[ 43 ] CVE-2011-0681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0681
[ 44 ] CVE-2011-0682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0682
[ 45 ] CVE-2011-0683
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0683
[ 46 ] CVE-2011-0684
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0684
[ 47 ] CVE-2011-0685
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0685
[ 48 ] CVE-2011-0686
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0686
[ 49 ] CVE-2011-0687
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0687
[ 50 ] CVE-2011-1337
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1337
[ 51 ] CVE-2011-1824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1824
[ 52 ] CVE-2011-2609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2609
[ 53 ] CVE-2011-2610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2610
[ 54 ] CVE-2011-2611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2611
[ 55 ] CVE-2011-2612
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2612
[ 56 ] CVE-2011-2613
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2613
[ 57 ] CVE-2011-2614
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2614
[ 58 ] CVE-2011-2615
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2615
[ 59 ] CVE-2011-2616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2616
[ 60 ] CVE-2011-2617
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2617
[ 61 ] CVE-2011-2618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2618
[ 62 ] CVE-2011-2619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2619
[ 63 ] CVE-2011-2620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2620
[ 64 ] CVE-2011-2621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2621
[ 65 ] CVE-2011-2622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2622
[ 66 ] CVE-2011-2623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2623
[ 67 ] CVE-2011-2624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2624
[ 68 ] CVE-2011-2625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2625
[ 69 ] CVE-2011-2626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2626
[ 70 ] CVE-2011-2627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2627
[ 71 ] CVE-2011-2628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2628
[ 72 ] CVE-2011-2629
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2629
[ 73 ] CVE-2011-2630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2630
[ 74 ] CVE-2011-2631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2631
[ 75 ] CVE-2011-2632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2632
[ 76 ] CVE-2011-2633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2633
[ 77 ] CVE-2011-2634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2634
[ 78 ] CVE-2011-2635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2635
[ 79 ] CVE-2011-2636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2636
[ 80 ] CVE-2011-2637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2637
[ 81 ] CVE-2011-2638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2638
[ 82 ] CVE-2011-2639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2639
[ 83 ] CVE-2011-2640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2640
[ 84 ] CVE-2011-2641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2641
[ 85 ] CVE-2011-3388
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3388
[ 86 ] CVE-2011-4065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4065
[ 87 ] CVE-2011-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4681
[ 88 ] CVE-2011-4682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4682
[ 89 ] CVE-2011-4683
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4683
[ 90 ] CVE-2012-1924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1924
[ 91 ] CVE-2012-1925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1925
[ 92 ] CVE-2012-1926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1926
[ 93 ] CVE-2012-1927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1927
[ 94 ] CVE-2012-1928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1928
[ 95 ] CVE-2012-1930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1930
[ 96 ] CVE-2012-1931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1931
[ 97 ] CVE-2012-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3555
[ 98 ] CVE-2012-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3556
[ 99 ] CVE-2012-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3557
[ 100 ] CVE-2012-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3558
[ 101 ] CVE-2012-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3560
[ 102 ] CVE-2012-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3561
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201006-0505 | No CVE | NETGEAR WG602v4 Management Password Remote Stack Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
NETGEAR WG602v4 is a wireless router device. The verification process in the WEB interface of the NETGEAR WG602v4 device has a buffer overflow, and an attacker can exploit the vulnerability to stop the device from responding. The auth_authorize() function handles this process by submitting an administrator password of more than 128 characters to trigger a buffer overflow. The NETGEAR WG602v4 is prone to a remote stack-based buffer-overflow vulnerability because the device fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will result in a denial-of-service condition
| VAR-201101-0004 | CVE-2009-5037 |
Cisco Adaptive Security Appliances Service disruption on devices (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201005-1242 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Adaptive Security Appliances (ASA) 5500 series devices with software before 8.2(3) allow remote attackers to cause a denial of service (ASDM syslog outage) via a long URL, aka Bug IDs CSCsm11264 and CSCtb92911. The problem is Bug IDs CSCsm11264 and CSCtb92911 It is a problem.Too long by a third party URL Through service disruption (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to cause the affected device to reload, denying service to legitimate users.
This issue is documented in Cisco bug IDs CSCsm11264 and CSCtb92911
| VAR-201005-0138 | CVE-2010-2082 | Cisco Scientific Atlanta WebSTAR DPC2100R2 Cable modem Web Privileged vulnerability in interface |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 has a default administrative password (aka SAPassword) of W2402, which makes it easier for remote attackers to obtain privileged access. The Cisco DPC2100 is a small cable modem
| VAR-201005-0064 | CVE-2010-0595 | Cisco Mediator Framework Vulnerabilities that gain access privileges |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. The problem is Bug ID : CSCtb83495 It is a problem.Access rights may be obtained by a third party. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are
affected by all vulnerabilities listed in this security advisory.
This table provides information about affected software releases:
+---------------------------------------+
| Cisco Bug | Affects Software |
| ID | Releases |
|-------------+-------------------------|
| CSCtb83495 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83607 | 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83618 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83631 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83505 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83512 | 1.5.1, 2.2, 3.0.8 |
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
| VAR-201005-0905 | CVE-2010-0595 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The problem is Bug ID : CSCtb83495 It is a problem.Access rights may be obtained by a third party. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. Remote attackers can easily gain access. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are
affected by all vulnerabilities listed in this security advisory.
This table provides information about affected software releases:
+---------------------------------------+
| Cisco Bug | Affects Software |
| ID | Releases |
|-------------+-------------------------|
| CSCtb83495 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83607 | 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83618 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83631 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83505 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83512 | 1.5.1, 2.2, 3.0.8 |
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0904 | CVE-2010-0596 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Mediator Framework 2.2 before 2.2.1.dev.1 and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges, via a (1) HTTP or (2) HTTPS request, aka Bug ID CSCtb83607. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. This issue is tracked by Cisco Bug ID CSCtb83607.
An authenticated attacker can exploit this issue to read and modify configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected computer or aid in further attacks. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this
vulnerability can be exploited to reload the affected device. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0903 | CVE-2010-0597 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges or cause a denial of service (device reload), via a (1) XML RPC or (2) XML RPC over HTTPS request, aka Bug ID CSCtb83618. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. This issue is tracked by Cisco Bug ID CSCtb83618.
An authenticated attacker can exploit this issue to read and modify configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected device. In addition, attackers can leverage this issue to cause the device to reload; successive attacks will result in a prolonged denial-of-service. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0902 | CVE-2010-0599 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt XML RPC sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83505. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The problem is Bug ID : CSCtb83505 It is a problem.Intercepted by a third party Administrator Authentication information may be overlooked. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks and possibly a full compromise of the affected device.
This issue is tracked by Cisco Bug ID CSCtb83618. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this
vulnerability can be exploited to reload the affected device. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0901 | CVE-2010-0598 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt HTTP sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83631. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The problem is Bug ID : CSCtb83631 Problem.Network intercepted by a third party Administrator May be able to find your credentials. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks and possibly a full compromise of the affected device.
This issue is tracked by Cisco Bug ID CSCtb83631. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this
vulnerability can be exploited to reload the affected device. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0069 | CVE-2010-0600 | Cisco Network Building Mediator products contain multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not properly restrict network access to an unspecified configuration file, which allows remote attackers to read passwords and unspecified other account details via a (1) XML RPC or (2) XML RPC over HTTPS session, aka Bug ID CSCtb83512. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Information obtained will allow attackers to gain administrative access to the affected device.
This issue is being tracked by Cisco Bugid CSCtb83512. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are
affected by all vulnerabilities listed in this security advisory.
This table provides information about affected software releases:
+---------------------------------------+
| Cisco Bug | Affects Software |
| ID | Releases |
|-------------+-------------------------|
| CSCtb83495 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83607 | 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83618 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83631 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83505 | 1.5.1, 2.2, 3.0.8 |
|-------------+-------------------------|
| CSCtb83512 | 1.5.1, 2.2, 3.0.8 |
+---------------------------------------+
Vulnerable Products
+------------------
Users can determine the version of the Mediator Framework running on
a device by logging into the device. After a successful login, the
device will display the version of Mediator Framework running on the
device. This ability
enables the Cisco Network Building Mediator to perform any-to-any
protocol translation and to provide information to the end user in a
uniform presentation. These vulnerabilities are independent of each other.
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account.
* CSCtb83495 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
* CSCtb83607 ( registered customers only) (registered customers
only) has been assigned the CVE identifier CVE-2010-0596.
This vulnerability could enable any user to read and modify
device configuration.
* CSCtb83618 ( registered customers only) has been assigned the CVE
identifier CVE-2010-0597. Additionally, this
vulnerability can be exploited to reload the affected device. A malicious user
able to intercept the sessions could learn any credentials used
during intercepted sessions (for administrators and
non-administrators alike) and could subsequently take full control of
the device.
* CSCtb83631 ( registered customers only) has been assigned CVE
identifier CVE-2010-0598.
* CSCtb83505 ( registered customers only) has been assigned CVE
identifier CVE-2010-0599.
* CSCtb83512 ( registered customers only) has been assigned CVE
identifier CVE-2010-0600.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this security advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCtb83495 - Default credentials present on the system
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83607 - Privilege escalation possible over HTTP protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83618 - Privilege escalation possible over XML RPC protocol
CVSS Base Score - 9
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83631 - Possible intercept of unencrypted HTTP sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83505 - Possible intercept of unencrypted XML RPC sessions
CVSS Base Score - 9.3
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 7.7
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCtb83512 - Access to sensitive information over XML RPC
CVSS Base Score - 10
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
CVSS Temporal Score - 8.3
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of any of these vulnerabilities could result
in a malicious user taking complete control over an affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table below names a Mediator Framework
software release. If a given software release is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. Cisco recommends
upgrading to the latest available release where possible. All
vulnerabilities are fixed in Mediator Framework release 3.1.1 and
above. Mediator Framework release 3.1.1 is the recommended migration
path for all Mediator Framework releases.
Vulnerabilities do not affect Mediator Operating Environment.
To obtain fixed 1.5.1 and 2.2 Mediator Framework software and
configTOOL version 3.1.0b1 contact Cisco TAC.
Privilege escalation
+-------------------
There are no workarounds for these vulnerabilities.
Unauthorized information interception
+------------------------------------
The following workaround is applicable only to the vulnerability
related to HTTP protocol. There is no workaround for the
vulnerability that affects XML RPC service. The HTTPS service is enabled and running by
default and no further actions are needed to enable it. The HTTP
service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and
then expand tab the network tab. Click the http_server tab, and then
click the Enabled to uncheck it.
Unauthorized information access
+------------------------------
There is no workaround for this vulnerability. In
the following examples it is assumed that the operator console has IP
address 192.0.2.1. The 192.0.2.1 address must be changed to match the
IP address used by the designated operator console. The following
code must be entered on the console. Please refer to section 2.4 in
the user guide at
http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf
for information on how to connect to the serial port using
hyper-terminal.
# The following rule establishes a default policy for INPUT rule chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain
iptables -P INPUT DROP
# This rule will allow all traffic from operator console with
# IP address of 192.0.2.1 to the Cisco NBM
#
# Change 192.0.2.1 to match IP address used by your operators console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
#
# This command will allow second operator console with IP address
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules form the above example care must be taken to
allow access to ports or protocols that are used by sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2010-May-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj
EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg
=bCsA
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Cisco Network Building Mediator Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA39904
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39904/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
RELEASE DATE:
2010-05-27
DISCUSS ADVISORY:
http://secunia.com/advisories/39904/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39904/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39904
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Network Building
Mediator, which can be exploited by malicious users to gain escalated
privileges and by malicious people to gain knowledge of sensitive
information.
2) Certain sensitive information (e.g. credentials) is passed via
HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a
third party.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0438 | No CVE | U.S.Robotics USR5463 firmware '/cgi-bin/setup_ddns.exe' cross-site request forgery vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
U.S.Robotics USR5463 is a popular router device in foreign countries. The application device does not properly perform any legal verification of the request, allowing the user to perform partial management operations through HTTP requests. If you build malicious parameters passed to the /cgi-bin/setup_ddns.exe script and entice the user to click, you can change the device configuration and more. U.S.Robotics USR5463 firmware is prone to a cross-site request-forgery vulnerability.
Successful exploits may allow attackers to perform unauthorized actions on the affected device in the context of a logged-in user. This may allow attackers to gain access to or modify sensitive information and perform HTML-injection attacks.
U.S.Robotics USR5463 firmware versions 0.01 through 0.06 are vulnerable. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
USR5463 802.11g Wireless Router Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA39889
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39889/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39889
RELEASE DATE:
2010-05-25
DISCUSS ADVISORY:
http://secunia.com/advisories/39889/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39889/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39889
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
David K. has reported a vulnerability in the USR5463 802.11g Wireless
Router, which can be exploited by malicious people to conduct
cross-site request forgery attacks. This can be exploited to e.g. conduct script insertion
attacks via specially crafted parameters passed to the
/cgi-bin/setup_ddns.exe script.
SOLUTION:
Do not browse untrusted websites or follow untrusted links while
logged-in to the device.
