VARIoT IoT vulnerabilities database
| VAR-201203-0226 | CVE-2012-0371 | Cisco Wireless LAN Controller Device configuration vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.4, when CPU-based ACLs are enabled, allow remote attackers to read or modify the configuration via unspecified vectors, aka Bug ID CSCtu56709. The Cisco Wireless LAN Controller is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. An unauthenticated attacker can view and modify the configuration of an affected WLC. Only controllers configured with CPU-based ACLs are affected; an attacker exploits the vulnerability by connecting to the controller on TCP port 1023.
This issue is being tracked by Cisco Bug ID CSCtu56709. Workarounds are available that mitigate some of these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Affected Products
=================
The Cisco WLC product family is affected by multiple vulnerabilities.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
Each of the following products is affected by at least one of the
vulnerabilities covered in this Security Advisory:
* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers
Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco
NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility
Controllers, have reached end-of-software maintenance. The following
table includes the end-of-life document URL for each model:
+-------------------------------------------------------------------+
|Model |End of Life Document URL |
|----------------------+--------------------------------------------|
|Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6308/ |
| |prod_end-of-life_notice0900aecd805d22b0.html|
|----------------------+--------------------------------------------|
|Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6307/ |
| |prod_end-of-life_notice0900aecd803387a9.html|
|----------------------+--------------------------------------------|
|Cisco NM-AIR-WLC |http://www.cisco.com/en/US/prod/collateral/ |
|Modules for ISR |modules/ps2797/ |
| |prod_end-of-life_notice0900aecd806aeb34.html|
|----------------------+--------------------------------------------|
|Cisco 500 Series |http://www.cisco.com/en/US/prod/collateral/ |
|Wireless Express |wireless/ps7306/ps7320/ps7339/ |
|Mobility Controllers |end_of_life_c51-568040.html |
+-------------------------------------------------------------------+
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
* In the command-line interface, issue the show sysinfo command as
shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
The unauthorized access vulnerability (CSCtu56709) can be exploited
from both wired and wireless segments. Only the Cisco 4400 Series
WLCs, WiSM version 1, and Cisco Catalyst 3750G Integrated WLCs are
affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the DoS vulnerabilities could allow an
unauthenticated attacker to cause an affected device to reload.
Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
If a given release train is vulnerable, then the earliest possible
releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable.
+-------------------------------------------------------------------+
| Vulnerability/Bug ID | Affected | First Fixed Release |
| | Release | |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCts81997) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1M | Not Vulnerable |
| |------------+-----------------------|
| | 4.2 | Not Vulnerable |
| |------------+-----------------------|
| | 4.2M | Not Vulnerable |
| |------------+-----------------------|
| | 5.0 | Not Vulnerable |
| |------------+-----------------------|
| IPv6 DoS Vulnerability | 5.1 | Not Vulnerable |
| (CSCtt07949) |------------+-----------------------|
| | 5.2 | Not Vulnerable |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCtt47435) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| Unauthorized Access | 5.0 | Vulnerable; Migrate |
| Vulnerability (CSCtu56709) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.4 |
| |------------+-----------------------|
| | 7.1 | Not Vulnerable |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The "Recommended Release" table lists the releases which have fixes
for all the published vulnerabilities at the time of this Advisory.
Cisco recommends upgrading to a release equal to or later than the
release in the "Recommended Releases" table.
+-------------------------------------------------------------------+
| Affected Release | Recommended Release |
|------------------------------+------------------------------------|
| 7.0 | 7.0.230.0 |
|------------------------------+------------------------------------|
| 7.1 | 7.1.91.0 |
|------------------------------+------------------------------------|
| 7.2 | 7.2.103.0 |
+-------------------------------------------------------------------+
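The tables above are the data an operator actually needs when triaging a fleet of controllers. As an added example (not code from the Cisco advisory or the VARIoT entry), the following Python script reads the Product Version field from a `show sysinfo` capture (see Determination of Software Versions above) and evaluates it against the First Fixed Release and Recommended Releases tables for all four bug IDs. The sysinfo text embedded in the script is the advisory's own sample with its dot padding reconstructed; the other version strings used in the usage note are constructed inputs.

```python
"""Evaluate a Cisco WLC software version against the fix tables in
cisco-sa-20120229-wlc (bugs CSCts81997, CSCtt07949, CSCtt47435, CSCtu56709).

Added example; not Cisco or VARIoT code. The fix data below is transcribed
from the advisory's First Fixed Release and Recommended Releases tables.
"""
import re

MIGRATE = "migrate"            # vulnerable, no fix in this train
NOT_VULN = "not-vulnerable"    # train is not affected by this bug

# The mesh trains 4.1M and 4.2M carry the same status as 4.1 and 4.2 in
# every row of the advisory table, so trains are keyed by major.minor only.
LEGACY = ("4.0", "4.1", "4.2", "5.0", "5.1", "5.2", "6.0")

FIRST_FIXED = {
    "CSCts81997": {**dict.fromkeys(LEGACY, MIGRATE),
                   "7.0": "7.0.220.0", "7.1": "7.1.91.0", "7.2": "7.2.103.0"},
    "CSCtt07949": {**dict.fromkeys(LEGACY[:-1], NOT_VULN), "6.0": MIGRATE,
                   "7.0": "7.0.220.0", "7.1": "7.1.91.0", "7.2": "7.2.103.0"},
    "CSCtt47435": {**dict.fromkeys(LEGACY, MIGRATE),
                   "7.0": "7.0.220.0", "7.1": "7.1.91.0", "7.2": NOT_VULN},
    "CSCtu56709": {**dict.fromkeys(LEGACY, MIGRATE),
                   "7.0": "7.0.220.4", "7.1": NOT_VULN, "7.2": NOT_VULN},
}
RECOMMENDED = {"7.0": "7.0.230.0", "7.1": "7.1.91.0", "7.2": "7.2.103.0"}

# The advisory's own 'show sysinfo' sample (dot padding reconstructed).
SAMPLE_SYSINFO = """\
(Cisco Controller)> show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 5.1.151.0
RTOS Version..................................... Linux-2.6.10_mvl401
Bootloader Version............................... 4.0.207.0
Build Type....................................... DATA + WPS
"""


def parse_version(sysinfo_text):
    """Return the Product Version field from a 'show sysinfo' capture."""
    m = re.search(r"^Product Version\.*\s*(\S+)", sysinfo_text, re.MULTILINE)
    if not m:
        raise ValueError("Product Version field not found in sysinfo output")
    return m.group(1)


def _key(version):
    """Numeric tuple for ordering, e.g. '7.0.220.4' -> (7, 0, 220, 4).
    Non-numeric suffixes (a mesh 'M') are ignored."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version))
    if len(nums) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    return nums


def _train(version):
    k = _key(version)
    return f"{k[0]}.{k[1]}"


def assess(version):
    """Return {bug_id: status string} for one running version."""
    running, train = _key(version), _train(version)
    result = {}
    for bug, table in FIRST_FIXED.items():
        fix = table.get(train)
        if fix is None:
            result[bug] = "train not covered by the advisory"
        elif fix == NOT_VULN:
            result[bug] = "not vulnerable"
        elif fix == MIGRATE:
            result[bug] = "vulnerable; migrate to 7.0 or later"
        elif running < _key(fix):
            result[bug] = f"vulnerable; first fixed in {fix}"
        else:
            result[bug] = f"fixed ({fix} or later)"
    return result


def recommended_release(version):
    """Release that fixes all four bugs for this device's train, or None
    if the train is outside the advisory. Legacy trains have no fix; the
    advisory says migrate to 7.0 or later, so the 7.0 recommended release
    is returned for them."""
    train = _train(version)
    if train in RECOMMENDED:
        return RECOMMENDED[train]
    if train in LEGACY:
        return RECOMMENDED["7.0"]
    return None


if __name__ == "__main__":
    ver = parse_version(SAMPLE_SYSINFO)
    print(f"running {ver}")
    for bug, status in assess(ver).items():
        print(f"  {bug}: {status}")
    print(f"  recommended: {recommended_release(ver)}")
```

Running `assess("7.0.220.0")` shows why the Recommended Releases table does not simply repeat the First Fixed column: 7.0.220.0 closes the three DoS bugs but leaves CSCtu56709 open until 7.0.220.4, so the 7.0 train is only fully remediated at 7.0.230.0.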
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
The workarounds rely on controller access control lists (ACLs). After
ACLs are defined, they can be applied to the management interface, the
access point manager (AP-manager) interface, or any of the dynamic
interfaces for client data traffic, or to the Network Processing Unit
(NPU) interface for traffic to the controller CPU.
Note that the unauthorized access vulnerability (CSCtu56709) is present
only when CPU-based ACLs are configured, so a CPU ACL is not a
workaround for that bug; the fix is to upgrade to 7.0.220.4 or later
(the 7.1 and 7.2 trains are not affected).
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages, refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9NNsMACgkQQXnnBKKRMNAT9QD/eiMEVJB+F+vzCBMq6lCKbhxM
fvIvDvBx2ZAMARO9pK8A/Rg0q1bR1eL4gblRgg8swazzbV/Pz0A3G4UtSx+gfXBz
=lRis
-----END PGP SIGNATURE-----
| VAR-201203-0224 | CVE-2012-0369 |
Cisco Wireless LAN Controller denial of service (device reload) vulnerability
Related entries in the VARIoT exploits database: VAR-E-201202-0457 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Wireless LAN Controller (WLC) devices with software 6.0 and 7.0 before 7.0.220.0, 7.1 before 7.1.91.0, and 7.2 before 7.2.103.0 allow remote attackers to cause a denial of service (device reload) via a sequence of IPv6 packets, aka Bug ID CSCtt07949.
An unauthenticated attacker can send a sequence of IPv6 packets to the controller and cause the affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCtt07949.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq24002. Workarounds are available that mitigate some of these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Affected Products
=================
The Cisco WLC product family is affected by multiple vulnerabilities.
Affected versions of Cisco WLC software vary depending on the specific
vulnerability.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
Each of the following products is affected by at least one of the
vulnerabilities covered in this Security Advisory:
* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers
Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco
NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility
Controllers, have reached end-of-software maintenance. The following
table includes the end-of-life document URL for each model:
+-------------------------------------------------------------------+
|Model |End of Life Document URL |
|----------------------+--------------------------------------------|
|Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6308/ |
| |prod_end-of-life_notice0900aecd805d22b0.html|
|----------------------+--------------------------------------------|
|Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/ |
| |wireless/ps6302/ps8322/ps6307/ |
| |prod_end-of-life_notice0900aecd803387a9.html|
|----------------------+--------------------------------------------|
|Cisco NM-AIR-WLC |http://www.cisco.com/en/US/prod/collateral/ |
|Modules for ISR |modules/ps2797/ |
| |prod_end-of-life_notice0900aecd806aeb34.html|
|----------------------+--------------------------------------------|
|Cisco 500 Series |http://www.cisco.com/en/US/prod/collateral/ |
|Wireless Express |wireless/ps7306/ps7320/ps7339/ |
|Mobility Controllers |end_of_life_c51-568040.html |
+-------------------------------------------------------------------+
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
* In the command-line interface, issue the show sysinfo command as
shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
The unauthorized access vulnerability (CSCtu56709) can be exploited
from both wired and wireless segments. An attacker exploits it by
connecting to the controller over TCP port 1023. A TCP three-way
handshake is needed, so the attacker's source address cannot be
spoofed and filtering TCP port 1023 toward the controller on upstream
infrastructure is an effective interim control. Only the Cisco 4400
Series WLCs, WiSM version 1, and Cisco Catalyst 3750G Integrated WLCs
are affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the DoS vulnerabilities could allow an
unauthenticated attacker to cause an affected device to reload.
Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
If a given release train is vulnerable, then the earliest possible
releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable.
+-------------------------------------------------------------------+
| Vulnerability/Bug ID | Affected | First Fixed Release |
| | Release | |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCts81997) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1M | Not Vulnerable |
| |------------+-----------------------|
| | 4.2 | Not Vulnerable |
| |------------+-----------------------|
| | 4.2M | Not Vulnerable |
| |------------+-----------------------|
| | 5.0 | Not Vulnerable |
| |------------+-----------------------|
| IPv6 DoS Vulnerability | 5.1 | Not Vulnerable |
| (CSCtt07949) |------------+-----------------------|
| | 5.2 | Not Vulnerable |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCtt47435) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| Unauthorized Access | 5.0 | Vulnerable; Migrate |
| Vulnerability (CSCtu56709) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.4 |
| |------------+-----------------------|
| | 7.1 | Not Vulnerable |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The "Recommended Release" table lists the releases which have fixes
for all the published vulnerabilities at the time of this Advisory.
Cisco recommends upgrading to a release equal to or later than the
release in the "Recommended Releases" table.
+-------------------------------------------------------------------+
| Affected Release | Recommended Release |
|------------------------------+------------------------------------|
| 7.0 | 7.0.230.0 |
|------------------------------+------------------------------------|
| 7.1 | 7.1.91.0 |
|------------------------------+------------------------------------|
| 7.2 | 7.2.103.0 |
+-------------------------------------------------------------------+
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
+---------------------------------------------------------------
CPU-based ACLs can be configured to block access to the affected WLC on
TCP port 1023. After ACLs are defined, they can be applied to the
management interface, the access point manager (AP-manager) interface,
or any of the dynamic interfaces for client data traffic, or to the
Network Processing Unit (NPU) interface for traffic to the controller
CPU.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages, refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201203-0013 | CVE-2011-4487 | Cisco Unified Communications Manager and Cisco Business Edition In SQL Injection vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) with software 6.x and 7.x before 7.1(5b)su5, 8.0 before 8.0(3a)su3, and 8.5 and 8.6 before 8.6(2a)su1 and Cisco Business Edition 3000 with software before 8.6.3 and 5000 and 6000 with software before 8.6(2a)su1 allows remote attackers to execute arbitrary SQL commands via a crafted SCCP registration, aka Bug ID CSCtu73538. This problem is tracked as Bug ID CSCtu73538. A third party may execute arbitrary SQL commands via a crafted SCCP registration.
Exploiting this issue could allow an authenticated attacker to compromise the affected device, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue is tracked by Cisco Bug ID CSCtu73538. This component features scalable, distributed, and highly available enterprise Voice over IP call processing.
Cisco Unified Communications Manager Skinny Client Control Protocol Vulnerabilities
Advisory ID: cisco-sa-20120229-cucm
Revision 1.0
For Public Release 2012 February 29 16:00 UTC (GMT)
Summary
=======
Cisco Unified Communications Manager devices may allow a remote,
unauthenticated attacker with the ability to send crafted Skinny
Client Control Protocol (SCCP) messages to an affected device to cause
a reload or execute attacker-controlled SQL code.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as IP
phones, media processing devices, VoIP gateways, and multimedia
applications. Both SCCP ports (TCP ports 2000 and
2443) are affected. Successful exploitation could cause
a loss of all voice services that are being handled by the affected
device. After the device restarts, voice services will be restored.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtu73538 - Cisco Unified Communications Manager SCCP Registration may Cause Reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu73538 - Cisco Unified Communications Manager Vulnerable to Blind SQL Injection During Registration
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities that are described in
this advisory could allow an unauthenticated, remote attacker to
trigger a device reload or execute SQL commands against the back-end
database. A successful SQL injection could result in the retrieval or
modification of data or a persistent denial of service (DoS) condition
on the affected device. In the case of a device reload, Cisco Unified
Communications Manager will restart the affected processes, but
repeated attacks may result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-cucm
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages, refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Exploitation and Public Announcements
=====================================
These vulnerabilities were publicly disclosed on Bugtraq on November
8, 2011. The Cisco Product Security Incident Response Team (PSIRT) is
not aware of any malicious use of the vulnerabilities described in
this advisory.
These vulnerabilities were reported to Cisco by Felix Lindner of
Recurity Labs GmbH and discovered by Sandro Gauci.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cucm
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201203-0012 | CVE-2011-4486 | Cisco Unified Communications Manager and Cisco Business Edition Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (CUCM) with software 6.x and 7.x before 7.1(5b)su5, 8.0 before 8.0(3a)su3, and 8.5 and 8.6 before 8.6(2a)su1 and Cisco Business Edition 3000 with software before 8.6.3 and 5000 and 6000 with software before 8.6(2a)su1 allow remote attackers to cause a denial of service (device reload) via a crafted SCCP registration, aka Bug ID CSCtu73538. This problem is tracked as Bug ID CSCtu73538. A crafted SCCP registration from a third party may cause a denial of service (device reload).
An attacker can exploit this issue to cause an interruption in voice services or cause the affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCtu73538.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as IP
phones, media processing devices, VoIP gateways, and multimedia
applications. Both SCCP ports (TCP ports 2000 and 2443) are affected.
After the device restarts, voice services will be restored. Successful
exploitation could allow the attacker to modify certain sections of the
SQL database that are utilized by the device.
| VAR-201203-0227 | CVE-2012-0366 | Cisco Unity Connection Vulnerabilities in changing administrator passwords |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Cisco Unity Connection before 7.1.3b(Su2) allows remote authenticated users to change the administrative password by leveraging the Help Desk Administrator role, aka Bug ID CSCtd45141. Cisco Unity Connection contains a vulnerability that allows the administrator password to be changed. This issue is tracked by Cisco Bug ID CSCtd45141.
An authenticated attacker can exploit this issue to gain administrative access to the affected application. This may lead to a full compromise of the affected computer or aid in further attacks.
Exploitation of the Cisco Unity Connection Denial of Service
Vulnerability may allow an unauthenticated, remote attacker to cause
system services to terminate unexpectedly, which may result in a
denial of service condition.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cuc
Affected Products
=================
Vulnerable Products
+------------------
Cisco Unity Connection Privilege Escalation Vulnerability
The following versions of Cisco Unity Connection are vulnerable:
+---------------------------------------+
| Version | Affected |
|----------------------+----------------|
| Prior to 7.1 | Yes |
|----------------------+----------------|
| 7.1 | Yes |
|----------------------+----------------|
| 8.0 | No |
|----------------------+----------------|
| 8.5 | No |
|----------------------+----------------|
| 8.6 | No |
+---------------------------------------+
Note: Cisco Unity Connection versions prior to 7.1 reached end of
software maintenance. Customers running versions prior to 7.1 should
contact their Cisco support team for assistance in upgrading to a
supported version of Cisco Unity Connection.
Information About Cisco Business Edition
Cisco Business Edition, Cisco Business Edition 5000, and Cisco
Business Edition 6000 are affected by these vulnerabilities if the
Cisco Unity Connection version that is used is among the affected
versions in the tables reported in the "Vulnerable Products" section
of the security advisory.
Cisco Business Edition 3000 is not affected by the vulnerabilities
included in this security advisory.
Determine the Software Version
+-----------------------------
To determine the Cisco Unity Connection software version that an
appliance is running, administrators can access the Cisco Unity
Connection web interface and click the "About" link at the top right.
Optionally administrators can log in to the command-line interface,
and access the main menu. The software version can be identified by
using the show version active command. The following example shows
Cisco Unity Connection running version 8.6.2:
Welcome to the Platform Command Line Interface
admin:show version active
Active Master Version: 8.6.2.10000-30
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities. Cisco Unified Communication Manager and Cisco
Business Edition 3000 are not vulnerable to these vulnerabilities.
Details
=======
Cisco Unity Connection is a feature-rich voice messaging platform
that runs on the same Linux-based Cisco Unified Communications
Operating System that is used by Cisco Unified Communications
Manager.
The privilege escalation vulnerability (CSCtd45141) allows an
authenticated user who holds the Help Desk Administrator role to change
the administrative password.
The denial of service vulnerability (CSCtq67899) is due to improper
handling of TCP segments. An attacker could exploit it by sending a
sequence of TCP segments to the affected system.
Vulnerability Scoring Details
+----------------------------
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtd45141 - Cisco Unity Privilege Escalation Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq67899 - Cisco Unity Denial Of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Cisco Unity Connection Privilege Escalation Vulnerability
+--------------------------------------------------------
Successful exploitation of the privilege escalation vulnerability may
allow an authenticated, remote attacker to elevate privileges and
obtain full access to the affected system.
Cisco Unity Connection Denial of Service Vulnerability
+-----------------------------------------------------
Successful exploitation of the DoS vulnerability may allow an
unauthenticated, remote attacker to cause system services to
terminate unexpectedly, which may result in a denial of service
condition.
Software Versions and Fixes
===========================
Cisco has released free software updates that address these
vulnerabilities.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Workarounds
===========
There are no workarounds that mitigate these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
The vulnerabilities described in this advisory were found during
internal testing or discovered during the resolution of customer
support cases.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cuc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-February-29 | public |
| | | release. |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPTZscQXnnBKKRMNARCFZnAP9cYfs9Aj8NtYgM+dLJjq6HPE5CBT/DXrIA
oajBxN2sqgD/SdLpRzBACGUh9MKqqtxv9uyIINNPD8wv7k17M39/2Uo=
=KbMY
-----END PGP SIGNATURE-----
| VAR-201203-0052 | CVE-2012-0330 | Cisco TelePresence Video Communication Server Denial of Service (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco TelePresence Video Communication Server with software before X7.0.1 allows remote attackers to cause a denial of service (device crash) via a malformed SIP message, aka Bug ID CSCtr20426.
The issues are documented by Cisco Bug IDs CSCtr20426 and CSCtq73319.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
These vulnerabilities are triggered by a crafted Session Initiation
Protocol (SIP) packet that is sent to an affected device on TCP or UDP
port 5060 or 5061.
These vulnerabilities are documented in Cisco bug IDs CSCtr20426
(registered customers only) and CSCtq73319 (registered customers
only), and have been assigned Common Vulnerabilities and Exposures
(CVE) IDs CVE-2012-0330 and CVE-2012-0331, respectively.
Vulnerability Scoring Details
+----------------------------
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtr20426 - Error while processing malformed SIP message
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq73319 - Tandberg SIP INVITE vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities could result in a
system crash that may lead to a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
These vulnerabilities have been fixed in the X7.0.1 version of the
software.
Workarounds
===========
There are no workarounds available that mitigate these
vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-vcs
In order to improve the security posture of their installations,
users are recommended to consult the Cisco TelePresence Hardening
Guide, which is available at:
http://www.cisco.com/web/about/security/intelligence/TP_Harden_Guide_wp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address vulnerabilities
described in this advisory. Prior to deploying software, customers
are advised to consult their maintenance providers or check the
software for feature set compatibility and known issues that are
specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerabilities that are described in this advisory.
These vulnerabilities were found during internal testing.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-vcs
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-February-29 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPTli6QXnnBKKRMNARCFtaAP0UFJN+xj8Fh/q8wqP3YjlK06bYXdQyp+me
6EWUQbIjtAD/ci+VvBfObulEF0DjT040PuddY7/L6zfdeBVT2XYdMMw=
=ibGU
-----END PGP SIGNATURE-----
| VAR-201203-0053 | CVE-2012-0331 | Cisco TelePresence Video Communication Server Denial of Service (DoS) Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco TelePresence Video Communication Server with software before X7.0.1 allows remote attackers to cause a denial of service (device crash) via a crafted SIP packet, as demonstrated by a SIP INVITE message from a Tandberg device, aka Bug ID CSCtq73319.
An attacker can exploit these issues to cause the device to crash, denying service to legitimate users.
The issues are documented by Cisco Bug IDs CSCtr20426 and CSCtq73319.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Software versions prior to X7.0.1 contain vulnerabilities that could
cause a crash of the affected device and result in a DoS condition.
These vulnerabilities are triggered by a crafted Session Initiation
Protocol (SIP) packet that is sent to an affected device on TCP or UDP
port 5060 or 5061.
These vulnerabilities are documented in Cisco bug IDs CSCtr20426
(registered customers only) and CSCtq73319 (registered customers
only), and have been assigned Common Vulnerabilities and Exposures
(CVE) IDs CVE-2012-0330 and CVE-2012-0331, respectively.
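The advisory for both VCS entries above (CVE-2012-0330 and CVE-2012-0331) says only that a crafted SIP packet on TCP or UDP 5060/5061 crashes the device; the packet contents are not published, and nothing here reproduces them. What follows is an added example, not Cisco's or the VCS product's code: a strict front-end validator of the kind a SIP listener on those ports should run before a message reaches call processing, so that a malformed request is rejected with a stated reason instead of being handed to code that assumes well-formed input. The size bounds, the method list and the sample INVITE are assumptions constructed for the example; the header rules follow RFC 3261 (required headers in 8.1.1, repeated headers in 7.3.1, Content-Length on stream transports in 20.14).

```python
"""Strict SIP request validation at the listener (added example, not Cisco code).

Checks, in order: size bound, CRLFCRLF header terminator, request line
'METHOD URI SIP/2.0', header syntax (compact names and folded lines),
the headers every request must carry (RFC 3261 8.1.1), Via/CSeq/Max-Forwards
sanity, and Content-Length matching the body (mandatory on stream
transports, RFC 3261 20.14). Bounds and the sample INVITE are constructed.
"""
import re
from typing import Dict, Tuple

MAX_MESSAGE = 64 * 1024          # assumed bound: reject before parsing anything
MAX_HEADERS = 64                 # assumed bound on header lines
MAX_HEADER_LEN = 1024            # assumed bound on one header line
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}   # assumed allow-list
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length", "m": "contact"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")


class MalformedSip(ValueError):
    """Raised with a short reason when a request fails validation."""


def parse_sip_request(data: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Return (method, request_uri, headers, body) or raise MalformedSip."""
    if len(data) > MAX_MESSAGE:
        raise MalformedSip("message too large")
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedSip("no CRLFCRLF terminating the headers")
    try:
        lines = head.decode("ascii").split("\r\n")   # the header section must be ASCII
    except UnicodeDecodeError:
        raise MalformedSip("non-ASCII byte in header section") from None
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise MalformedSip("bad request line")
    method, uri = m.group(1), m.group(2)
    if method not in METHODS:
        raise MalformedSip(f"unsupported method {method}")
    if not uri.lower().startswith(("sip:", "sips:", "tel:")):
        raise MalformedSip("request-URI is not a sip/sips/tel URI")
    if len(lines) - 1 > MAX_HEADERS:
        raise MalformedSip("too many header lines")
    headers: Dict[str, str] = {}
    last = ""
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LEN:
            raise MalformedSip("header line too long")
        if line[:1] in (" ", "\t"):                 # folded continuation of the previous header
            if not last:
                raise MalformedSip("continuation line before any header")
            headers[last] += " " + line.strip()
            continue
        hm = HEADER_LINE.match(line)
        if not hm:
            raise MalformedSip(f"bad header line {line[:40]!r}")
        last = COMPACT.get(hm.group(1).lower(), hm.group(1).lower())
        value = hm.group(2).strip()
        headers[last] = f"{headers[last]}, {value}" if last in headers else value  # RFC 3261 7.3.1
    for name in REQUIRED:
        if name not in headers:
            raise MalformedSip(f"missing required header {name}")
    if not headers["via"].upper().startswith("SIP/2.0/"):
        raise MalformedSip("Via does not start with SIP/2.0/<transport>")
    cseq = headers["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        raise MalformedSip("CSeq malformed or does not match the method")
    if not headers["max-forwards"].isdigit():
        raise MalformedSip("Max-Forwards is not an integer")
    if "content-length" not in headers:
        if body:
            raise MalformedSip("body present without Content-Length")
    elif not headers["content-length"].isdigit():
        raise MalformedSip("Content-Length is not an integer")
    elif int(headers["content-length"]) != len(body):
        raise MalformedSip(f"Content-Length {headers['content-length']} != body length {len(body)}")
    return method, uri, headers, body


def classify(data: bytes) -> str:
    """'ok' for a well-formed request, otherwise the rejection reason."""
    try:
        parse_sip_request(data)
        return "ok"
    except MalformedSip as exc:
        return str(exc)


# A well-formed INVITE constructed for the example (5-byte SDP body)
GOOD_INVITE = (
    b"INVITE sip:bob@vcs.example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: Alice <sip:alice@example.invalid>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@vcs.example.invalid>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)

if __name__ == "__main__":
    print(classify(GOOD_INVITE))
    print(classify(GOOD_INVITE.replace(b"Content-Length: 5", b"Content-Length: 512")))
```

The point of returning a reason string rather than a bare reject is operational: the reason is what you log and count per source address, which is how a flood of malformed INVITEs against 5060/5061 becomes visible before it becomes a crash.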
Vulnerability Scoring Details
+----------------------------
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtr20426 - Error while processing malformed SIP message
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq73319 - Tandberg SIP INVITE vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities could result in a
system crash that may lead to a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
These vulnerabilities have been fixed in the X7.0.1 version of the
software.
Workarounds
===========
There are no workarounds available that mitigate these
vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-vcs
In order to improve the security posture of their installations,
users are recommended to consult the Cisco TelePresence Hardening
Guide, which is available at:
http://www.cisco.com/web/about/security/intelligence/TP_Harden_Guide_wp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address vulnerabilities
described in this advisory. Prior to deploying software, customers
are advised to consult their maintenance providers or check the
software for feature set compatibility and known issues that are
specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerabilities that are described in this advisory.
These vulnerabilities were found during internal testing.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-vcs
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-February-29 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPTli6QXnnBKKRMNARCFtaAP0UFJN+xj8Fh/q8wqP3YjlK06bYXdQyp+me
6EWUQbIjtAD/ci+VvBfObulEF0DjT040PuddY7/L6zfdeBVT2XYdMMw=
=ibGU
-----END PGP SIGNATURE-----
| VAR-201203-0223 | CVE-2012-0368 |
Cisco Wireless LAN Controller Denial of Service (Device Crash) Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201202-0006 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative management interface on Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.0, 7.1 before 7.1.91.0, and 7.2 before 7.2.103.0 allows remote attackers to cause a denial of service (device crash) via a malformed URL in an HTTP request, aka Bug ID CSCts81997. The vulnerability allows an unauthenticated attacker to crash the device by sending a specially crafted URL to the management interface.
An unauthenticated attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCts81997.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq24002
Workarounds are available that mitigate some of these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Affected Products
=================
The Cisco WLC product family is affected by multiple vulnerabilities.
Affected versions of Cisco ASA Software vary depending on the specific
vulnerability.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
Each of the following products is affected by at least one of the
vulnerabilities covered in this Security Advisory:
* Cisco 2000 Series WLC
* Cisco 2100 Series WLC
* Cisco 2500 Series WLC
* Cisco 4100 Series WLC
* Cisco 4400 Series WLC
* Cisco 5500 Series WLC
* Cisco 500 Series Wireless Express Mobility Controllers
* Cisco Wireless Services Modules (WiSM)
* Cisco Wireless Services Modules version 2 (WiSM version 2)
* Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
* Cisco Catalyst 3750G Integrated WLCs
* Cisco Flex 7500 Series Cloud Controllers
Note: The Cisco 2000 Series WLCs, Cisco 4100 Series WLCs, Cisco
NM-AIR-WLC, and Cisco 500 Series Wireless Express Mobility
Controllers have reached end-of-software maintenance. The following
table includes the end-of-life document URL for each model:
+-------------------------------------------------------------------+
|Model |End of Life Document URL |
|----------------------+--------------------------------------------|
|Cisco 2000 Series WLC |http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6308/prod_end-of-life_notice0900aecd805d22b0.html |
|----------------------+--------------------------------------------|
|Cisco 4100 Series WLC |http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6307/prod_end-of-life_notice0900aecd803387a9.html |
|----------------------+--------------------------------------------|
|Cisco NM-AIR-WLC Modules for ISR |http://www.cisco.com/en/US/prod/collateral/modules/ps2797/prod_end-of-life_notice0900aecd806aeb34.html |
|----------------------+--------------------------------------------|
|Cisco 500 Series Wireless Express Mobility Controllers |http://www.cisco.com/en/US/prod/collateral/wireless/ps7306/ps7320/ps7339/end_of_life_c51-568040.html |
+-------------------------------------------------------------------+
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
* In the command-line interface, issue the show sysinfo command as
shown in the following example:
(Cisco Controller)> show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
These devices communicate with controller-based access points over any
Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP) and the Control and
Provisioning of Wireless Access Points (CAPWAP) protocol.
This vulnerability can be exploited from both wired and wireless
segments. A TCP three-way handshake is needed in order to exploit
this vulnerability. An attacker can exploit this
vulnerability by connecting to the controller over TCP port 1023. Only
the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G
Integrated WLCs are affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts81997 - Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt07949 - Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtt47435 - Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtu56709 - Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the DoS vulnerabilities could allow an
unauthenticated attacker to cause an affected device to reload.
Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
Review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
If a given release train is vulnerable, then the earliest possible
releases that contain the fix (along with the anticipated date of
availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable.
+-------------------------------------------------------------------+
| Vulnerability/Bug ID | Affected | First Fixed Release |
| | Release | |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| HTTP DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCts81997) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1 | Not Vulnerable |
| |------------+-----------------------|
| | 4.1M | Not Vulnerable |
| |------------+-----------------------|
| | 4.2 | Not Vulnerable |
| |------------+-----------------------|
| | 4.2M | Not Vulnerable |
| |------------+-----------------------|
| | 5.0 | Not Vulnerable |
| |------------+-----------------------|
| IPv6 DoS Vulnerability | 5.1 | Not Vulnerable |
| (CSCtt07949) |------------+-----------------------|
| | 5.2 | Not Vulnerable |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | 7.2.103.0 |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| WebAuth DoS Vulnerability | 5.0 | Vulnerable; Migrate |
| (CSCtt47435) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.0 |
| |------------+-----------------------|
| | 7.1 | 7.1.91.0 |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
|------------------------------+------------+-----------------------|
| | 4.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.1M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 4.2M | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| Unauthorized Access | 5.0 | Vulnerable; Migrate |
| Vulnerability (CSCtu56709) | | to 7.0 or later |
| |------------+-----------------------|
| | 5.1 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 5.2 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 6.0 | Vulnerable; Migrate |
| | | to 7.0 or later |
| |------------+-----------------------|
| | 7.0 | 7.0.220.4 |
| |------------+-----------------------|
| | 7.1 | Not Vulnerable |
| |------------+-----------------------|
| | 7.2 | Not Vulnerable |
+-------------------------------------------------------------------+
Recommended Releases
+-------------------
The "Recommended Release" table lists the releases which have fixes
for all the published vulnerabilities at the time of this Advisory.
Cisco recommends upgrading to a release equal to or later than the
release in the "Recommended Releases" table.
+-------------------------------------------------------------------+
| Affected Release | Recommended Release |
|------------------------------+------------------------------------|
| 7.0 | 7.0.230.0 |
|------------------------------+------------------------------------|
| 7.1 | 7.1.91.0 |
|------------------------------+------------------------------------|
| 7.2 | 7.2.103.0 |
+-------------------------------------------------------------------+
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
+---------------------------------------------------------------
CPU-based ACLs can be configured to block access to the affected WLC on
TCP port 1023. After ACLs are defined, they can be applied to the
management interface, the access point manager (AP-manager) interface,
or any of the dynamic interfaces for client data traffic, or to the
Network Processing Unit (NPU) interface for traffic to the controller
CPU.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120229-wlc
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance providers
or check the software for feature set compatibility and known issues
that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were found during internal testing and during
the troubleshooting of customer service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201203-0228 | CVE-2012-0367 | Cisco Unity Connection Service disruption in ( Service crash ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unity Connection before 7.1.5b(Su5), 8.0 and 8.5 before 8.5.1(Su3), and 8.6 before 8.6.2 allows remote attackers to cause a denial of service (services crash) via a series of crafted TCP segments, aka Bug ID CSCtq67899. Cisco Unity Connection contains a vulnerability that can result in a denial of service (service crash) condition.
An attacker can exploit this issue to cause an affected device to restart, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCtq67899.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities. Customers running versions prior to 7.1 should
contact their Cisco support team for assistance in upgrading to a
supported version of Cisco Unity Connection.
Information About Cisco Business Edition
Cisco Business Edition, Cisco Business Edition 5000, and Cisco
Business Edition 6000 are affected by these vulnerabilities if the
Cisco Unity Connection version that is used is among the affected
versions in the tables reported in the "Vulnerable Products" section
of the security advisory.
Cisco Business Edition 3000 is not affected by the vulnerabilities
included in this security advisory.
Determine the Software Version
+-----------------------------
To determine the Cisco Unity Connection software version that an
appliance is running, administrators can access the Cisco Unity
Connection web interface and click the "About" link at the top right.
Optionally administrators can log in to the command-line interface,
and access the main menu. The software version can be identified by
using the show version active command. The following example shows
Cisco Unity Connection running version 8.6.2:
Welcome to the Platform Command Line Interface
admin:show version active
Active Master Version: 8.6.2.10000-30
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities. Cisco Unified Communication Manager and Cisco
Business Edition 3000 are not vulnerable to these vulnerabilities.
Details
=======
Cisco Unity Connection is a feature-rich voice messaging platform
that runs on the same Linux-based Cisco Unified Communications
Operating System that is used by Cisco Unified Communications
Manager.
The privilege escalation vulnerability (CSCtd45141) is due to improper privilege assignment and
validation of the "Help Desk Administrator" role. An attacker could
exploit this vulnerability by logging in to the system as the Help
Desk Administrator user and changing the password for the
administrative user.
The denial of service vulnerability (CSCtq67899) is due to improper handling of TCP segments. An
attacker could exploit this vulnerability by sending a sequence of
TCP segments to the affected system.
Vulnerability Scoring Details
+----------------------------
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtd45141 - Cisco Unity Privilege Escalation Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq67899 - Cisco Unity Denial Of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Cisco Unity Connection Privilege Escalation Vulnerability
+--------------------------------------------------------
Successful exploitation of the privilege escalation vulnerability may
allow an authenticated, remote attacker to elevate privileges and
obtain full access to the affected system.
Software Versions and Fixes
===========================
Cisco has released free software updates that address these
vulnerabilities.
Cisco Unity Connection Privilege Escalation Vulnerability - CSCtd45141
+---------------------------------------------------------------------
The following table contains the first fixed releases of software for
Cisco Unity Connection, Cisco Business Edition, Cisco Business
Edition 5000, and Cisco Business Edition 6000 that address the Cisco
Unity Connection Privilege Escalation Vulnerability:
+---------------------------------------+
| Version | First Fix In |
|------------+--------------------------|
| 7.1 | 7.1.3b(Su2), 7.1.5 |
|------------+--------------------------|
| 8.0 | Not Affected |
|------------+--------------------------|
| 8.5 | Not Affected |
|------------+--------------------------|
| 8.6 | Not Affected |
+---------------------------------------+
Cisco Unity Connection Denial of Service Vulnerability - CSCtq67899
+------------------------------------------------------------------
The following table contains the first fixed releases of software for
Cisco Unity Connection, Cisco Business Edition, Cisco Business
Edition 5000, and Cisco Business Edition 6000 that address the Cisco
Unity Connection Denial of Service Vulnerability:
+---------------------------------------+
| Version | Remediation |
|---------+-----------------------------|
| 7.1 | 7.1.5b(Su5) - Available in |
| | March 2012 |
|---------+-----------------------------|
| 8.0 | Upgrade to 8.5.1(Su3) |
|---------+-----------------------------|
| 8.5 | 8.5.1(Su3) |
|---------+-----------------------------|
| 8.6 | 8.6.2 |
+---------------------------------------+
Remediation table
+----------------
The following table contains the recommended releases, which include
the fixes for all the vulnerabilities described in this advisory:
+---------------------------------------+
| Version | Remediation |
|---------+-----------------------------|
| 7.1 | 7.1.5b(Su5) - Available in |
| | March 2012 |
|---------+-----------------------------|
| 8.0 | Upgrade to 8.5.1(Su3) |
|---------+-----------------------------|
| 8.5 | 8.5.1(Su3) |
|---------+-----------------------------|
| 8.6 | 8.6.2 |
+---------------------------------------+
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories
to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Workarounds
===========
There are no workarounds that mitigate these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
The vulnerabilities described in this advisory were found during
internal testing or discovered during the resolution of customer
support cases.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-cuc
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------------+
| Revision 1.0 | 2012-February-29 | Initial public release.          |
+------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPTZscQXnnBKKRMNARCFZnAP9cYfs9Aj8NtYgM+dLJjq6HPE5CBT/DXrIA
oajBxN2sqgD/SdLpRzBACGUh9MKqqtxv9uyIINNPD8wv7k17M39/2Uo=
=KbMY
-----END PGP SIGNATURE-----
| VAR-201209-0276 | CVE-2012-5001 | Unknown remote code execution vulnerability in Hitachi JP1 / Cm2 / Network Node Manager i |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in Hitachi JP1/Cm2/Network Node Manager i before 09-50-03 allow remote attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors. Hitachi JP1 / Cm2 / Hierarchical is middleware platform software.
A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application and possibly the underlying computer.
----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
Download it here!
http://secunia.com/psi_30_beta_launch
----------------------------------------------------------------------
TITLE:
Hitachi JP1/Cm2/Network Node Manager Multiple Unspecified
Vulnerabilities
SECUNIA ADVISORY ID:
SA48201
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48201/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48201
RELEASE DATE:
2012-02-29
DISCUSS ADVISORY:
http://secunia.com/advisories/48201/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/48201/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=48201
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Hitachi
JP1/Cm2/Network Node Manager, where some have an unknown impact and
others can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerabilities are caused due to unspecified errors. No further
information is currently available.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (English):
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/./vuls/HS12-009/index.html
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS12-009/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201402-0055 | CVE-2012-1088 | iproute2 Vulnerable to overwriting arbitrary files |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by (1) configure or (2) examples/dhcp-client-script. Linux Kernel is prone to multiple insecure temporary file-creation vulnerabilities in the 'iproute' package.
An attacker with local access could potentially exploit these issues to perform symbolic-link attacks.
Successfully mounting a symbolic-link attack may allow the attacker to delete or modify sensitive files. Other attacks may also be possible. iproute2 is a series of toolkits for traffic control on TCP/IP networks in Linux systems maintained by American software developer Stephen Hemminger. The toolkit includes the following components: ifconfig, route, tc, and ip. A security vulnerability exists in iproute2 3.2.0 and earlier versions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04135307
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04135307
Version: 1
HPSBGN02970 rev.1 - HP Rapid Deployment Pack (RDP) or HP Insight Control
Server Deployment, Multiple Remote Vulnerabilities affecting Confidentiality,
Integrity and Availability
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-03-10
Last Updated: 2014-03-10
Potential Security Impact: Multiple remote vulnerabilities affecting
confidentiality, integrity and availability
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Rapid Deployment Pack
(RDP) or HP Insight Control Server Deployment. The vulnerabilities could be
exploited remotely affecting confidentiality, integrity and availability.
References: CVE-2010-4008
CVE-2010-4494
CVE-2011-2182
CVE-2011-2213
CVE-2011-2492
CVE-2011-2518
CVE-2011-2689
CVE-2011-2723
CVE-2011-3188
CVE-2011-4077
CVE-2011-4110
CVE-2012-0058
CVE-2012-0879
CVE-2012-1088
CVE-2012-1179
CVE-2012-2137
CVE-2012-2313
CVE-2012-2372
CVE-2012-2373
CVE-2012-2375
CVE-2012-2383
CVE-2012-2384
CVE-2013-6205
CVE-2013-6206
SSRT101443
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Rapid Deployment Pack (RDP) -- All versions
HP Insight Control Server Deployment -- All versions
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2013-6205 (AV:L/AC:M/Au:S/C:P/I:P/A:P) 4.1
CVE-2013-6206 (AV:N/AC:L/Au:N/C:C/I:P/A:P) 9.0
CVE-2010-4008 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2010-4494 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2011-2182 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2
CVE-2011-2213 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2492 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9
CVE-2011-2518 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2689 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2011-2723 (AV:A/AC:M/Au:N/C:N/I:N/A:C) 5.7
CVE-2011-3188 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2011-4077 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2011-4110 (AV:L/AC:L/Au:N/C:N/I:N/A:P) 2.1
CVE-2012-0058 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-0879 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-1088 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2012-1179 (AV:A/AC:M/Au:S/C:N/I:N/A:C) 5.2
CVE-2012-2137 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2012-2313 (AV:L/AC:H/Au:N/C:N/I:N/A:P) 1.2
CVE-2012-2372 (AV:L/AC:M/Au:S/C:N/I:N/A:C) 4.4
CVE-2012-2373 (AV:L/AC:H/Au:N/C:N/I:N/A:C) 4.0
CVE-2012-2375 (AV:A/AC:H/Au:N/C:N/I:N/A:C) 4.6
CVE-2012-2383 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
CVE-2012-2384 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP recommends that HP Rapid Deployment Pack (RDP) or HP Insight Control
Server Deployment should only be run on private secure networks to prevent
the risk of security compromise.
HISTORY
Version:1 (rev.1) - 10 March 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iEYEARECAAYFAlMd70EACgkQ4B86/C0qfVnXowCgnnw+HySvDNjCV7VPwZHplLwc
Gw4An38h3204bsbLQN/gJQVEqFTo5IfX
=sWmR
-----END PGP SIGNATURE-----
| VAR-201206-0202 | CVE-2012-0920 | Dropbear SSH Server Remote Code Execution Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency". Dropbear SSH Server is a small Secure Shell server for embedded environments. A remote code execution vulnerability exists in Dropbear SSH Server that is caused by a use-after-free error. An attacker could exploit the vulnerability to execute arbitrary code with root-level privileges, which could allow the attacker to take full control of the affected system.
Note: To exploit the issue an attacker must be authenticated using a public key and a command restriction is enforced.
Solution: Upgrade to version 2012.55 or higher.
2012-02-24 - Coordinated public release of advisory.
Credit:
This vulnerability was discovered by Danny Fullerton from Mantor
Organization.
Special thanks to Matt.
This fixes a vulnerability, which can be exploited by malicious users
to gain escalated privileges.
For more information:
SA48147
SOLUTION:
Apply updated packages via the apt-get package manager.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2456-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 23, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : dropbear
Vulnerability : use after free
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0920
Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon,
resulting in potential execution of arbitrary code.
For the stable distribution (squeeze), this problem has been fixed in
version 0.52-5+squeeze1.
For the testing distribution (wheezy), this problem has been fixed in
version 2012.55-1.
For the unstable distribution (sid), this problem has been fixed in
version 2012.55-1.
We recommend that you upgrade your dropbear packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk+XCosACgkQXm3vHE4uylrKpQCfZpU4eKxztqi8zGzsAKdxzhLV
kOcAoIshssbewzstn+sNTIJyNP7MJ10i
=uWaI
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
TITLE:
Dropbear SSH Server Use-After-Free Vulnerability
SECUNIA ADVISORY ID:
SA48147
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48147/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48147
RELEASE DATE:
2012-02-27
DISCUSS ADVISORY:
http://secunia.com/advisories/48147/#comments
DESCRIPTION:
Danny Fullerton has reported a vulnerability in Dropbear SSH Server,
which can be exploited by malicious users to gain escalated
privileges.
The vulnerability is reported in version 0.52 through 2011.54.
SOLUTION:
Update to version 2012.55
PROVIDED AND/OR DISCOVERED BY:
Danny Fullerton, Mantor Organization
ORIGINAL ADVISORY:
Dropbear:
http://matt.ucc.asn.au/dropbear/CHANGES
Danny Fullerton:
http://archives.neohapsis.com/archives/fulldisclosure/2012-02/0404.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201309-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dropbear: Multiple vulnerabilities
Date: September 26, 2013
Bugs: #328409, #405607
ID: 201309-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Dropbear, the worst of
which could lead to arbitrary code execution.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/dropbear < 2012.55 >= 2012.55
Description
===========
Multiple vulnerabilities have been discovered in Dropbear. Please
review the CVE identifier and Gentoo bug referenced below for details.
Impact
======
A remote attacker could send a specially crafted request to trigger a
use-after-free condition, possibly resulting in arbitrary code
execution or a Denial of Service condition. Additionally, the bundled
version of libtommath has an error in its prime number generation,
which could result in the generation of weak keys.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Dropbear users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dropbear-2012.55"
References
==========
[ 1 ] CVE-2012-0920
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0920
[ 2 ] libtommath Gentoo bug
https://bugs.gentoo.org/show_bug.cgi?id=328383
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-20.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201202-0352 | No CVE | D-Link DCS product 'security.cgi' Cross-Site Request Forgery Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
D-Link DCS is a camera device product. There is a vulnerability in D-Link DCS. Because the 'security.cgi' provided by the D-Link DCS product fails to properly filter user-submitted input, it can be used to trigger a cross-site request forgery attack. The attacker constructs a malicious URI, entices the user to visit it, and can then perform malicious operations with administrator privileges. The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability.
Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible.
This issue affects D-Link DCS-900, DCS-2000, and DCS-5300
| VAR-201202-0171 | CVE-2012-0365 | Multiple Cisco products: Local TFTP file-upload application directory traversal vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the Local TFTP file-upload application on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to upload software to arbitrary directories via unspecified vectors, aka Bug ID CSCtw56009. The Local TFTP file-upload application on multiple Cisco products contains a directory traversal vulnerability. This problem is tracked as Bug ID CSCtw56009. Remotely authenticated users can upload software to any directory. Cisco Small Business SRP500 series appliances are prone to a directory-traversal vulnerability.
Exploiting this issue will allow an attacker to access sensitive information, including password files and system logs, and allow installation of malicious software on the Cisco SRP 500 series device. This could help the attacker launch further attacks.
This issue is tracked by Cisco BugID CSCtw56009.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Small Business SRP 500 Series Multiple Vulnerabilities
Advisory ID: cisco-sa-20120223-srp500
Revision 1.0
For Public Release 2012 February 23 16:00 UTC (GMT)
Summary
=======
Cisco Small Business (SRP 500) Series Services Ready Platforms
contain the following three vulnerabilities:
* Cisco SRP 500 Series Web Interface Command Injection
Vulnerability
* Cisco SRP 500 Series Unauthenticated Configuration Upload
Vulnerability
* Cisco SRP 500 Series Directory Traversal Vulnerability
These vulnerabilities can be exploited using sessions to the Services
Ready Platform Configuration Utility web interface. These
vulnerabilities could be exploited from the local LAN side of the SRP
device by default configuration and the WAN side of the SRP device if
remote management is enabled. Remote management is disabled by
default.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco SRP 520 Series models are affected if running
firmware prior to version 1.1.26:
* Cisco SRP 521W
* Cisco SRP 526W
* Cisco SRP 527W
The following Cisco SRP 520W-U Series models are affected if running
firmware prior to version 1.2.4:
* Cisco SRP 521W-U
* Cisco SRP 526W-U
* Cisco SRP 527W-U
The following Cisco SRP 540 Series models are affected if running
firmware prior to version 1.2.4:
* Cisco SRP 541W
* Cisco SRP 546W
* Cisco SRP 547W
To view the firmware version on a device, log in to the Services
Ready Platform Configuration Utility and navigate to the Status >
Router page to view information about the Cisco SRP Series device and
its firmware status. The Firmware Version field indicates the
current running version of firmware on the Cisco SRP 500 Series
device.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco SRP 500 Series devices are a flexible, cost-effective,
fixed-configuration customer premises equipment (CPE) with embedded
intelligence to enable service providers to create, provision, and
deploy premium revenue-generating services to small businesses on an
as-needed basis. These vulnerabilities
could be exploited from the local LAN side of the SRP device by
default configuration and the WAN side of the SRP device if remote
management is enabled. Remote management is disabled by default.
Cisco SRP 500 Series Web Interface Command Injection Vulnerability
+-----------------------------------------------------------------
Cisco SRP 500 Series devices contain a command injection vulnerability
that could allow an authenticated session to inject commands to be
executed by the operating system.
An attacker could exploit this vulnerability by either enticing an
administrator to access a crafted link or by performing a
man-in-the-middle attack to intercept an authenticated session. An
exploit could allow the attacker to execute operating system commands
on the device that are run in the context of the root user.
This vulnerability has been documented in Cisco bug ID CSCtt46871 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0363.
An attacker could exploit this vulnerability by first creating a
desired configuration file and then uploading it using the
unauthenticated URL.
This vulnerability has been documented in Cisco bug ID CSCtw55495 and
has been assigned CVE ID CVE-2012-0364.
An attacker could exploit this vulnerability by enticing an authenticated
user to click on a crafted link or by installing malicious files on
the FTP or HTTP server that the administrators of the device may use.
This vulnerability has been documented in Cisco bug ID CSCtw56009 and
has been assigned CVE ID CVE-2012-0365.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection
Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration
Upload Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Complete
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may result in the
execution of arbitrary commands on the device or the uploading of
files that may be malicious, which may allow the attacker to alter the
device configuration.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
As well as any subsequent advisories to determine exposure and a
complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------------------------------+
| Affected Product | First Fixed Release |
|-----------------------------+---------------------------------|
| Cisco SRP 521W | 1.1.26 |
|-----------------------------+---------------------------------|
| Cisco SRP 526W | 1.1.26 |
|-----------------------------+---------------------------------|
| Cisco SRP 527W | 1.1.26 |
|-----------------------------+---------------------------------|
| Cisco SRP 521W-U | 1.2.4 |
|-----------------------------+---------------------------------|
| Cisco SRP 526W-U | 1.2.4 |
|-----------------------------+---------------------------------|
| Cisco SRP 527W-U | 1.2.4 |
|-----------------------------+---------------------------------|
| Cisco SRP 541W | 1.2.4 |
|-----------------------------+---------------------------------|
| Cisco SRP 546W | 1.2.4 |
|-----------------------------+---------------------------------|
| Cisco SRP 547W | 1.2.4 |
+---------------------------------------------------------------+
The latest Cisco SRP 500 Series Services Ready Platforms firmware can
be downloaded at:
http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm
Workarounds
===========
The Cisco SRP 500 Series devices are designed as CPE devices, and only
disabling access from the outside network will prevent exploitation
from remote networks. The following mitigations help limit exposure
to these vulnerabilities:
* Disable Remote Management
Caution: Do not disable remote management if administrators
manage devices using the WAN connection. This action will result
in a loss of management connectivity to the device.
Remote Management is disabled by default. If it is enabled,
administrators can disable this feature by choosing
Administration > Web Access Management. Change the setting for
the Remote Management field to Disabled.
Disabling remote management limits exposure because the
vulnerabilities can then be exploited from the internal LAN
only.
* Limit Remote Management Access to Specific IP Addresses
If remote management is required, secure the device so that it
can be accessed by certain IP addresses only, rather than the
default setting of All IP Addresses. After choosing
Administration > Web Access Management, an administrator can
change the Allowed Remote IP Address setting to ensure that only
devices with specified IP addresses can access the device.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers should obtain upgraded software through their regular update
channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at:
http://www.cisco.com
If the information is not clear, please contact the Cisco Small
Business Support Center or your contracted maintenance provider for
assistance. Small Business Support Center contacts are as follows.
+1 866 606 1866 (toll free from within North America)
+1 408 418 1866 (toll call from anywhere in the world)
Customers should have their product serial number available.
For additional support contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages refer to:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Customers with Service Contracts
+-------------------------------
See the Obtaining Fixed Software section of this advisory.
Customers Using Third-Party Support Organizations
+------------------------------------------------
See the Obtaining Fixed Software section of this advisory.
Customers Without Service Contracts
+----------------------------------
See the Obtaining Fixed Software section of this advisory.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were reported to Cisco by Michal Sajdak of
Securitum, Poland.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-02-23 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj
zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85
=WMsW
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201202-0170 | CVE-2012-0364 | Multiple Cisco products: vulnerability allowing configuration files to be replaced |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allow remote attackers to replace the configuration file via an upload request to an unspecified URL, aka Bug ID CSCtw55495. Multiple Cisco products contain a vulnerability that allows the configuration file to be replaced. Cisco Small Business SRP500 series appliances are prone to a security-bypass vulnerability because they allow attackers to gain unauthorized access to the device.
This issue is being tracked by Cisco Bug ID CSCtw55495.
An unauthenticated attacker can exploit this issue to upload a specially crafted configuration file to the affected device, thereby aiding in further attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Small Business SRP 500 Series Multiple Vulnerabilities
Advisory ID: cisco-sa-20120223-srp500
Revision 1.0
For Public Release 2012 February 23 16:00 UTC (GMT)
Summary
=======
Cisco Small Business (SRP 500) Series Services Ready Platforms
contain the following three vulnerabilities:
* Cisco SRP 500 Series Web Interface Command Injection
Vulnerability
* Cisco SRP 500 Series Unauthenticated Configuration Upload
Vulnerability
* Cisco SRP 500 Series Directory Traversal Vulnerability
These vulnerabilities can be exploited using sessions to the Services
Ready Platform Configuration Utility web interface. These
vulnerabilities could be exploited from the local LAN side of the SRP
device by default configuration and the WAN side of the SRP device if
remote management is enabled. Remote management is disabled by
default.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco SRP 520 Series models are affected if running
firmware prior to version 1.1.26:
* Cisco SRP 521W
* Cisco SRP 526W
* Cisco SRP 527W
The following Cisco SRP 520W-U Series models are affected if running
firmware prior to version 1.2.4:
* Cisco SRP 521W-U
* Cisco SRP 526W-U
* Cisco SRP 527W-U
The following Cisco SRP 540 Series models are affected if running
firmware prior to version 1.2.4:
* Cisco SRP 541W
* Cisco SRP 546W
* Cisco SRP 547W
To view the firmware version on a device, log in to the Services
Ready Platform Configuration Utility and navigate to the Status >
Router page to view information about the Cisco SRP Series device and
its firmware status.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco SRP 500 Series devices are a flexible, cost-effective,
fixed-configuration customer premises equipment (CPE) with embedded
intelligence to enable service providers to create, provision, and
deploy premium revenue-generating services to small businesses on an
as-needed basis. These vulnerabilities
could be exploited from the local LAN side of the SRP device by
default configuration and the WAN side of the SRP device if remote
management is enabled. Remote management is disabled by default.
An attacker could exploit this vulnerability by either enticing an
administrator to access a crafted link or by performing a
man-in-the-middle attack to intercept an authenticated session. An
exploit could allow the attacker to execute operating system commands
on the device that are run in the context of the root user. An
attacker could exploit this vulnerability by enticing an authenticated
user to click on a crafted link or by installing malicious files on
the FTP or HTTP server that the administrators of the device may use.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection
Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration
Upload Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Complete
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may result in the
execution of arbitrary commands on the device or the uploading of
files that may be malicious, which may allow the attacker to alter the
device configuration.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
As well as any subsequent advisories to determine exposure and a
complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------------------------------+
| Affected Product            | First Fixed Release             |
|-----------------------------+---------------------------------|
| Cisco SRP 521W              | 1.1.26                          |
|-----------------------------+---------------------------------|
| Cisco SRP 526W              | 1.1.26                          |
|-----------------------------+---------------------------------|
| Cisco SRP 527W              | 1.1.26                          |
|-----------------------------+---------------------------------|
| Cisco SRP 521W-U            | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 526W-U            | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 527W-U            | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 541W              | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 546W              | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 547W              | 1.2.4                           |
+---------------------------------------------------------------+
The latest Cisco SRP 500 Series Services Ready Platforms firmware can
be downloaded at:
http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm
Workarounds
===========
The Cisco SRP 500 Series devices are designed as CPE devices, and only
disabling access from the outside network will prevent exploitation
from remote networks. The following mitigations help limit exposure
to these vulnerabilities:
* Disable Remote Management
Caution: Do not disable remote management if administrators
manage devices using the WAN connection. This action will result
in a loss of management connectivity to the device.
Remote Management is disabled by default. If it is enabled,
administrators can disable this feature by choosing
Administration > Web Access Management. Change the setting for
the Remote Management field to Disabled.
Disabling remote management limits exposure because the
vulnerabilities can then be exploited from the internal LAN
only.
* Limit Remote Management Access to Specific IP Addresses
If remote management is required, secure the device so that it
can be accessed by certain IP addresses only, rather than the
default setting of All IP Addresses. After choosing
Administration > Web Access Management, an administrator can
change the Allowed Remote IP Address setting to ensure that only
devices with specified IP addresses can access the device.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers should obtain upgraded software through their regular update
channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at:
http://www.cisco.com
If the information is not clear, please contact the Cisco Small
Business Support Center or your contracted maintenance provider for
assistance. Small Business Support Center contacts are as follows.
+1 866 606 1866 (toll free from within North America)
+1 408 418 1866 (toll call from anywhere in the world)
Customers should have their product serial number available.
For additional support contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages refer to:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Customers with Service Contracts
+-------------------------------
See the Obtaining Fixed Software section of this advisory.
Customers Using Third-Party Support Organizations
+------------------------------------------------
See the Obtaining Fixed Software section of this advisory.
Customers Without Service Contracts
+----------------------------------
See the Obtaining Fixed Software section of this advisory.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were reported to Cisco by Michal Sajdak of
Securitum, Poland.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-02-23 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj
zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85
=WMsW
-----END PGP SIGNATURE-----
| VAR-201202-0169 | CVE-2012-0363 | Multiple Cisco products: arbitrary command execution vulnerability in the web interface |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The web interface on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability," aka Bug ID CSCtt46871. The web interface of multiple Cisco products contains a vulnerability that allows arbitrary commands to be executed; the problem is tracked as Bug ID CSCtt46871. Arbitrary commands may be executed by a remote authenticated user. Cisco Small Business SRP500 series appliances are prone to a remote command-injection vulnerability.
Successful exploits will result in the execution of operating system commands in the context of the root user. This may facilitate a complete compromise of an affected device.
This issue is being tracked by Cisco bug ID CSCtt46871.
These
vulnerabilities could be exploited from the local LAN side of the SRP
device by default configuration and the WAN side of the SRP device if
remote management is enabled. Remote management is disabled by
default.
Cisco has released free software updates that address these
vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco SRP 520 Series models are affected if running
firmware prior to version 1.1.26:
* Cisco SRP 521W
* Cisco SRP 526W
* Cisco SRP 527W
The following Cisco SRP 520W-U Series models are affected if running
firmware prior to version 1.2.4:
* Cisco SRP 521W-U
* Cisco SRP 526W-U
* Cisco SRP 527W-U
The following Cisco SRP 540 Series models are affected if running
firmware prior to version 1.2.4:
* Cisco SRP 541W
* Cisco SRP 546W
* Cisco SRP 547W
To view the firmware version on a device, log in to the Services
Ready Platform Configuration Utility and navigate to the Status >
Router page to view information about the Cisco SRP Series device and
its firmware status. The Firmware Version field indicates the
current running version of firmware on the Cisco SRP 500 Series
device.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco SRP 500 Series devices are a flexible, cost-effective,
fixed-configuration customer premises equipment (CPE) with embedded
intelligence to enable service providers to create, provision, and
deploy premium revenue-generating services to small businesses on an
as-needed basis. These vulnerabilities
could be exploited from the local LAN side of the SRP device by
default configuration and the WAN side of the SRP device if remote
management is enabled. Remote management is disabled by default.
An attacker could exploit this vulnerability by either enticing an
administrator to access a crafted link or by performing a
man-in-the-middle attack to intercept an authenticated session.
An attacker could exploit this vulnerability by first creating a
desired configuration file and then uploading it using the
unauthenticated URL. An exploit could allow the attacker to alter the
configuration of the Cisco SRP 500 Series device. An
attacker could exploit this vulnerability by enticing an authenticated
user to click on a crafted link or by installing malicious files on
the FTP or HTTP server that the administrators of the device may use.
An exploit could allow the attacker to install malicious software on
the Cisco SRP 500 Series device to launch future attacks.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection
Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration
Upload Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Complete
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may result in the
execution of arbitrary commands on the device or the uploading of
files that may be malicious, which may allow the attacker to alter the
device configuration.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
As well as any subsequent advisories to determine exposure and a
complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------------------------------+
| Affected Product            | First Fixed Release             |
|-----------------------------+---------------------------------|
| Cisco SRP 521W              | 1.1.26                          |
|-----------------------------+---------------------------------|
| Cisco SRP 526W              | 1.1.26                          |
|-----------------------------+---------------------------------|
| Cisco SRP 527W              | 1.1.26                          |
|-----------------------------+---------------------------------|
| Cisco SRP 521W-U            | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 526W-U            | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 527W-U            | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 541W              | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 546W              | 1.2.4                           |
|-----------------------------+---------------------------------|
| Cisco SRP 547W              | 1.2.4                           |
+---------------------------------------------------------------+
The latest Cisco SRP 500 Series Services Ready Platforms firmware can
be downloaded at:
http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm
Workarounds
===========
The Cisco SRP 500 Series devices are designed as CPE devices, and only
disabling access from the outside network will prevent exploitation
from remote networks. The following mitigations help limit exposure
to these vulnerabilities:
* Disable Remote Management
Caution: Do not disable remote management if administrators
manage devices using the WAN connection. This action will result
in a loss of management connectivity to the device.
Remote Management is disabled by default. If it is enabled,
administrators can disable this feature by choosing
Administration > Web Access Management. Change the setting for
the Remote Management field to Disabled.
Disabling remote management limits exposure because the
vulnerabilities can then be exploited from the internal LAN
only.
* Limit Remote Management Access to Specific IP Addresses
If remote management is required, secure the device so that it
can be accessed by certain IP addresses only, rather than the
default setting of All IP Addresses. After choosing
Administration > Web Access Management, an administrator can
change the Allowed Remote IP Address setting to ensure that only
devices with specified IP addresses can access the device.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers should obtain upgraded software through their regular update
channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at:
http://www.cisco.com
If the information is not clear, please contact the Cisco Small
Business Support Center or your contracted maintenance provider for
assistance. Small Business Support Center contacts are as follows.
+1 866 606 1866 (toll free from within North America)
+1 408 418 1866 (toll call from anywhere in the world)
Customers should have their product serial number available.
For additional support contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages refer to:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Customers with Service Contracts
+-------------------------------
See the Obtaining Fixed Software section of this advisory.
Customers Using Third-Party Support Organizations
+------------------------------------------------
See the Obtaining Fixed Software section of this advisory.
Customers Without Service Contracts
+----------------------------------
See the Obtaining Fixed Software section of this advisory.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not aware
of any public announcements or malicious use of the vulnerabilities
that are described in this advisory.
These vulnerabilities were reported to Cisco by Michal Sajdak of
Securitum, Poland.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-02-23 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201210-0417 | CVE-2012-5323 |
Xavi X7968 Vulnerable to cross-site request forgery
Related entries in the VARIoT exploits database: VAR-E-201202-0072, VAR-E-201202-0070, VAR-E-201202-0071 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in webconfig/admin_passwd/passwd.html/admin_passwd in Xavi X7968 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysUserName, sysPassword, and sysCfmPwd parameters. The Xavi 7968 ADSL Router is an ADSL router device. There is a vulnerability in the Xavi 7968 ADSL Router. Because the program fails to properly validate user-submitted requests, an attacker can build a malicious URI, trick a user into opening it, and have privileged commands run on the device, such as changing the configuration, causing a denial of service, or injecting arbitrary script code. Xavi 7968 ADSL Router is prone to cross-site scripting, HTML-injection and cross-site request forgery vulnerabilities.
The attacker can exploit the issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, or perform certain administrative functions on the victim's behalf. Other attacks are also possible.
TITLE:
XAVi X7968 Cross-Site Scripting and Request Forgery Vulnerabilities
SECUNIA ADVISORY ID:
SA48050
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48050/
RELEASE DATE:
2012-03-06
DESCRIPTION:
Two vulnerabilities have been reported in XAVi X7968, which can be
exploited by malicious people to conduct cross-site scripting and
request forgery attacks.
1) Input passed via the "pvcName" parameter to
webconfig/wan/confirm.html/confirm is not properly sanitised before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of an affected device.
2) The device's web interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to, e.g., change an administrator's
password or conduct script insertion attacks by tricking a logged-in
administrator into visiting a malicious web site.
SOLUTION:
Filter malicious characters and character sequences using a proxy. Do
not browse untrusted sites or follow untrusted links while logged in
to the device.
PROVIDED AND/OR DISCOVERED BY:
Busindre
. (Admin privileges)
** XSS example: (Alert with Cookie)
http://192.168.1.1/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+
** Persistent XSS example: (Alert with Cookie)
Add code: http://192.168.1.1/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=192.168.1.1&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply
Exploit URL: http://192.168.1.1/webconfig/upgrade_image/image_upgrade.html
** Cross site request forgery example: (Change admin Password 1234 -> 12345):
http://192.168.1.2/webconfig/admin_passwd/passwd.html/admin_passwd?sysUserName=1234&sysPassword=12345&sysCfmPwd=12345&cmdSubmit=Apply
This is just an example, all forms in the router interface are vulnerable to CSRF and if they accept text input, to XSS.
Author: Busindre busilezas[@]gmail.com
| VAR-201202-0350 | No CVE | Advantech/Broadwin HMI/SCADA RPC Remote code execution vulnerability |
CVSS V2: 7.0 CVSS V3: - Severity: HIGH |
BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation. A vulnerability exists in the implementation of Advantech/Broadwin HMI/SCADA WebAccess 6.x.x/7.x.x that could be exploited by a remote attacker to execute arbitrary code on the system.
| VAR-201202-0342 | CVE-2012-1234 | Advantech/BroadWin WebAccess SQL Injection Vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to execute arbitrary SQL commands via a malformed URL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0234. BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation.
| VAR-201202-0343 | CVE-2012-1235 | Advantech/BroadWin WebAccess Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.0 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0235. Advantech/BroadWin WebAccess contains a cross-site request forgery vulnerability. BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation.