VARIoT IoT vulnerabilities database

Cisco TelePresence Recording Server devices with software 1.6.x do not require authentication for an XML-RPC interface, which allows remote attackers to perform unspecified actions via a session on TCP port 8080, aka Bug ID CSCtg35833. Cisco TelePresence is a Cisco TelePresence solution that works in time with colleagues, partners, and customers around the world. An attacker can exploit these issues to execute arbitrary commands, cause denial-of-service conditions, gain unauthorized access, or potentially completely compromise an affected device. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. This security advisory outlines details of the following vulnerabilities: * Unauthenticated Java Servlet Access * Common Gateway Interface (CGI) Command Injection * Unauthenticated Arbitrary File Upload * XML-Remote Procedure Call (RPC) Arbitrary File Overwrite * Cisco Discovery Protocol Remote Code Execution * Ad Hoc Recording Denial of Service * Java Remote method Invocation (RMI) Denial of Service * Unauthenticated XML-RPC Interface Duplicate Issue Identification in Other Cisco TelePresence Advisories +-------------------------------------------------------------------- The Unauthenticated Java Servlet Access vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect that is related to each component is covered in each associated advisory. The defect that is related to each component is covered in each associated advisory. The defect that is related to each component is covered in each associated advisory. The defect that is related to each component is covered in each associated advisory. The following table provides information that pertains to affected software releases: +-----------------------------------------+ | | Cisco Bug | Affected | | Description | ID | Software | | | | Releases | |-----------------+------------+----------| | Unauthenticated | | | | Java Servlet | CSCtf42005 | 1.6.x | | Access | | | |-----------------+------------+----------| | CGI Command | CSCtf97221 | 1.6.x | | Injection | | | |-----------------+------------+----------| | Unauthenticated | | | | Arbitrary File | CSCth85786 | 1.6.x | | Upload | | | |-----------------+------------+----------| | XML-RPC | | 1.6.x, | | Arbitrary File | CSCti50739 | 1.7.0 | | Overwrite | | | |-----------------+------------+----------| | Cisco Discovery | | | | Protocol Remote | CSCtd75769 | 1.6.x | | Code Execution | | | |-----------------+------------+----------| | Ad Hoc | | | | Recording | CSCtf97205 | 1.6.x | | Denial of | | | | Service | | | |-----------------+------------+----------| | Java RMI Denial | CSCtg35830 | 1.6.x | | of Service | | | |-----------------+------------+----------| | Unauthenticated | | | | XML-RPC | CSCtg35833 | 1.6.x | | Interface | | | +-----------------------------------------+ Vulnerable Products +------------------ Cisco TelePresence Recording Server devices that are running an affected version of software are affected. To determine the current version of software that is running on the Cisco TelePresence Recording Server, SSH into the device and issue the show version active and the show version inactive commands. The output should resemble the following example: admin: show version active Active Master Version: 1.7.0.0-151 Active Version Installed Software Options: No Installed Software Options Found. admin: show version inactive Inactive Master Version: 1.6.2.0-237 Inactive Version Installed Software Options: No Installed Software Options Found. In the preceding example, the system has versions 1.6.2 and 1.7.0 loaded on the device and version 1.7.0 is currently active. A device is affected only by vulnerabilities that are present in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. These vulnerabilities are independent of each other. CGI Command Injection +-------------------- A CGI command injection vulnerability exists within the Cisco TelePresence Recording Server that could allow a remote, unauthenticated attacker to execute arbitrary commands with elevated privileges. To successfully exploit this vulnerability the attacker would need the ability to submit a malformed request to an affected device via TCP port 443. An unauthenticated, remote attacker could place content to arbitrary locations on the device by submitting crafted requests to the affected device. To successfully exploit this vulnerability the attacker would need the ability to submit a crafted request to an affected device on TCP port 80 or 443. This vulnerability could be leveraged to obtain full control of the affected device. To successfully exploit this vulnerability the attacker would need the ability to submit a malformed request to an affected device via TCP port 12102 or 12104. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. To exploit this vulnerability, the attacker must submit a malicious Cisco Discovery Protocol packet to the affected system. Because Cisco Discovery Protocol works at the data-link layer (Layer 2), an attacker must have a way to submit an Ethernet frame directly to an affected device. This may be possible in situations where the affected system is part of a bridged network or connected to a nonpartitioned device such as a network hub. The vulnerability could allow an unauthenticated, remote attacker to cause all recording and playback threads on the device to be consumed. A restart of the affected device may be required to regain functionality. To successfully exploit this vulnerability the attacker would need the ability to submit a malformed request to an affected device via TCP port 80. Java RMI Denial of Service +------------------------- A denial of service vulnerability exists within Cisco TelePresence Recording Server devices due to a failure to properly restrict access to the RMI interface of the Java Servlet framework. An unauthenticated, remote attacker could trigger an out-of-memory condition on the Servlet host by issuing a series of crafted requests. To successfully exploit this vulnerability the attacker would need the ability to communicate to an affected device on TCP port 8999. This vulnerability could allow an unauthenticated, remote attacker to perform a limited number of actions on the system that should be restricted to authorized users. To successfully exploit this vulnerability the attacker would need the ability to communicate to an affected device on TCP port 8080. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. * CSCtf42005 - Unauthenticated Java Servlet Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf97221 - CGI Command Injection CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth85786 - Unauthenticated Arbitrary File Upload CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCti50739 - XML-RPC Arbitrary File Overwrite CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75769 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf97205 - Ad Hoc Recording Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg35830 - Java RMI Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg35833 - Unauthenticated XML-RPC Interface CVSS Base Score - 7.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Partial CVSS Temporal Score - 6.2 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated Java Servlet Access (CSCtf42005) vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device or system. Successful exploitation of the CGI Command Injection (CSCtf97221) vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device or system. Successful exploitation of the Unauthenticated Arbitrary File Upload (CSCth85786) vulnerability could allow an unauthenticated, remote attacker to place or overwrite arbitrary files on the affected system. This may allow the attacker to gain full control of the affected device. Successful exploitation of the XML-RPC Arbitrary File Overwrite (CSCti50739) vulnerability could allow an unauthenticated, remote attacker to create a denial of service condition. In some instances this issue could be leveraged to gain complete control of the affected system. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75769) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system. Successful exploitation of the Ad Hoc Recording Denial of Service (CSCtf97205) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected device. Successful exploitation of the Java RMI Denial of Service (CSCtg35830) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible. Successful exploitation of the Unauthenticated XML-RPC Interface (CSCtg35833) vulnerability could allow an unauthenticated, remote attacker to perform a number of actions that should be restricted to authenticated users. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the first fixed release, and the recommended release to resolve all the security issues identified in this advisory as well as other non-security-related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities identified within this Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-February-23 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lHp0ACgkQQXnnBKKRMNDi6gD9FHcn7qE/BjeRZk7WFzDaN7m/ +eea5C4SM6kS1uQK5DoA/152WnbmatSGw6hJP/e2MSmWOqU1IKU5oxZOO8uqrShf =xAVI -----END PGP SIGNATURE-----

The XML-RPC implementation on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, 1.6.x, and 1.7.0 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka Bug ID CSCtj44534. The problem is Bug ID CSCtj44534 It is a problem.Service disruption through a crafted request by a third party ( Process crash ) There is a possibility of being put into a state. Multiple denial-of-service vulnerabilities 2. A security-bypass vulnerability 3. An unauthorized-access vulnerability An attacker can exploit these issues to bypass certain security restrictions and cause a denial-of-service condition. Other attacks are also possible. These issues are being tracked by the following Cisco Bug IDs: CSCtf01253 CSCtf97164 CSCth60993 CSCtj44534. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. This security advisory outlines details of the following vulnerabilities: * Unauthenticated Java Servlet Access * Unauthenticated Arbitrary File Upload * Cisco Discovery Protocol Remote Code Execution * Unauthorized Servlet Access * Java RMI Denial of Service * Real-Time Transport Control Protocol Denial of Service * XML-Remote Procedure Call (RPC) Denial of Service Duplicate Issue Identification in Other Cisco TelePresence Advisories The Unauthenticated Java Servlet Access vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect as related to each component is covered in each associated advisory. The defect as related to each component is covered in each associated advisory. The defect as related to each component is covered in each associated advisory. The defect as related to each component is covered in each associated advisory. The output should resemble the following example: admin: show version active Active Master Version: 1.7.0.0-471 Active Version Installed Software Options: No Installed Software Options Found. admin: show version inactive Inactive Master Version: 1.6.1.0-336 Inactive Version Installed Software Options: No Installed Software Options Found. In the preceding example, the system has versions 1.6.1 and 1.7.0 loaded on the device and version 1.7.0 is currently active. A device is only affected by vulnerabilities in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities Details ======= The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. Unauthenticated Java Servlet Access +---------------------------------- A number of sensitive Java Servlets delivered via a Java Servlet framework in the Cisco Telepresence Multipoint Switch could allow a remote, unauthenticated attacker to perform actions that should be restricted to administrative users only. The attacker would need the ability to submit a crafted request to an affected device on TCP port 80, 443, or 8080. An attacker must perform a three-way TCP handshake and establish a valid session to exploit these vulnerabilities. * CTMS - CSCtf42008 ( registered customers only) has been assigned the CVE identifier CVE-2011-0383. * CTMS - CSCtf01253 ( registered customers only) has been assigned the CVE identifier CVE-2011-0384. An unauthenticated, remote attacker could submit a crafted request to an affected device that would allow for the placement of attacker-controlled content in arbitrary locations on the device. The attacker would need the ability to submit a crafted request to an affected device on TCP port 80 or 443. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCth61065 ( registered customers only) has been assigned the CVE identifier CVE-2011-0385. An unauthenticated, adjacent attacker could exploit the vulnerability by submitting a malicious Cisco Discovery Protocol packet to the affected system. When parsed, the malicious packet may trigger a buffer overflow. Because Cisco Discovery Protocol works at the data link layer (Layer 2), an attacker must have a way to submit an Ethernet frame directly to an affected device. This may be possible in situations where the affected system is part of a bridged network or connected to a nonpartitioned device such as a network hub. * CTMS - CSCtd75766 ( registered customers only) has been assigned the CVE identifier CVE-2011-0379. Unauthorized Servlet Access +-------------------------- An unauthorized servlet access issue exists in the administrative web interface of Cisco TelePresence Multipoint Switch devices. The attacker would need the ability to submit a crafted request to an affected device on TCP port 80 or 443. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCtf97164 ( registered customers only) has been assigned the CVE identifier CVE-2011-0387. An unauthenticated, remote attacker could trigger an out-of-memory condition on the servlet host by issuing a series of crafted requests. The attacker would need the ability to communicate to an affected device on TCP port 8999. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCtg35825 ( registered customers only) has been assigned the CVE identifier CVE-2011-0388. An unauthenticated, remote attacker could send a malicious RTCP packet to a listening RTCP control port to crash the call control process. The attacker would need to have the ability to communicate to an affected device on a UDP port that was randomly selected and negotiated during call setup. Because the vulnerability is within a UDP-based service, the attacker would not be required to perform a handshake prior to making the crafted request. This could allow the attacker to spoof the source address of an attack. * CTMS - CSCth60993 ( registered customers only) has been assigned the CVE identifier CVE-2011-0389. A remote, unauthenticated attacker could send a malicious request to an affected device to trigger a crash of the call geometry process. The attacker would need the ability to communicate to an affected device on TCP port 9000. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCtj44534 ( registered customers only) has been assigned the CVE identifier CVE-2011-0390. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf42008 - Unauthenticated Java Servlet Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf01253 - Unauthenticated Java Servlet Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth61065 - Unauthenticated Arbitrary File Upload CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75766 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf97164 - Unauthorized Servlet Access CVSS Base Score - 8.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Complete CVSS Temporal Score - 6.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg35825 - Java RMI Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth60993 - Real-Time Transport Control Protocol Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtj44534 - XML-RPC Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated Java Servlet (CSCtf42008, CSCtf01253) vulnerabilities could allow an unauthenticated, remote attacker to take complete control of the affected device. Successful exploitation of the Unauthenticated Arbitrary File Upload (CSCth61065) vulnerability could allow an unauthenticated, remote attacker to place or overwrite arbitrary files on the affected system. This may allow the attacker to gain full control of the affected device. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75766) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system. Successful exploitation of the Unauthorized Servlet Access (CSCtf97164) vulnerability could allow a remote, authenticated attacker to perform certain actions on the system that should be restricted by the attacker's privilege level. Successful exploitation of the Java RMI Denial of Service (CSCtg35825) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible. Successful exploitation of the Real-Time Transport Control Protocol Denial of Service (CSCth60993) vulnerability could allow an unauthenticated, remote attacker to terminate all active calls on the affected device. Successful exploitation of the XML-RPC Denial of Service (CSCtj44534) vulnerability could allow an unauthenticated, remote attacker to terminate all current calls and potentially cause the device to become unusable for future calls. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the "First Fixed Release", and the "Recommended Release" to resolve all of the security issues identified in this advisory as well as other non-security related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. +------------------------------------------------------------------+ | | | | First | Recommended | | Vulnerability | Bug ID | Component | Fixed | Release | | | | | Version | | |-----------------+------------+-----------+---------+-------------| | Unauthenticated | CSCtf01253 | CTMS | 1.7.0 | 1.7.1 | |Java Servlet |------------+-----------+---------+-------------| | Access | CSCtf42008 | CTMS | 1.7.0 | 1.7.1 | |-----------------+------------+-----------+---------+-------------| | Unauthenticated | | | | | | Arbitrary File | CSCth61065 | CTMS | 1.7.0 | 1.7.1 | | Upload | | | | | |-----------------+------------+-----------+---------+-------------| | Cisco Discovery | | | | | | Protocol Remote | CSCtd75766 | CTMS | 1.7.0 | 1.7.1 | | Code Execution | | | | | |-----------------+------------+-----------+---------+-------------| | Unauthorized | CSCtf97164 | CTMS | 1.7.0 | 1.7.1 | | Servlet Access | | | | | |-----------------+------------+-----------+---------+-------------| | Java RMI JBOSS | | | | | | Denial of | CSCtg35825 | CTMS | 1.7.0 | 1.7.1 | | Service | | | | | |-----------------+------------+-----------+---------+-------------| | Real-Time | | | | | | Transport | | | | | | Control | CSCth60993 | CTMS | 1.7.0 | 1.7.1 | | Protocol Denial | | | | | | of Service | | | | | |-----------------+------------+-----------+---------+-------------| | XML-RPC Denial | CSCtj44534 | CTMS | 1.7.1 | 1.7.1 | | of Service | | | | | +------------------------------------------------------------------+ It is recommended that all components of the Cisco TelePresence solution be upgraded to 1.7.1 or greater. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities identified within this Cisco Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctms.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-February-23 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lGIgACgkQQXnnBKKRMNBBNQD+IwqhL7IFqfRCVCE1tbY8JLIy WDnDjjUQ7wOvoq1TemQA/2IZTmd9iLO+4qVFvHgKZTsGGVDYCzz3+DO5jHQ/6bse =KSfu -----END PGP SIGNATURE-----

Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allow remote attackers to cause a denial of service (process crash) via a crafted Real-Time Transport Control Protocol (RTCP) UDP packet, aka Bug ID CSCth60993. Multiple denial-of-service vulnerabilities 2. A security-bypass vulnerability 3. An unauthorized-access vulnerability An attacker can exploit these issues to bypass certain security restrictions and cause a denial-of-service condition. Other attacks are also possible. These issues are being tracked by the following Cisco Bug IDs: CSCtf01253 CSCtf97164 CSCth60993 CSCtj44534. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The defect as related to each component is covered in each associated advisory. The defect as related to each component is covered in each associated advisory. The defect as related to each component is covered in each associated advisory. The defect as related to each component is covered in each associated advisory. The output should resemble the following example: admin: show version active Active Master Version: 1.7.0.0-471 Active Version Installed Software Options: No Installed Software Options Found. admin: show version inactive Inactive Master Version: 1.6.1.0-336 Inactive Version Installed Software Options: No Installed Software Options Found. In the preceding example, the system has versions 1.6.1 and 1.7.0 loaded on the device and version 1.7.0 is currently active. A device is only affected by vulnerabilities in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities Details ======= The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. Unauthenticated Java Servlet Access +---------------------------------- A number of sensitive Java Servlets delivered via a Java Servlet framework in the Cisco Telepresence Multipoint Switch could allow a remote, unauthenticated attacker to perform actions that should be restricted to administrative users only. The attacker would need the ability to submit a crafted request to an affected device on TCP port 80, 443, or 8080. An attacker must perform a three-way TCP handshake and establish a valid session to exploit these vulnerabilities. * CTMS - CSCtf42008 ( registered customers only) has been assigned the CVE identifier CVE-2011-0383. * CTMS - CSCtf01253 ( registered customers only) has been assigned the CVE identifier CVE-2011-0384. An unauthenticated, remote attacker could submit a crafted request to an affected device that would allow for the placement of attacker-controlled content in arbitrary locations on the device. The attacker would need the ability to submit a crafted request to an affected device on TCP port 80 or 443. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCth61065 ( registered customers only) has been assigned the CVE identifier CVE-2011-0385. An unauthenticated, adjacent attacker could exploit the vulnerability by submitting a malicious Cisco Discovery Protocol packet to the affected system. When parsed, the malicious packet may trigger a buffer overflow. Because Cisco Discovery Protocol works at the data link layer (Layer 2), an attacker must have a way to submit an Ethernet frame directly to an affected device. This may be possible in situations where the affected system is part of a bridged network or connected to a nonpartitioned device such as a network hub. * CTMS - CSCtd75766 ( registered customers only) has been assigned the CVE identifier CVE-2011-0379. Unauthorized Servlet Access +-------------------------- An unauthorized servlet access issue exists in the administrative web interface of Cisco TelePresence Multipoint Switch devices. The attacker would need the ability to submit a crafted request to an affected device on TCP port 80 or 443. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCtf97164 ( registered customers only) has been assigned the CVE identifier CVE-2011-0387. An unauthenticated, remote attacker could trigger an out-of-memory condition on the servlet host by issuing a series of crafted requests. The attacker would need the ability to communicate to an affected device on TCP port 8999. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCtg35825 ( registered customers only) has been assigned the CVE identifier CVE-2011-0388. An unauthenticated, remote attacker could send a malicious RTCP packet to a listening RTCP control port to crash the call control process. The attacker would need to have the ability to communicate to an affected device on a UDP port that was randomly selected and negotiated during call setup. Because the vulnerability is within a UDP-based service, the attacker would not be required to perform a handshake prior to making the crafted request. This could allow the attacker to spoof the source address of an attack. * CTMS - CSCth60993 ( registered customers only) has been assigned the CVE identifier CVE-2011-0389. A remote, unauthenticated attacker could send a malicious request to an affected device to trigger a crash of the call geometry process. The attacker would need the ability to communicate to an affected device on TCP port 9000. An attacker must perform a three-way TCP handshake and establish a valid session to exploit this vulnerability. * CTMS - CSCtj44534 ( registered customers only) has been assigned the CVE identifier CVE-2011-0390. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtf42008 - Unauthenticated Java Servlet Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf01253 - Unauthenticated Java Servlet Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth61065 - Unauthenticated Arbitrary File Upload CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75766 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtf97164 - Unauthorized Servlet Access CVSS Base Score - 8.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Complete CVSS Temporal Score - 6.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg35825 - Java RMI Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth60993 - Real-Time Transport Control Protocol Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtj44534 - XML-RPC Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated Java Servlet (CSCtf42008, CSCtf01253) vulnerabilities could allow an unauthenticated, remote attacker to take complete control of the affected device. Successful exploitation of the Unauthenticated Arbitrary File Upload (CSCth61065) vulnerability could allow an unauthenticated, remote attacker to place or overwrite arbitrary files on the affected system. This may allow the attacker to gain full control of the affected device. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75766) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system. Successful exploitation of the Unauthorized Servlet Access (CSCtf97164) vulnerability could allow a remote, authenticated attacker to perform certain actions on the system that should be restricted by the attacker's privilege level. Successful exploitation of the Java RMI Denial of Service (CSCtg35825) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible. Successful exploitation of the XML-RPC Denial of Service (CSCtj44534) vulnerability could allow an unauthenticated, remote attacker to terminate all current calls and potentially cause the device to become unusable for future calls. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the "First Fixed Release", and the "Recommended Release" to resolve all of the security issues identified in this advisory as well as other non-security related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities identified within this Cisco Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctms.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2011-February-23 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lGIgACgkQQXnnBKKRMNBBNQD+IwqhL7IFqfRCVCE1tbY8JLIy WDnDjjUQ7wOvoq1TemQA/2IZTmd9iLO+4qVFvHgKZTsGGVDYCzz3+DO5jHQ/6bse =KSfu -----END PGP SIGNATURE-----

The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote attackers to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31640. The problem is Bug ID CSCtb31640 It is a problem.Arbitrary commands may be executed by a third party via a malformed request. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. To exploit these vulnerabilities, an attacker must send a malformed request to the affected device's TCP port 8082. Cisco TelePresence endpoint devices are prone to multiple vulnerabilities. An attacker can exploit these issues to execute arbitrary commands, disclose potentially sensitive information, or cause denial-of-service conditions. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The defect that is related to each component is covered in each associated advisory. To determine the current version of software that is running on the endpoint, access the device via SSH and issue the show version command. The output should resemble the following example. The version that is active on the system will be marked by an asterisk character (*). admin: show version primary Factory CTS 1.4.2(2194) *Slot 1 CTS 1.7.1(4750) P1 Slot 2 CTS 1.6.2(2835) P1 admin: In the preceding example, the system has versions 1.4.2, 1.6.2, and 1.7.1 loaded on the device and version 1.7.1 is currently active. A device is affected only by vulnerabilities that are present in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. An attacker must perform a three-way TCP handshake and establish a valid session to exploit these vulnerabilities: * Cisco TelePresence endpoint - CSCtb31685 ( registered customers only) has been assigned the CVE identifier CVE-2011-0373. Because the vulnerability is within a UDP based service, the attacker would not be required to perform a handshake prior to making the crafted request. However, due to the fact that this is an information disclosure issue the attacker would need to supply a valid return IP address to retrieve the information. An attacker with the ability to impersonate a Cisco TelePresence Manager system could remotely inject an invalid IP address into a configuration file that could cause a critical service on the device to crash. An endpoint affected by this issue will remain unusable until it has been manually restored to a known good state. Restoration of service may require an administrator to reload software on the affected device. The issue may require that the attacker perform an ARP spoofing or other form of impersonation attack. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. Because Cisco Discovery Protocol functions at the Data-Link (L2) layer, an attacker must submit an Ethernet frame directly to an affected device. This scenario may be possible when affected systems are part of a bridged network or connected to a nonpartitioned device such as a network hub. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtb31640 - Unauthenticated CGI Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb31685 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb31659 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth24671 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCte43876 - TFTP Information Disclosure CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth03605 - Malicious IP Address Injection CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb52587 - XML-RPC Command Injection CVSS Base Score - 8.3 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75754 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated CGI Access (CSCtb31640) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected device or system. Successful exploitation of the TFTP Information Disclosure (CSCte43876) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected system. Successful exploitation of the Malicious IP Address Injection (CSCth03605) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected system. Successful exploitation of the XML-RPC Command Injection (CSCtb52587) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75754) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the first fixed release, and the recommended release to resolve all the security issues identified in this advisory as well as other non-security-related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. All vulnerabilities identified in this Cisco Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-cts.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Intial | | 1.0 | 2011-February-23 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lJpgACgkQQXnnBKKRMNAkUAD6ApT3xpU4A4OutzIXLIDjQ4Gn OIBwpovUdzC/bWS4QjoA/ikyL3RwYvau4o3CkCFyciwaxbk/o5Pmtg0tulTQWWjv =HXfS -----END PGP SIGNATURE-----

The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31659. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. To exploit these vulnerabilities, an attacker must send a malformed request to the affected device's TCP port 443. An attacker must perform three TCP handshakes and establish a legitimate session to exploit these vulnerabilities. Cisco TelePresence endpoint devices are prone to multiple vulnerabilities. An attacker can exploit these issues to execute arbitrary commands, disclose potentially sensitive information, or cause denial-of-service conditions. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The defect that is related to each component is covered in each associated advisory. To determine the current version of software that is running on the endpoint, access the device via SSH and issue the show version command. The output should resemble the following example. The version that is active on the system will be marked by an asterisk character (*). admin: show version primary Factory CTS 1.4.2(2194) *Slot 1 CTS 1.7.1(4750) P1 Slot 2 CTS 1.6.2(2835) P1 admin: In the preceding example, the system has versions 1.4.2, 1.6.2, and 1.7.1 loaded on the device and version 1.7.1 is currently active. A device is affected only by vulnerabilities that are present in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. Because the vulnerability is within a UDP based service, the attacker would not be required to perform a handshake prior to making the crafted request. However, due to the fact that this is an information disclosure issue the attacker would need to supply a valid return IP address to retrieve the information. An attacker with the ability to impersonate a Cisco TelePresence Manager system could remotely inject an invalid IP address into a configuration file that could cause a critical service on the device to crash. An endpoint affected by this issue will remain unusable until it has been manually restored to a known good state. Restoration of service may require an administrator to reload software on the affected device. The issue may require that the attacker perform an ARP spoofing or other form of impersonation attack. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. Because Cisco Discovery Protocol functions at the Data-Link (L2) layer, an attacker must submit an Ethernet frame directly to an affected device. This scenario may be possible when affected systems are part of a bridged network or connected to a nonpartitioned device such as a network hub. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtb31640 - Unauthenticated CGI Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb31685 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb31659 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth24671 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCte43876 - TFTP Information Disclosure CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth03605 - Malicious IP Address Injection CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb52587 - XML-RPC Command Injection CVSS Base Score - 8.3 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75754 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated CGI Access (CSCtb31640) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected device or system. Successful exploitation of the TFTP Information Disclosure (CSCte43876) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected system. Successful exploitation of the Malicious IP Address Injection (CSCth03605) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected system. Successful exploitation of the XML-RPC Command Injection (CSCtb52587) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75754) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the first fixed release, and the recommended release to resolve all the security issues identified in this advisory as well as other non-security-related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. All vulnerabilities identified in this Cisco Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-cts.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Intial | | 1.0 | 2011-February-23 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lJpgACgkQQXnnBKKRMNAkUAD6ApT3xpU4A4OutzIXLIDjQ4Gn OIBwpovUdzC/bWS4QjoA/ikyL3RwYvau4o3CkCFyciwaxbk/o5Pmtg0tulTQWWjv =HXfS -----END PGP SIGNATURE-----

The CGI implementation on Cisco TelePresence endpoint devices with software 1.2.x through 1.5.x allows remote authenticated users to execute arbitrary commands via a malformed request, related to "command injection vulnerabilities," aka Bug ID CSCtb31685. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. To exploit these vulnerabilities, an attacker must send a malformed request to the affected device's TCP port 443. An attacker must perform three TCP handshakes and establish a legitimate session to exploit these vulnerabilities. Cisco TelePresence endpoint devices are prone to multiple vulnerabilities. An attacker can exploit these issues to execute arbitrary commands, disclose potentially sensitive information, or cause denial-of-service conditions. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The defect that is related to each component is covered in each associated advisory. To determine the current version of software that is running on the endpoint, access the device via SSH and issue the show version command. The output should resemble the following example. The version that is active on the system will be marked by an asterisk character (*). admin: show version primary Factory CTS 1.4.2(2194) *Slot 1 CTS 1.7.1(4750) P1 Slot 2 CTS 1.6.2(2835) P1 admin: In the preceding example, the system has versions 1.4.2, 1.6.2, and 1.7.1 loaded on the device and version 1.7.1 is currently active. A device is affected only by vulnerabilities that are present in the active software version. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. Because the vulnerability is within a UDP based service, the attacker would not be required to perform a handshake prior to making the crafted request. However, due to the fact that this is an information disclosure issue the attacker would need to supply a valid return IP address to retrieve the information. An attacker with the ability to impersonate a Cisco TelePresence Manager system could remotely inject an invalid IP address into a configuration file that could cause a critical service on the device to crash. An endpoint affected by this issue will remain unusable until it has been manually restored to a known good state. Restoration of service may require an administrator to reload software on the affected device. The issue may require that the attacker perform an ARP spoofing or other form of impersonation attack. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. Because Cisco Discovery Protocol functions at the Data-Link (L2) layer, an attacker must submit an Ethernet frame directly to an affected device. This scenario may be possible when affected systems are part of a bridged network or connected to a nonpartitioned device such as a network hub. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtb31640 - Unauthenticated CGI Access CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb31685 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb31659 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth24671 - CGI Command Injection CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCte43876 - TFTP Information Disclosure CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCth03605 - Malicious IP Address Injection CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtb52587 - XML-RPC Command Injection CVSS Base Score - 8.3 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtd75754 - Cisco Discovery Protocol Remote Code Execution CVSS Base Score - 7.9 Access Vector - Adjacent Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 6.5 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Unauthenticated CGI Access (CSCtb31640) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected device or system. Successful exploitation of the TFTP Information Disclosure (CSCte43876) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected system. Successful exploitation of the Malicious IP Address Injection (CSCth03605) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected system. Successful exploitation of the XML-RPC Command Injection (CSCtb52587) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75754) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the first fixed release, and the recommended release to resolve all the security issues identified in this advisory as well as other non-security-related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table. Workarounds =========== There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. All vulnerabilities identified in this Cisco Security Advisory were discovered internally by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-cts.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Intial | | 1.0 | 2011-February-23 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lJpgACgkQQXnnBKKRMNAkUAD6ApT3xpU4A4OutzIXLIDjQ4Gn OIBwpovUdzC/bWS4QjoA/ikyL3RwYvau4o3CkCFyciwaxbk/o5Pmtg0tulTQWWjv =HXfS -----END PGP SIGNATURE-----

Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 before 7.0(8.12), 7.1 and 7.2 before 7.2(5.2), 8.0 before 8.0(5.21), 8.1 before 8.1(2.49), 8.2 before 8.2(3.6), and 8.3 before 8.3(2.7) and Cisco PIX Security Appliances 500 series devices, when transparent firewall mode is configured but IPv6 is not configured, allow remote attackers to cause a denial of service (packet buffer exhaustion and device outage) via IPv6 traffic, aka Bug ID CSCtj04707. The problem is Bug ID CSCtj04707 It is a problem.By a third party IPv6 Service disruption through traffic (DoS) There is a possibility of being put into a state. When the security application device receives IPv6 communication but does not configure IPv6 operation, the number of available message buffers is reduced. IPv6 transit communication does not cause this problem. The administrator can submit the show blocks command to check the message buffer utilization. If the number of blocks is 0, the application device is affected by this vulnerability: ciscoasa# show blocks SIZE MAX LOW CNT 0 400 360 400 4 200 199 199 80 400 358 400 256 1412 1381 1412 1550 6274 0 0 ... An attacker can exploit these issues to disclose potentially sensitive information or to cause denial-of-service conditions. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml. Note: The Cisco Firewall Services Module (FWSM) is affected by one of these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. Transparent firewall mode is enabled on the appliance if the command "firewall transparent" is present in the configuration. The default firewall mode is routed, not transparent. Administrators can determine if SCCP inspection is enabled by issuing the "show service-policy | include skinny" command and confirming that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include skinny Inspect: skinny, packet 0, drop 0, reset-drop 0 Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of globally, which is displayed in the previous example. SCCP inspection is enabled by default. The following example displays an affected configuration (Cisco ASA Software version 8.0 and 8.1): router rip ... ! phone-proxy <instance name> media-termination address <IP address> ... <Rest of phone proxy feature configuration> Or (Cisco ASA Software version 8.2 and later): router rip ... ! media-termination <instance name> address <IP address> ! <Rest of phone proxy feature configuration> A security appliance is vulnerable if it is processing RIP messages ("router rip") and if a global media termination address is configured for the Cisco Phone Proxy feature (refer to previous example). Note that Cisco ASA Software versions 8.0 and 8.1 only allow a global media termination address. However, in Cisco ASA Software version 8.2 and later, it is possible to tie a media termination address to an interface. This configuration, which is accomplished by issuing the command "address <IP address> interface <interface name>" in media termination configuration mode, is not affected. Neither RIP nor the Cisco Phone Proxy feature is enabled by default. An affected configuration consists of the following minimum commands: crypto ca trustpoint <trustpoint name> keypair <keypair name> crl configure crypto ca server crypto ca certificate chain <trustpoint name> certificate ca 01 ... ! http server enable The local CA server is not enabled by default. Because Cisco PIX 500 Series Security Appliances reached the end of software maintenance releases milestone on July 28, 2009, no further software releases will be available. For more information, refer to the End of Life announcement at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How to Determine Software Versions +--------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. It offers firewall, intrusion prevention system (IPS), anti-X, and virtual private network (VPN) services. This vulnerability is documented in Cisco bug ID CSCtj04707 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0393. Appliances are only vulnerable if SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerability. This vulnerability is documented in Cisco bug ID CSCtg69457 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0394. Appliances are vulnerable only if both RIP and the Cisco Phone Proxy feature are enabled. Note: the affected configuration requires that a global media termination address is configured, which is the only possible configuration option in Cisco ASA Software versions 8.0 and 8.1. However, it is possible to tie a media termination address to an interface in Cisco ASA Software version 8.2 and later. This configuration is not vulnerable. This vulnerability is documented in Cisco bug ID CSCtg66583 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0395. but not system:) when the security appliance is configured as a local CA server. No authentication is required. File systems could contain sensitive information, such as backup device configurations (which may contain passwords or shared secrets), Cisco ASA Software images, or digital certificates. This vulnerability is documented in Cisco bug ID CSCtk12352 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0396. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtj04707 ("Possible packet buffer exhaustion when operating in transparent mode ") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg69457 ("SCCP inspection DoS vulnerability") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg66583 ("RIP denial of service vulnerability") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtk12352 ("Possible to browse flash memory when CA is enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- Successful exploitation of this vulnerability could cause a decrease in the number of available packet buffers. Repeated exploitation could eventually deplete all available packet buffers, which may cause an appliance to stop forwarding traffic. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition. RIP Denial of Service Vulnerability +---------------------------------- Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition. Unauthorized File System Access Vulnerability +-------------------------------------------- Successful exploitation of this vulnerability could allow unauthorized, unauthenticated users to retrieve files that are stored in an affected appliance's file system, which may contain sensitive information. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |---------------+---------+-------------| | | | 7.0(8.12); | | | | available | | | 7.0 | late | | | | February | | | | 2011 | | |---------+-------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5.2) | |Transparent |---------+-------------| | Firewall | 7.2 | 7.2(5.2) | |Packet Buffer |---------+-------------| | Exhaustion | 8.0 | 8.0(5.21) | |Vulnerability |---------+-------------| | (CSCtj04707) | | 8.1(2.49); | | | 8.1 | available | | | | early March | | | | 2011 | | |---------+-------------| | | 8.2 | 8.2(3.6) | | |---------+-------------| | | 8.3 | 8.3(2.7) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | 7.0(8.11) | | |---------+-------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5.1) | | |---------+-------------| | SCCP | 7.2 | 7.2(5.1) | |Inspection |---------+-------------| | Denial of | 8.0 | 8.0(5.19) | |Service |---------+-------------| | Vulnerability | 8.1 | 8.1(2.47) | |(CSCtg69457) |---------+-------------| | | 8.2 | 8.2(2.19) | | |---------+-------------| | | 8.3 | 8.3(1.8) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | Not | | | | vulnerable | | |---------+-------------| | | 7.1 | Not | | | | vulnerable | | |---------+-------------| | | 7.2 | Not | | RIP Denial of | | vulnerable | |Service |---------+-------------| | Vulnerability | 8.0 | 8.0(5.20) | |(CSCtg66583) |---------+-------------| | | 8.1 | 8.1(2.48) | | |---------+-------------| | | 8.2 | 8.2(3) | | |---------+-------------| | | 8.3 | 8.3(2.1) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | Not | | | | vulnerable | | |---------+-------------| | | 7.1 | Not | | | | vulnerable | | |---------+-------------| | | 7.2 | Not | | | | vulnerable | |Unauthorized |---------+-------------| | File System | 8.0 | 8.0(5.23) | |Access |---------+-------------| | Vulnerability | | 8.1(2.49); | | (CSCtk12352) | 8.1 | available | | | | early March | | | | 2011 | | |---------+-------------| | | 8.2 | 8.2(4.1) | | |---------+-------------| | | 8.3 | 8.3(2.13) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | +---------------------------------------+ Recommended Releases +------------------- The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. These vulnerabilities and their respective workarounds are independent of each other. Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- There are no workarounds for this vulnerability. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Administrators can mitigate this vulnerability by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration submode in the policy map configuration. RIP Denial of Service Vulnerability +---------------------------------- There are no workarounds for Cisco ASA Software version 8.0 and 8.1. On Cisco ASA Software version 8.2 and later, administrators can configure a non-global media termination address by specifying a termination address that will be tied to a specific interface. For example: router rip ... ! media-termination <instance name> address <IP address> interface <interface name> ! <Rest of phone proxy feature configuration> Unauthorized File System Access Vulnerability +-------------------------------------------- There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The Transparent Firewall Packet Buffer Exhaustion Vulnerability, SCCP Inspection Denial of Service Vulnerability, and RIP Denial of Service Vulnerability were found during internal testing. The Unauthorized File System Access Vulnerability was discovered during the resolution of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-February-23 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 23, 2011 Document ID: 112881 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lMPwACgkQQXnnBKKRMNBMBQD/a+ok1yfH7Fb21ZoPDh56AC4A V/yl9nhgKFu3M/lDOqgA/0kybpk0NolgXRBExnKPMPOI94KiHhhPQtUYxo/j3tCH =sciX -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43488 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43488/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43488 RELEASE DATE: 2011-03-12 DISCUSS ADVISORY: http://secunia.com/advisories/43488/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43488/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43488 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to cause a DoS (Denial of Service) and disclose potentially sensitive information. "flash:", "disk0:", or "disk1:" but not "system:"). This can be exploited to gain access to e.g. Please see vendor advisories for details. PROVIDED AND/OR DISCOVERED BY: 1-3) Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.20), 8.1 before 8.1(2.48), 8.2 before 8.2(3), and 8.3 before 8.3(2.1), when the RIP protocol and the Cisco Phone Proxy functionality are configured, allow remote attackers to cause a denial of service (device reload) via a RIP update, aka Bug ID CSCtg66583. The problem is Bug ID CSCtg66583 It is a problem.By a third party RIP Service disruption through updates (DoS) There is a possibility of being put into a state. The Cisco Adaptive Security Appliance is an adaptive security appliance that provides modules for security and VPN services. Cisco ASA 5500 series security appliances are prone to multiple remote vulnerabilities. An attacker can exploit these issues to disclose potentially sensitive information or to cause denial-of-service conditions. FWSM is a firewall service module. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- A packet buffer exhaustion vulnerability affects multiple versions of Cisco ASA Software when a security appliance is configured to operate in the transparent firewall mode. Transparent firewall mode is enabled on the appliance if the command "firewall transparent" is present in the configuration. The default firewall mode is routed, not transparent. Administrators can determine if SCCP inspection is enabled by issuing the "show service-policy | include skinny" command and confirming that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include skinny Inspect: skinny, packet 0, drop 0, reset-drop 0 Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of globally, which is displayed in the previous example. SCCP inspection is enabled by default. The following example displays an affected configuration (Cisco ASA Software version 8.0 and 8.1): router rip ... ! phone-proxy <instance name> media-termination address <IP address> ... ! media-termination <instance name> address <IP address> ! <Rest of phone proxy feature configuration> A security appliance is vulnerable if it is processing RIP messages ("router rip") and if a global media termination address is configured for the Cisco Phone Proxy feature (refer to previous example). Note that Cisco ASA Software versions 8.0 and 8.1 only allow a global media termination address. However, in Cisco ASA Software version 8.2 and later, it is possible to tie a media termination address to an interface. This configuration, which is accomplished by issuing the command "address <IP address> interface <interface name>" in media termination configuration mode, is not affected. An affected configuration consists of the following minimum commands: crypto ca trustpoint <trustpoint name> keypair <keypair name> crl configure crypto ca server crypto ca certificate chain <trustpoint name> certificate ca 01 ... ! http server enable The local CA server is not enabled by default. Because Cisco PIX 500 Series Security Appliances reached the end of software maintenance releases milestone on July 28, 2009, no further software releases will be available. For more information, refer to the End of Life announcement at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How to Determine Software Versions +--------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. It offers firewall, intrusion prevention system (IPS), anti-X, and virtual private network (VPN) services. The number of available packet buffers may decrease when a security appliance receives IPv6 traffic and is not configured for IPv6 operation. IPv6 transit traffic does not cause a problem. Administrators can check packet buffer utilization by issuing the command "show blocks" and inspecting the output for the number of available 1,550-byte blocks. If the number of blocks is zero (indicated by 0 in the CNT column), then the security appliance may be experiencing this issue. For example: ciscoasa# show blocks SIZE MAX LOW CNT 0 400 360 400 4 200 199 199 80 400 358 400 256 1412 1381 1412 1550 6274 0 0 ... This vulnerability is documented in Cisco bug ID CSCtj04707 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0393. Appliances are only vulnerable if SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerability. This vulnerability is documented in Cisco bug ID CSCtg69457 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0394. Note: the affected configuration requires that a global media termination address is configured, which is the only possible configuration option in Cisco ASA Software versions 8.0 and 8.1. However, it is possible to tie a media termination address to an interface in Cisco ASA Software version 8.2 and later. This configuration is not vulnerable. This vulnerability is documented in Cisco bug ID CSCtg66583 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0395. but not system:) when the security appliance is configured as a local CA server. No authentication is required. File systems could contain sensitive information, such as backup device configurations (which may contain passwords or shared secrets), Cisco ASA Software images, or digital certificates. This vulnerability is documented in Cisco bug ID CSCtk12352 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0396. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtj04707 ("Possible packet buffer exhaustion when operating in transparent mode ") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg69457 ("SCCP inspection DoS vulnerability") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg66583 ("RIP denial of service vulnerability") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtk12352 ("Possible to browse flash memory when CA is enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- Successful exploitation of this vulnerability could cause a decrease in the number of available packet buffers. Repeated exploitation could eventually deplete all available packet buffers, which may cause an appliance to stop forwarding traffic. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition. RIP Denial of Service Vulnerability +---------------------------------- Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition. Unauthorized File System Access Vulnerability +-------------------------------------------- Successful exploitation of this vulnerability could allow unauthorized, unauthenticated users to retrieve files that are stored in an affected appliance's file system, which may contain sensitive information. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |---------------+---------+-------------| | | | 7.0(8.12); | | | | available | | | 7.0 | late | | | | February | | | | 2011 | | |---------+-------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5.2) | |Transparent |---------+-------------| | Firewall | 7.2 | 7.2(5.2) | |Packet Buffer |---------+-------------| | Exhaustion | 8.0 | 8.0(5.21) | |Vulnerability |---------+-------------| | (CSCtj04707) | | 8.1(2.49); | | | 8.1 | available | | | | early March | | | | 2011 | | |---------+-------------| | | 8.2 | 8.2(3.6) | | |---------+-------------| | | 8.3 | 8.3(2.7) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | 7.0(8.11) | | |---------+-------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5.1) | | |---------+-------------| | SCCP | 7.2 | 7.2(5.1) | |Inspection |---------+-------------| | Denial of | 8.0 | 8.0(5.19) | |Service |---------+-------------| | Vulnerability | 8.1 | 8.1(2.47) | |(CSCtg69457) |---------+-------------| | | 8.2 | 8.2(2.19) | | |---------+-------------| | | 8.3 | 8.3(1.8) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | Not | | | | vulnerable | | |---------+-------------| | | 7.1 | Not | | | | vulnerable | | |---------+-------------| | | 7.2 | Not | | RIP Denial of | | vulnerable | |Service |---------+-------------| | Vulnerability | 8.0 | 8.0(5.20) | |(CSCtg66583) |---------+-------------| | | 8.1 | 8.1(2.48) | | |---------+-------------| | | 8.2 | 8.2(3) | | |---------+-------------| | | 8.3 | 8.3(2.1) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | Not | | | | vulnerable | | |---------+-------------| | | 7.1 | Not | | | | vulnerable | | |---------+-------------| | | 7.2 | Not | | | | vulnerable | |Unauthorized |---------+-------------| | File System | 8.0 | 8.0(5.23) | |Access |---------+-------------| | Vulnerability | | 8.1(2.49); | | (CSCtk12352) | 8.1 | available | | | | early March | | | | 2011 | | |---------+-------------| | | 8.2 | 8.2(4.1) | | |---------+-------------| | | 8.3 | 8.3(2.13) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | +---------------------------------------+ Recommended Releases +------------------- The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. These vulnerabilities and their respective workarounds are independent of each other. Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- There are no workarounds for this vulnerability. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Administrators can mitigate this vulnerability by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration submode in the policy map configuration. On Cisco ASA Software version 8.2 and later, administrators can configure a non-global media termination address by specifying a termination address that will be tied to a specific interface. For example: router rip ... ! media-termination <instance name> address <IP address> interface <interface name> ! <Rest of phone proxy feature configuration> Unauthorized File System Access Vulnerability +-------------------------------------------- There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The Transparent Firewall Packet Buffer Exhaustion Vulnerability, SCCP Inspection Denial of Service Vulnerability, and RIP Denial of Service Vulnerability were found during internal testing. The Unauthorized File System Access Vulnerability was discovered during the resolution of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-February-23 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 23, 2011 Document ID: 112881 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lMPwACgkQQXnnBKKRMNBMBQD/a+ok1yfH7Fb21ZoPDh56AC4A V/yl9nhgKFu3M/lDOqgA/0kybpk0NolgXRBExnKPMPOI94KiHhhPQtUYxo/j3tCH =sciX -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43488 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43488/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43488 RELEASE DATE: 2011-03-12 DISCUSS ADVISORY: http://secunia.com/advisories/43488/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43488/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43488 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to cause a DoS (Denial of Service) and disclose potentially sensitive information. "flash:", "disk0:", or "disk1:" but not "system:"). This can be exploited to gain access to e.g. Please see vendor advisories for details. PROVIDED AND/OR DISCOVERED BY: 1-3) Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 before 8.0(5.23), 8.1 before 8.1(2.49), 8.2 before 8.2(4.1), and 8.3 before 8.3(2.13), when a Certificate Authority (CA) is configured, allow remote attackers to read arbitrary files via unspecified vectors, aka Bug ID CSCtk12352. The problem is Bug ID CSCtk12352 It is a problem.A third party may be able to read arbitrary files. The Cisco Adaptive Security Appliance is an adaptive security appliance that provides modules for security and VPN services. The file system contains sensitive information such as backup device configuration (which may include a password or shared secret), Cisco ASA software image or digital certificate. An attacker can exploit these issues to disclose potentially sensitive information or to cause denial-of-service conditions. FWSM is a firewall service module. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml. Note: The Cisco Firewall Services Module (FWSM) is affected by one of these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. Vulnerable Products +------------------ For specific version information, refer to the Software Versions and Fixes section of this advisory. Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- A packet buffer exhaustion vulnerability affects multiple versions of Cisco ASA Software when a security appliance is configured to operate in the transparent firewall mode. Transparent firewall mode is enabled on the appliance if the command "firewall transparent" is present in the configuration. The default firewall mode is routed, not transparent. The "show firewall" command can also be used to determine the firewall operation mode: ciscoasa# show firewall Firewall mode: Transparent SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- A denial of service vulnerability affects the SCCP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Administrators can determine if SCCP inspection is enabled by issuing the "show service-policy | include skinny" command and confirming that output, such as what is displayed in the following example, is returned. ciscoasa# show service-policy | include skinny Inspect: skinny, packet 0, drop 0, reset-drop 0 Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... ! service-policy global_policy global Note: The service policy could also be applied to a specific interface instead of globally, which is displayed in the previous example. SCCP inspection is enabled by default. The following example displays an affected configuration (Cisco ASA Software version 8.0 and 8.1): router rip ... ! phone-proxy <instance name> media-termination address <IP address> ... <Rest of phone proxy feature configuration> Or (Cisco ASA Software version 8.2 and later): router rip ... ! media-termination <instance name> address <IP address> ! <Rest of phone proxy feature configuration> A security appliance is vulnerable if it is processing RIP messages ("router rip") and if a global media termination address is configured for the Cisco Phone Proxy feature (refer to previous example). Note that Cisco ASA Software versions 8.0 and 8.1 only allow a global media termination address. However, in Cisco ASA Software version 8.2 and later, it is possible to tie a media termination address to an interface. This configuration, which is accomplished by issuing the command "address <IP address> interface <interface name>" in media termination configuration mode, is not affected. Neither RIP nor the Cisco Phone Proxy feature is enabled by default. An affected configuration consists of the following minimum commands: crypto ca trustpoint <trustpoint name> keypair <keypair name> crl configure crypto ca server crypto ca certificate chain <trustpoint name> certificate ca 01 ... ! http server enable The local CA server is not enabled by default. Because Cisco PIX 500 Series Security Appliances reached the end of software maintenance releases milestone on July 28, 2009, no further software releases will be available. For more information, refer to the End of Life announcement at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How to Determine Software Versions +--------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.3(1): ASA#show version | include Version Cisco Adaptive Security Appliance Software Version 8.3(1) Device Manager Version 6.3(1) Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. It offers firewall, intrusion prevention system (IPS), anti-X, and virtual private network (VPN) services. The number of available packet buffers may decrease when a security appliance receives IPv6 traffic and is not configured for IPv6 operation. IPv6 transit traffic does not cause a problem. Administrators can check packet buffer utilization by issuing the command "show blocks" and inspecting the output for the number of available 1,550-byte blocks. If the number of blocks is zero (indicated by 0 in the CNT column), then the security appliance may be experiencing this issue. For example: ciscoasa# show blocks SIZE MAX LOW CNT 0 400 360 400 4 200 199 199 80 400 358 400 256 1412 1381 1412 1550 6274 0 0 ... This vulnerability is documented in Cisco bug ID CSCtj04707 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0393. Appliances are only vulnerable if SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerability. This vulnerability is documented in Cisco bug ID CSCtg69457 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0394. Appliances are vulnerable only if both RIP and the Cisco Phone Proxy feature are enabled. Note: the affected configuration requires that a global media termination address is configured, which is the only possible configuration option in Cisco ASA Software versions 8.0 and 8.1. However, it is possible to tie a media termination address to an interface in Cisco ASA Software version 8.2 and later. This configuration is not vulnerable. This vulnerability is documented in Cisco bug ID CSCtg66583 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0395. No authentication is required. This vulnerability is documented in Cisco bug ID CSCtk12352 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0396. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtj04707 ("Possible packet buffer exhaustion when operating in transparent mode ") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg69457 ("SCCP inspection DoS vulnerability") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtg66583 ("RIP denial of service vulnerability") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtk12352 ("Possible to browse flash memory when CA is enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- Successful exploitation of this vulnerability could cause a decrease in the number of available packet buffers. Repeated exploitation could eventually deplete all available packet buffers, which may cause an appliance to stop forwarding traffic. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition. RIP Denial of Service Vulnerability +---------------------------------- Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition. Unauthorized File System Access Vulnerability +-------------------------------------------- Successful exploitation of this vulnerability could allow unauthorized, unauthenticated users to retrieve files that are stored in an affected appliance's file system, which may contain sensitive information. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |---------------+---------+-------------| | | | 7.0(8.12); | | | | available | | | 7.0 | late | | | | February | | | | 2011 | | |---------+-------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5.2) | |Transparent |---------+-------------| | Firewall | 7.2 | 7.2(5.2) | |Packet Buffer |---------+-------------| | Exhaustion | 8.0 | 8.0(5.21) | |Vulnerability |---------+-------------| | (CSCtj04707) | | 8.1(2.49); | | | 8.1 | available | | | | early March | | | | 2011 | | |---------+-------------| | | 8.2 | 8.2(3.6) | | |---------+-------------| | | 8.3 | 8.3(2.7) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | 7.0(8.11) | | |---------+-------------| | | | Vulnerable; | | | 7.1 | migrate to | | | | 7.2(5.1) | | |---------+-------------| | SCCP | 7.2 | 7.2(5.1) | |Inspection |---------+-------------| | Denial of | 8.0 | 8.0(5.19) | |Service |---------+-------------| | Vulnerability | 8.1 | 8.1(2.47) | |(CSCtg69457) |---------+-------------| | | 8.2 | 8.2(2.19) | | |---------+-------------| | | 8.3 | 8.3(1.8) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | Not | | | | vulnerable | | |---------+-------------| | | 7.1 | Not | | | | vulnerable | | |---------+-------------| | | 7.2 | Not | | RIP Denial of | | vulnerable | |Service |---------+-------------| | Vulnerability | 8.0 | 8.0(5.20) | |(CSCtg66583) |---------+-------------| | | 8.1 | 8.1(2.48) | | |---------+-------------| | | 8.2 | 8.2(3) | | |---------+-------------| | | 8.3 | 8.3(2.1) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | |---------------+---------+-------------| | | 7.0 | Not | | | | vulnerable | | |---------+-------------| | | 7.1 | Not | | | | vulnerable | | |---------+-------------| | | 7.2 | Not | | | | vulnerable | |Unauthorized |---------+-------------| | File System | 8.0 | 8.0(5.23) | |Access |---------+-------------| | Vulnerability | | 8.1(2.49); | | (CSCtk12352) | 8.1 | available | | | | early March | | | | 2011 | | |---------+-------------| | | 8.2 | 8.2(4.1) | | |---------+-------------| | | 8.3 | 8.3(2.13) | | |---------+-------------| | | 8.4 | Not | | | | vulnerable | +---------------------------------------+ Recommended Releases +------------------- The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. These vulnerabilities and their respective workarounds are independent of each other. Transparent Firewall Packet Buffer Exhaustion Vulnerability +---------------------------------------------------------- There are no workarounds for this vulnerability. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Administrators can mitigate this vulnerability by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration submode in the policy map configuration. RIP Denial of Service Vulnerability +---------------------------------- There are no workarounds for Cisco ASA Software version 8.0 and 8.1. On Cisco ASA Software version 8.2 and later, administrators can configure a non-global media termination address by specifying a termination address that will be tied to a specific interface. For example: router rip ... ! media-termination <instance name> address <IP address> interface <interface name> ! <Rest of phone proxy feature configuration> Unauthorized File System Access Vulnerability +-------------------------------------------- There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The Transparent Firewall Packet Buffer Exhaustion Vulnerability, SCCP Inspection Denial of Service Vulnerability, and RIP Denial of Service Vulnerability were found during internal testing. The Unauthorized File System Access Vulnerability was discovered during the resolution of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-February-23 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 23, 2011 Document ID: 112881 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk1lMPwACgkQQXnnBKKRMNBMBQD/a+ok1yfH7Fb21ZoPDh56AC4A V/yl9nhgKFu3M/lDOqgA/0kybpk0NolgXRBExnKPMPOI94KiHhhPQtUYxo/j3tCH =sciX -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Cisco ASA 5500 Series Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43488 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43488/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43488 RELEASE DATE: 2011-03-12 DISCUSS ADVISORY: http://secunia.com/advisories/43488/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43488/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43488 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to cause a DoS (Denial of Service) and disclose potentially sensitive information. "flash:", "disk0:", or "disk1:" but not "system:"). This can be exploited to gain access to e.g. Please see vendor advisories for details. PROVIDED AND/OR DISCOVERED BY: 1-3) Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Multiple unspecified vulnerabilities in a third-party component of the Citrix Licensing Administration Console 11.6, formerly License Management Console, allow remote attackers to (1) access unauthorized "license administration functionality" or (2) cause a denial of service via unknown vectors. An attacker can exploit these issues to bypass certain security restrictions and cause denial-of-service conditions. Few technical details are currently available. We will update this BID as more information emerges. Citrix Licensing 11.6 and prior are affected. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Citrix Licensing Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43459 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43459/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43459 RELEASE DATE: 2011-03-10 DISCUSS ADVISORY: http://secunia.com/advisories/43459/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43459/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43459 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Citrix Licensing, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to cause a DoS (Denial of Service). The vulnerabilities are reported in versions 11.6 and prior. SOLUTION: Restrict access to the system to trusted users only. Do not browse untrusted web sites or follow untrusted links while being logged-in to the application. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Citrix (CTX128167): http://support.citrix.com/article/CTX128167 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in lft in pWhois Layer Four Traceroute (LFT) 3.x before 3.3 allows local users to gain privileges via a crafted command line. pWhois Layer Four Traceroute Contains a privilege escalation vulnerability due to command line argument parsing. In addition, Layer Four Traceroute Even distributions that include and distribute ”lft” Binary SETUID root Those that do not are not affected by this vulnerability.Layer Four Traceroute But SETUID root If the local user is root May get permission. Layer Four Traceroute (LFT) is a fast, multi-protocol routing trace engine. The previous version of Layer Four Traceroute also affected this vulnerability. Some distributions are immune to the fact that the 'lft' of the SETUID root attribute is not installed. Attackers can exploit this issue to execute arbitrary code with superuser privileges, completely compromising an affected computer. Versions prior to 3.3 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Multiple packages, Multiple vulnerabilities fixed in 2012 Date: December 11, 2014 Bugs: #284536, #300903, #334475, #358787, #371320, #372905, #399427, #401645, #427802, #428776 ID: 201412-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2013. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE identifiers below for more information. Background ========== For more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-apps/egroupware < 1.8.004.20120613 >= 1.8.004.20120613 2 x11-libs/vte < 0.32.2 >= 0.32.2 *>= 0.28.2-r204 *>= 0.28.2-r206 3 net-analyzer/lft < 3.33 >= 3.33 4 dev-php/suhosin < 0.9.33 >= 0.9.33 5 x11-misc/slock < 1.0 >= 1.0 6 sys-cluster/ganglia < 3.3.7 >= 3.3.7 7 net-im/gg-transport < 2.2.4 >= 2.2.4 ------------------------------------------------------------------- 7 affected packages Description =========== Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. * EGroupware * VTE * Layer Four Traceroute (LFT) * Suhosin * Slock * Ganglia * Jabber to GaduGadu Gateway Impact ====== A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All EGroupware users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-apps/egroupware-1.8.004.20120613" All VTE 0.32 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/vte-0.32.2" All VTE 0.28 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/vte-0.28.2-r204" All Layer Four Traceroute users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/lft-3.33" All Suhosin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/suhosin-0.9.33" All Slock users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-misc/slock-1.0" All Ganglia users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-cluster/ganglia-3.3.7" All Jabber to GaduGadu Gateway users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-im/gg-transport-2.2.4" NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2013. It is likely that your system is already no longer affected by these issues. References ========== [ 1 ] CVE-2008-4776 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776 [ 2 ] CVE-2010-2713 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2713 [ 3 ] CVE-2010-3313 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3313 [ 4 ] CVE-2010-3314 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3314 [ 5 ] CVE-2011-0765 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0765 [ 6 ] CVE-2011-2198 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2198 [ 7 ] CVE-2012-0807 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0807 [ 8 ] CVE-2012-0808 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0808 [ 9 ] CVE-2012-1620 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1620 [ 10 ] CVE-2012-2738 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738 [ 11 ] CVE-2012-3448 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-10.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Layer Four Traceroute (LFT) Unspecified Security Issue SECUNIA ADVISORY ID: SA43381 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43381/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43381 RELEASE DATE: 2011-03-06 DISCUSS ADVISORY: http://secunia.com/advisories/43381/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43381/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43381 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability with an unknown impact has been reported in Layer Four Traceroute (LFT). The vulnerability is caused due to an unspecified error. No further information is currently available. SOLUTION: Update to version 3.3. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://pwhois.org/lft/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Use-after-free vulnerability in WebCore in WebKit before r77705, as used in Google Chrome before 11.0.672.2 and other products, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors that entice a user to resubmit a form, related to improper handling of provisional items by the HistoryController component, aka rdar problem 8938557. WebKit is prone to a denial-of-service vulnerability. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A use-after-free vulnerability exists in WebCore in WebKit versions prior to r77705 used in Google Chrome versions prior to 11.0.672.2 and others. The vulnerability is related to improper handling of temporary items by the HistoryController component

The Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx 1.0.0.0 does not properly restrict the values of the WMIAttributesOfInterest property, which allows remote attackers to execute arbitrary WMI Query Language (WQL) statements via a crafted value, as demonstrated by a value that triggers disclosure of information about installed software. The DellSystemLite.Scanner ActiveX control is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow an attacker to obtain sensitive information. DellSystemLite.ocx 1.0.0.0 is vulnerable; other versions may also be affected. Dell The DellSystemLite.Scanner control is a scanner control. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Dell DellSystemLite.Scanner ActiveX Control Two Vulnerabilities SECUNIA ADVISORY ID: SA42880 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42880/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42880 RELEASE DATE: 2011-02-18 DISCUSS ADVISORY: http://secunia.com/advisories/42880/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42880/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42880 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Secunia Research has discovered two vulnerabilities in Dell DellSystemLite.Scanner ActiveX control, which can be exploited by malicious people to disclose various information. 1) An input validation error in the "GetData()" method can be exploited to disclose the contents of arbitrary text files via directory traversal specifiers passed in the "fileID" parameter. 2) The unsafe property "WMIAttributesOfInterest" allows assigning arbitrary WMI Query Language (WQL) statements and can be exploited to e.g. disclose system information like installed software. The vulnerabilities are confirmed in DellSystemLite.ocx version 1.0.0.0. SOLUTION: Set the kill-bit for the affected ActiveX control. PROVIDED AND/OR DISCOVERED BY: Dmitriy Pletnev, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2011-10/ http://secunia.com/secunia_research/2011-11/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in the GetData method in the Dell DellSystemLite.Scanner ActiveX control in DellSystemLite.ocx 1.0.0.0 allows remote attackers to read arbitrary files via directory traversal sequences in the fileID parameter. The DellSystemLite.Scanner ActiveX control is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow an attacker to obtain sensitive information. DellSystemLite.ocx 1.0.0.0 is vulnerable; other versions may also be affected. Dell The DellSystemLite.Scanner control is a scanner control. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Dell DellSystemLite.Scanner ActiveX Control Two Vulnerabilities SECUNIA ADVISORY ID: SA42880 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42880/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42880 RELEASE DATE: 2011-02-18 DISCUSS ADVISORY: http://secunia.com/advisories/42880/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42880/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42880 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Secunia Research has discovered two vulnerabilities in Dell DellSystemLite.Scanner ActiveX control, which can be exploited by malicious people to disclose various information. 2) The unsafe property "WMIAttributesOfInterest" allows assigning arbitrary WMI Query Language (WQL) statements and can be exploited to e.g. disclose system information like installed software. The vulnerabilities are confirmed in DellSystemLite.ocx version 1.0.0.0. SOLUTION: Set the kill-bit for the affected ActiveX control. PROVIDED AND/OR DISCOVERED BY: Dmitriy Pletnev, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2011-10/ http://secunia.com/secunia_research/2011-11/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Management Console (webagent.exe) in Cisco Security Agent 5.1, 5.2, and 6.0 before 6.0.2.145 allows remote attackers to create arbitrary files and execute arbitrary code via unspecified parameters in a crafted st_upload request. Authentication is not required to exploit this vulnerability. The flaw exists within the webagent.exe component which is handed requests by an Apache instance that listens by default on TCP port 443. When handling an st_upload request the process does not properly validate POST parameters used for a file creation. The contents of this newly created file are controllable via another POST variable. Successful exploits will allow attackers to modify agent policies and system configuration and perform other administrative tasks, resulting in the complete compromise of an affected device. Failed exploit attempts will result in a denial-of-service condition. This issue is tracked by Cisco Bug ID CSCtj51216. Malicious attackers can exploit these to exploit vulnerable systems. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110216-csa.shtml. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by this vulnerability. Details ======= Cisco Security Agent provides threat protection for server and desktop computing systems. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. Software Versions and Fixes =========================== When considering software upgrades, consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Security Agent software can be downloaded from the following link: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 Workarounds =========== The following policy can be configured as a workaround to mitigate this vulnerability. Create a New Application Class +----------------------------- Step 1. Specify the name of the application class as 'CSA MC - all applications but not its descendants'. Step 2. Select when created from one of the following executables in the Add Process to application class area and specify @(regpath HKLM\ SOFTWARE\Cisco\CSAMC60\ProductRootDir default=**\CSAMC*)\**\*.exe as the value. Step 3. Ensure that the Only this process option is selected. Step 4. Click Save. Create a priority deny Application Control Rule +---------------------------------------------- Step 1. Name the APCR as CSAMC applications invoking non-CSAMC applications for better readability. Step 2. Enable logging. Step 3. For Current applications in any of the following selected classes select the application class created under "Create a New Application Class." For the But not option, select <none>. Step 4. For New applications in any of the following selected classes select <All Applications>. For the But not option, select the new application class created under "Create a New Application Class." Step 5. Click Save. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found by Gerry Eisenhaur and reported to Cisco by ZDI. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110216-csa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-16 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iFcDBQFNW/82QXnnBKKRMNARCIH6AP49mg0QkCFiVw8mOFFGR8jVQtTHjoGhGFE5 EwIuwGcJLgD/X5zaZbdTNsmTL/1EYvRRzAH5h+QZ30FgO6cKC06RJVo= =PFD9 -----END PGP SIGNATURE----- . More details can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20110216-csa.shtml -- Disclosure Timeline: 2010-09-23 - Vulnerability reported to vendor 2011-02-16 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Gerry Eisenhaur -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Cisco Security Agent Management Center File Upload Vulnerability SECUNIA ADVISORY ID: SA43383 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43383/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43383 RELEASE DATE: 2011-03-06 DISCUSS ADVISORY: http://secunia.com/advisories/43383/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43383/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43383 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco Security Agent, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation may allow execution of arbitrary code with SYSTEM privileges. SOLUTION: Update to version 6.0.2.145. PROVIDED AND/OR DISCOVERED BY: Gerry Eisenhaur via ZDI. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110216-csa.shtml ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-088/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