PROVIDED AND/OR DISCOVERED BY:
David K.
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0134 | CVE-2010-2116 | McAfee Email Gateway of Web Vulnerability in which write permission is acquired in the interface |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
The web interface in McAfee Email Gateway (formerly IronMail) 6.7.1 allows remote authenticated users, with only Read privileges, to gain Write privileges to modify configuration via the save action in a direct request to admin/systemWebAdminConfig.do. Secure Mail is prone to a remote security vulnerability. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
McAfee Email Gateway Web Access Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA39881
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39881/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39881
RELEASE DATE:
2010-05-24
DISCUSS ADVISORY:
http://secunia.com/advisories/39881/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39881/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39881
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Nahuel Grisol\xeda has reported a vulnerability in McAfee Email Gateway,
which can be exploited by malicious users to bypass certain security
restrictions.
The vulnerability is caused due to the Web Access interface
performing insufficient checks for requests received from
unprivileged users. This can be exploited by a user without write
privileges to make configuration changes and e.g. add an
administrative user.
The vulnerability is reported in version 6.7.1. Other versions may
also be affected.
SOLUTION:
Restrict access to the Web Access console to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Nahuel Grisol\xeda, Cybsec
ORIGINAL ADVISORY:
Cybsec:
http://www.cybsec.com/vuln/cybsec_advisory_2010_0501_Ironmail_Advisory_Web_Access_Broken.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0198 | CVE-2010-2025 |
Cisco Scientific Atlanta WebSTAR DPC2100R2 Debug Demodulator Cross-Site Request Forgery Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201005-0342 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl. The Cisco DPC2100R2 is a cable TV CABLE MODEM. - Cross-site request forgery attacks. Multiple functions provided by the WEB interface cannot establish a session correctly and restrict access by authorized users. - The Cisco DPC2100R2 device has access control mechanisms of 0-2 (some devices are 0-3). Due to the lack of proper checking for some operations that require authorization, the attacker submits a specially constructed POST request without any verification reset. Equipment and installation of new software. Other attacks are also possible.
Firmware versions prior to 2.0.2.r1256-100324as are vulnerable. \xa0Testing was
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303.
1. \xa0An attacker may create a
malicious website that, when visited by a victim, updates these settings on the
victim's modem on the victim's behalf without their authorization or need for
any additional user interaction. \xa0This issue has been assigned CVE-2010-2025.
2. Insufficient authentication. The modem's access control scheme, which has
levels numbered from 0-2 (or 0-3 on some other models), is not properly checked
before performing operations that should require authentication, including
resetting the modem and installing new firmware. The modem requires the proper
access level to access web interface pages containing forms that allow a user
to perform these actions, but does not properly authenticate the pages that
actually carry out these actions. By sending a POST request directly to these
pages, these actions may be performed without any authentication. Attacks may
be performed by an attacker on the local network or by leveraging the CSRF
vulnerability. This issue has been assigned CVE-2010-2026.
==Identifying Vulnerable Installations==
Most home installations of this modem will feature a web interface that is
accessible at "http://192.168.100.1". \xa0The following proof-of-concept code may
be used to test for vulnerability. \xa0It leverages the CSRF vulnerability to
change the access level of your modem to the most restrictive settings (a
harmless action). \xa0If your modem is vulnerable, then you will be presented with
a message stating that your settings have been successfully updated. \xa0If you
are greeted with a page stating there was a "Password confirmation error", then
your modem password has been changed from the default but you are still
vulnerable. \xa0If you are greeted with an HTTP authentication form or other
message, then your model is not vulnerable.
<html>
<head>
<title>Test for CSRF vulnerability in WebSTAR modems</title>
</head>
<body>
<form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl">
<input type="hidden" name="SAAccessLevel" value="0">
<input type="hidden" name="SAPassword" value="W2402">
</form>
<script>document.csrf.submit()</script>
</body>
</html>
==Solution==
In most cases, home users will be unable to update vulnerable firmware without
assistance from their cable providers. \xa0For
the DPC2100R2 modems, the latest version string is
dpc2100R2-v202r1256-100324as.
To prevent exploitation of CSRF vulnerabilities, users are always encouraged
to practice safe browsing habits and avoid visiting unknown or untrusted
websites.
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).
Thanks to Matthew Bergin for suggesting I should look at cable modems.
==Timeline==
1/26/10 - Vulnerability reported to Cisco
1/26/10 - Response, issue assigned internal tracking number
2/26/10 - Status update requested
2/26/10 - Response
5/15/10 - Status update requested
5/17/10 - Response, confirmation that newest firmware resolves issues
5/17/10 - Disclosure date set
5/24/10 - Disclosure
==References==
CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these
issues
| VAR-201005-0199 | CVE-2010-2026 |
Cisco Scientific Atlanta WebSTAR DPC2100R2 Cable modem Web Vulnerabilities that bypass authentication in the interface
Related entries in the VARIoT exploits database: VAR-E-201005-0342 |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allows remote attackers to bypass authentication, and reset the modem or replace the firmware, via a direct request to an unspecified page. The Cisco DPC2100R2 is a cable TV CABLE MODEM. - Cross-site request forgery attacks. Multiple functions provided by the WEB interface cannot establish a session correctly and restrict access by authorized users. The attacker builds a malicious WEB site, entice the user to click, and can be authorized to change the administrator password, reset the device, install new firmware, and so on. - The Cisco DPC2100R2 device has access control mechanisms of 0-2 (some devices are 0-3). Due to the lack of proper checking for some operations that require authorization, the attacker submits a specially constructed POST request without any verification reset. Equipment and installation of new software. Cisco DPC2100 (formerly Scientific Atlanta DPC2100) is prone to multiple security-bypass and cross-site request-forgery vulnerabilities. Other attacks are also possible.
Firmware versions prior to 2.0.2.r1256-100324as are vulnerable. \xa0Testing was
performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303.
1. \xa0An attacker may create a
malicious website that, when visited by a victim, updates these settings on the
victim's modem on the victim's behalf without their authorization or need for
any additional user interaction. \xa0This issue has been assigned CVE-2010-2025.
2. Insufficient authentication. The modem's access control scheme, which has
levels numbered from 0-2 (or 0-3 on some other models), is not properly checked
before performing operations that should require authentication, including
resetting the modem and installing new firmware. The modem requires the proper
access level to access web interface pages containing forms that allow a user
to perform these actions, but does not properly authenticate the pages that
actually carry out these actions. By sending a POST request directly to these
pages, these actions may be performed without any authentication. Attacks may
be performed by an attacker on the local network or by leveraging the CSRF
vulnerability. This issue has been assigned CVE-2010-2026.
==Identifying Vulnerable Installations==
Most home installations of this modem will feature a web interface that is
accessible at "http://192.168.100.1". \xa0The following proof-of-concept code may
be used to test for vulnerability. \xa0It leverages the CSRF vulnerability to
change the access level of your modem to the most restrictive settings (a
harmless action). \xa0If your modem is vulnerable, then you will be presented with
a message stating that your settings have been successfully updated. \xa0If you
are greeted with a page stating there was a "Password confirmation error", then
your modem password has been changed from the default but you are still
vulnerable. \xa0If you are greeted with an HTTP authentication form or other
message, then your model is not vulnerable.
<html>
<head>
<title>Test for CSRF vulnerability in WebSTAR modems</title>
</head>
<body>
<form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl">
<input type="hidden" name="SAAccessLevel" value="0">
<input type="hidden" name="SAPassword" value="W2402">
</form>
<script>document.csrf.submit()</script>
</body>
</html>
==Solution==
In most cases, home users will be unable to update vulnerable firmware without
assistance from their cable providers. \xa0For
the DPC2100R2 modems, the latest version string is
dpc2100R2-v202r1256-100324as.
To prevent exploitation of CSRF vulnerabilities, users are always encouraged
to practice safe browsing habits and avoid visiting unknown or untrusted
websites.
==Credits==
These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).
Thanks to Matthew Bergin for suggesting I should look at cable modems.
==Timeline==
1/26/10 - Vulnerability reported to Cisco
1/26/10 - Response, issue assigned internal tracking number
2/26/10 - Status update requested
2/26/10 - Response
5/15/10 - Status update requested
5/17/10 - Response, confirmation that newest firmware resolves issues
5/17/10 - Disclosure date set
5/24/10 - Disclosure
==References==
CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these
issues
| VAR-201005-0334 | CVE-2010-1513 | Ziproxy of src/image.c Integer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple integer overflows in src/image.c in Ziproxy before 3.0.1 allow remote attackers to execute arbitrary code via (1) a large JPG image, related to the jpg2bitmap function or (2) a large PNG image, related to the png2bitmap function, leading to heap-based buffer overflows. Ziproxy is a forwarded, non-cached, compressed HTTP proxy server. Ziproxy can compress images into low quality JPEG files or JPEG 2000 and compress (gzip or) HTML and other text-like data. Ziproxy has an integer overflow, and a remote attacker can exploit the vulnerability to execute arbitrary instructions with application privileges. Ziproxy is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied data. Failed exploit attempts will likely result in denial-of-service conditions.
