VARIoT IoT vulnerabilities database


VAR-201005-0465 No CVE Hitachi Collaboration Common Utility Unspecified Stack Buffer Overflow Vulnerability
CVSS V2: -
CVSS V3: -
Severity: -

Hitachi Collaboration Common Utility is prone to a stack-based buffer-overflow vulnerability. Very few technical details are currently available. We will update this BID as more information emerges. Successfully exploiting this issue allows an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

----------------------------------------------------------------------
Secunia CSI integrated with Microsoft WSUS and Microsoft SCCM for 3rd party Patch Management
Free webinars
http://secunia.com/vulnerability_scanning/corporate/webinars/
----------------------------------------------------------------------

TITLE:
Hitachi Cosminexus Products Unspecified Vulnerability

SECUNIA ADVISORY ID:
SA40065

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40065/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40065

RELEASE DATE:
2010-06-04

DISCUSS ADVISORY:
http://secunia.com/advisories/40065/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/40065/

ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=40065

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
Hitachi has acknowledged a vulnerability in Hitachi products, which has unknown impacts.

Please see the vendor's advisory for a list of affected products and versions.

SOLUTION:
Please see the vendor's advisory for fix information.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
HS10-006:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-006/index.html

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/

----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201005-0535 No CVE Hitachi Web Server SSL Certificate Revocation Security Bypass Vulnerability
CVSS V2: -
CVSS V3: -
Severity: -

Hitachi Web Server is prone to a security-bypass vulnerability affecting Secure Sockets Layer (SSL) certificate revocation lists. Attackers may exploit this issue to potentially gain unauthorized access to the vulnerable server.

TITLE:
Hitachi Web Server SSL Client Certificate Revocation List Security Bypass

SECUNIA ADVISORY ID:
SA40067

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40067/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40067

RELEASE DATE:
2010-06-04

DISCUSS ADVISORY:
http://secunia.com/advisories/40067/#comments

DESCRIPTION:
Hitachi has acknowledged a security issue in Hitachi Web Server, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an unspecified error when processing the certificate revocation list of SSL client certificates. This can be exploited to, for example, pass SSL client authentication with certificates that are registered in certificate revocation lists.

Please see the vendor's advisory for a list of affected products and versions.

SOLUTION:
Apply patches as soon as available. Do not rely on the correct processing of certificate revocation lists.

Please see the vendor's advisory for fix information.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
HS10-009:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-009/index.html
VAR-201005-0874 CVE-2010-0539 Apple Java for Mac OS X Window Drawing Implementation Arbitrary Code Execution Vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM

Integer signedness error in the window drawing implementation in Apple Java for Mac OS X 10.5 before Update 7 and Java for Mac OS X 10.6 before Update 2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted applet. Successful exploits will allow an attacker to run arbitrary code in the context of the affected software. Failed exploit attempts may result in denial-of-service conditions.

This issue affects the following:
Mac OS X 10.5.8 (and prior versions)
Mac OS X Server 10.5.8 (and prior versions)
Mac OS X 10.6.3 (and prior versions)
Mac OS X Server 10.6.3 (and prior versions)

----------------------------------------------------------------------
Looking for a job? Secunia is hiring skilled researchers and talented developers.
----------------------------------------------------------------------

This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, disclose potentially sensitive information, cause a DoS (Denial of Service), or to compromise a user's system.

For more information:
SA34451
SA37255
SA39260

1) An error in the handling of mediaLibImage objects can be exploited to cause an out-of-bounds memory access and potentially execute arbitrary code when a user e.g. visits a web page containing a specially crafted Java applet.

2) A signedness error when drawing windows can be exploited to corrupt memory and potentially execute arbitrary code when a user e.g. visits a web page containing a specially crafted Java applet.

SOLUTION:
Apply updates.
http://support.apple.com/kb/DL971

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Marc Schoenefeld, University of Bamberg.
2) The vendor credits Jonathan Bringhurst of Northrop Grumman, and Jeffrey Czerniak.

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4170
http://support.apple.com/kb/HT4171

OTHER REFERENCES:
SA34451:
http://secunia.com/advisories/34451/
SA37255:
http://secunia.com/advisories/37255/
SA39260:
http://secunia.com/advisories/39260/
VAR-201005-0870 CVE-2010-0538 Java on Apple Mac OS X Arbitrary Code Execution Vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM

Apple Java for Mac OS X 10.5 before Update 7 and Java for Mac OS X 10.6 before Update 2 do not properly handle mediaLibImage objects, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted applet, related to the com.sun.medialib.mlib package. Successful exploits will allow an attacker to run arbitrary code in the context of the affected software. Failed exploit attempts may result in denial-of-service conditions.

This issue affects the following:
Mac OS X 10.5.8 (and prior versions)
Mac OS X Server 10.5.8 (and prior versions)
Mac OS X 10.6.3 (and prior versions)
Mac OS X Server 10.6.3 (and prior versions)

Apple Java used by the Mac operating system cannot properly handle the mediaLibImage object.

This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, disclose potentially sensitive information, cause a DoS (Denial of Service), or to compromise a user's system.

For more information:
SA34451
SA37255
SA39260

1) An error in the handling of mediaLibImage objects can be exploited to cause an out-of-bounds memory access and potentially execute arbitrary code when a user e.g. visits a web page containing a specially crafted Java applet.

2) A signedness error when drawing windows can be exploited to corrupt memory and potentially execute arbitrary code when a user e.g. visits a web page containing a specially crafted Java applet.

SOLUTION:
Apply updates.
http://support.apple.com/kb/DL971

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Marc Schoenefeld, University of Bamberg.
2) The vendor credits Jonathan Bringhurst of Northrop Grumman, and Jeffrey Czerniak.

ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4170
http://support.apple.com/kb/HT4171

OTHER REFERENCES:
SA34451:
http://secunia.com/advisories/34451/
SA37255:
http://secunia.com/advisories/37255/
SA39260:
http://secunia.com/advisories/39260/
VAR-201005-0325 CVE-2010-1454 VMware SpringSource tc Server Runtime JMX Interface Unauthorized Access Vulnerability
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM

com.springsource.tcserver.serviceability.rmi.JmxSocketListener in VMware SpringSource tc Server Runtime 6.0.19 and 6.0.20 before 6.0.20.D, and 6.0.25.A before 6.0.25.A-SR01, does not properly enforce the requirement for an encrypted (aka s2enc) password, which allows remote attackers to obtain JMX interface access via a blank password.

SpringSource tc Server is a Tomcat-based web application server released by SpringSource, a VMware subsidiary. com.springsource.tcserver.serviceability.rmi.JmxSocketListener has a security issue: if the listener is configured with an encrypted password (for example by prefixing the password with s2enc://), authentication to the JMX interface succeeds regardless of whether the correct password or an empty string is supplied. By default, the JMX interface does not allow remote access, but it can be configured to be remotely accessible by setting the address property. An attacker can exploit this issue to bypass certain security restrictions and gain unauthorized access to the JMX interface, which may lead to further attacks. Versions prior to SpringSource tc Server runtime 6.0.20.D and 6.0.25.A-SR01 are vulnerable.

Mitigation:
All users are recommended to immediately switch to non-encrypted passwords for the JMX interface or to disable the JMX interface.

References:
[1] http://www.springsource.com/security/tc-server

Mark Thomas
SpringSource Security Team

TITLE:
SpringSource tc Server Encrypted Password Security Bypass

SECUNIA ADVISORY ID:
SA39778

VERIFY ADVISORY:
http://secunia.com/advisories/39778/

DESCRIPTION:
A vulnerability has been reported in SpringSource tc Server, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an error within the com.springsource.tcserver.serviceability.rmi.JmxSocketListener listener when handling encrypted passwords. This can be exploited to bypass the authentication by e.g. entering an empty password.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Erhan Baz, Yapi Kredi.

ORIGINAL ADVISORY:
http://www.springsource.com/security/cve-2010-1454
VAR-201005-0181 CVE-2010-1942 Fujitsu Interstage Application Server Servlet Component Security Vulnerability
CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM

Unspecified vulnerability in the Servlet service in Fujitsu Limited Interstage Application Server 3.0 through 7.0, as used in Interstage Application Framework Suite, Interstage Business Application Server, and Interstage List Manager, allows attackers to obtain sensitive information or force invalid requests to be processed via unknown vectors related to unspecified invalid requests and settings on the load balancing device. According to the developer, the impact of this vulnerability depends on the implementation of the web application.

Fujitsu Interstage Application Server is an application platform that supports the construction and operation of business systems. A remote attacker can exploit the vulnerability to have partially invalid requests processed or to obtain sensitive information belonging to other users.

SOLUTION:
Please see the vendor's advisory for a patch matrix.

The vendor recommends setting the distribution beginning time to five minutes or more at the load balancer.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
Fujitsu:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-201001e.html

OTHER REFERENCES:
JVN:
http://jvn.jp/en/jp/JVN90248889/index.html
VAR-201005-0173 CVE-2010-1563 Cisco PGW 2200 Softswitch of SIP Denial of service in implementation (DoS) Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (device crash) via a malformed header, aka Bug ID CSCsk04588. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. This issue is tracked by Cisco BugID CSCsk04588. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures. The bug ID is CSCsk04588. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Multiple vulnerabilities in Cisco PGW Softswitch Document ID: 111870 Advisory ID: cisco-sa-20100512-pgw http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml Revision 1.0 For Public Release 2010 May 12 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent from other. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. 
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml Affected Products ================= Vulnerable Products +------------------ The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table. +---------------------------------------+ | Cisco Bug | Affects All Software | | ID | Releases Prior This | | | Version(s) | |------------+--------------------------| | CSCsz13590 | 9.8(1)S5 | |------------+--------------------------| | CSCsl39126 | 9.7(3)S11 | |------------+--------------------------| | CSCsk32606 | 9.7(3)S11 | |------------+--------------------------| | CSCsk44115 | 9.7(3)S11, 9.7(3)P11 | |------------+--------------------------| | CSCsk40030 | 9.7(3)S10 | |------------+--------------------------| | CSCsk38165 | 9.7(3)S10 | |------------+--------------------------| | CSCsj98521 | 9.7(3)S9, 9.7(3)P9 | |------------+--------------------------| | CSCsk04588 | 9.7(3)S9, 9.7(3)P9 | |------------+--------------------------| | CSCsk13561 | 9.7(3)S9, 9.7(3)P9 | +---------------------------------------+ To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state. 
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3): mml> RTRV-NE Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000 M RTRV "Type:MGC (Switch Mode)" "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210" "Vendor:"Cisco Systems, Inc."" "Location:MGC-01 - Media Gateway Controller" "Version:"9.7(3)"" "Patch:"CSCOgs028/CSCOnn028"" "Platform State:ACTIVE" ; Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities. Details ======= SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol. MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks. Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation. 
The following vulnerabilities can cause affected devices to crash: * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601 * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602 * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603 * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604 * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561 * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562 * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563 * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567 The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions. * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565 Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsl39126 - Malformed MGCP packet can crash device CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCsk32606 - Malformed SIP packet can crash device CSCsk40030 - Malformed Session Attribute can crash device CSCsk38165 - Device crash during SIP testing CSCsk44115 - Device crash while processing overly long message CSCsj98521 - Device crash while processing malformed Contact Header CSCsk04588 - Device crash while processing malformed header CSCsz13590 - Malformed SIP header can crash device CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created. 
Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent, software releases. Workarounds =========== There are no workarounds for the vulnerabilities in this advisory. In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because vulnerability prevents new TCP-based session to be created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. 
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. 
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale, should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
|   1.0    | 2010-May-12 | public       |
|          |             | release.     |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
VAR-201005-0330 CVE-2010-1565 Cisco PGW 2200 Softswitch SIP implementation denial-of-service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (TCP socket exhaustion) via unknown vectors, aka Bug ID CSCsk13561. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to stop accepting new TCP connections, effectively denying service to a legitimate user. This issue is tracked by Cisco BugID CSCsk13561. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures. The bug ID is CSCsk13561.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages.

Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

+---------------------------------------+
| Cisco Bug  | Affects All Software     |
| ID         | Releases Prior to This   |
|            | Version(s)               |
|------------+--------------------------|
| CSCsz13590 | 9.8(1)S5                 |
|------------+--------------------------|
| CSCsl39126 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk32606 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk44115 | 9.7(3)S11, 9.7(3)P11     |
|------------+--------------------------|
| CSCsk40030 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsk38165 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsj98521 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk04588 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9       |
+---------------------------------------+

To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state.
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

mml> RTRV-NE
Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
M RTRV
"Type:MGC (Switch Mode)"
"Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
"Vendor:"Cisco Systems, Inc.""
"Location:MGC-01 - Media Gateway Controller"
"Version:"9.7(3)""
"Patch:"CSCOgs028/CSCOnn028""
"Platform State:ACTIVE"
;

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details
=======

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.
The following vulnerabilities can cause affected devices to crash:

  * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl39126 - Malformed MGCP packet can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk32606 - Malformed SIP packet can crash device
CSCsk40030 - Malformed Session Attribute can crash device
CSCsk38165 - Device crash during SIP testing
CSCsk44115 - Device crash while processing overly long message
CSCsj98521 - Device crash while processing malformed Contact Header
CSCsk04588 - Device crash while processing malformed header
CSCsz13590 - Malformed SIP header can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

Impact
======

Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent software releases.

Workarounds
===========

There are no workarounds for the vulnerabilities in this advisory.

In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, the administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because the vulnerability prevents new TCP-based sessions from being created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that support organization for guidance and assistance with the appropriate course of action regarding this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale, should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
|   1.0    | 2010-May-12 | public       |
|          |             | release.     |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
VAR-201005-0331 CVE-2010-1567 Cisco PGW 2200 Softswitch SIP implementation denial-of-service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.8(1)S5 allows remote attackers to cause a denial of service (device crash) via a malformed header, aka Bug ID CSCsz13590. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, effectively denying service to a legitimate user. This issue is tracked by Cisco BugID CSCsz13590. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures. The bug ID is CSCsz13590. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Multiple vulnerabilities in Cisco PGW Softswitch Document ID: 111870 Advisory ID: cisco-sa-20100512-pgw http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml Revision 1.0 For Public Release 2010 May 12 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent from other. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. 
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml Affected Products ================= Vulnerable Products +------------------ The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table. +---------------------------------------+ | Cisco Bug | Affects All Software | | ID | Releases Prior This | | | Version(s) | |------------+--------------------------| | CSCsz13590 | 9.8(1)S5 | |------------+--------------------------| | CSCsl39126 | 9.7(3)S11 | |------------+--------------------------| | CSCsk32606 | 9.7(3)S11 | |------------+--------------------------| | CSCsk44115 | 9.7(3)S11, 9.7(3)P11 | |------------+--------------------------| | CSCsk40030 | 9.7(3)S10 | |------------+--------------------------| | CSCsk38165 | 9.7(3)S10 | |------------+--------------------------| | CSCsj98521 | 9.7(3)S9, 9.7(3)P9 | |------------+--------------------------| | CSCsk04588 | 9.7(3)S9, 9.7(3)P9 | |------------+--------------------------| | CSCsk13561 | 9.7(3)S9, 9.7(3)P9 | +---------------------------------------+ To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state. 
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3): mml> RTRV-NE Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000 M RTRV "Type:MGC (Switch Mode)" "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210" "Vendor:"Cisco Systems, Inc."" "Location:MGC-01 - Media Gateway Controller" "Version:"9.7(3)"" "Patch:"CSCOgs028/CSCOnn028"" "Platform State:ACTIVE" ; Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities. Details ======= SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol. MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks. Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation. 
The following vulnerabilities can cause affected devices to crash: * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601 * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602 * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603 * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604 * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561 * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562 * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563 * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567 The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions. * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565 Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsl39126 - Malformed MGCP packet can crash device CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCsk32606 - Malformed SIP packet can crash device CSCsk40030 - Malformed Session Attribute can crash device CSCsk38165 - Device crash during SIP testing CSCsk44115 - Device crash while processing overly long message CSCsj98521 - Device crash while processing malformed Contact Header CSCsk04588 - Device crash while processing malformed header CSCsz13590 - Malformed SIP header can crash device CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created. 
Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent, software releases. Workarounds =========== There are no workarounds for the vulnerabilities in this advisory. In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because vulnerability prevents new TCP-based session to be created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. 
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. 
Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. 
Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-12 | Initial public release. |
+--------------+-------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
VAR-201005-0055 CVE-2010-0475 Palo Alto Networks Firewall Interface 'editUser.esp' HTML Injection Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in esp/editUser.esp in the Palo Alto Networks firewall 3.0.x before 3.0.9 and 3.1.x before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the role parameter. Palo Alto Networks Firewall is a firewall device. A remote attacker can mount a cross-site scripting attack by submitting a malicious parameter; once the injected script executes in the target user's browser, it can obtain sensitive information or hijack the user's session. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. We will update this BID when more information is available.
VAR-201005-0071 CVE-2010-0602 Cisco PGW 2200 Softswitch SIP implementation service disruption (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S11 allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug ID CSCsk32606. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, effectively denying service to legitimate users. This issue is tracked by Cisco BugID CSCsk32606. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade softswitch that can be used to perform call control in NGN and IMS infrastructures. The bug ID is CSCsk32606.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

+------------+--------------------------+
| Cisco Bug  | Affects All Software     |
| ID         | Releases Prior to This   |
|            | Version(s)               |
|------------+--------------------------|
| CSCsz13590 | 9.8(1)S5                 |
|------------+--------------------------|
| CSCsl39126 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk32606 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk44115 | 9.7(3)S11, 9.7(3)P11     |
|------------+--------------------------|
| CSCsk40030 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsk38165 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsj98521 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk04588 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9       |
+------------+--------------------------+

To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state.
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

    mml> RTRV-NE
       Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
    M  RTRV
       "Type:MGC (Switch Mode)"
       "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
       "Vendor:"Cisco Systems, Inc.""
       "Location:MGC-01 - Media Gateway Controller"
       "Version:"9.7(3)""
       "Patch:"CSCOgs028/CSCOnn028""
       "Platform State:ACTIVE"
       ;

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details
=======

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.
The following vulnerabilities can cause affected devices to crash:

  * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl39126 - Malformed MGCP packet can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk32606 - Malformed SIP packet can crash device
CSCsk40030 - Malformed Session Attribute can crash device
CSCsk38165 - Device crash during SIP testing
CSCsk44115 - Device crash while processing overly long message
CSCsj98521 - Device crash while processing malformed Contact Header
CSCsk04588 - Device crash while processing malformed header
CSCsz13590 - Malformed SIP header can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

Impact
======

Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent software releases.

Workarounds
===========

There are no workarounds for the vulnerabilities in this advisory.

In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, the administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because the vulnerability prevents new TCP-based sessions from being created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
VAR-201005-0073 CVE-2010-0604 Cisco PGW 2200 Softswitch SIP implementation service disruption (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via unknown SIP traffic, as demonstrated by "SIP testing," aka Bug ID CSCsk38165. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, effectively denying service to legitimate users. This issue is tracked by Cisco BugID CSCsk38165. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade softswitch that can be used to perform call control in NGN and IMS infrastructures. For example, "SIP Testing" can be used, and the bug ID is CSCsk40030.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml Affected Products ================= Vulnerable Products +------------------ The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table. +---------------------------------------+ | Cisco Bug | Affects All Software | | ID | Releases Prior This | | | Version(s) | |------------+--------------------------| | CSCsz13590 | 9.8(1)S5 | |------------+--------------------------| | CSCsl39126 | 9.7(3)S11 | |------------+--------------------------| | CSCsk32606 | 9.7(3)S11 | |------------+--------------------------| | CSCsk44115 | 9.7(3)S11, 9.7(3)P11 | |------------+--------------------------| | CSCsk40030 | 9.7(3)S10 | |------------+--------------------------| | CSCsk38165 | 9.7(3)S10 | |------------+--------------------------| | CSCsj98521 | 9.7(3)S9, 9.7(3)P9 | |------------+--------------------------| | CSCsk04588 | 9.7(3)S9, 9.7(3)P9 | |------------+--------------------------| | CSCsk13561 | 9.7(3)S9, 9.7(3)P9 | +---------------------------------------+ To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state. 
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3): mml> RTRV-NE Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000 M RTRV "Type:MGC (Switch Mode)" "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210" "Vendor:"Cisco Systems, Inc."" "Location:MGC-01 - Media Gateway Controller" "Version:"9.7(3)"" "Patch:"CSCOgs028/CSCOnn028"" "Platform State:ACTIVE" ; Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities. Details ======= SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol. MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks. 
The following vulnerabilities can cause affected devices to crash: * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601 * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602 * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603 * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604 * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561 * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562 * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563 * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567 The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions. * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565 Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsl39126 - Malformed MGCP packet can crash device CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCsk32606 - Malformed SIP packet can crash device CSCsk40030 - Malformed Session Attribute can crash device CSCsk38165 - Device crash during SIP testing CSCsk44115 - Device crash while processing overly long message CSCsj98521 - Device crash while processing malformed Contact Header CSCsk04588 - Device crash while processing malformed header CSCsz13590 - Malformed SIP header can crash device CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections CVSS Base Score - 7.8 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact None Integrity Impact None Availability Impact Complete CVSS Temporal Score - 6.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created. 
Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent, software releases. Workarounds =========== There are no workarounds for the vulnerabilities in this advisory. In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because vulnerability prevents new TCP-based session to be created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. 
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. 
Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. 
Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-12 | Initial public release. |
+--------------+-------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
VAR-201005-0171 CVE-2010-1561 Cisco PGW 2200 Softswitch SIP implementation denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S11 and 9.7(3)P before 9.7(3)P11 allows remote attackers to cause a denial of service (device crash) via a long message, aka Bug ID CSCsk44115. The Cisco PGW 2200 Softswitch is a software switch for Cisco's unified communications solution. The Cisco PGW 2200 Softswitch has problems handling SIP test requests, SIP packets and MGCP packets; a remote attacker can exploit each of these to cause a denial of service on the device. A further denial-of-service condition leaves the affected device unable to accept or establish new TCP connections: established calls are not terminated, but no new SIP connection can be established, and new HTTP, SSH or telnet sessions cannot connect. This issue is tracked by Cisco BugID CSCsk44115.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)
- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device.
Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

+------------+--------------------------+
| Cisco Bug  | Affects All Software     |
| ID         | Releases Prior to This   |
|            | Version(s)               |
|------------+--------------------------|
| CSCsz13590 | 9.8(1)S5                 |
|------------+--------------------------|
| CSCsl39126 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk32606 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk44115 | 9.7(3)S11, 9.7(3)P11     |
|------------+--------------------------|
| CSCsk40030 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsk38165 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsj98521 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk04588 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9       |
+------------+--------------------------+

To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command.
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

    mml> RTRV-NE
    Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
    M  RTRV
       "Type:MGC (Switch Mode)"
       "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
       "Vendor:"Cisco Systems, Inc.""
       "Location:MGC-01 - Media Gateway Controller"
       "Version:"9.7(3)""
       "Patch:"CSCOgs028/CSCOnn028""
       "Platform State:ACTIVE"
       ;

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details
=======

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.
The following vulnerabilities can cause affected devices to crash:

  * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection.

  * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl39126 - Malformed MGCP packet can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk32606 - Malformed SIP packet can crash device
CSCsk40030 - Malformed Session Attribute can crash device
CSCsk38165 - Device crash during SIP testing
CSCsk44115 - Device crash while processing overly long message
CSCsj98521 - Device crash while processing malformed Contact Header
CSCsk04588 - Device crash while processing malformed header
CSCsz13590 - Malformed SIP header can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

Impact
======

Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent software releases.

Workarounds
===========

There are no workarounds for the vulnerabilities in this advisory.

In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, the administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because the vulnerability prevents new TCP-based sessions from being created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-12 | Initial public release. |
+--------------+-------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
VAR-201005-0172 CVE-2010-1562 Cisco PGW 2200 Softswitch SIP implementation denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (device crash) via a malformed Contact header, aka Bug ID CSCsj98521. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, effectively denying service to legitimate users. This issue is tracked by Cisco BugID CSCsj98521. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)
- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

+------------+--------------------------+
| Cisco Bug  | Affects All Software     |
| ID         | Releases Prior to This   |
|            | Version(s)               |
|------------+--------------------------|
| CSCsz13590 | 9.8(1)S5                 |
|------------+--------------------------|
| CSCsl39126 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk32606 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk44115 | 9.7(3)S11, 9.7(3)P11     |
|------------+--------------------------|
| CSCsk40030 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsk38165 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsj98521 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk04588 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9       |
+------------+--------------------------+

To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state.
The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

    mml> RTRV-NE
    Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
    M  RTRV
       "Type:MGC (Switch Mode)"
       "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
       "Vendor:"Cisco Systems, Inc.""
       "Location:MGC-01 - Media Gateway Controller"
       "Version:"9.7(3)""
       "Patch:"CSCOgs028/CSCOnn028""
       "Platform State:ACTIVE"
       ;

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details
=======

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation.
The following vulnerabilities can cause affected devices to crash:

  * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl39126 - Malformed MGCP packet can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk32606 - Malformed SIP packet can crash device
CSCsk40030 - Malformed Session Attribute can crash device
CSCsk38165 - Device crash during SIP testing
CSCsk44115 - Device crash while processing overly long message
CSCsj98521 - Device crash while processing malformed Contact Header
CSCsk04588 - Device crash while processing malformed header
CSCsz13590 - Malformed SIP header can crash device

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections

CVSS Base Score - 7.8
    Access Vector            Network
    Access Complexity        Low
    Authentication           None
    Confidentiality Impact   None
    Integrity Impact         None
    Availability Impact      Complete

CVSS Temporal Score - 6.4
    Exploitability           Functional
    Remediation Level        Official Fix
    Report Confidence        Confirmed

Impact
======

Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent software releases.

Workarounds
===========

There are no workarounds for the vulnerabilities in this advisory.

In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, the administrator must manually reboot the affected device to restore the device's ability to accept new connections. Because the vulnerability prevents new TCP-based sessions from being created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+-------------+-------------------------+
| Revision 1.0 | 2010-May-12 | Initial public release. |
+--------------+-------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkvqxeUACgkQ86n/Gc8U/uDSSACaAkFu2uZrHTxH/nHA+t3EH05g
3LcAnjmSVqwTjrB3Ck5IuAopPY2iBssX
=dBOb
-----END PGP SIGNATURE-----
VAR-201005-0070 CVE-2010-0601 Cisco PGW 2200 Softswitch: denial-of-service (DoS) vulnerability in the MGCP implementation CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The MGCP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S11 allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug ID CSCsl39126. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, effectively denying service to legitimate users. This issue is tracked by Cisco BugID CSCsl39126. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0

For Public Release 2010 May 12 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages.

Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

+------------+--------------------------+
| Cisco Bug  | Affects All Software     |
| ID         | Releases Prior to This   |
|            | Version(s)               |
|------------+--------------------------|
| CSCsz13590 | 9.8(1)S5                 |
|------------+--------------------------|
| CSCsl39126 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk32606 | 9.7(3)S11                |
|------------+--------------------------|
| CSCsk44115 | 9.7(3)S11, 9.7(3)P11     |
|------------+--------------------------|
| CSCsk40030 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsk38165 | 9.7(3)S10                |
|------------+--------------------------|
| CSCsj98521 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk04588 | 9.7(3)S9, 9.7(3)P9       |
|------------+--------------------------|
| CSCsk13561 | 9.7(3)S9, 9.7(3)P9       |
+------------+--------------------------+

To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state. The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

mml> RTRV-NE
   Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
M  RTRV
   "Type:MGC (Switch Mode)"
   "Hardware platform:sun4u sparc SUNW,Sun-Fire-V210"
   "Vendor:"Cisco Systems, Inc.""
   "Location:MGC-01 - Media Gateway Controller"
   "Version:"9.7(3)""
   "Patch:"CSCOgs028/CSCOnn028""
   "Platform State:ACTIVE"
   ;

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details
=======

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents.
A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation. The following vulnerabilities can cause affected devices to crash:

  * CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
  * CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
  * CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
  * CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
  * CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
  * CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
  * CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
  * CSCsz13590 (registered customers only), CVE ID CVE-2010-1567

The following vulnerability may cause an affected device to be unable to accept or create a new TCP connection. Existing calls will not be terminated, but no new SIP connections will be established. If exploited, this vulnerability will also prevent the device from establishing any new HTTP, SSH or Telnet sessions.

  * CSCsk13561 (registered customers only), CVE ID CVE-2010-1565

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl39126 - Malformed MGCP packet can crash device

CVSS Base Score - 7.8
    Access Vector             Network
    Access Complexity         Low
    Authentication            None
    Confidentiality Impact    None
    Integrity Impact          None
    Availability Impact       Complete

CVSS Temporal Score - 6.4
    Exploitability            Functional
    Remediation Level         Official Fix
    Report Confidence         Confirmed

CSCsk32606 - Malformed SIP packet can crash device
CSCsk40030 - Malformed Session Attribute can crash device
CSCsk38165 - Device crash during SIP testing
CSCsk44115 - Device crash while processing overly long message
CSCsj98521 - Device crash while processing malformed Contact Header
CSCsk04588 - Device crash while processing malformed header
CSCsz13590 - Malformed SIP header can crash device

CVSS Base Score - 7.8
    Access Vector             Network
    Access Complexity         Low
    Authentication            None
    Confidentiality Impact    None
    Integrity Impact          None
    Availability Impact       Complete

CVSS Temporal Score - 6.4
    Exploitability            Functional
    Remediation Level         Official Fix
    Report Confidence         Confirmed

CSCsk13561 - Exhaustion of TCP sockets prevents device from accepting new connections

CVSS Base Score - 7.8
    Access Vector             Network
    Access Complexity         Low
    Authentication            None
    Confidentiality Impact    None
    Integrity Impact          None
    Availability Impact       Complete

CVSS Temporal Score - 6.4
    Exploitability            Functional
    Remediation Level         Official Fix
    Report Confidence         Confirmed

Impact
======

Successful exploitation of all but one vulnerability in this advisory can crash the affected device. The remaining vulnerability will not crash the affected device, but it can lead to a DoS condition in which no new TCP-based connections will be accepted or created.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

All vulnerabilities listed in this Security Advisory are addressed in Cisco PGW 2200 Softswitch version 9.7(3)S11, version 9.8(1)S5, and subsequent software releases.

Workarounds
===========

There are no workarounds for the vulnerabilities in this advisory.

In the case of the vulnerability that corresponds to Cisco Bug ID CSCsk13561, an administrator must manually reboot the affected device to restore its ability to accept new connections. Because the vulnerability prevents new TCP-based sessions from being created, this reboot can be initiated only from the console. If a failover device is configured, existing sessions will continue while the affected device is reloading. Without a failover device, all active sessions will be terminated while the affected device is reloading.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100512-pgw.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action with regard to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
VAR-201005-0072 CVE-2010-0603 Cisco PGW 2200 Softswitch: denial-of-service (DoS) vulnerability in the SIP implementation CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via a malformed session attribute, aka Bug ID CSCsk40030. Cisco PGW 2200 Softswitch is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, effectively denying service to a legitimate user. This issue is tracked by Cisco BugID CSCsk40030. NOTE: This issue was previously documented in BID 40110 (Cisco PGW 2200 Softswitch Multiple Denial of Service Vulnerabilities), but has been given its own record to better document it. The Cisco PGW 2200 is a carrier-grade software switch that can be used to perform call control in NGN and IMS infrastructures. The bug ID is CSCsk40030.

Vendor advisory: Multiple vulnerabilities in Cisco PGW Softswitch, Document ID 111870, Advisory ID cisco-sa-20100512-pgw, Revision 1.0, For Public Release 2010 May 12 1600 UTC (GMT): http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
VAR-201005-0332 CVE-2010-1568 Cisco IronPort Desktop Flag Plug-in for Outlook: vulnerability in the Send Secure function allows retrieval of plaintext e-mail content CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Send Secure functionality in the Cisco IronPort Desktop Flag Plug-in for Outlook before 6.5.0-006 does not properly handle simultaneously composed messages, which might allow remote attackers to obtain cleartext contents of e-mail messages that were intended to be encrypted, aka bug 65623. Cisco IronPort Desktop Flag Plug-in for Outlook is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. Cisco IronPort Desktop Flag Plug-in for Outlook versions 6.2.4.3, up to but not including 6.5.0-006, are vulnerable. This issue is being tracked by Cisco IronPort bug 65623.
VAR-201005-0110 CVE-2010-1291 Adobe Shockwave Player Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, and CVE-2010-1290. Adobe Shockwave Player is prone to a memory-corruption vulnerability. Adobe Shockwave Player 11.5.6.606 and prior are vulnerable. NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The vulnerable software fails to validate attacker-supplied input when processing .dir (Director) files, resulting in a crash with several CPU registers overwritten by file-controlled data (note edx=41414140 and ECX=41414141 in the dumps below).

Crash dump from the published test case (WinDbg, first-chance exception):

(f94.ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll -
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????

A second register dump, with EIP in IML32.dll:

EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F

Tested on: Microsoft Windows XP Professional SP3 (English).

The Secunia advisory for APSB10-12 enumerates the following issues:

1) A boundary error while processing FFFFFF45h Shockwave 3D blocks can be exploited to corrupt memory.
2) A signedness error in the processing of Director files can be exploited to corrupt memory.
3) An array indexing error when processing Director files can be exploited to corrupt memory.
4) An integer overflow error when processing Director files can be exploited to corrupt memory.
5) An error when processing asset entries contained in Director files can be exploited to corrupt memory.
6) A boundary error when processing embedded fonts can be exploited to cause a heap-based buffer overflow via a specially crafted Director file.
7) An error when processing Director files can be exploited to overwrite 4 bytes of memory.
8) An error in the implementation of ordinal function 1409 in iml32.dll can be exploited to corrupt heap memory via a specially crafted Director file.
9) An error when processing a 4-byte field inside FFFFFF49h Shockwave 3D blocks can be exploited to corrupt heap memory.
10) An unspecified error can be exploited to corrupt memory.
11) A second unspecified error can be exploited to corrupt memory.
12) A third unspecified error can be exploited to corrupt memory.
13) A fourth unspecified error can be exploited to cause a buffer overflow.
14) A fifth unspecified error can be exploited to corrupt memory.
15) A sixth unspecified error can be exploited to corrupt memory.
16) A seventh unspecified error can be exploited to corrupt memory.
17) An error when processing signed values encountered while parsing "pami" RIFF chunks can be exploited to corrupt memory.

The vulnerabilities are reported in versions 11.5.6.606 and prior on Windows and Macintosh.

SOLUTION: Update to version 11.5.7.609. http://get.adobe.com/shockwave/

PROVIDED AND/OR DISCOVERED BY:
1-6) Alin Rad Pop, Secunia Research
The vendor also credits:
2) Nahuel Riva of Core Security Technologies.
3) Chaouki Bekrar of Vupen, Code Audit Labs, and an anonymous person working with iDefense.
7) Chaouki Bekrar and Sebastien Renaud of Vupen, Code Audit Labs, Gjoko Krstic of Zero Science Lab, and Chro HD of Fortinet's FortiGuard Labs.
8, 17) An anonymous person working with ZDI.
9) Chaouki Bekrar of Vupen and an anonymous person working with ZDI.
10) Chaouki Bekrar of Vupen.
11-16) Chro HD of Fortinet's FortiGuard Labs.

CHANGELOG: 2010-05-12: Updated "Extended Description" and added PoCs for vulnerabilities #2, #3, #4, and #6.

ORIGINAL ADVISORY:
Adobe: http://www.adobe.com/support/security/bulletins/apsb10-12.html
Secunia Research: http://secunia.com/secunia_research/2010-17/ http://secunia.com/secunia_research/2010-19/ http://secunia.com/secunia_research/2010-20/ http://secunia.com/secunia_research/2010-22/ http://secunia.com/secunia_research/2010-34/ http://secunia.com/secunia_research/2010-50/
ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-087/ http://www.zerodayinitiative.com/advisories/ZDI-10-088/ http://www.zerodayinitiative.com/advisories/ZDI-10-089/
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=869
Code Audit Labs: http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0137.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0138.html http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0139.html
Zero Science Lab: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php
Core Security Technologies: http://www.coresecurity.com/content/adobe-director-invalid-read
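The bug classes Secunia lists above (a signedness error, an integer overflow, an array-indexing error and boundary errors in chunk parsing) are generic file-parser defects rather than anything unique to Shockwave. The C program below is an added example written for this page; it is not code from Adobe, Secunia or any of the credited researchers, and it does not model the real Director file format. It assumes a hypothetical RIFF-style layout (4-byte tag, 32-bit little-endian payload length, payload, one pad byte after an odd length) and shows, side by side, the naive length and table-size checks that the signedness and integer-overflow classes defeat, the hardened checks a parser should use instead, and a chunk walker that refuses to step past the end of its buffer. The sample chunk buffers are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical chunk layout assumed for this example only (NOT the real
 * Director/Shockwave format): 4-byte tag | uint32 LE payload length |
 * payload | one pad byte if the length is odd. */
#define HDR_LEN 8

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* --- Naive checks that reproduce two of the advisory's bug classes --- */

/* Signedness error: the file-supplied length is compared as a signed int, so
 * any value >= 0x80000000 reads as negative and passes "len < remaining". */
bool naive_len_ok(uint32_t len, size_t remaining) {
    int32_t slen = (int32_t)len;
    return slen < (int32_t)remaining;
}

/* Integer overflow: count * entry_size wraps in 32 bits, so a tiny buffer is
 * judged large enough for a huge element count and the copy loop that
 * follows runs off the end of the allocation. */
bool naive_table_ok(uint32_t count, uint32_t entry_size, size_t remaining) {
    uint32_t bytes = count * entry_size;   /* unsigned wrap: defined, but wrong */
    return bytes <= remaining;
}

/* --- Hardened equivalents --- */

bool hardened_len_ok(uint32_t len, size_t remaining) {
    return (size_t)len <= remaining;       /* unsigned compare, no sign confusion */
}

bool hardened_table_ok(uint32_t count, uint32_t entry_size, size_t remaining) {
    if (entry_size == 0) return count == 0;
    if (count > UINT32_MAX / entry_size) return false;   /* product would overflow */
    return (size_t)count * entry_size <= remaining;
}

/* Array-indexing class: a file-supplied index must be range-checked against
 * the table it selects from before it is used. */
bool hardened_index_ok(uint32_t idx, size_t table_entries) {
    return idx < table_entries;
}

/* Walk a chunk buffer using the hardened length check. Returns the number of
 * well-formed chunks, or -1 as soon as a chunk header is truncated or a
 * declared length would run past the end of the buffer. */
int walk_chunks(const uint8_t *buf, size_t n) {
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < HDR_LEN) return -1;
        uint32_t len = rd_le32(buf + off + 4);
        size_t remaining = n - off - HDR_LEN;
        if (!hardened_len_ok(len, remaining)) return -1;
        off += HDR_LEN + len;               /* cannot overflow: len <= remaining */
        if ((len & 1u) && off < n) off++;   /* skip the pad byte */
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from any real .dir file). */
/* Two well-formed chunks: "pami" with 4 payload bytes, "XTRA" with 3 (+1 pad). */
static const uint8_t SAMPLE_GOOD[] = {
    'p','a','m','i', 4,0,0,0, 0xDE,0xAD,0xBE,0xEF,
    'X','T','R','A', 3,0,0,0, 1,2,3, 0
};
/* One chunk whose length field is 0xFFFFFFF0 (-16 as int32) with 4 payload bytes. */
static const uint8_t SAMPLE_BAD[] = {
    'p','a','m','i', 0xF0,0xFF,0xFF,0xFF, 0,0,0,0
};

int main(void) {
    printf("naive_len_ok(0xFFFFFFF0, 4)        = %d (bug: accepted)\n", naive_len_ok(0xFFFFFFF0u, 4));
    printf("hardened_len_ok(0xFFFFFFF0, 4)     = %d\n", hardened_len_ok(0xFFFFFFF0u, 4));
    printf("naive_table_ok(0x40000001, 4, 16)  = %d (bug: product wraps to 4)\n",
           naive_table_ok(0x40000001u, 4, 16));
    printf("hardened_table_ok(0x40000001,4,16) = %d\n", hardened_table_ok(0x40000001u, 4, 16));
    printf("walk_chunks(SAMPLE_GOOD) = %d\n", walk_chunks(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("walk_chunks(SAMPLE_BAD)  = %d\n", walk_chunks(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra` and run. The naive checks return true for the crafted values, which is exactly the defect: a negative-looking length or a wrapped product passes the bounds test and the parser then reads or copies far beyond the buffer. The hardened checks reject the same values, and walk_chunks returns -1 for the malformed buffer instead of advancing its offset past the end of the data.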
VAR-201005-0109 CVE-2010-1290 Adobe Shockwave Player Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, and CVE-2010-1291. Adobe Shockwave Player is prone to a memory-corruption vulnerability. Adobe Shockwave Player 11.5.6.606 and prior are vulnerable. NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The crash dump, Secunia issue list, solution, credits and original advisory references for this CVE are identical to those given under VAR-201005-0110 (CVE-2010-1291) above.
VAR-201005-0108 CVE-2010-1289 Adobe Shockwave Player Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1290, and CVE-2010-1291. Adobe Shockwave Player is prone to an unspecified remote code-execution vulnerability. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Shockwave Player 11.5.6.606 and prior are vulnerable. NOTE: This issue was previously discussed in BID 40066 (Adobe Shockwave Player APSB10-12 Multiple Remote Vulnerabilities) but has been given its own record to better document it. The crash dump, Secunia issue list, solution, credits and original advisory references for this CVE are identical to those given under VAR-201005-0110 (CVE-2010-1291) above.