The 7T Interactive Graphical SCADA System is an automated monitoring and control system. An attacker can send a specially crafted message to the 20222 TCP port monitored by the target server, which can trigger a denial of service or arbitrary code execution. An attacker can exploit this issue to execute arbitrary code with administrative privileges. Successfully exploiting this issue will completely comprise the affected system. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: 7-Technologies Interactive Graphical SCADA System ODBC Server Vulnerability SECUNIA ADVISORY ID: SA43359 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43359/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43359 RELEASE DATE: 2011-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/43359/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43359/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43359 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in 7-Technologies Interactive Graphical SCADA System, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Successful exploitation may allow execution of arbitrary code. SOLUTION: Update to the latest version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Jeremy Brown ORIGINAL ADVISORY: http://www.us-cert.gov/control_systems/pdf/ICSA-11-018-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Use-after-free vulnerability in Control Microsystems ClearSCADA 2005, 2007, and 2009 before R2.3 and R1.4, as used in SCX before 67 R4.5 and 68 R3.9, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified long strings that trigger heap memory corruption. Control Microsystems is Schneider Electric, a global provider of SCADA hardware and software products. ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. There are several security vulnerabilities in ClearSCADA: 1. There is a heap-based buffer overflow for ClearSCADA applications, and a type heap overflow for overflow after release. Sending a legal message containing a very long string can trigger heap corruption. 2, ClearSCADA provides a WEB interface that supports HTTP and HTTPS. By default, the ClearSCADA server uses HTTP, which allows anyone to obtain plaintext authentication information by sniffing. 3. There is a reflective cross-site scripting attack on the WEB interface. With this vulnerability, an attacker can directly inject malicious code into a user's browser session. The parameter returned to the user is missing filtering. Attackers can exploit vulnerabilities for cross-site scripting attacks to obtain sensitive information or hijack user sessions. Control Microsystems ClearSCADA is prone to multiple remote vulnerabilities, including: 1. An information-disclosure vulnerability An attacker can exploit these issues to execute arbitrary code with elevated privileges, execute arbitrary script code within the context of the webserver, steal cookie-based authentication credentials, and gain access to sensitive information. Other attacks are also possible. The following products are affected: ClearSCADA 2005 ClearSCADA 2007 ClearSCADA 2009. ClearSCADA The application has a use error after release. ---------------------------------------------------------------------- Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei. Read more: http://conference.first.org/ ---------------------------------------------------------------------- TITLE: ClearSCADA Cross-Site Scripting and Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA44955 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44955/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44955 RELEASE DATE: 2011-06-16 DISCUSS ADVISORY: http://secunia.com/advisories/44955/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44955/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44955 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in ClearSCADA, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system. The vulnerabilities are reported the following products: * ClearSCADA 2005 (all versions) * ClearSCADA 2007 (all versions) * ClearSCADA 2009 (all versions except R2.3 and R1.4) SOLUTION: Update to a fixed version. Please see the CERT advisory for more information. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Digital Bond. ORIGINAL ADVISORY: Digital Bond: http://www.digitalbond.com/scadapedia/vulnerability-notes/heap-overflow-vulnerability/ http://www.digitalbond.com/scadapedia/vulnerability-notes/control-microsystems-cross-site-scripting-vulnerability/ US-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-10-314-01A.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Linksys WAP610N is a wireless router. The Linksys WAP610N does not require authentication of the remote management console, allowing an attacker to run system commands as root. The Linksys WAP610N is prone to a security vulnerability that allows unauthenticated root access. An attacker can exploit this issue to gain unauthorized root access to affected devices. Successful exploits will result in the complete compromise of an affected device. Linksys WAP610N firmware versions 1.0.01 and 1.0.00 are vulnerable; other versions may also be affected

accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action. ManageEngine ADSelfService Plus is a secure, web-based end-user self-service password reset solution. ManageEngine ADSelfService Plus has a security vulnerability that allows the user to set a series of security questions to answer during registration so that the lost password can be recovered later. After the recovery request and user ID are sent, the system will ask the user to answer a series of security questions that will be sent using the POST request: POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1Host: SERVERUser-Agent: Mozilla/5.0 (X11 U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13Accept: text/html,application/xhtml+xml,application/xml;q=0.9,* /*;q=0.8Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1, utf-8;q=0.7,*;q=0.7Keep- Alive: 115Proxy-Connection: keep-aliveReferer: http://SERVER/accounts/ValidateUserCookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085Content-Type: application/x-www-form-urlencodedContent-Length: 294loginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME= Alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUE S=1 As can be seen from the above HTTP POST request, the client can have the ability to decide: - by modifying the \"Hide_Captcha\" field to determine if he is willing to complete the verification code. - Modify the \"quesList\" parameter to determine how many questions he is willing to answer. Therefore, an attacker can choose to answer a security question, and the verification code can be bypassed to indicate that the process can be automated. Allows an attacker to bypass security restrictions, execute arbitrary script code, and leak sensitive information. ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities. This may help them steal cookie-based authentication credentials and launch other attacks. ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected. *Advisory Information* Title: ZOHO ManageEngine ADSelfService multiple vulnerabilities Advisory ID: CORE-2011-0103 Advisory URL: http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities Date published: 2011-02-10 Date of last update: 2011-02-10 Vendors contacted: ZOHO Corporation Release mode: Coordinated release 2. *Vulnerability Information* Class: Protection Mechanism Failure [CWE-693], Authentication Issues [CWE-287], Cross-Site Scripting (XSS) [CWE-79] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274 3. This software helps domain users to perform self service password reset, self service account unlock and employee self update of personal details (e.g. telephone numbers, etc) in Microsoft Windows Active Directory. Administrators find it easy to automate password resets, account unlocks while managing optimizing the expenses associated with helpdesk calls. Additionally, the CAPTCHA mechanism can be bypassed in the same manner, enabling the automation of the guessing attempts. The security question mechanism can also be bypassed by changing the flow of the application, skipping the security question mechanism and sending a HTTP request requiring the password change immediately after declaring which user is to run the recovery procedure. Additionally, two cross site scripting vulnerabilities were found related to search functions. 4. ManageEngine ADSelfService Plus 4.4. 5. *Non-vulnerable packages* . ManageEngine ADSelfService Plus 4.5 Build 4500 and above. 6. *Vendor Information, Solutions and Workarounds* Core would like to thanks Manikandan.T [2] for giving us the following detailed information about the way Zoho team has addressed the security vulnerabilities highlighted in this document. 6.1. *Solution to the Weak security question mechanism* [CVE-2010-3272] In addition to the Security Questions, the latest version of ADSelfService Plus also includes an SMS Verification / Email Verification mechanism. This adds an additional security while password. Users must confirm the code sent to their mobile phones / email when they are to reset password / unlock accounts. The earlier Builds used URL based on Post Request which was considered vulnerable. This has been replaced by a more secure Tokenizer mechanism. This mechanism prevents "by-passing any process / steps involved in password reset / account unlock". The Tokenizer mechanism mandates the flow of addressing every process only in the defined sequence. This implies that the "Hide_Captcha / quesList" fields cannot be altered; if not, they do not follow the desired sequence. 6.2. *Solution to the Security question bypass* [CVE-2010-3273] Earlier version of ADSelfService Plus checked the validation only at the page where the user was present. Now Each and Every step and also the previous steps are being validated. The "Tokenizer Method" ensures that no steps are bypassed. It also ensures that validation occurs at every level and also only in the sequence desired. 6.3. *Solution to Cross site scripting vulnerabilities* [CVE-2010-3274] Security Filters are used to prevent Cross Site Scripting vulnerabilities. ADSelfService Plus now checks every input provided by a user at all the pages including "Password Reset / Unlock Account", Employee Search pages. 7. *Credits* This vulnerability was discovered and researched by Ernesto Alvarez from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Security Advisories team. 8. *Technical Description / Proof of Concept Code* 8.1. Whether he wants to complete a captcha or not, by altering the "Hide_Captcha" field. 2. The reason for this weakness is that most of the recovery logic is left to the client to execute. This allows the client to alter the recovery procedure, weakening the process. 8.2. In order to bypass the mechanism, an attacker must first select the user whose password is to be changed, an operation which does not require authentication, and then skip the security question mechanism, issuing a HTTP request to the URL that accept password changes. The normal recovery procedure in the ADSelfService Plus system consists of four steps: 1. *Invoke the reset function.* By going to '//SERVER/accounts/Reset', the user is prompted to enter his user id. 2. *Input the user id that needs a password reset.* By filling the form from step 1, the user id in sent to 'http://SERVER/accounts/ValidateUser' using a HTTP POST. During this step, the user id is associated with the HTTP session (as shown in the JSESSIONID cookie). The user is prompted with the security questions. 3. *Validate the security questions.* The answers are sent for validation to: /----- http://SERVER/accounts/ValidateAnswers?methodToCall=validateAll -----/ If the answers are correct, a HTTP page with a form to input the new password is sent to the user. If the answers are wrong, the user is prompted again for the correct answers, and the step 3 must be redone. 4. *Reset the password.* The new password is sent in a HTTP POST to 'http://SERVER/accounts/ResetResult'. The server resets the password. While some of the logic (mostly requiring changes to server data) is on the server side, the order of the steps to be performed can be controlled by the user. By performing steps 2 and 4 while skipping step 3, the user is able to change the password for another user of his choice. This flaw is due to the way the server acts on the information received. Step 2 associates a JSESSIONID to a user id (apparently necessary to perform step 3) while step 4 changes the password of whatever account is associated with the JSP session, setting it to the value posted. Since the server does not check whether step 3 has been completed, forging the appropriate HTTP POST requests necessary to perform the two steps mentioned is sufficient to change a user's password. 8.3. *Cross site scripting vulnerabilities* [CVE-2010-3274] Two cross site scripting vulnerabilities were discovered, both related to the employee search function publicly available in the application. The first one involves the function used for listing matching usernames according to search criteria previously entered by the user, found in 'http://SERVER/EmployeeSearch.cc?actionId=showList'. The server reflects the contents of the 'searchString' field back to the user. An example of such an injection would be: /----- http://SERVER/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28%27xss%27%29&parameterName=name&searchType=contains -----/ This example would cause the following HTML to be presented to the user: /----- <option value="equals" > Equals</option> </select> <input type="text" name="searchString" id="searchTextField" class="textfield" value="alice" onmouseover="alert('xss')" onkeypress="javascript:return searchOnKeyPressEvent(event)"> <input type="button" name="search" id="search" class="button" value="&nbsp;Go&nbsp;" onclick="javascript:searchAD()"> </td> <tr> -----/ The second cross site scripting vulnerability is present in the search page at 'http://SERVER/EmployeeSearch.cc?actionId=Search'. This page accepts the search parameters and then creates a new form to be sent to 'http://SERVER/EmployeeSearch.cc?actionId=showList'. During the creation of the form, the unfiltered input is reflected to the user within a javascript block as shown below. /----- <script> var searchValue = 'alice'; alert('xss'); var a='a'; var paramName = 'name'; var searchType = 'contains'; </script> -----/ The example above was caused by following a link to: /----- http://SERVER/EmployeeSearch.cc?actionId=Search&amp;parameterName=name&amp;searchType=contains&amp;searchString=alice%22+onMouseOver%3D%22javascript%3Aalert%28%27xss%27%29 -----/ This reflection is not obvious at first sight, as the source code shown after the process is finished is the showList page source. This code can be easily viewed if captured on the wire using a proxy server, though. Additionally, since invoking 'http://SERVER/EmployeeSearch.cc?actionId=Search' causes a redirection to 'http://SERVER/EmployeeSearch.cc?actionId=showList', entering any data capable of triggering a vulnerability in the latter page can be introduced in the former with the same results. It is important to note that since the cross site scripting vulnerabilities were detected while investigating the authentication bypass issues and were considered a secondary matter, the pages containing them were not thoroughly tested. This leaves the possibility of other similar cross site scripting vulnerabilities remaining undetected. 9. *Report Timeline* . 2011-01-11: Initial notification to the vendor. Publication date set to February 2nd, 2011. 2011-01-13: The Zoho team asks Core for a technical description of the vulnerability. 2011-01-13: Technical details sent to Zoho team by Core. 2011-01-17: The Zoho team acknowledges reception of advisory draft and asks a contact phone number to discuss these flaws. 2011-01-17: The Core team notifies its preference for keeping the whole communication process through email, in order to track all interactions, and involve all those interested in: 1. the Core Security Advisories Team, 2. the Zoho team and, 3. the discoverer of the vulnerability. If there is something that cannot be resolved via email, Core team can eventually send a phone number to set up a conference call, but that is not necessary at the moment. 