Ziproxy 3.0 is vulnerable; other versions may also be affected. ======================================================================
Secunia Research 24/05/2010
- Ziproxy Two Integer Overflow Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Ziproxy 3.0.0
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
======================================================================
3) Vendor's Description of Software
"Ziproxy is forwarding, non-caching, compressing HTTP proxy server.
Product Link:
http://ziproxy.sourceforge.net/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered two vulnerabilities in Ziproxy, which
can be exploited by malicious people to compromise a vulnerable
system.
======================================================================
5) Solution
Update to version 3.0.1.
======================================================================
6) Time Table
19/05/2010 - Vendor notified.
19/05/2010 - Vendor response.
20/05/2010 - Vendor issues fixed version.
24/05/2010 - Public disclosure.
======================================================================
7) Credits
Discovered by Stefan Cornelius, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-1513 for the vulnerabilities.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-75/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Stay Compliant
Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions
Free Trial
http://secunia.com/products/corporate/evm/trial/
----------------------------------------------------------------------
TITLE:
Ziproxy Two Integer Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA39941
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/39941/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=39941
RELEASE DATE:
2010-05-25
DISCUSS ADVISORY:
http://secunia.com/advisories/39941/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/39941/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=39941
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Secunia Research has discovered some vulnerabilities in Ziproxy,
which can be exploited by malicious people to compromise a vulnerable
system.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-75/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201005-0619 | No CVE | Rumba FTP Client 'FTPSFtp.dll' ActiveX Control Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Rumba FTP client ActiveX control is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Successful exploits may allow an attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions.
The issue affects Rumba FTP client version 4.2.0.0.
| VAR-201005-0429 | No CVE | IIS source code leak and file type parsing error |
CVSS V2: - CVSS V3: - Severity: - |
Vulnerability Introduction: IIS is a webserver launched by Microsoft. It is widely used. It supports ASP/asp.net and supports other languages such as PHP. However, 80sec found that there is a serious security problem in the higher version of IIS. According to the default configuration provided on the network, the server may leak the server-side script source code, or it may mistakenly use any type of file in PHP mode. Parsing, so that a malicious attacker may compromise the IIS server that supports PHP, especially the virtual host user may be affected. Vulnerability Analysis: IIS supports running PHP in CGI mode, but in this mode, IIS processing requests may cause some of the same problems as the nginx security vulnerabilities mentioned in 80sec. Any user can remotely use any type of file as PHP. The way to parse, you can see the way PHP supports in Phpinfo, which may be the problem if it is CGI/FAST-CGI.
| VAR-201005-0434 | No CVE | U.S.Robotics USR5463 firmware 'setup_ddns.exe' HTML injection vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
U.S.Robotics USR5463 is a popular router device in foreign countries. The 'setup_ddns.exe' script included in USRobotics USR5463 firmware does not handle user input correctly. Remote attackers can exploit vulnerabilities for cross-site scripting attacks. After enticing the target users to view, they can obtain sensitive information such as COOKIE and hijack the target user session. U.S.Robotics USR5463 firmware is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
U.S.Robotics firmware USR5463 0.06 is vulnerable
| VAR-201005-0437 | No CVE | Nginx file type error parsing vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Nginx is a high-performance web server that is widely used. It is not only often used as a reverse proxy, but also very well supported for PHP. 80sec found that there is a more serious security problem. By default, any type of file may be parsed in PHP by server error. The attacker can execute arbitrary PHP code with WEB permission. Nginx supports php running by default in cgi mode, such as location ~ \\.php$ {root html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;include fastcgi_params; The } method supports the parsing of php. When the location selects the request, it uses the URI environment variable to select. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by the $fastcgi_script_name generated by nginx, and the analysis can be seen by $fastcgi_script_name It is directly controlled by the URI environment variable, here is the point where the problem occurs. In order to better support the extraction of PATH_INFO, the cgi.fix_pathinfo option exists in the PHP configuration options, the purpose is to extract the real script name from SCRIPT_FILENAME. So suppose there is a http://www.80sec.com/80sec.jpg, you can visit http://www.80sec.com/80sec.jpg/80sec.php in the following way. nginx is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
The issue affects nginx 0.6.36 and prior