VARIoT IoT vulnerabilities database
| VAR-201110-0518 | No CVE | IRAI AUTOMGEN Use-After-Free Multiple Remote Code Execution Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
IRAI AUTOMGEN is prone to multiple remote code-execution vulnerabilities because it fails to properly validate user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploits can trigger a denial-of-service condition.
AUTOMGEN 8.0.0.7 is vulnerable; other versions may also be affected.
| VAR-201110-0085 | CVE-2010-4914 | PHP Classifieds tools/phpmailer/class.phpmailer.php arbitrary PHP code execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
PHP remote file inclusion vulnerability in tools/phpmailer/class.phpmailer.php in PHP Classifieds 7.3 allows remote attackers to execute arbitrary PHP code via a URL in the lang_path parameter.
| VAR-201110-0454 | CVE-2011-3305 | Cisco Network Admission Control (NAC) Manager Vulnerable to directory traversal |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in Cisco Network Admission Control (NAC) Manager 4.8.x allows remote attackers to read arbitrary files via crafted traffic to TCP port 443, aka Bug ID CSCtq10755.
Exploiting this issue will allow an attacker to access sensitive information, including password files and system logs. This could help the attacker launch further attacks.
This issue is tracked by Cisco BugID CSCtq10755.
----------------------------------------------------------------------
TITLE:
Cisco Network Admission Control Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA46309
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46309/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46309
RELEASE DATE:
2011-10-23
DISCUSS ADVISORY:
http://secunia.com/advisories/46309/#comments
DESCRIPTION:
A vulnerability has been reported in Cisco Network Admission Control
(NAC), which can be exploited by malicious people to disclose
sensitive information.
Certain input passed to the management interface via the URL is not
properly verified before being used. This can be exploited to
disclose the contents of arbitrary files via directory traversal
sequences.
SOLUTION:
Update to version 4.9.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Nenad Stojanovski, Macedonian Telekom.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml
There are no workarounds to mitigate this vulnerability.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml.
Cisco NAC Manager software versions 4.7.X and earlier are not affected.
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco NAC Server (Appliance) is not affected. The Cisco Identity
Services Engine (ISE) is not affected. No other Cisco products are
currently known to be affected by this vulnerability.
Details
=======
The Cisco NAC (formerly Cisco Clean Access) solution allows network
administrators to authenticate, authorize, evaluate, and remediate
wired, wireless, and remote users and their machines prior to
allowing users onto the network. The solution identifies whether
machines are compliant with security policies and repairs
vulnerabilities before permitting access to the network. You can use
the NAC Manager server and its web-based administration console to
manage multiple NAC Appliances in a deployment. The
management interface uses TCP port 443. This vulnerability is documented in Cisco bug
ID CSCtq10755 and has been assigned Common Vulnerabilities and Exposures
(CVE) ID CVE-2011-3305.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtq10755 ("Directory Traversal in CCA")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
An unauthenticated attacker could exploit this vulnerability to
access sensitive information, including password files and system
logs, that could be leveraged to launch subsequent attacks.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20111005-nac.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt. All rights reserved.
+--------------------------------------------------------------------
| VAR-201110-0452 | CVE-2011-3303 | Cisco Multiple Devices ASA Service Module ILS Communication Resource Management Error Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.4), 8.0 before 8.0(5.25), 8.1 before 8.1(2.50), 8.2 before 8.2(5.6), 8.3 before 8.3(2.23), 8.4 before 8.4(2.7), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to cause a denial of service (device reload) via malformed ILS traffic, aka Bug IDs CSCtq57697 and CSCtq57802. This issue is documented in Bug IDs CSCtq57697 and CSCtq57802. A remote third party may be able to send malformed ILS traffic and cause a denial of service (device reload). Multiple Cisco products are prone to multiple remote denial-of-service vulnerabilities.
These issues are being tracked by Cisco Bug IDs CSCtq09972, CSCtq09978, CSCtq09986, CSCtq09989, CSCtq57802.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.
To enable MSN IM inspection and specify actions to take when a message
violates a parameter, administrators create an IM inspection policy map.
You can then apply the inspection policy map when you enable IM
inspection, as shown in the following example:
policy-map type inspect im MY-MSN-INSPECT
parameters
match protocol msn-im
log
!
policy-map global_policy
class inspection_default
inspect im MY-MSN-INSPECT
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
An authentication bypass vulnerability affects the TACACS+
implementation of Cisco ASA 5500 Series Adaptive Security Appliances.
You identify AAA server groups by name.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
...
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect ils
...
These vulnerabilities can be triggered by using UDP
packets, not TCP.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module
Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)
+-------------------------------------------------------------------
Summary
=======
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
Vulnerability
These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
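The exposure conditions in the five sections above can be checked mechanically against a saved running-config. This is an added example, not a Cisco tool or anything from the advisory; it assumes `show running-config` output with submode commands indented by a space, handles the severity-change note for message 302015, and `audit_fwsm_config`, `SAMPLE_CONFIG` and the names in the sample config are mine.

```python
"""Audit a Cisco FWSM running-config for the five exposure conditions described above."""
import re

# Syslog severity keywords and their numeric levels on FWSM/ASA.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# Logging destinations whose argument is either a severity or a message-list name.
DEST_RE = re.compile(r"logging (console|buffered|trap|monitor|asdm|mail|history) (\S+)$")

def _level(token, default=None):
    """Severity keyword or digit -> numeric level; `default` for a list name or unknown word."""
    return int(token) if token.isdigit() else SEVERITY.get(token.lower(), default)

def syslog_302015_exposed(lines):
    """IPv6 on an interface + 'logging enable' + message 302015 reaching some destination."""
    has_ipv6 = logging_on = disabled = False
    msg_level = 6                                   # 302015 defaults to informational (6)
    list_levels, list_explicit, destinations = {}, set(), []
    for raw in lines:
        cmd = raw.strip()
        if cmd.startswith("ipv6 address"):
            has_ipv6 = True
        elif cmd == "logging enable":
            logging_on = True
        elif cmd == "no logging message 302015":    # the advisory's workaround
            disabled = True
        elif (m := re.match(r"logging message 302015 level (\S+)", cmd)):
            msg_level = _level(m.group(1), msg_level)   # administrator changed the severity
        elif (m := re.match(r"logging list (\S+) level (\S+)", cmd)):
            list_levels[m.group(1)] = _level(m.group(2), -1)
        elif (m := re.match(r"logging list (\S+) message 302015$", cmd)):
            list_explicit.add(m.group(1))            # message ranges (302010-302020) not handled
        elif (m := DEST_RE.match(cmd)):
            destinations.append(m.group(2))
    if disabled or not (has_ipv6 and logging_on):
        return False
    for arg in destinations:
        lv = _level(arg)
        if lv is not None and lv >= msg_level:       # destination logs at 302015's severity
            return True
        if arg in list_explicit or list_levels.get(arg, -1) >= msg_level:
            return True                              # destination uses a list that includes it
    return False

def auth_proxy_exposed(lines):
    """Cut-through / authentication proxy: 'aaa authentication match' or '... include'."""
    return any(re.match(r"aaa authentication (match|include)\b", l.strip()) for l in lines)

def tacacs_exposed(lines):
    """Any AAA server group that uses the TACACS+ protocol."""
    return any(re.match(r"aaa-server \S+ protocol tacacs\+$", l.strip()) for l in lines)

def inspection_enabled(lines, engine):
    """True if 'inspect <engine>' sits in a policy-map that some service-policy applies.
    Assumes running-config indentation: submode commands start with a space."""
    applied = {m.group(1) for l in lines if (m := re.match(r"service-policy (\S+)", l.strip()))}
    current = None
    for raw in lines:
        if not raw[:1].isspace():                    # an unindented line ends any submode
            m = re.match(r"policy-map (\S+)$", raw.strip())  # skips 'policy-map type inspect ...'
            current = m.group(1) if m else None
        elif current in applied and raw.strip() == f"inspect {engine}":
            return True
    return False

def audit_fwsm_config(config_text):
    """Map each advisory item to whether the config meets its stated exposure conditions."""
    lines = config_text.splitlines()
    return {"syslog_302015_dos": syslog_302015_exposed(lines),
            "auth_proxy_dos": auth_proxy_exposed(lines),
            "tacacs_bypass": tacacs_exposed(lines),
            "sunrpc_inspection_dos": inspection_enabled(lines, "sunrpc"),
            "ils_inspection_dos": inspection_enabled(lines, "ils")}

# Constructed sample running-config (not from the advisory); ILS sits in an unapplied policy-map.
SAMPLE_CONFIG = """\
interface Vlan10
 ipv6 address 2001:db8::1/64
!
logging enable
logging list MYLIST message 302015
logging trap MYLIST
!
aaa-server my-tacacs-server protocol tacacs+
aaa authentication match AUTH_ACL inside my-tacacs-server
!
policy-map global_policy
 class inspection_default
  inspect sunrpc
!
policy-map unused_policy
 class inspection_default
  inspect ils
!
service-policy global_policy global
"""

if __name__ == "__main__":
    print(audit_fwsm_config(SAMPLE_CONFIG))
```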
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9
2 6 Firewall Module WS-SVC-FWM-1 SAD10360485
3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z
4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.7(0.22)BUB Ok
2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok
3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 7.0(4)E4 Ok
4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 Unknown Unknown PwrDown
5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 SAD10360485
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
The FWSM offers firewall services with stateful packet filtering and
deep packet inspection.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destinations at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111.
The Cisco FWSM is affected by four vulnerabilities that may cause the
device to reload during the processing of different crafted SunRPC
messages when SunRPC inspection is enabled. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall, and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
Workarounds
===========
These vulnerabilities and their respective
workarounds are independent of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog 302015 with the command no logging
message 302015 is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol such as RADIUS and LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The Syslog Message Memory Corruption Denial of Service Vulnerability,
Authentication Proxy Denial of Service Vulnerability, and TACACS+
Authentication Bypass Vulnerability were discovered during the
troubleshooting of customer service requests.
The SunRPC Inspection Denial of Service Vulnerabilities and ILS
Inspection Denial of Service Vulnerability were discovered by Cisco
during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release. |
+----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0457 | CVE-2011-3300 | Cisco Multiple Devices ASA Service Module SunRPC Communication Resource Management Error Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.4), 8.0 before 8.0(5.25), 8.1 and 8.2 before 8.2(5.11), 8.3 before 8.3(2.23), 8.4 before 8.4(2.6), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to cause a denial of service (device reload) via crafted SunRPC traffic, aka Bug IDs CSCtq06065 and CSCtq09978. This issue is tracked as Bug IDs CSCtq06065 and CSCtq09978. A third party could use crafted SunRPC traffic to cause a denial of service (device reload). Multiple Cisco products are prone to multiple remote denial-of-service vulnerabilities.
These issues are being tracked by Cisco Bug IDs CSCtq09972, CSCtq09978, CSCtq09986, CSCtq09989, CSCtq57802.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.
To enable MSN IM inspection and specify actions when a message
violates a parameter, create an IM inspection policy map.
You can then apply the inspection policy map when you enable IM
inspection, as shown in the following example:
policy-map type inspect im MY-MSN-INSPECT
parameters
match protocol msn-im
log
!
policy-map global_policy
class inspection_default
inspect im MY-MSN-INSPECT
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
An authentication bypass vulnerability affects the TACACS+
implementation of Cisco ASA 5500 Series Adaptive Security Appliances. You identify AAA server groups by name.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
...
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect ils
...
These vulnerabilities can be triggered by using UDP
packets, not TCP.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module
Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)
+-------------------------------------------------------------------
Summary
=======
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
Vulnerability
These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory.
Affected versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
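As an added, defender-side example (not Cisco's code and not part of the advisory), the Python script below reads a constructed FWSM running-config and reports which of the five exposure conditions from the configuration checks above and the workarounds earlier on the page apply, including the caveats that a re-leveled 302015 message or a custom `logging list` still counts, and that `no logging message 302015` or `no inspect sunrpc` clears the condition. It assumes `show running-config` text, the `ipv6 address` interface command, and that a re-leveled message appears as `logging message 302015 level <severity>`.

```python
"""Exposure checks for cisco-sa-20111005-fwsm. Added example, not Cisco's code.
Assumes `show running-config` text, the `ipv6 address` interface command, and
that a re-leveled message shows up as `logging message 302015 level <sev>`."""
import re

# Cisco syslog severities; the config accepts either the name or the number.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DESTINATIONS = ("console", "monitor", "buffered", "trap", "asdm", "mail", "history")
MSG_ID = 302015


def _severity(token):
    """Map 'informational' or '6' to a severity number; None if not a level."""
    return int(token) if token.isdigit() else SEVERITY.get(token)


def _list_selects(spec, msg_level):
    """Does one `logging list NAME <spec>` line select message 302015?"""
    parts = spec.split()
    if parts[0] == "level":                       # by severity: that level and more severe
        lvl = _severity(parts[1])
        return lvl is not None and lvl >= msg_level
    if parts[0] == "message":                     # by id or id range, e.g. 302013-302016
        lo, _, hi = parts[1].partition("-")
        return int(lo) <= MSG_ID <= int(hi or lo)
    return False


def assess_config(config):
    """Return {condition: exposed} for the five conditions the advisory describes."""
    lines = [ln.strip() for ln in config.splitlines()]
    msg_level = SEVERITY["informational"]         # 302015 defaults to severity 6
    for ln in lines:                              # ...unless the administrator re-leveled it
        m = re.match(rf"logging message {MSG_ID} level (\S+)$", ln)
        if m and _severity(m.group(1)) is not None:
            msg_level = _severity(m.group(1))
    lists = {}                                    # custom message lists that select 302015
    for ln in lines:
        m = re.match(r"logging list (\S+) (.+)$", ln)
        if m:
            lists[m.group(1)] = lists.get(m.group(1), False) or _list_selects(m.group(2), msg_level)
    reaches_dest = False                          # is any destination receiving 302015?
    for ln in lines:
        m = re.match(r"logging (\S+) (\S+)$", ln)
        if m and m.group(1) in DESTINATIONS:
            lvl = _severity(m.group(2))           # a level name/number, or a list name
            reaches_dest = reaches_dest or (lists.get(m.group(2), False) if lvl is None
                                            else lvl >= msg_level)
    syslog_exposed = ("logging enable" in lines
                      and any(ln.startswith("ipv6 address ") for ln in lines)
                      and f"no logging message {MSG_ID}" not in lines   # the workaround
                      and reaches_dest)
    return {
        "syslog_302015_dos": syslog_exposed,
        "auth_proxy_dos": any(ln.startswith(("aaa authentication match ",
                                             "aaa authentication include ")) for ln in lines),
        "tacacs_bypass": any(re.match(r"aaa-server \S+ protocol tacacs\+$", ln) for ln in lines),
        "sunrpc_dos": "inspect sunrpc" in lines,  # `no inspect sunrpc` does not match
        "ils_dos": "inspect ils" in lines,
    }


# Constructed sample config (no real device) that trips four of the five conditions.
SAMPLE_CONFIG = """\
logging enable
logging list MYLIST message 302015
logging trap MYLIST
logging console errors
interface Vlan10
 nameif inside
 ipv6 address 2001:db8::1/64
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
aaa authentication match AUTH_ACL inside my-tacacs-server
policy-map global_policy
 class inspection_default
  inspect sunrpc
  no inspect ils
service-policy global_policy global
"""

if __name__ == "__main__":
    for name, exposed in assess_config(SAMPLE_CONFIG).items():
        print(f"{name:18s} {'EXPOSED' if exposed else 'not exposed'}")
```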
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E
Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0009.11e3.ade8 to 0009.11e3.adf7   5.1    6.3(1)       8.7(0.22)BUB Ok
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
  3 0014.a90c.9956 to 0014.a90c.995d   5.0    7.2(1)       7.0(4)E4     Ok
  4 0014.a90c.66e6 to 0014.a90c.66ed   1.7    Unknown      Unknown      PwrDown
  5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
Details
=======
The FWSM offers firewall services with stateful packet filtering and
deep packet inspection.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destinations at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-----------------+-------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release. |
+--------------+-----------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOjHRIQXnnBKKRMNARCAUrAP9BnUYauwq7OzqUJRuoVjBLn6T2Qh3S/LRn
e0k/AYOr8AD/T7EQ/K8N+bAPmYBoJxsERyDGg80x/pxfRWFBd1s2+nE=
=hr9R
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0459 | CVE-2011-3301 | Cisco Multiple Devices ASA Service Module SunRPC Resource Management Error Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.4), 8.0 before 8.0(5.25), 8.1 and 8.2 before 8.2(5.11), 8.3 before 8.3(2.23), 8.4 before 8.4(2.6), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to cause a denial of service (device reload) via crafted SunRPC traffic, aka Bug IDs CSCtq06062 and CSCtq09986. This issue is tracked as Bug IDs CSCtq06062 and CSCtq09986. A third party could cause a denial of service (device reload) through crafted SunRPC traffic. Multiple Cisco products are prone to multiple remote denial-of-service vulnerabilities.
These issues are being tracked by Cisco Bug IDs CSCtq09972, CSCtq09978, CSCtq09986, CSCtq09989, CSCtq57802.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.
To enable MSN IM inspection and specify actions to take when a
message violates a parameter, create an IM inspection policy map.
You can then apply the inspection policy map when you enable IM
inspection, as shown in the following example:
policy-map type inspect im MY-MSN-INSPECT
parameters
match protocol msn-im
log
!
policy-map global_policy
class inspection_default
inspect im MY-MSN-INSPECT
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
An authentication bypass vulnerability affects the TACACS+
implementation of Cisco ASA 5500 Series Adaptive Security Appliances.
You identify AAA server groups by name.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
...
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect ils
...
These vulnerabilities can be triggered by using UDP
packets, not TCP.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module
Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)
+-------------------------------------------------------------------
Summary
=======
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
Vulnerability
These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E
Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0009.11e3.ade8 to 0009.11e3.adf7   5.1    6.3(1)       8.7(0.22)BUB Ok
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
  3 0014.a90c.9956 to 0014.a90c.995d   5.0    7.2(1)       7.0(4)E4     Ok
  4 0014.a90c.66e6 to 0014.a90c.66ed   1.7    Unknown      Unknown      PwrDown
  5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
The FWSM offers firewall services with stateful packet filtering and
deep packet inspection.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destinations at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111.
These vulnerabilities are triggered only by transit traffic; traffic
that is destined to the device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall, and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
Workarounds
===========
These vulnerabilities and their respective workarounds are
independent of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog 302015 with the command no logging
message 302015 is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol, such as RADIUS or LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
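One way to check a configuration against the exposure conditions given under each vulnerability above and the workarounds just listed, as an added example that is not Cisco's own tooling: a small Python auditor that parses a running-config excerpt, reports which of the five conditions it meets, and pairs each hit with the advisory's workaround. The config excerpt, the list name MYLIST and the ACL name AUTH_ACL are constructed for illustration.

```python
"""Audit a Cisco FWSM running-config for the cisco-sa-20111005-fwsm exposure conditions."""
import re
# Constructed running-config excerpt (illustrative, not taken from a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 ipv6 address 2001:db8::1/64
logging enable
logging console errors
logging list MYLIST message 302015
logging trap MYLIST
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
aaa authentication match AUTH_ACL inside my-tacacs-server
policy-map global_policy
 class inspection_default
  inspect sunrpc
  inspect ils
service-policy global_policy global
"""

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DESTINATIONS = ("console", "buffered", "monitor", "trap", "mail", "asdm", "history")
MSG_ID = 302015            # message whose generation for IPv6 traffic corrupts memory
MSG_DEFAULT_SEVERITY = 6   # informational, per the advisory
# Workarounds as the advisory gives them; None means upgrading is the only fix.
WORKAROUNDS = {"syslog_302015_dos": "no logging message 302015",
               "auth_proxy_dos": None, "tacacs_bypass": None,
               "sunrpc_inspection_dos": "no inspect sunrpc",
               "ils_inspection_dos": "no inspect ils"}


def _level(token):
    """Severity keyword or number -> int; None if the token is not a level."""
    return int(token) if token.isdigit() else LEVELS.get(token)


def _list_includes_msg(lines, name, severity):
    """True if custom message list `name` selects MSG_ID, by level or by message ID."""
    for line in lines:
        m = re.match(r"^logging list (\S+) (level|message) (\S+)$", line)
        if not m or m.group(1) != name:
            continue
        if m.group(2) == "level":
            lvl = _level(m.group(3))
            if lvl is not None and lvl >= severity:
                return True
        else:                               # "message 302015" or "message 302010-302020"
            lo, _, hi = m.group(3).partition("-")
            if int(lo) <= MSG_ID <= int(hi or lo):
                return True
    return False


def _applied_inspections(lines):
    """Protocols under 'inspect' in policy maps that a service-policy command applies."""
    policies, current = {}, None
    for line in lines:
        if line.startswith("policy-map type "):
            current = None                  # inspection policy maps carry no 'inspect'
        elif line.startswith("policy-map "):
            current = line.split()[1]
            policies.setdefault(current, set())
        elif current and line.startswith("inspect "):
            policies[current].add(line.split()[1])
    applied = {l.split()[1] for l in lines if l.startswith("service-policy ")}
    return set().union(*(policies.get(n, set()) for n in applied))


def audit(config):
    """Return {condition: exposed?} for the five vulnerabilities in the advisory."""
    lines = [l.strip() for l in config.splitlines()]
    syslog_exposed = False  # IPv6 interfaces + logging enabled + a destination receiving 302015
    if ("logging enable" in lines and f"no logging message {MSG_ID}" not in lines
            and any(l.startswith("ipv6 address ") for l in lines)):
        overrides = [_level(l.split()[-1]) for l in lines     # re-assigned severity?
                     if l.startswith(f"logging message {MSG_ID} level ")]
        sev = next((s for s in overrides if s is not None), MSG_DEFAULT_SEVERITY)
        for line in lines:
            m = re.match(r"^logging (\S+) (\S+)$", line)
            if not m or m.group(1) not in DESTINATIONS:
                continue
            lvl = _level(m.group(2))
            if lvl is None:                 # second token is a custom list name
                syslog_exposed |= _list_includes_msg(lines, m.group(2), sev)
            elif lvl >= sev:
                syslog_exposed = True
    inspections = _applied_inspections(lines)
    return {"syslog_302015_dos": syslog_exposed,
            "auth_proxy_dos": any(l.startswith(("aaa authentication match ",
                                                "aaa authentication include ")) for l in lines),
            "tacacs_bypass": any(re.match(r"^aaa-server \S+ protocol tacacs\+$", l) for l in lines),
            "sunrpc_inspection_dos": "sunrpc" in inspections,
            "ils_inspection_dos": "ils" in inspections}


def report(config):
    """(condition, workaround) for every exposed condition; workaround None = upgrade only."""
    return [(k, WORKAROUNDS[k]) for k, hit in audit(config).items() if hit]
```

The sample deliberately logs to the console below informational and reaches message 302015 only through the custom list on the trap destination, so the list logic, not just the level check, decides the syslog finding.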
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
| VAR-201110-0460 | CVE-2011-3298 | plural Cisco Vulnerabilities that can bypass product authentication |
CVSS V2: 7.9 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.3), 8.0 before 8.0(5.24), 8.1 before 8.1(2.50), 8.2 before 8.2(5), 8.3 before 8.3(2.18), 8.4 before 8.4(1.10), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to bypass authentication via a crafted TACACS+ reply, aka Bug IDs CSCto40365 and CSCto74274. This issue is tracked as Bug IDs CSCto40365 and CSCto74274. A third party could bypass authentication through a crafted TACACS+ reply.
Successful exploits allow remote attackers to bypass authentication and gain administrative access to vulnerable devices.
This issue is being tracked by Cisco bug IDs CSCto74274 and CSCto40365.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.
Administrators can enable MSN IM inspection and specify actions when
a message violates a parameter, create an IM inspection policy map.
You can then apply the inspection policy map when you enable IM
inspection, as shown in the following example:
policy-map type inspect im MY-MSN-INSPECT
parameters
match protocol msn-im
log
!
policy-map global_policy
class inspection_default
inspect im MY-MSN-INSPECT
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
An authentication bypass vulnerability affects the TACACS+
implementation of Cisco ASA 5500 Series Adaptive Security Appliances. You identify AAA server groups by name.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
...
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect ils
...
These vulnerabilities can be triggered by using UDP packets, not TCP.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module
Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)
+-------------------------------------------------------------------
Summary
=======
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
Vulnerability
These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
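The five "affected if configured like this" checks above (IPv6 interfaces plus logging of message 302015, network access authentication, a TACACS+ AAA server group, and the sunrpc and ils inspections) can be applied mechanically to a saved running-config. The script below is an added example, not Cisco tooling or anything from this advisory; the config text it parses is constructed so that every condition fires, the function names (audit, logs_302015, recommendations) are the example's own, and the workaround strings are the ones the advisory's Workarounds section gives.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 ipv6 address 2001:db8::1/64
!
logging enable
logging list MYLIST message 302015
logging trap MYLIST
logging buffered notifications
!
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
aaa authentication match AUTH_ACL inside my-tacacs-server
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sunrpc
  inspect ils
!
service-policy global_policy global
"""

# Severity keywords accepted after "logging <destination>", in numeric order.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
LOG_DEST_RE = re.compile(
    r"^logging (console|monitor|buffered|trap|history|asdm|mail)\s+(\S+)$")
LIST_LEVEL_RE = re.compile(r"^logging list (\S+) level (\S+)$")
LIST_MSG_RE = re.compile(r"^logging list (\S+) message 302015$")

# Workarounds as stated in the advisory (None = upgrade only).
WORKAROUNDS = {
    "syslog_302015_dos": "no logging message 302015",
    "auth_proxy_dos": None,
    "tacacs_bypass": "use another AAA protocol such as RADIUS or LDAP",
    "sunrpc_dos": "no inspect sunrpc (class sub-mode of the policy map)",
    "ils_dos": "no inspect ils (class sub-mode of the policy map)",
}


def _level_num(token):
    """Map a severity keyword or number to 0..7; None if it is not a level."""
    if token.isdigit():
        return int(token)
    return LEVELS.get(token)


def logs_302015(lines):
    """True if message 302015 can reach any destination: a destination logs at
    level 6 or 7 (302015 defaults to severity 6), or a destination uses a
    message list that includes 302015 by level or by ID.  Assumes the default
    severity of 302015 has not been changed."""
    if "logging enable" not in lines or "no logging message 302015" in lines:
        return False
    lists_with_msg = set()
    for ln in lines:
        m = LIST_LEVEL_RE.match(ln)
        if m and (_level_num(m.group(2)) or 0) >= 6:
            lists_with_msg.add(m.group(1))
        m = LIST_MSG_RE.match(ln)
        if m:
            lists_with_msg.add(m.group(1))
    for ln in lines:
        m = LOG_DEST_RE.match(ln)
        if m:
            level = _level_num(m.group(2))
            if (level is not None and level >= 6) or m.group(2) in lists_with_msg:
                return True
    return False


def audit(config_text):
    """Return {finding: bool} for the five conditions in the advisory."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    has_ipv6 = any(ln.startswith("ipv6 address") for ln in lines)
    return {
        "syslog_302015_dos": has_ipv6 and logs_302015(lines),
        "auth_proxy_dos": any(ln.startswith(("aaa authentication match",
                                            "aaa authentication include"))
                              for ln in lines),
        "tacacs_bypass": any(re.match(r"^aaa-server \S+ protocol tacacs\+$", ln)
                             for ln in lines),
        # Exact-line membership, so a "no inspect sunrpc" line does not count.
        # The policy map must also be applied with service-policy; the advisory's
        # "show service-policy | include sunrpc" check remains authoritative.
        "sunrpc_dos": "inspect sunrpc" in lines,
        "ils_dos": "inspect ils" in lines,
    }


def recommendations(findings):
    """Workaround text for each condition that fired."""
    return {k: (WORKAROUNDS[k] or "no workaround; upgrade to the First Fixed Release")
            for k, hit in findings.items() if hit}


if __name__ == "__main__":
    for name, text in recommendations(audit(SAMPLE_CONFIG)).items():
        print(f"{name}: {text}")
```

The syslog check is deliberately conservative: it treats a custom message list as exposing 302015 both when the list names the ID and when its level is informational or debugging, which mirrors the two vulnerable configurations shown above.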
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9
2 6 Firewall Module WS-SVC-FWM-1 SAD10360485
3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z
4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.7(0.22)BUB Ok
2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok
3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 7.0(4)E4 Ok
4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 Unknown Unknown PwrDown
5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 SAD10360485
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
Alternatively, version information can be obtained directly from the
Cisco FWSM through the show version command, as shown in the
following example:
FWSM> show version
FWSM Firewall Version 4.0(16)
[...]
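Reading the Sw column by eye works for one chassis; across a fleet the same check is better scripted. The following is an added example, not part of the advisory: it parses the show module output shown above (the rows are taken from that example, trimmed) to locate every WS-SVC-FWM-1 module and its software version, then compares the version with the First Fixed Releases that CVE-2011-3297's description lists for the 3.1, 3.2, 4.0 and 4.1 trains. The function names (find_fwsm, is_vulnerable) and the tuple-based version comparison are the example's own.

```python
import re

# show module output as given in the advisory example, trimmed to three rows.
SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.7(0.22)BUB Ok
  2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       4.0(16)      Ok
  5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(33)SXH8 Ok
"""

# First table: slot, port count, card type, model, serial.
MODEL_ROW = re.compile(r"^\s*(\d+)\s+\d+\s+.+?\s+(WS-\S+)\s+\S+\s*$")
# Second table: slot, MAC range, Hw, Fw, Sw, status.
SW_ROW = re.compile(r"^\s*(\d+)\s+\S+ to \S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s*$")
# FWSM release strings look like 4.0(16) or 3.2(22.1).
VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

# First Fixed Release per train, from the CVE-2011-3297 description.
FIRST_FIXED = {(3, 1): (3, 1, 21, 0), (3, 2): (3, 2, 22, 0),
               (4, 0): (4, 0, 16, 0), (4, 1): (4, 1, 7, 0)}


def parse_version(s):
    """'4.0(16)' -> (4, 0, 16, 0); None if the string is not an FWSM release."""
    m = VERSION.match(s)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def find_fwsm(show_module_text):
    """Return [(slot, sw_version)] for every WS-SVC-FWM-1 in the output."""
    fwsm_slots = set()
    sw_by_slot = {}
    for ln in show_module_text.splitlines():
        m = MODEL_ROW.match(ln)
        if m and m.group(2) == "WS-SVC-FWM-1":
            fwsm_slots.add(int(m.group(1)))
        m = SW_ROW.match(ln)
        if m:
            sw_by_slot[int(m.group(1))] = m.group(2)
    return [(slot, sw_by_slot.get(slot)) for slot in sorted(fwsm_slots)]


def is_vulnerable(sw_string):
    """True if the release is earlier than its train's First Fixed Release,
    False if at or after it, None if the train is not one the CVE lists."""
    v = parse_version(sw_string)
    if v is None:
        return None
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    for slot, sw in find_fwsm(SHOW_MODULE):
        print(f"slot {slot}: FWSM {sw} vulnerable={is_vulnerable(sw)}")
```

For the advisory's own example the FWSM in slot 2 runs 4.0(16), which is exactly the First Fixed Release for the 4.0 train, so the check reports it as not vulnerable; 4.0(15) on the same module would be flagged.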
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find the version of the software
displayed in the table in the login window or in the upper left
corner of the Cisco ASDM window.
The FWSM
offers firewall services with stateful packet filtering and deep
packet inspection.
The Cisco FWSM is affected by multiple vulnerabilities, which are
described in the following sections.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destinations at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111.
The Cisco FWSM is affected by four vulnerabilities that may cause the
device to reload during the processing of different crafted SunRPC
messages when SunRPC inspection is enabled. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog 302015 with the command no logging
message 302015 is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol such as RADIUS and LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The Syslog Message Memory Corruption Denial of Service Vulnerability,
Authentication Proxy Denial of Service Vulnerability, and TACACS+
Authentication Bypass Vulnerability were discovered during the
troubleshooting of customer service requests.
The SunRPC Inspection Denial of Service Vulnerabilities and ILS
Inspection Denial of Service Vulnerability were discovered by Cisco
during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-----------------+-------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release. |
+--------------+-----------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOjHRIQXnnBKKRMNARCAUrAP9BnUYauwq7OzqUJRuoVjBLn6T2Qh3S/LRn
e0k/AYOr8AD/T7EQ/K8N+bAPmYBoJxsERyDGg80x/pxfRWFBd1s2+nE=
=hr9R
-----END PGP SIGNATURE-----
| VAR-201110-0255 | CVE-2011-3297 | Cisco Firewall Services Module denial of service (module crash) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7), when certain authentication configurations are used, allows remote attackers to cause a denial of service (module crash) by making many authentication requests for network access, aka Bug ID CSCtn15697. This vulnerability can lead to a denial of service (module crash) condition; the module may be put into a crashed state.
An attacker can exploit this issue to cause the affected devices to reload, triggering a denial-of-service condition.
This issue is tracked by Cisco Bug ID CSCtn15697.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
How to Determine the Running Software Version
+--------------------------------------------
To determine the version of Cisco FWSM Software that is running on a
device, issue the show module command from Cisco IOS Software or
Cisco Catalyst Operating System Software to identify what modules and
submodules are installed on the system.
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAL06334NS9
2 6 Firewall Module WS-SVC-FWM-1 SAD10360485
3 8 Intrusion Detection System WS-SVC-IDSM-2 SAD0932089Z
4 4 SLB Application Processor Complex WS-X6066-SLB-APC SAD093004BD
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B SAL0934888E
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 0009.11e3.ade8 to 0009.11e3.adf7 5.1 6.3(1) 8.7(0.22)BUB Ok
2 0018.ba41.5092 to 0018.ba41.5099 4.0 7.2(1) 4.0(16) Ok
3 0014.a90c.9956 to 0014.a90c.995d 5.0 7.2(1) 7.0(4)E4 Ok
4 0014.a90c.66e6 to 0014.a90c.66ed 1.7 Unknown Unknown PwrDown
5 0013.c42e.7fe0 to 0013.c42e.7fe3 4.4 8.1(3) 12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  0018.ba41.5092 to 0018.ba41.5099  4.0    7.2(1)       4.0(16)      Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
Alternatively, version information can be obtained directly from the
Cisco FWSM through the show version command, as shown in the
following example:
FWSM> show version
FWSM Firewall Version 4.0(16)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find the version of the software
displayed in the table in the login window or in the upper left
corner of the Cisco ASDM window. The version notation is similar to
the following example:
FWSM Version: 4.0(16)
Products Confirmed Not Vulnerable
+--------------------------------
With the exception of Cisco ASA 5500 Series Adaptive Security
Appliances and the Cisco Catalyst 6500 Series ASA Services Module, no
other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco FWSM is a high-speed, integrated firewall module for Cisco
Catalyst 6500 Series switches and Cisco 7600 Series routers. The FWSM
offers firewall services with stateful packet filtering and deep
packet inspection.
The Cisco FWSM is affected by multiple vulnerabilities, which are
described in the following sections.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destination at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses; otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111.
The Cisco FWSM is affected by four vulnerabilities that may cause the
device to reload during the processing of different crafted SunRPC
messages when SunRPC inspection is enabled. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
These vulnerabilities are documented in Cisco bug IDs CSCtq09972,
CSCtq09978, CSCtq09986, and CSCtq09989, and have been assigned Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-3299, CVE-2011-3300,
CVE-2011-3301, and CVE-2011-3302, respectively.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall, and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog 302015 with the command no logging
message 302015 is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol such as RADIUS and LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The Syslog Message Memory Corruption Denial of Service Vulnerability,
Authentication Proxy Denial of Service Vulnerability, and TACACS+
Authentication Bypass Vulnerability were discovered during the
troubleshooting of customer service requests.
The SunRPC Inspection Denial of Service Vulnerabilities and ILS
Inspection Denial of Service Vulnerability were discovered by Cisco
during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------+-----------------+-------------------------+
| Revision |                 |                         |
| 1.0      | 2011-October-05 | Initial public release. |
+----------+-----------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0254 | CVE-2011-3296 |
Cisco Firewall Services Module denial of service (DoS) vulnerability
Related entries in the VARIoT exploits database: VAR-E-201110-0219 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7), when IPv6 is used, allows remote attackers to cause a denial of service (memory corruption and module crash or hang) via vectors that trigger syslog message 302015, aka Bug ID CSCti83875.
An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCti83875.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
Note: Cisco ASA 5500 Series Adaptive Security Appliances and the
Cisco Catalyst 6500 Series ASA Services Module are affected by some
of the vulnerabilities described in this advisory. A separate Cisco
Security Advisory has been published to disclose these and other
vulnerabilities that affect the Cisco ASA 5500 Series Adaptive
Security Appliances and the Cisco Catalyst 6500 Series ASA Services
Module. The advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml
Affected Products
=================
Vulnerable Products
+------------------
The Cisco FWSM for the Cisco Catalyst 6500 Series switches and Cisco
7600 Series routers is affected by multiple vulnerabilities. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
How to Determine the Running Software Version
+--------------------------------------------
To determine the version of Cisco FWSM Software that is running on a
device, issue the show module command from Cisco IOS Software or
Cisco Catalyst Operating System Software to identify what modules and
submodules are installed on the system.
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0009.11e3.ade8 to 0009.11e3.adf7  5.1    6.3(1)       8.7(0.22)BUB Ok
  2  0018.ba41.5092 to 0018.ba41.5099  4.0    7.2(1)       4.0(16)      Ok
  3  0014.a90c.9956 to 0014.a90c.995d  5.0    7.2(1)       7.0(4)E4     Ok
  4  0014.a90c.66e6 to 0014.a90c.66ed  1.7    Unknown      Unknown      PwrDown
  5  0013.c42e.7fe0 to 0013.c42e.7fe3  4.4    8.1(3)       12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  0018.ba41.5092 to 0018.ba41.5099  4.0    7.2(1)       4.0(16)      Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
Alternatively, version information can be obtained directly from the
Cisco FWSM through the show version command, as shown in the
following example:
FWSM> show version
FWSM Firewall Version 4.0(16)
[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM)
to manage their devices can find the version of the software
displayed in the table in the login window or in the upper left
corner of the Cisco ASDM window. The version notation is similar to
the following example:
FWSM Version: 4.0(16)
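The exposure conditions listed under "Vulnerable Products" (IPv6 interfaces plus logging that emits message 302015, AAA cut-through, a TACACS+ server group, inspect sunrpc / inspect ils) and the version lookup from show module can be checked offline against saved device output. The following is an added example, not Cisco's code: it assumes a saved running-config and show module text, knows only the first fixed releases for CVE-2011-3296 that this entry lists, and assumes the standard logging destination keywords (console, buffered, trap, monitor, history, mail, asdm) and severity names; the sample inputs are constructed.

```python
import re

# First fixed releases for CVE-2011-3296 / CSCti83875 as given in this entry's
# summary; the advisory's full fix table is not on this page, so other bugs are not modelled.
FIRST_FIXED_CVE_2011_3296 = {"3.1": (3, 1, 21), "3.2": (3, 2, 22),
                             "4.0": (4, 0, 16), "4.1": (4, 1, 7)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)")
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DESTS = r"(console|buffered|trap|monitor|history|mail|asdm)"  # assumed keyword set

def parse_version(text):
    """First 'X.Y(Z)' in 'show version' or ASDM banner text -> (X, Y, Z)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no FWSM version in %r" % text)
    return tuple(int(x) for x in m.groups())

def fwsm_version_from_show_module(output, model="WS-SVC-FWM-1"):
    """Find the FWSM slot in the first 'show module' table (by model), then
    read the Sw column of that slot's row in the second (MAC/Hw/Fw/Sw) table."""
    slot = None
    for line in output.splitlines():
        cols = line.split()
        if slot is None and model in cols:
            slot = cols[0]
        elif slot is not None and cols and cols[0] == slot and "to" in cols:
            return parse_version(cols[-2])  # Sw is the column before Status
    raise ValueError("no %s row found" % model)

def vulnerable_to_cve_2011_3296(version):
    """True/False against the train's first fixed release; None if the train is not listed."""
    fixed = FIRST_FIXED_CVE_2011_3296.get("%d.%d" % version[:2])
    return None if fixed is None else version < fixed

def _sev(token):
    # Severity keyword or digit -> 0..7; None for anything else (e.g. a list name).
    if token in SEVERITY:
        return SEVERITY[token]
    return int(token) if token.isdigit() and int(token) <= 7 else None

def audit_config(config):
    """Map each vulnerable pattern from 'Vulnerable Products' to True (config matches) or False."""
    lines = [l.strip() for l in config.splitlines()]
    has = lambda pat: any(re.match(pat, l) for l in lines)
    msg_sev = 6  # default severity of 302015, unless re-levelled by the admin
    for l in lines:
        m = re.match(r"logging message 302015 level (\S+)$", l)
        if m and _sev(m.group(1)) is not None:
            msg_sev = _sev(m.group(1))
    lists = set()  # logging lists that carry 302015, by severity threshold or by ID
    for l in lines:
        m = re.match(r"logging list (\S+) (?:level (\S+)|message 302015)$", l)
        if m:
            lvl = None if m.group(2) is None else _sev(m.group(2))
            if m.group(2) is None or (lvl is not None and lvl >= msg_sev):
                lists.add(m.group(1))
    emitted = False  # some destination logs at >= msg_sev, or through such a list
    for l in lines:
        m = re.match(r"logging %s (\S+)$" % DESTS, l)
        if m:
            lvl = _sev(m.group(2))
            if m.group(2) in lists or (lvl is not None and lvl >= msg_sev):
                emitted = True
    return {
        "syslog_302015_dos": has(r"ipv6 address ") and has(r"logging enable$")
                             and emitted and not has(r"no logging message 302015$"),
        "auth_proxy_dos": has(r"aaa authentication (match|include) "),
        "tacacs_bypass": has(r"aaa-server \S+ protocol tacacs\+$"),
        "sunrpc_inspection_dos": has(r"inspect sunrpc$"),
        "ils_inspection_dos": has(r"inspect ils$"),
    }

# Constructed samples (not real device output): the 'show module' rows follow the
# advisory's layout with Sw set to 4.0(15); the config re-levels 302015 to
# notifications yet still logs it through a list, the case the note above warns about.
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
Mod MAC addresses                       Hw     Fw           Sw           Status
  2  0018.ba41.5092 to 0018.ba41.5099  4.0    7.2(1)       4.0(15)      Ok
"""
SAMPLE_CONFIG = """\
interface Vlan10
 ipv6 address 2001:db8::1/64
logging enable
logging message 302015 level notifications
logging list MYLIST level notifications
logging trap MYLIST
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
aaa authentication match AUTH inside my-tacacs-server
policy-map global_policy
 class inspection_default
  inspect sunrpc
service-policy global_policy global
"""
```

Run `audit_config` over a real saved config and `fwsm_version_from_show_module` over real show module output; a True entry means that section's workaround or the fixed release applies.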
Products Confirmed Not Vulnerable
+--------------------------------
With the exception of Cisco ASA 5500 Series Adaptive Security
Appliances and the Cisco Catalyst 6500 Series ASA Services Module, no
other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco FWSM is a high-speed, integrated firewall module for Cisco
Catalyst 6500 Series switches and Cisco 7600 Series routers. The FWSM
offers firewall services with stateful packet filtering and deep
packet inspection.
The Cisco FWSM is affected by multiple vulnerabilities, which are
described in the following sections.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that this system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destination at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses; otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111.
The Cisco FWSM is affected by four vulnerabilities that may cause the
device to reload during the processing of different crafted SunRPC
messages when SunRPC inspection is enabled. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
These vulnerabilities are documented in Cisco bug IDs CSCtq09972,
CSCtq09978, CSCtq09986, and CSCtq09989, and have been assigned Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-3299, CVE-2011-3300,
CVE-2011-3301, and CVE-2011-3302, respectively.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall, and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog message 302015 with the "no logging
message 302015" command is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol, such as RADIUS or LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SunRPC Inspection Denial of Service Vulnerabilities and ILS
Inspection Denial of Service Vulnerability were discovered by Cisco
during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release.   |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOjHRIQXnnBKKRMNARCAUrAP9BnUYauwq7OzqUJRuoVjBLn6T2Qh3S/LRn
e0k/AYOr8AD/T7EQ/K8N+bAPmYBoJxsERyDGg80x/pxfRWFBd1s2+nE=
=hr9R
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0453 | CVE-2011-3304 | Cisco Adaptive Security Appliances and Cisco Catalyst 6500 Series Denial of Service (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.2 before 7.2(5.3), 8.0 before 8.0(5.25), 8.1 before 8.1(2.50), 8.2 before 8.2(5.11), 8.3 before 8.3(2.23), 8.4 before 8.4(2), and 8.5 before 8.5(1.1) allow remote attackers to cause a denial of service (device reload) via crafted MSN Instant Messenger traffic, aka Bug ID CSCtl67486. This problem is tracked as Bug ID CSCtl67486. A remote third party may be able to cause a denial of service (DoS) by sending crafted MSN Instant Messenger traffic.
An attacker can exploit this issue to cause a vulnerable device to reload, triggering a denial-of-service condition.
This issue is tracked by Cisco Bug ID CSCtl67486.
Workarounds for some of the vulnerabilities are provided in this
advisory.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.
A separate Cisco Security Advisory has been published to disclose the
vulnerabilities that affect the FWSM. Affected versions of Cisco ASA
Software will vary depending on the specific vulnerability.
Vulnerable Products
+------------------
For specific version information, refer to the Software Versions and
Fixes section of this advisory.
MSN IM inspection is not enabled by default.
To enable MSN IM inspection, and to specify actions to take when a
message violates a parameter, administrators create an IM inspection
policy map.
In order to enable TACACS+ for authentication, authorization, or
accounting (AAA), you must first create at least one AAA server group
per AAA protocol and add one or more servers to each group with the
"aaa-server" command. You identify AAA server groups by name.
SunRPC inspection is enabled by default.
To check if SunRPC inspection is enabled, issue the "show service-policy
| include sunrpc" command and confirm that output, such as what is
displayed in the following example, is returned.
ciscoasa# show service-policy | include sunrpc
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
The following configuration commands are used to enable SunRPC
inspection in the Cisco ASA.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
...
ILS inspection is not enabled by default.
To check if ILS inspection is enabled, issue the "show service-policy |
include ils" command and confirm that output, such as what is displayed
in the following example, is returned.
ciscoasa# show service-policy | include ils
Inspect: ils, packet 0, drop 0, reset-drop 0
The following configuration commands are used to enable ILS
inspection in the Cisco ASA.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect ils
...
!
service-policy global_policy global
How to Determine the Running Software Version
+--------------------------------------------
To determine whether a vulnerable version of Cisco ASA Software is
running on an appliance, administrators can issue the "show version"
command. The following example shows a Cisco ASA 5500 Series Adaptive
Security Appliance that is running software version 8.4(1):
ASA#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
Customers who use Cisco ASDM to manage devices can locate the
software version in the table that is displayed in the login window
or upper-left corner of the Cisco ASDM window.
Products Confirmed Not Vulnerable
+--------------------------------
With the exception of the Cisco FWSM, no other Cisco products are
currently known to be affected by these vulnerabilities.
Note: Only transit traffic can trigger this vulnerability; traffic that
is destined to the appliance will not trigger the vulnerability. MSN IM
inspection is not enabled by default.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the ASA to determine who the user is (authentication),
what the user can do (authorization), and what the user did
(accounting). The Cisco ASA supports TACACS+ authentication for VPN
users, firewall sessions, and administrative access to the device.
An authentication bypass vulnerability exists in the TACACS+
implementation of the Cisco ASA. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users,
firewall sessions, or administrative access to the device. The
attacker needs to have access to the network between the ASA and the
TACACS+ server in order to successfully exploit this vulnerability.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The Sun RPC inspection engine performs application inspection for the
Sun RPC protocol. Sun RPC is used by Network File System (NFS) and
Network Information Service (NIS). Sun RPC services can run on any
port. When a client attempts to access a Sun RPC service on a server,
it must learn the port that service is running on. The client does
this by querying the port mapper process, usually rpcbind, on the
well-known port of 111.
Note: Only transit traffic can trigger these vulnerabilities;
traffic that is destined to the appliance will not trigger the
vulnerabilities. These vulnerabilities can be triggered by using UDP
packets, not TCP. SunRPC inspection is enabled by default.
These vulnerabilities are documented in Cisco bug IDs CSCto92380,
CSCtq06065, CSCtq06062, and CSCto92398, and have been assigned CVE IDs
CVE-2011-3299, CVE-2011-3300, CVE-2011-3301, and CVE-2011-3302,
respectively.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides NAT support for Microsoft
NetMeeting, SiteServer, and Active Directory products that use LDAP
to exchange directory information with an ILS server.
Note: Only transit traffic can trigger this vulnerability; traffic
that is destined to the appliance will not trigger the vulnerability.
ILS inspection is not enabled by default.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtl67486 ("MSN IM Inspection Denial of Service Vulnerability")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto40365 ("TACACS+ Authentication Bypass Vulnerability")
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto92380, CSCtq06065, CSCtq06062, CSCto92398 ("SunRPC Inspection
Denial of Service Vulnerabilities")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57697 ("ILS inspection crash on malformed ILS traffic")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the DoS vulnerabilities could cause an
affected device to reload. Repeated exploitation could result in a
sustained DoS condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-------------------------------------------------------------------------+
| Vulnerability                    | Major   | First Fixed                |
|                                  | Release | Release                    |
|----------------------------------+---------+----------------------------|
| MSN Instant Messenger (IM)       | 7.0     | Not vulnerable             |
| Inspection Denial of Service     | 7.1     | Not vulnerable             |
| Vulnerability (CSCtl67486)       | 7.2     | 7.2(5.3)                   |
|                                  | 8.0     | 8.0(5.25)                  |
|                                  | 8.1     | 8.1(2.50)                  |
|                                  | 8.2     | 8.2(5.9)                   |
|                                  | 8.3     | 8.3(2.23)                  |
|                                  | 8.4     | 8.4(2)                     |
|                                  | 8.5     | 8.5(1.1)                   |
|----------------------------------+---------+----------------------------|
| TACACS+ Authentication Bypass    | 7.0     | 7.0(8.13)                  |
| Vulnerability (CSCto40365)       | 7.1     | Vulnerable; migrate to     |
|                                  |         | 7.2(5.4) or later          |
|                                  | 7.2     | 7.2(5.3)                   |
|                                  | 8.0     | 8.0(5.24)                  |
|                                  | 8.1     | 8.1(2.50)                  |
|                                  | 8.2     | 8.2(5)                     |
|                                  | 8.3     | 8.3(2.18)                  |
|                                  | 8.4     | 8.4(1.10)                  |
|                                  | 8.5     | 8.5(1.1)                   |
|----------------------------------+---------+----------------------------|
| SunRPC Inspection Denial of      | 7.0     | 7.0(8.13)                  |
| Service Vulnerabilities          | 7.1     | Vulnerable; migrate to     |
| (CSCto92380, CSCtq06065,         |         | 7.2(5.4) or later          |
| CSCtq06062, CSCto92398)          | 7.2     | 7.2(5.4)                   |
|                                  | 8.0     | 8.0(5.25)                  |
|                                  | 8.1     | Vulnerable; migrate to     |
|                                  |         | 8.2 or later               |
|                                  | 8.2     | 8.2(5.9)                   |
|                                  | 8.3     | 8.3(2.23)                  |
|                                  | 8.4     | 8.4(2.6)                   |
|                                  | 8.5     | 8.5(1.1)                   |
|----------------------------------+---------+----------------------------|
| ILS Inspection Denial of         | 7.0     | 7.0(8.13)                  |
| Service Vulnerability            | 7.1     | Vulnerable; migrate to     |
| (CSCtq57697)                     |         | 7.2(5.4) or later          |
|                                  | 7.2     | 7.2(5.4)                   |
|                                  | 8.0     | 8.0(5.25)                  |
|                                  | 8.1     | 8.1(2.50)                  |
|                                  | 8.2     | 8.2(5.6)                   |
|                                  | 8.3     | 8.3(2.23)                  |
|                                  | 8.4     | 8.4(2.7)                   |
|                                  | 8.5     | 8.5(1.1)                   |
+-------------------------------------------------------------------------+
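The advisory tells administrators to read the running release from "show version | include Version" and the enabled inspections from "show service-policy | include sunrpc" (or ils), and then to compare the release against the First Fixed Release table above. The following added example, which is not Cisco's code, does that comparison for all four vulnerabilities in one pass: it parses both command outputs, compares release numbers as integer tuples, and reports whether a device is exposed, fixed, or merely running vulnerable code with the relevant inspection disabled. The table is copied from the advisory; the command output is constructed sample text modelled on the advisory's examples, and the "im" inspection keyword used for the MSN IM check is an assumption.

```python
"""Exposure check against the ASA advisory above (cisco-sa-20111005-asa).

Added example, not Cisco's code. It parses the output of the two commands the
advisory tells administrators to run, 'show version | include Version' and
'show service-policy | include <inspection>', and compares the running release
with the advisory's First Fixed Release table."""
import re
from typing import Dict, Optional, Tuple

# First Fixed Release per major release, copied from the advisory's table.
# None: train listed as not vulnerable; "migrate ...": no fixed release in that train.
FIRST_FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "MSN IM inspection DoS (CSCtl67486)": {
        "7.0": None, "7.1": None, "7.2": "7.2(5.3)", "8.0": "8.0(5.25)",
        "8.1": "8.1(2.50)", "8.2": "8.2(5.9)", "8.3": "8.3(2.23)",
        "8.4": "8.4(2)", "8.5": "8.5(1.1)"},
    "TACACS+ authentication bypass (CSCto40365)": {
        "7.0": "7.0(8.13)", "7.1": "migrate to 7.2(5.4) or later",
        "7.2": "7.2(5.3)", "8.0": "8.0(5.24)", "8.1": "8.1(2.50)",
        "8.2": "8.2(5)", "8.3": "8.3(2.18)", "8.4": "8.4(1.10)", "8.5": "8.5(1.1)"},
    "SunRPC inspection DoS (CSCto92380, CSCtq06065, CSCtq06062, CSCto92398)": {
        "7.0": "7.0(8.13)", "7.1": "migrate to 7.2(5.4) or later",
        "7.2": "7.2(5.4)", "8.0": "8.0(5.25)", "8.1": "migrate to 8.2 or later",
        "8.2": "8.2(5.9)", "8.3": "8.3(2.23)", "8.4": "8.4(2.6)", "8.5": "8.5(1.1)"},
    "ILS inspection DoS (CSCtq57697)": {
        "7.0": "7.0(8.13)", "7.1": "migrate to 7.2(5.4) or later",
        "7.2": "7.2(5.4)", "8.0": "8.0(5.25)", "8.1": "8.1(2.50)",
        "8.2": "8.2(5.6)", "8.3": "8.3(2.23)", "8.4": "8.4(2.7)", "8.5": "8.5(1.1)"},
}

# Inspection keyword whose presence in 'show service-policy' output means the
# vulnerable code path is reachable by transit traffic. "sunrpc" and "ils" are
# shown in the advisory; "im" (from 'inspect im') is an assumption here.
INSPECTION_FOR = {
    "MSN IM inspection DoS (CSCtl67486)": "im",
    "SunRPC inspection DoS (CSCto92380, CSCtq06065, CSCtq06062, CSCto92398)": "sunrpc",
    "ILS inspection DoS (CSCtq57697)": "ils",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'8.4(2.6)' -> (8, 4, 2, 6); '8.4(2)' -> (8, 4, 2, 0). Integer tuples order
    correctly where string comparison would put 8.2(5.11) before 8.2(5.9)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, interim, build = m.groups()
    return int(major), int(minor), int(interim), int(build or 0)


def running_version(show_version: str) -> str:
    """Extract the software version from 'show version | include Version', skipping
    the 'Device Manager Version' (ASDM) line that the same filter also returns."""
    for line in show_version.splitlines():
        m = re.search(r"Security Appliance Software Version (\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no ASA software version line found")


def check(running: str, vuln: str) -> Tuple[Optional[bool], str]:
    """(True/False/None, reason): True means earlier than the first fixed release."""
    v = parse_version(running)
    train = f"{v[0]}.{v[1]}"
    table = FIRST_FIXED[vuln]
    if train not in table:
        return None, f"release train {train} is not covered by the advisory table"
    fixed = table[train]
    if fixed is None:
        return False, f"train {train} is listed as not vulnerable"
    if fixed.startswith("migrate"):
        return True, f"no fixed release in train {train}; {fixed}"
    if v < parse_version(fixed):
        return True, f"{running} is earlier than first fixed release {fixed}"
    return False, f"{running} is at or later than first fixed release {fixed}"


def inspection_enabled(show_service_policy: str, name: str) -> bool:
    """True if an 'Inspect: <name>,' line appears, i.e. a service policy applies it."""
    return re.search(rf"^\s*Inspect:\s+{re.escape(name)}\b",
                     show_service_policy, re.MULTILINE) is not None


def assess(show_version: str, show_service_policy: str) -> Dict[str, str]:
    """One verdict per vulnerability, combining release state and configuration."""
    running = running_version(show_version)
    verdicts = {}
    for vuln in FIRST_FIXED:
        vulnerable, reason = check(running, vuln)
        if vulnerable is None:
            verdicts[vuln] = f"unknown: {reason}"
        elif not vulnerable:
            verdicts[vuln] = f"fixed: {reason}"
        elif vuln in INSPECTION_FOR:
            if inspection_enabled(show_service_policy, INSPECTION_FOR[vuln]):
                verdicts[vuln] = f"exposed: {reason}; inspection is enabled"
            else:
                verdicts[vuln] = f"vulnerable release, inspection not enabled: {reason}"
        else:
            # TACACS+ exposure depends on aaa-server configuration, not on a service policy.
            verdicts[vuln] = f"vulnerable: {reason}; review aaa-server TACACS+ groups"
    return verdicts


# Constructed sample output, modelled on the advisory's own examples.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)
"""
SAMPLE_SERVICE_POLICY = """\
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
"""

if __name__ == "__main__":
    for vuln, verdict in assess(SAMPLE_SHOW_VERSION, SAMPLE_SERVICE_POLICY).items():
        print(f"{vuln}: {verdict}")
```

With the sample 8.4(1) device, SunRPC inspection is enabled by default and the release predates 8.4(2.6), so that entry is reported as exposed; the ILS and MSN IM entries are reported as vulnerable code with inspection disabled, and the TACACS+ entry as needing a review of the AAA configuration. A 7.1 or 8.1 device is reported vulnerable regardless of build, because those trains have no fixed release.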
Recommended Releases
+-------------------
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
+------------------------------------------------------------+
| Major Release | Recommended Release                        |
|---------------+--------------------------------------------|
| 7.0           | 7.0(8.13)                                  |
| 7.1           | Vulnerable; migrate to 7.2(5.4) or later   |
| 7.2           | 7.2(5.4)                                   |
| 8.0           | 8.0(5.25)                                  |
| 8.1           | Vulnerable; migrate to 8.2 or later        |
| 8.2           | 8.2(5.11)                                  |
| 8.3           | 8.3(2.24)                                  |
| 8.4           | 8.4(2.7)                                   |
| 8.5           | 8.5(1.1)                                   |
+------------------------------------------------------------+
Workarounds
===========
This Cisco Security Advisory describes multiple distinct
vulnerabilities. These vulnerabilities and their respective
workarounds are independent of each other.
MSN Instant Messenger (IM) Inspection DoS Vulnerability
+-----------------------------------------------------
Administrators can mitigate this vulnerability by disabling MSN IM
inspection if it is not required. Administrators can disable MSN IM
inspection by issuing the "no inspect im" command in class configuration
sub-mode in the policy map configuration.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol, such as RADIUS or Active
Directory.
SunRPC Inspection DoS Vulnerabilities
+------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the "no inspect sunrpc" command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection DoS Vulnerability
+-------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable
ILS inspection by issuing the "no inspect ils" command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
All the DoS vulnerabilities were discovered during internal testing.
The TACACS+ authentication vulnerability was found during the
troubleshooting of a customer service request.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release.   |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk6LebsACgkQQXnnBKKRMNAHggD/dslMKLhVk9yV2wABkyniRCib
jU3j+DyALI9yvmbBQPMA/jmI4QL/c3e5/xvIXhjO0kT6uUmpL8sjJQyJ58zXfMOK
=1Nf6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201110-0456 | CVE-2011-3299 | Cisco Multiple Devices ASA Service Module SunRPC Resource Management Error Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.4), 8.0 before 8.0(5.25), 8.1 and 8.2 before 8.2(5.11), 8.3 before 8.3(2.23), 8.4 before 8.4(2.6), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to cause a denial of service (device reload) via crafted SunRPC traffic, aka Bug IDs CSCto92380 and CSCtq09972. This problem is tracked as Bug IDs CSCto92380 and CSCtq09972. A third party could cause a denial of service (device reload) through crafted SunRPC traffic. Multiple Cisco products are prone to multiple remote denial-of-service vulnerabilities.
These issues are being tracked by Cisco Bug IDs CSCtq09972, CSCtq09978, CSCtq09986, CSCtq09989, CSCtq57802.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.
To enable MSN IM inspection and specify actions when a message
violates a parameter, administrators create an IM inspection policy
map. The inspection policy map is then applied when IM inspection is
enabled, as shown in the following example:
policy-map type inspect im MY-MSN-INSPECT
parameters
match protocol msn-im
log
!
policy-map global_policy
class inspection_default
inspect im MY-MSN-INSPECT
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
An authentication bypass vulnerability affects the TACACS+
implementation of Cisco ASA 5500 Series Adaptive Security Appliances. You identify AAA server groups by name.
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
...
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect ils
...
These vulnerabilities can be triggered by using UDP packets, not TCP.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module
Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)
+-------------------------------------------------------------------
Summary
=======
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
Vulnerability
These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E
Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0009.11e3.ade8 to 0009.11e3.adf7   5.1    6.3(1)       8.7(0.22)BUB Ok
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
  3 0014.a90c.9956 to 0014.a90c.995d   5.0    7.2(1)       7.0(4)E4     Ok
  4 0014.a90c.66e6 to 0014.a90c.66ed   1.7    Unknown      Unknown      PwrDown
  5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
The FWSM offers firewall services with stateful packet filtering and
deep packet inspection.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that this system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destinations at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall, and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
These vulnerabilities and their respective workarounds are independent
of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog 302015 with the command no logging
message 302015 is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol, such as RADIUS or LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
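The vulnerable-configuration conditions listed earlier in this advisory and the workarounds just described can be checked mechanically against a saved running-config. The following audit script is an added example, not Cisco tooling; its helper names are its own, and SAMPLE_CONFIG is a constructed configuration, not output from a real device.

```python
"""Audit a Cisco FWSM running-config for the exposure conditions and
workarounds described in cisco-sa-20111005-fwsm.

Added example, not Cisco tooling. SAMPLE_CONFIG is constructed for the
demonstration; all helper names are this example's own."""
import re

# Severity keywords accepted by the logging commands; message 302015
# defaults to 6 (informational) per the advisory.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}
DESTINATIONS = ("console", "buffered", "trap", "monitor", "asdm",
                "mail", "history")


def _level(token):
    """Numeric severity for a keyword or digit; None if token is not one."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return SEVERITY.get(token)


def config_lines(config_text):
    """Split a running-config into stripped lines (sub-mode indent removed)."""
    return [line.strip() for line in config_text.splitlines()]


def syslog_302015_exposed(lines, msg_id="302015", default_level=6):
    """True when the three advisory conditions hold (IPv6 interface,
    logging enabled, 302015 reaches some destination) and the workaround
    'no logging message 302015' is absent."""
    if f"no logging message {msg_id}" in lines:
        return False
    has_ipv6 = any(l.startswith("ipv6 address ") for l in lines)
    if not has_ipv6 or "logging enable" not in lines:
        return False
    # The admin may have re-classified the message with
    # 'logging message <id> level <sev>'; the advisory says exposure
    # remains if any destination logs at the new level.
    level = default_level
    for l in lines:
        m = re.match(rf"logging message {msg_id} level (\S+)$", l)
        if m and _level(m.group(1)) is not None:
            level = _level(m.group(1))
    # Custom message lists that would carry 302015, by severity or by ID.
    lists_with_msg = set()
    for l in lines:
        m = re.match(r"logging list (\S+) (level|message) (\S+)$", l)
        if not m:
            continue
        name, kind, arg = m.groups()
        lv = _level(arg)
        if kind == "message" and arg == msg_id:
            lists_with_msg.add(name)
        elif kind == "level" and lv is not None and lv >= level:
            lists_with_msg.add(name)
    # Any destination logging at the message's level, or via such a list.
    for l in lines:
        m = re.match(r"logging (\S+) (\S+)$", l)
        if m and m.group(1) in DESTINATIONS:
            lv = _level(m.group(2))
            if (lv is not None and lv >= level) or m.group(2) in lists_with_msg:
                return True
    return False


def auth_proxy_enabled(lines):
    """Cut-through proxy is on if 'aaa authentication match|include' exists."""
    return any(re.match(r"aaa authentication (match|include) ", l) for l in lines)


def tacacs_server_groups(lines):
    """Names of AAA server groups defined with the TACACS+ protocol."""
    return [m.group(1) for l in lines
            if (m := re.match(r"aaa-server (\S+) protocol tacacs\+$", l))]


def enabled_inspections(lines):
    """Inspection engines named by 'inspect <engine>' lines in policy maps."""
    return {m.group(1) for l in lines if (m := re.match(r"inspect (\S+)", l))}


def audit(config_text):
    """Map each advisory item to True when the config matches its exposure."""
    lines = config_lines(config_text)
    inspections = enabled_inspections(lines)
    return {
        "syslog_302015_dos": syslog_302015_exposed(lines),
        "auth_proxy_dos": auth_proxy_enabled(lines),
        "tacacs_bypass": bool(tacacs_server_groups(lines)),
        "sunrpc_dos": "sunrpc" in inspections,
        "ils_dos": "ils" in inspections,
    }


# Constructed sample: an IPv6 interface, 302015 reaching a trap list,
# TACACS+ plus cut-through proxy, and default-style SunRPC inspection.
SAMPLE_CONFIG = """\
hostname FWSM-LAB
interface Vlan10
 nameif inside
 ipv6 address 2001:db8:10::1/64
!
logging enable
logging list MYLIST message 302015
logging trap MYLIST
logging buffered errors
!
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
aaa authentication match AUTH_ACL inside my-tacacs-server
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sunrpc
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for item, exposed in audit(SAMPLE_CONFIG).items():
        print(f"{item:20s} {'EXPOSED' if exposed else 'ok'}")
```

Appending the workaround line `no logging message 302015` to the sample clears the syslog finding, while the other items remain until the software is upgraded or the respective inspection or protocol is disabled.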
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The Syslog Message Memory Corruption Denial of Service Vulnerability,
Authentication Proxy Denial of Service Vulnerability, and TACACS+
Authentication Bypass Vulnerability were discovered during the
troubleshooting of customer service requests.
The SunRPC Inspection Denial of Service Vulnerabilities and ILS
Inspection Denial of Service Vulnerability were discovered by Cisco
during internal testing.
Status of this Notice: FINAL
============================
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFOjHRIQXnnBKKRMNARCAUrAP9BnUYauwq7OzqUJRuoVjBLn6T2Qh3S/LRn
e0k/AYOr8AD/T7EQ/K8N+bAPmYBoJxsERyDGg80x/pxfRWFBd1s2+nE=
=hr9R
-----END PGP SIGNATURE-----
| VAR-201111-0180 | CVE-2011-4501 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg, Canyon-Tech CN-WF512 with firmware 1.83, Canyon-Tech CN-WF514 with firmware 2.08, Sitecom WL-153 with firmware before 1.39, and Sweex LB000021 with firmware 3.15 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple Universal Plug and Play (UPnP) compatible routers have insufficient access restrictions: a UPnP-capable router may unintentionally accept UPnP requests on its WAN-side interface. An unauthenticated remote third party could obtain local network information or use the product as a proxy. Universal Plug and Play (UPnP) is a network protocol that is mostly used for personal computer device discovery and communication with other devices and the Internet. These requests can be used to connect to internal hosts or to proxy connections through the NAT firewall. Remote unauthenticated attackers can exploit these vulnerabilities to scan internal hosts or to communicate with the Internet through the device as a proxy.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2.
Vulnerabilities exist in the UPnP IGD installation and enablement of Edimax EdiLinux for various Edimax versions. This vulnerability is related to the "external forwarding" vulnerability.
----------------------------------------------------------------------
TITLE:
Siemens OZW / OZS Multiple Products libupnp Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA52035
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52035/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52035
RELEASE DATE:
2013-01-31
DISCUSS ADVISORY:
http://secunia.com/advisories/52035/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in multiple Siemens OZW
and OZS products, which can be exploited by malicious people to
compromise a vulnerable device.
1) Multiple vulnerabilities are caused due to a bundled version of
libupnp.
For more information:
SA51949
2) Multiple boundary errors within the "unique_service_name()"
function (ssdp/ssdp_ctrlpt.c) in libupnp when handling SSDP requests
can be exploited to cause stack-based buffer overflows. The vendor is planning
to provide fixes with upcoming firmware updates.
PROVIDED AND/OR DISCOVERED BY:
2) Rapid7
ORIGINAL ADVISORY:
Siemens SSA-963338:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-963338.pdf
Rapid7:
https://community.rapid7.com/docs/DOC-2150
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
This library is used in several vendor network
devices in addition to media streaming and file sharing applications.
These vulnerabilities were disclosed on January 29th, 2013 in a CERT
Vulnerability Note, VU#922681, which can be viewed at:
http://www.kb.cert.org/vuls/id/922681
Cisco is currently evaluating products for possible exposure to these
vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
| VAR-201111-0179 | CVE-2011-4500 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation on the Cisco Linksys WRT54GX with firmware 2.00.05, when UPnP is enabled, configures the SOAP server to listen on the WAN port, which allows remote attackers to administer the firewall via SOAP requests. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-compatible routers have insufficient access restrictions: routers that support UPnP may unintentionally accept UPnP requests arriving on the WAN-side interface. An unauthenticated remote third party could obtain local network information or use the product as a proxy. Universal Plug and Play (UPnP) is a network protocol mostly used for device discovery and communication between personal computers, other devices and the Internet. Such requests can be used to connect to internal hosts or to proxy connections through the NAT firewall. Remote unauthenticated attackers can exploit these vulnerabilities to scan internal hosts or to proxy Internet traffic through the device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2.
| VAR-201111-0178 | CVE-2011-4499 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation in the Broadcom UPnP stack on the Cisco Linksys WRT54G with firmware before 4.30.5, WRT54GS v1 through v3 with firmware before 4.71.1, and WRT54GS v4 with firmware before 1.06.1 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-compatible routers have insufficient access restrictions: routers that support UPnP may unintentionally accept UPnP requests arriving on the WAN-side interface. An unauthenticated remote third party could obtain local network information or use the product as a proxy. Universal Plug and Play (UPnP) is a network protocol mostly used for device discovery and communication between personal computers, other devices and the Internet. Such requests can be used to connect to internal hosts or to proxy connections through the NAT firewall. Remote unauthenticated attackers can exploit these vulnerabilities to scan internal hosts or to proxy Internet traffic through the device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2. A vulnerability exists in the UPnP IGD implementation of multiple versions of the Broadcom UPnP stack on the Cisco Linksys WRT54G. This vulnerability is related to the "external forwarding" vulnerability.
| VAR-201111-0162 | CVE-2011-4506 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation on the Thomson (aka Technicolor) TG585 with firmware 7.x before 7.4.3.2 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-compatible routers have insufficient access restrictions: routers that support UPnP may unintentionally accept UPnP requests arriving on the WAN-side interface. An unauthenticated remote third party could obtain local network information or use the product as a proxy. Universal Plug and Play (UPnP) is a network protocol mostly used for device discovery and communication between personal computers, other devices and the Internet. Such requests can be used to connect to internal hosts or to proxy connections through the NAT firewall. Remote unauthenticated attackers can exploit these vulnerabilities to scan internal hosts or to proxy Internet traffic through the device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2. A vulnerability exists in the UPnP IGD implementation on the Thomson (also known as Technicolor) TG585 with firmware 7.x prior to 7.4.3.2. This vulnerability is related to the "external forwarding" vulnerability.
| VAR-201111-0161 | CVE-2011-4505 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation on SpeedTouch 5x6 devices with firmware before 6.2.29 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-compatible routers have insufficient access restrictions. Universal Plug and Play (UPnP) is a network protocol mostly used for device discovery and communication between personal computers, other devices and the Internet. UPnP requests accepted on the WAN interface can be used to connect to internal hosts or to proxy connections through the NAT firewall. Remote unauthenticated attackers can exploit these vulnerabilities to scan internal hosts or to proxy Internet traffic through the device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2. Speedtouch is a wireless Internet router for the home. This vulnerability is related to the "external forwarding" vulnerability.
| VAR-201111-0159 | CVE-2011-4503 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation in Broadcom Linux on the Sitecom WL-111 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-compatible routers have insufficient access restrictions. A vulnerability exists in the UPnP IGD implementation of Broadcom Linux on the Sitecom WL-111. This vulnerability is related to the "external forwarding" vulnerability.
An attacker can exploit this issue to gain unauthorized access to scan the internal host or proxy internet traffic through an affected device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2.
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Siemens OZW / OZS Multiple Products libupnp Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA52035
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52035/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52035
RELEASE DATE:
2013-01-31
DISCUSS ADVISORY:
http://secunia.com/advisories/52035/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52035/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52035
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in multiple Siemens OZW
and OZS products, which can be exploited by malicious people to
compromise a vulnerable device.
1) Multiple vulnerabilities are caused due to a bundled version of
libupnp.
For more information:
SA51949
2) Multiple boundary errors within the "unique_service_name()"
function (ssdp/ssdp_ctrlpt.c) in libupnp when handling SSDP requests
can be exploited to cause stack-based buffer overflows.
SOLUTION:
The vendor is planning to provide fixes with upcoming firmware updates.
PROVIDED AND/OR DISCOVERED BY:
2) Rapid7
ORIGINAL ADVISORY:
Siemens SSA-963338:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-963338.pdf
Rapid7:
https://community.rapid7.com/docs/DOC-2150
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
This library (libupnp) is used in several vendor network devices in
addition to media streaming and file sharing applications.
These vulnerabilities were disclosed on January 29th, 2013 in a CERT
Vulnerability Note, VU#922681, which can be viewed at:
http://www.kb.cert.org/vuls/id/922681
Cisco is currently evaluating products for possible exposure to these
vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlEIJZ8ACgkQUddfH3/BbTrUagD9FnKSVkc2iIfGs+7c8SVPT26+
ga5hYEz9UMUnitcqnbcBAIKe6KnkR6he2zbstVtbTKtqSjE7pfVb3lTKVZSeAkM5
=6sTu
-----END PGP SIGNATURE-----
| VAR-201111-0160 | CVE-2011-4504 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation in the Pseudo ICS UPnP software on the ZyXEL P-330W allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-capable routers have vulnerabilities caused by insufficient access restrictions. Universal Plug and Play (UPnP) is a network protocol used mainly so that personal computers and other devices can discover one another and communicate with each other and with the Internet. Because the affected routers also accept UPnP requests on the WAN side, such requests can be used to open connections to hosts on the internal network behind the NAT firewall or to have the device proxy a connection. A remote, unauthenticated attacker can exploit these issues to scan internal hosts or to relay traffic to the Internet through the device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2.
ZyXEL P-330W is a wireless broadband router. The vulnerability is in the UPnP IGD implementation of the P-330W's Pseudo ICS UPnP software and is related to the "external forwarding" issue described above.
| VAR-201111-0158 | CVE-2011-4502 | Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg, Canyon-Tech CN-WF512 with firmware 1.83, Canyon-Tech CN-WF514 with firmware 2.08, Sitecom WL-153 with firmware before 1.39, and Sweex LB000021 with firmware 3.15 allows remote attackers to execute arbitrary commands via shell metacharacters. The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Multiple UPnP-capable routers have vulnerabilities caused by insufficient access restrictions: they unintentionally accept UPnP requests on the WAN-side interface. An unauthenticated remote third party could obtain local network information or use the product as a proxy. The vulnerability is in the UPnP IGD implementation of Edimax EdiLinux.
An attacker can exploit this issue to scan internal hosts or to proxy Internet traffic through an affected device.
The following devices are affected:
Cisco Linksys WRT54G firmware version prior to 4.30.5
Cisco Linksys WRT54GS v1 through v3 firmware versions prior to 4.71.1
Cisco Linksys WRT54GS v4 firmware versions prior to 1.06.1
Cisco Linksys WRT54GX firmware 2.00.05
Edimax BR-6104K prior to 3.25
Edimax 6114Wg
Canyon-Tech CN-WF512 firmware version 1.83
Canyon-Tech CN-WF514 firmware version 2.08
Sitecom WL-153 prior to firmware 1.39
Sitecom WL-111
Sweex LB000021 firmware version 3.15
ZyXEL P-330W
SpeedTouch 5x6 firmware versions prior to 6.2.29
Thomson TG585 firmware versions prior to 7.4.3.2.
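The two IGD issues above (CVE-2011-4504, an AddPortMapping action honoured on the WAN side with an unrestricted NewInternalClient, and CVE-2011-4502, argument text reaching a shell unfiltered) are both failures to check the arguments of one SOAP action. The following is an added example, not code from ZyXEL, Edimax or any firmware: it parses a constructed AddPortMapping envelope and applies the checks a gateway should make before the request touches its firewall. The LAN subnet, the sample requests and the iptables command form are assumptions for illustration; the vulnerable command string is returned for inspection, never executed.

```python
"""Added example: parse a UPnP IGD AddPortMapping SOAP action and apply the
checks a gateway must make before the request reaches its firewall."""
import ipaddress
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"  # carries AddPortMapping
ARG_NAMES = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
             "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
             "NewLeaseDuration")
# What a legitimate control point puts in a host or description field; quotes,
# ';', '`', '$' and newlines are refused before any command line is built.
SAFE_TEXT = re.compile(r"^[A-Za-z0-9 ._:-]{0,64}$")


def soap_request(**override) -> str:
    """Constructed sample envelope (not a capture); keyword args override fields."""
    fields = {"NewRemoteHost": "", "NewExternalPort": "8080", "NewProtocol": "TCP",
              "NewInternalPort": "80", "NewInternalClient": "192.168.1.10",
              "NewEnabled": "1", "NewPortMappingDescription": "webcam",
              "NewLeaseDuration": "0"}
    fields.update(override)
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{WANIP_NS}">{body}</u:AddPortMapping>'
            "</s:Body></s:Envelope>")


def parse_add_port_mapping(envelope: str) -> dict:
    """Return the AddPortMapping arguments as a dict of strings."""
    root = ET.fromstring(envelope)
    action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping action")
    args = {child.tag: (child.text or "").strip() for child in action}
    missing = [name for name in ARG_NAMES if name not in args]
    if missing:
        raise ValueError(f"missing arguments: {missing}")
    return args


def check_mapping(args: dict, lan_cidr: str, arrived_on_wan: bool) -> list:
    """Return the reasons to refuse the request; an empty list means accept."""
    problems = []
    if arrived_on_wan:  # IGD actions are for LAN control points only
        problems.append("request arrived on the WAN interface")
    try:  # a target outside the LAN turns the router into a proxy
        if ipaddress.ip_address(args["NewInternalClient"]) not in ipaddress.ip_network(lan_cidr):
            problems.append("NewInternalClient is outside the LAN (external forwarding)")
    except ValueError:
        problems.append("NewInternalClient is not an IP address")
    for name in ("NewExternalPort", "NewInternalPort"):
        if not (args[name].isdigit() and 1 <= int(args[name]) <= 65535):
            problems.append(f"{name} is not a valid port")
    if args["NewProtocol"] not in ("TCP", "UDP"):
        problems.append("NewProtocol must be TCP or UDP")
    if not args["NewLeaseDuration"].isdigit():
        problems.append("NewLeaseDuration is not numeric")
    for name in ("NewRemoteHost", "NewPortMappingDescription"):
        if not SAFE_TEXT.match(args[name]):
            problems.append(f"{name} contains characters that are not allowed")
    return problems


def shell_command_unsafe(args: dict) -> str:
    """The pattern behind a shell-metacharacter bug: arguments pasted into one
    string destined for system(). Returned for inspection, never executed. The
    iptables form is an assumption for illustration, not taken from any firmware."""
    return ("iptables -t nat -A PREROUTING -p %s --dport %s -j DNAT --to %s:%s "
            "-m comment --comment '%s'"
            % (args["NewProtocol"].lower(), args["NewExternalPort"],
               args["NewInternalClient"], args["NewInternalPort"],
               args["NewPortMappingDescription"]))


def argv_safe(args: dict) -> list:
    """Same command as an argv list for execve()/subprocess.run(shell=False): each
    argument stays one word, so metacharacters cannot start a second command.
    Call only after check_mapping() returned an empty list."""
    return ["iptables", "-t", "nat", "-A", "PREROUTING",
            "-p", args["NewProtocol"].lower(), "--dport", args["NewExternalPort"],
            "-j", "DNAT", "--to", args["NewInternalClient"] + ":" + args["NewInternalPort"],
            "-m", "comment", "--comment", args["NewPortMappingDescription"]]


if __name__ == "__main__":
    lan = "192.168.1.0/24"
    for label, envelope in (("LAN mapping", soap_request()),
                            ("Internet host as target", soap_request(NewInternalClient="203.0.113.5")),
                            ("metacharacters", soap_request(NewPortMappingDescription="cam'; reboot; #"))):
        args = parse_add_port_mapping(envelope)
        print(f"{label}: {check_mapping(args, lan, arrived_on_wan=False) or 'accept'}")
    injected = parse_add_port_mapping(soap_request(NewPortMappingDescription="cam'; reboot; #"))
    print("system() would run:", shell_command_unsafe(injected))
    print("execve() keeps it as one word:", argv_safe(injected)[-1])
```

The interface check and the subnet check are independent: even a request from the LAN must not be allowed to name an Internet address as NewInternalClient, otherwise the router becomes a relay; and the allow-list on free-text fields matters regardless of how the mapping is applied, since an argv list only protects the command that receives it.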
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. Apache HTTP Server is prone to an information disclosure vulnerability: when the rule captures the whole request-URI and appends it to the backend name, the leading @ turns the configured backend into the userinfo part of the rewritten URL, so the proxy connects to whatever host the attacker named in the request-URI.
An attacker can exploit this vulnerability to reach servers behind the proxy and gain access to sensitive information.
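The rewrite described above, and the two fixes the advisories below mention (anchoring the pattern on a leading slash, and the 2.2.22 rejection of request-URIs that do not match the HTTP specification), as an added example that is not Apache's code. The ProxyPassMatch lines, the backend name and the request-URIs are assumptions constructed to show the shape of the problem; the substitution mimics only the $1..$9 expansion.

```python
"""Added example: how the '@' request-URI of CVE-2011-3368 turns a reverse
proxy into an open relay, and the two checks that close it."""
import re
from urllib.parse import urlsplit

# Weak configuration (assumed, but of the shape the advisories describe): the
# pattern captures the whole request-URI and glues it onto the backend name.
#   ProxyPassMatch ^(.*)$ http://backend$1
# Corrected: require the leading '/', so the capture can never start with '@'.
#   ProxyPassMatch ^/(.*)$ http://backend/$1
WEAK_RULE = (r"^(.*)$", "http://backend$1")
FIXED_RULE = (r"^/(.*)$", "http://backend/$1")


def expand_proxy_rule(pattern: str, target: str, request_uri: str):
    """Mimic ProxyPassMatch substitution: return the backend URL, or None if the
    request-URI does not match the pattern. Only $1..$9 are handled."""
    m = re.match(pattern, request_uri)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)


def backend_host(url: str) -> str:
    """Host the proxy would actually connect to. In 'http://backend@evil/...'
    the configured backend name has become the userinfo and 'evil' the host."""
    return urlsplit(url).hostname


def request_uri_is_valid(request_uri: str) -> bool:
    """The 2.2.22 rule: accept '*', an origin-form path starting with '/', or an
    absolute URI with a scheme; refuse anything else ('@host/...', 'host:80/...')."""
    if request_uri == "*" or request_uri.startswith("/"):
        return True
    return re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", request_uri) is not None


def proxy_decision(rule, request_uri: str, validate: bool):
    """Return the backend URL a proxy would use, or None when the request is refused."""
    if validate and not request_uri_is_valid(request_uri):
        return None
    return expand_proxy_rule(rule[0], rule[1], request_uri)


if __name__ == "__main__":
    # Constructed request lines, e.g. "GET @10.0.0.5:8080/secret HTTP/1.0".
    for uri in ("/app/index.html", "@10.0.0.5:8080/secret"):
        weak = proxy_decision(WEAK_RULE, uri, validate=False)
        print(f"{uri!r:26} weak rule    -> {weak} (host {backend_host(weak) if weak else '-'})")
        print(f"{'':26} fixed rule   -> {proxy_decision(FIXED_RULE, uri, validate=False)}")
        print(f"{'':26} 2.2.22 check -> {proxy_decision(WEAK_RULE, uri, validate=True)}")
```

Run it and the weak rule sends the second request to 10.0.0.5:8080 with "backend" as the user name; the anchored pattern never matches it, and the request-URI check refuses it before any rule runs. Both are worth having: the pattern fix protects one rule, the server-level check protects every rule, including RewriteRule with the proxy flag.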
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker might obtain sensitive information, gain privileges,
send requests to unintended servers behind proxies, bypass certain
security restrictions, obtain the values of HTTPOnly cookies, or cause
a Denial of Service in various ways.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache HTTP Server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1"
References
==========
[ 1 ] CVE-2010-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408
[ 2 ] CVE-2010-0434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434
[ 3 ] CVE-2010-1452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452
[ 4 ] CVE-2010-2791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791
[ 5 ] CVE-2011-3192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192
[ 6 ] CVE-2011-3348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348
[ 7 ] CVE-2011-3368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368
[ 8 ] CVE-2011-3607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607
[ 9 ] CVE-2011-4317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317
[ 10 ] CVE-2012-0021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021
[ 11 ] CVE-2012-0031
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031
[ 12 ] CVE-2012-0053
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053
[ 13 ] CVE-2012-0883
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-25.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
==========================================================================
Ubuntu Security Notice USN-1259-1
November 11, 2011
apache2, apache2-mpm-itk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Multiple vulnerabilities and a regression were fixed in the Apache HTTP
server. The mod_proxy module did not properly validate the request URI in
reverse proxy configurations that use ProxyPassMatch or RewriteRule. This
could allow remote attackers to contact internal webservers behind the
proxy that were not intended for external exposure. (CVE-2011-3368)
The mod_proxy_ajp module could also be made to mark back-end servers as
failed by certain malformed requests, causing a denial of service.
(CVE-2011-3348)
Samuel Montosa discovered that the ITK Multi-Processing Module for
Apache did not properly handle certain configuration sections that
specify NiceValue but not AssignUserID, preventing Apache from dropping
privileges correctly. This issue only affected Ubuntu 10.04 LTS, Ubuntu
10.10 and Ubuntu 11.04. (CVE-2011-1176)
USN 1199-1 fixed a vulnerability in the byterange filter of Apache. The
upstream patch introduced a regression in Apache when handling specific
byte range requests.
Original advisory details:
A flaw was discovered in the byterange filter in Apache.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
apache2.2-bin 2.2.20-1ubuntu1.1
Ubuntu 11.04:
apache2-mpm-itk 2.2.17-1ubuntu1.4
apache2.2-bin 2.2.17-1ubuntu1.4
Ubuntu 10.10:
apache2-mpm-itk 2.2.16-1ubuntu3.4
apache2.2-bin 2.2.16-1ubuntu3.4
Ubuntu 10.04 LTS:
apache2-mpm-itk 2.2.14-5ubuntu8.7
apache2.2-bin 2.2.14-5ubuntu8.7
Ubuntu 8.04 LTS:
apache2.2-common 2.2.8-1ubuntu0.22
In general, a standard system update will make all the necessary changes.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: httpd security and bug fix update
Advisory ID: RHSA-2012:0543-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0543.html
Issue date: 2012-05-07
CVE Names: CVE-2011-3348 CVE-2011-3368 CVE-2011-3607
CVE-2012-0021 CVE-2012-0031 CVE-2012-0053
=====================================================================
1. Summary:
An update for the Apache HTTP Server component for JBoss Enterprise Web
Server 1.0.2 that fixes multiple security issues and one bug is now
available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Description:
It was discovered that the Apache HTTP Server did not properly validate the
request URI for proxied requests. In certain configurations, if a reverse
proxy used the ProxyPassMatch directive, or if it used the RewriteRule
directive with the proxy flag, a remote attacker could make the proxy
connect to an arbitrary server, possibly disclosing sensitive information
from internal web servers not directly accessible to the attacker.
(CVE-2011-3368)
It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed HTTP requests,
which caused the back-end server to be marked as failed in configurations
where mod_proxy was used in load balancer mode. A remote attacker could
cause mod_proxy to not send requests to back-end AJP (Apache JServ
Protocol) servers for the retry timeout period or until all back-end
servers were marked as failed. (CVE-2011-3348)
The httpd server included the full HTTP header line in the default error
page generated when receiving an excessively long or malformed header.
Malicious JavaScript running in the server's domain context could use this
flaw to gain access to httpOnly cookies. (CVE-2012-0053)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions. An
attacker able to set certain httpd settings, such as a user permitted to
override the httpd configuration for a specific directory using a
".htaccess" file, could use this flaw to crash the httpd child process or,
possibly, execute arbitrary code with the privileges of the "apache" user.
(CVE-2011-3607)
A NULL pointer dereference flaw was found in the httpd mod_log_config
module. In configurations where cookie logging is enabled, a remote
attacker could use this flaw to crash the httpd child process via an HTTP
request with a malformed Cookie header. (CVE-2012-0021)
A flaw was found in the way httpd handled child process status information.
A malicious program running with httpd child process privileges (such as a
PHP or CGI script) could use this flaw to cause the parent httpd process to
crash during httpd service shutdown. (CVE-2012-0031)
Red Hat would like to thank Context Information Security for reporting the
CVE-2011-3368 issue.
This update also fixes the following bug:
* The fix for CVE-2011-3192 provided by the RHSA-2011:1330 update
introduced a regression in the way httpd handled certain Range HTTP header
values. This update corrects this regression. (BZ#749071)
All users of JBoss Enterprise Web Server 1.0.2 as provided from the Red Hat
Customer Portal are advised to apply this update.
3. Solution:
The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing JBoss Enterprise Web Server installation (including all
applications and configuration files).
4. Bugs fixed (http://bugzilla.redhat.com/):
736690 - CVE-2011-3348 httpd: mod_proxy_ajp remote temporary DoS
740045 - CVE-2011-3368 httpd: reverse web proxy vulnerability
769844 - CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow
773744 - CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling
785065 - CVE-2012-0021 httpd: NULL pointer dereference crash in mod_log_config
785069 - CVE-2012-0053 httpd: cookie exposure due to error responses
5. References:
https://www.redhat.com/security/data/cve/CVE-2011-3348.html
https://www.redhat.com/security/data/cve/CVE-2011-3368.html
https://www.redhat.com/security/data/cve/CVE-2011-3607.html
https://www.redhat.com/security/data/cve/CVE-2012-0021.html
https://www.redhat.com/security/data/cve/CVE-2012-0031.html
https://www.redhat.com/security/data/cve/CVE-2012-0053.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2
https://rhn.redhat.com/errata/RHSA-2011-1330.html
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPqBfUXlSAg2UNWIIRAgp2AJ432q0jjbDmtWUkzP2pTCOTuyM5ywCcDYDy
4xGCmUQd1BJTxhSroB4/okA=
=45KX
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
This version of Apache (2.2.22) is principally a security
and bug fix release, including the following significant security fixes:
* SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations.
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
Fixed an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
The Apache HTTP Project thanks halfdog, Context Information Security Ltd,
Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to
the attention of the security team.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.22 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.22 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.5
and APR Utility Library (APR-util) version 1.4.2, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
APR-util version 1.4 represents a minor version upgrade from earlier
httpd source distributions, which previously included version 1.3.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03231301
Version: 1
HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, Unauthorized Modification, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-03-27
Last Updated: 2012-03-27
Potential Security Impact: Remote unauthorized disclosure of information, unauthorized modification, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache HTTP Server. The vulnerabilities could be exploited remotely resulting in unauthorized disclosure of information, unauthorized modification, or Denial of Service (DoS).
References: CVE-2012-0053, CVE-2012-0031, CVE-2012-0021, CVE-2011-4317, CVE-2011-3607, CVE-2011-3368
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and Solaris.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-0053 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2012-0031 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 4.6
CVE-2012-0021 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2011-4317 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-3607 (AV:L/AC:M/Au:N/C:P/I:P/A:P) 4.4
CVE-2011-3368 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided a hotfix to resolve the vulnerabilities. The SSRT100772 hotfix is available by contacting the normal HP Services support channel.
MANUAL ACTIONS: Yes - NonUpdate
Install the hotfix for SSRT100772.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the hotfix for SSRT100772
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 27 March 2012 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
The apr-util package has also been updated to the latest version.
Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/apr-util-1.4.1-i486-1_slack13.37.txz: Upgraded.
patches/packages/httpd-2.2.22-i486-1_slack13.37.txz: Upgraded. PR 52256.
[Eric Covener]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated packages for Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-util-1.4.1-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.22-i486-1_slack12.0.tgz
Updated packages for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-util-1.4.1-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.22-i486-1_slack12.1.tgz
Updated packages for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-util-1.4.1-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.22-i486-1_slack12.2.tgz
Updated packages for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/apr-util-1.4.1-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.22-i486-1_slack13.0.txz
Updated packages for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/apr-util-1.4.1-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.22-x86_64-1_slack13.0.txz
Updated packages for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/apr-util-1.4.1-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.22-i486-1_slack13.1.txz
Updated packages for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/apr-util-1.4.1-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.22-x86_64-1_slack13.1.txz
Updated packages for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/apr-util-1.4.1-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.22-i486-1_slack13.37.txz
Updated packages for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/apr-util-1.4.1-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.22-x86_64-1_slack13.37.txz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/apr-util-1.4.1-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.2.22-i486-1.txz
Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/apr-util-1.4.1-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.2.22-x86_64-1.txz
MD5 signatures:
+-------------+
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg apr-util-1.4.1-i486-1_slack13.37.txz httpd-2.2.22-i486-1_slack13.37.txz
Then, restart the httpd daemon.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. (BZ#736593, BZ#736594)
All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues.
Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-49.ent.src.rpm
i386:
httpd-2.0.52-49.ent.i386.rpm
httpd-debuginfo-2.0.52-49.ent.i386.rpm
httpd-devel-2.0.52-49.ent.i386.rpm
httpd-manual-2.0.52-49.ent.i386.rpm
httpd-suexec-2.0.52-49.ent.i386.rpm
mod_ssl-2.0.52-49.ent.i386.rpm
ia64:
httpd-2.0.52-49.ent.ia64.rpm
httpd-debuginfo-2.0.52-49.ent.ia64.rpm
httpd-devel-2.0.52-49.ent.ia64.rpm
httpd-manual-2.0.52-49.ent.ia64.rpm
httpd-suexec-2.0.52-49.ent.ia64.rpm
mod_ssl-2.0.52-49.ent.ia64.rpm
ppc:
httpd-2.0.52-49.ent.ppc.rpm
httpd-debuginfo-2.0.52-49.ent.ppc.rpm
httpd-devel-2.0.52-49.ent.ppc.rpm
httpd-manual-2.0.52-49.ent.ppc.rpm
httpd-suexec-2.0.52-49.ent.ppc.rpm
mod_ssl-2.0.52-49.ent.ppc.rpm
s390:
httpd-2.0.52-49.ent.s390.rpm
httpd-debuginfo-2.0.52-49.ent.s390.rpm
httpd-devel-2.0.52-49.ent.s390.rpm
httpd-manual-2.0.52-49.ent.s390.rpm
httpd-suexec-2.0.52-49.ent.s390.rpm
mod_ssl-2.0.52-49.ent.s390.rpm
s390x:
httpd-2.0.52-49.ent.s390x.rpm
httpd-debuginfo-2.0.52-49.ent.s390x.rpm
httpd-devel-2.0.52-49.ent.s390x.rpm
httpd-manual-2.0.52-49.ent.s390x.rpm
httpd-suexec-2.0.52-49.ent.s390x.rpm
mod_ssl-2.0.52-49.ent.s390x.rpm
x86_64:
httpd-2.0.52-49.ent.x86_64.rpm
httpd-debuginfo-2.0.52-49.ent.x86_64.rpm
httpd-devel-2.0.52-49.ent.x86_64.rpm
httpd-manual-2.0.52-49.ent.x86_64.rpm
httpd-suexec-2.0.52-49.ent.x86_64.rpm
mod_ssl-2.0.52-49.ent.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-49.ent.src.rpm
i386:
httpd-2.0.52-49.ent.i386.rpm
httpd-debuginfo-2.0.52-49.ent.i386.rpm
httpd-devel-2.0.52-49.ent.i386.rpm
httpd-manual-2.0.52-49.ent.i386.rpm
httpd-suexec-2.0.52-49.ent.i386.rpm
mod_ssl-2.0.52-49.ent.i386.rpm
x86_64:
httpd-2.0.52-49.ent.x86_64.rpm
httpd-debuginfo-2.0.52-49.ent.x86_64.rpm
httpd-devel-2.0.52-49.ent.x86_64.rpm
httpd-manual-2.0.52-49.ent.x86_64.rpm
httpd-suexec-2.0.52-49.ent.x86_64.rpm
mod_ssl-2.0.52-49.ent.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-49.ent.src.rpm
i386:
httpd-2.0.52-49.ent.i386.rpm
httpd-debuginfo-2.0.52-49.ent.i386.rpm
httpd-devel-2.0.52-49.ent.i386.rpm
httpd-manual-2.0.52-49.ent.i386.rpm
httpd-suexec-2.0.52-49.ent.i386.rpm
mod_ssl-2.0.52-49.ent.i386.rpm
ia64:
httpd-2.0.52-49.ent.ia64.rpm
httpd-debuginfo-2.0.52-49.ent.ia64.rpm
httpd-devel-2.0.52-49.ent.ia64.rpm
httpd-manual-2.0.52-49.ent.ia64.rpm
httpd-suexec-2.0.52-49.ent.ia64.rpm
mod_ssl-2.0.52-49.ent.ia64.rpm
x86_64:
httpd-2.0.52-49.ent.x86_64.rpm
httpd-debuginfo-2.0.52-49.ent.x86_64.rpm
httpd-devel-2.0.52-49.ent.x86_64.rpm
httpd-manual-2.0.52-49.ent.x86_64.rpm
httpd-suexec-2.0.52-49.ent.x86_64.rpm
mod_ssl-2.0.52-49.ent.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-49.ent.src.rpm
i386:
httpd-2.0.52-49.ent.i386.rpm
httpd-debuginfo-2.0.52-49.ent.i386.rpm
httpd-devel-2.0.52-49.ent.i386.rpm
httpd-manual-2.0.52-49.ent.i386.rpm
httpd-suexec-2.0.52-49.ent.i386.rpm
mod_ssl-2.0.52-49.ent.i386.rpm
ia64:
httpd-2.0.52-49.ent.ia64.rpm
httpd-debuginfo-2.0.52-49.ent.ia64.rpm
httpd-devel-2.0.52-49.ent.ia64.rpm
httpd-manual-2.0.52-49.ent.ia64.rpm
httpd-suexec-2.0.52-49.ent.ia64.rpm
mod_ssl-2.0.52-49.ent.ia64.rpm
x86_64:
httpd-2.0.52-49.ent.x86_64.rpm
httpd-debuginfo-2.0.52-49.ent.x86_64.rpm
httpd-devel-2.0.52-49.ent.x86_64.rpm
httpd-manual-2.0.52-49.ent.x86_64.rpm
httpd-suexec-2.0.52-49.ent.x86_64.rpm
mod_ssl-2.0.52-49.ent.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-53.el5_7.3.src.rpm
i386:
httpd-2.2.3-53.el5_7.3.i386.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.i386.rpm
mod_ssl-2.2.3-53.el5_7.3.i386.rpm
x86_64:
httpd-2.2.3-53.el5_7.3.x86_64.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.x86_64.rpm
mod_ssl-2.2.3-53.el5_7.3.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-53.el5_7.3.src.rpm
i386:
httpd-debuginfo-2.2.3-53.el5_7.3.i386.rpm
httpd-devel-2.2.3-53.el5_7.3.i386.rpm
httpd-manual-2.2.3-53.el5_7.3.i386.rpm
x86_64:
httpd-debuginfo-2.2.3-53.el5_7.3.i386.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.x86_64.rpm
httpd-devel-2.2.3-53.el5_7.3.i386.rpm
httpd-devel-2.2.3-53.el5_7.3.x86_64.rpm
httpd-manual-2.2.3-53.el5_7.3.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-53.el5_7.3.src.rpm
i386:
httpd-2.2.3-53.el5_7.3.i386.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.i386.rpm
httpd-devel-2.2.3-53.el5_7.3.i386.rpm
httpd-manual-2.2.3-53.el5_7.3.i386.rpm
mod_ssl-2.2.3-53.el5_7.3.i386.rpm
ia64:
httpd-2.2.3-53.el5_7.3.ia64.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.ia64.rpm
httpd-devel-2.2.3-53.el5_7.3.ia64.rpm
httpd-manual-2.2.3-53.el5_7.3.ia64.rpm
mod_ssl-2.2.3-53.el5_7.3.ia64.rpm
ppc:
httpd-2.2.3-53.el5_7.3.ppc.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.ppc.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.ppc64.rpm
httpd-devel-2.2.3-53.el5_7.3.ppc.rpm
httpd-devel-2.2.3-53.el5_7.3.ppc64.rpm
httpd-manual-2.2.3-53.el5_7.3.ppc.rpm
mod_ssl-2.2.3-53.el5_7.3.ppc.rpm
s390x:
httpd-2.2.3-53.el5_7.3.s390x.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.s390.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.s390x.rpm
httpd-devel-2.2.3-53.el5_7.3.s390.rpm
httpd-devel-2.2.3-53.el5_7.3.s390x.rpm
httpd-manual-2.2.3-53.el5_7.3.s390x.rpm
mod_ssl-2.2.3-53.el5_7.3.s390x.rpm
x86_64:
httpd-2.2.3-53.el5_7.3.x86_64.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.i386.rpm
httpd-debuginfo-2.2.3-53.el5_7.3.x86_64.rpm
httpd-devel-2.2.3-53.el5_7.3.i386.rpm
httpd-devel-2.2.3-53.el5_7.3.x86_64.rpm
httpd-manual-2.2.3-53.el5_7.3.x86_64.rpm
mod_ssl-2.2.3-53.el5_7.3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7.
HP Secure Web Server (SWS) for OpenVMS V2.2 and earlier