2011-01-20: The Zoho team notifies that the vulnerabilities highlighted in the document will be addressed in the upcoming release of ADSelfService Plus, scheduled to be released before Feb. 11th. 2011-01-21: Core notifies that the advisory was re-scheduled to Feb. 10th, and asks if any security bulleting is going to be released by Zoho team regarding these vulnerabilities. 2011-01-28: The Zoho team notifies that they are on schedule for the release of the new version of ADSelfService Plus. Zoho have plans to publish a report regarding these vulnerabilities, including solutions and workarounds. 2011-02-07: Core asks if Zoho team will be ready for disclosure next Thursday Feb 10th in order to coordinate the advisory publication. 2011-02-08: The Zoho team notifies that they are ready with the Engineering Release version ADSelfService Plus 4.5 Build 4500. This version of ADSelfService Plus has taken into consideration and also addressed all security vulnerabilities highlighted by this advisory. Zoho is going to make a public announcement by Tomorrow. 2011-02-10: The advisory CORE-2011-0103 is published. 10. *References* [1] ADSelfService Plus http://www.manageengine.com/products/self-service-password. [2] Manikandan.T, Senior Program Manager, ManageEngine ADSelfService Plus. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com/. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: ManageEngine ADSelfService Plus Cross-Site Scripting and Security Bypass SECUNIA ADVISORY ID: SA43241 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43241/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43241 RELEASE DATE: 2011-02-12 DISCUSS ADVISORY: http://secunia.com/advisories/43241/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43241/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43241 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in ManageEngine ADSelfService Plus, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions. 2) Input passed to the "searchString" parameter in EmployeeSearch.cc (when "actionId" is set to "showList" or "Search") is not properly sanitised before being returned to the user. The vulnerabilities are reported in version 4.4. SOLUTION: Reportedly fixed in version 4.5 Build 4500. ORIGINAL ADVISORY: CORE-2011-0103: http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action. ManageEngine ADSelfService Plus is a secure, web-based end-user self-service password reset solution. The first problem exists in http://SERVER/EmployeeSearch.cc?actionId=showList, and the submission is similar to the following injection: http://SERVER/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28 %27xss%27%29&parameterName=name&searchType=contains will cause the following HTML to be submitted to the user: <option value=\"equals\" > Equals</option></select><input type=\"text\" name=\"searchString\" id =\"searchTextField\" class=\"textfield\" value=\"alice\" onmouseover=\"alert('xss')\" onkeypress=\"javascript:return searchOnKeyPressEvent(event)\"><input type=\"button\" name=\"search\" id= \"search\" class=\"button\" value=\"&nbsp;Go&nbsp;\" onclick=\"javascript:searchAD()\"></td><tr>The second question exists at http://SERVER/EmployeeSearch.cc?actionId =Search, this page receives the search parameters and then creates a form that is sent to http://SERVER/EmployeeSearch.cc?actionId=showList. During the creation process, the unfiltered input is reflected to the user as a javasript block as follows: <script> var searchValue = 'alice'; alert('xss'); var a='a'; var paramName = 'name' ; var searchType = 'contains';</script> The above example can be generated by the following link: http://SERVER/EmployeeSearch.cc?actionId=Search&amp;parameterName=name&amp;searchType=contains&amp;searchString=alice%22+onMouseOver %3D%22javascript%3Aalert%28%27xss%27%29. Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks. ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected. *Advisory Information* Title: ZOHO ManageEngine ADSelfService multiple vulnerabilities Advisory ID: CORE-2011-0103 Advisory URL: http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities Date published: 2011-02-10 Date of last update: 2011-02-10 Vendors contacted: ZOHO Corporation Release mode: Coordinated release 2. *Vulnerability Information* Class: Protection Mechanism Failure [CWE-693], Authentication Issues [CWE-287], Cross-Site Scripting (XSS) [CWE-79] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274 3. This software helps domain users to perform self service password reset, self service account unlock and employee self update of personal details (e.g. telephone numbers, etc) in Microsoft Windows Active Directory. Administrators find it easy to automate password resets, account unlocks while managing optimizing the expenses associated with helpdesk calls. The security question mechanism used for password recovery can be weakened by tampering the HTTP POST request containing the answers, allowing an attacker to pass the security check by guessing just one of the security answers. Additionally, the CAPTCHA mechanism can be bypassed in the same manner, enabling the automation of the guessing attempts. The security question mechanism can also be bypassed by changing the flow of the application, skipping the security question mechanism and sending a HTTP request requiring the password change immediately after declaring which user is to run the recovery procedure. 4. ManageEngine ADSelfService Plus 4.4. 5. *Non-vulnerable packages* . ManageEngine ADSelfService Plus 4.5 Build 4500 and above. 6. *Vendor Information, Solutions and Workarounds* Core would like to thanks Manikandan.T [2] for giving us the following detailed information about the way Zoho team has addressed the security vulnerabilities highlighted in this document. 6.1. *Solution to the Weak security question mechanism* [CVE-2010-3272] In addition to the Security Questions, the latest version of ADSelfService Plus also includes an SMS Verification / Email Verification mechanism. This adds an additional security while password. Users must confirm the code sent to their mobile phones / email when they are to reset password / unlock accounts. The earlier Builds used URL based on Post Request which was considered vulnerable. This has been replaced by a more secure Tokenizer mechanism. This mechanism prevents "by-passing any process / steps involved in password reset / account unlock". The Tokenizer mechanism mandates the flow of addressing every process only in the defined sequence. This implies that the "Hide_Captcha / quesList" fields cannot be altered; if not, they do not follow the desired sequence. 6.2. *Solution to the Security question bypass* [CVE-2010-3273] Earlier version of ADSelfService Plus checked the validation only at the page where the user was present. Now Each and Every step and also the previous steps are being validated. The "Tokenizer Method" ensures that no steps are bypassed. It also ensures that validation occurs at every level and also only in the sequence desired. 6.3. *Solution to Cross site scripting vulnerabilities* [CVE-2010-3274] Security Filters are used to prevent Cross Site Scripting vulnerabilities. ADSelfService Plus now checks every input provided by a user at all the pages including "Password Reset / Unlock Account", Employee Search pages. 7. *Credits* This vulnerability was discovered and researched by Ernesto Alvarez from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Security Advisories team. 8. *Technical Description / Proof of Concept Code* 8.1. *Weak security question mechanism* [CVE-2010-3272] The procedure to recover a lost password involves the user answering a series of security questions set during enrollment. After the recovery request and user ID have been sent, the system requires the user to answer a certain number of security questions, whose answers are then sent using a POST request, as seen below. /----- POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1 Host: SERVER User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://SERVER/accounts/ValidateUser Cookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085 Content-Type: application/x-www-form-urlencoded Content-Length: 294 loginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME=alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUES=1 -----/ As seen in the HTTP POST above, the client has the ability to decide: 1. Whether he wants to complete a captcha or not, by altering the "Hide_Captcha" field. 2. How many security questions he has to answer, if he modifies the "quesList" parameter. Therefore, an attacker can choose to answer just one security question of his choice, and this procedure can be automated, since the captcha can be bypassed. The reason for this weakness is that most of the recovery logic is left to the client to execute. This allows the client to alter the recovery procedure, weakening the process. 8.2. *Security question bypass* [CVE-2010-3273] The security question mechanism can also be completely bypassed, allowing an attacker to reset an arbitrary user password. In order to bypass the mechanism, an attacker must first select the user whose password is to be changed, an operation which does not require authentication, and then skip the security question mechanism, issuing a HTTP request to the URL that accept password changes. The normal recovery procedure in the ADSelfService Plus system consists of four steps: 1. *Invoke the reset function.* By going to '//SERVER/accounts/Reset', the user is prompted to enter his user id. 2. *Input the user id that needs a password reset.* By filling the form from step 1, the user id in sent to 'http://SERVER/accounts/ValidateUser' using a HTTP POST. During this step, the user id is associated with the HTTP session (as shown in the JSESSIONID cookie). The user is prompted with the security questions. 3. *Validate the security questions.* The answers are sent for validation to: /----- http://SERVER/accounts/ValidateAnswers?methodToCall=validateAll -----/ If the answers are correct, a HTTP page with a form to input the new password is sent to the user. If the answers are wrong, the user is prompted again for the correct answers, and the step 3 must be redone. 4. *Reset the password.* The new password is sent in a HTTP POST to 'http://SERVER/accounts/ResetResult'. The server resets the password. While some of the logic (mostly requiring changes to server data) is on the server side, the order of the steps to be performed can be controlled by the user. By performing steps 2 and 4 while skipping step 3, the user is able to change the password for another user of his choice. This flaw is due to the way the server acts on the information received. Step 2 associates a JSESSIONID to a user id (apparently necessary to perform step 3) while step 4 changes the password of whatever account is associated with the JSP session, setting it to the value posted. Since the server does not check whether step 3 has been completed, forging the appropriate HTTP POST requests necessary to perform the two steps mentioned is sufficient to change a user's password. 8.3. The first one involves the function used for listing matching usernames according to search criteria previously entered by the user, found in 'http://SERVER/EmployeeSearch.cc?actionId=showList'. The server reflects the contents of the 'searchString' field back to the user. This code can be easily viewed if captured on the wire using a proxy server, though. Additionally, since invoking 'http://SERVER/EmployeeSearch.cc?actionId=Search' causes a redirection to 'http://SERVER/EmployeeSearch.cc?actionId=showList', entering any data capable of triggering a vulnerability in the latter page can be introduced in the former with the same results. It is important to note that since the cross site scripting vulnerabilities were detected while investigating the authentication bypass issues and were considered a secondary matter, the pages containing them were not thoroughly tested. This leaves the possibility of other similar cross site scripting vulnerabilities remaining undetected. 9. *Report Timeline* . 2011-01-11: Initial notification to the vendor. Publication date set to February 2nd, 2011. 2011-01-13: The Zoho team asks Core for a technical description of the vulnerability. 2011-01-13: Technical details sent to Zoho team by Core. 2011-01-17: The Zoho team acknowledges reception of advisory draft and asks a contact phone number to discuss these flaws. 2011-01-17: The Core team notifies its preference for keeping the whole communication process through email, in order to track all interactions, and involve all those interested in: 1. the Core Security Advisories Team, 2. the Zoho team and, 3. the discoverer of the vulnerability. If there is something that cannot be resolved via email, Core team can eventually send a phone number to set up a conference call, but that is not necessary at the moment. 2011-01-20: The Zoho team notifies that the vulnerabilities highlighted in the document will be addressed in the upcoming release of ADSelfService Plus, scheduled to be released before Feb. 11th. 2011-01-21: Core notifies that the advisory was re-scheduled to Feb. 10th, and asks if any security bulleting is going to be released by Zoho team regarding these vulnerabilities. 2011-01-28: The Zoho team notifies that they are on schedule for the release of the new version of ADSelfService Plus. Zoho have plans to publish a report regarding these vulnerabilities, including solutions and workarounds. 2011-02-07: Core asks if Zoho team will be ready for disclosure next Thursday Feb 10th in order to coordinate the advisory publication. 2011-02-08: The Zoho team notifies that they are ready with the Engineering Release version ADSelfService Plus 4.5 Build 4500. This version of ADSelfService Plus has taken into consideration and also addressed all security vulnerabilities highlighted by this advisory. Zoho is going to make a public announcement by Tomorrow. 2011-02-10: The advisory CORE-2011-0103 is published. 10. *References* [1] ADSelfService Plus http://www.manageengine.com/products/self-service-password. [2] Manikandan.T, Senior Program Manager, ManageEngine ADSelfService Plus. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com/. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: ManageEngine ADSelfService Plus Cross-Site Scripting and Security Bypass SECUNIA ADVISORY ID: SA43241 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43241/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43241 RELEASE DATE: 2011-02-12 DISCUSS ADVISORY: http://secunia.com/advisories/43241/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43241/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43241 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in ManageEngine ADSelfService Plus, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions. 2) Input passed to the "searchString" parameter in EmployeeSearch.cc (when "actionId" is set to "showList" or "Search") is not properly sanitised before being returned to the user. The vulnerabilities are reported in version 4.4. SOLUTION: Reportedly fixed in version 4.5 Build 4500. ORIGINAL ADVISORY: CORE-2011-0103: http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor