VARIoT IoT vulnerabilities database

The SIP Proxy (SIPD) service in Cisco Unified Presence before 6.0(3) allows remote attackers to cause a denial of service (core dump and service interruption) via a TCP port scan, aka Bug ID CSCsj64533. The problem is Bug ID : CSCsj64533 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. An attacker can exploit this issue to cause denial-of-service conditions for legitimate users. These vulnerabilities were discovered internally by Cisco, and there are no workarounds. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml. Administrators of systems running all Cisco Unified Presence versions can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command show version active via the Command Line Interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Presence collects information about a user's availability status and communications capabilities. Using information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco Unified Communications Manager can improve productivity by helping users connect with colleagues more efficiently by determining the most effective means for collaborative communication. There are no workarounds for these vulnerabilities. Cisco Unified Presence version 6.0(1) is the upgrade path for Cisco Unified Presence version 1.0. There is no workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsh50164 - PE Service core dumps when it receives malformed packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsh20972 - PE Service core dumps under stress test CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj64533 - SIPD service core dumps during TCP port scan CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Fixes for all the vulnerabilities listed in this advisory are included in Cisco Unified Presence version 6.0(3) that is available at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were internally discovered by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw1+86n/Gc8U/uARAlunAJ9UTjai8ZofKwUcH7B3CqyBetjIDwCdHgUI 91czchLkcIoB9pmUP9zWEI0= =gkID -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. performing a TCP port scan on an affected system. SOLUTION: Update to version 6.0(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, as demonstrated by TCPFUZZ, aka Bug ID CSCsj80609. TCPFUZZ A series of deliberately created, as demonstrated by TCP Service disruption via packets (DoS) There is a possibility of being put into a state. The problem is Bug ID : CSCsj80609 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. SIP-Related Vulnerabilities Cisco Unified Communications Manager versions 5.x and 6.x contain a vulnerability in the handling of malformed SIP JOIN messages that may result in a DoS condition. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. For Cisco Unified Communications Manager 5.x and 6.x systems, the SNMP Trap service is controlled via the Cisco CallManager SNMP Service selection on the Control Center Feature Services screen. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, aka Bug ID CSCsi98433. The problem is Bug ID : CSCsi98433 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, and 4.3 before 4.3(2) allows remote attackers to cause a denial of service (service crash) via malformed network traffic, aka Bug ID CSCsk46770. Cisco Unified Communications Manager (CUCM) There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsk46770 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Cisco Unified Communications Manager (CUCM) 5.x before 5.1(2) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (service interruption) via a SIP JOIN message with a malformed header, aka Bug ID CSCsi48115. Cisco Unified Communications Manager (CUCM) There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsi48115 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

The SNMP Trap Agent service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (core dump and service restart) via a series of malformed UDP packets, as demonstrated by the IP Stack Integrity Checker (ISIC), aka Bug ID CSCsj24113. Cisco Unified Communications Manager (CUCM) There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsj24113 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. CISCO AKA BUG number CSCsj24113. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Unspecified vulnerability in Cisco Unified Communications Manager 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (CCM service restart) via an unspecified SIP INVITE message, aka Bug ID CSCsk46944. Cisco Unified Communications Manager There is a service disruption (DoS) An unknown vulnerability exists. The problem is Bug ID : CSCsk46944 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. The vulnerability stems from the failure of the network system or product to properly validate the input data. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Cisco Unified Communications Manager 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) does not properly validate SIP URLs, which allows remote attackers to cause a denial of service (service interruption) via a SIP INVITE message, aka Bug ID CSCsl22355. Cisco Unified Communications Manager There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsl22355 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco CUCM 4.1 prior to 4.1(3)SR7, 4.2 prior to 4.2(3)SR4, 4.3 prior to 4.3(2), 5.x prior to 5.1(3), 6. There is an input validation error vulnerability in version x, which is caused by not validating the SIP URL properly. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Memory leak in Cisco Content Switching Module (CSM) 4.2(3) up to 4.2(8) and Cisco Content Switching Module with SSL (CSM-S) 2.1(2) up to 2.1(7) allows remote attackers to cause a denial of service (memory consumption) via TCP segments with an unspecified combination of TCP flags. Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. This issue occurs when CSM and CSM-S are configured to use layer 7 load balancing. An attacker can exploit this issue to cause devices using the module to stop accepting TCP connections or to overload, denying service to legitimate users. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Cisco CSM 4.2.9: http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2 Cisco CSM 2.1.8: http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml. Affected Products ================= Vulnerable Products +------------------ The Cisco CSM and Cisco CSM-S are affected by the vulnerability described in this document if they are running an affected software version and are configured for layer 7 load balancing. The following versions of the Cisco CSM software are affected by this vulnerability: 4.2(3), 4.2(3a), 4.2(4), 4.2(5), 4.2(6), 4.2(7), and 4.2(8). The following versions of the Cisco CSM-S software are also affected by this vulnerability: 2.1(2), 2.1(3), 2.1(4), 2.1(5), 2.1(6), and 2.1(7). To determine the software version in use by the CSM or CSM-S, log into the supervisor of the chassis that hosts the CSM or CSM-S modules and issue the command "show module version" (Cisco IOS) or "show version" (Cisco CatOS). CSM modules will display as model "WS-X6066-SLB-APC", CSM-S modules will display as model "WS-X6066-SLB-S-K9", and the software version will be indicated next to the "Sw:" label. Note that the output from "show module version" (for Cisco IOS) is slightly different from the output from "show version" (for Cisco CatOS). However, in both cases the model names will read as previously described, and the software version will be easily identified by looking for the "Sw:" label. The following example shows a CSM in slot number 4 running software version 4.2(3): switch>show module version Mod Port Model Serial # Versions +--- ---- ------------------ ----------- ------------------------------------- 1 3 WS-SVC-AGM-1-K9 SAD092601W5 Hw : 1.0 Fw : 7.2(1) Sw : 5.0(3) 2 6 WS-SVC-FWM-1 SAD093200X8 Hw : 3.0 Fw : 7.2(1) Sw : 3.2(3)1 3 8 WS-SVC-IDSM-2 SAD0932089Z Hw : 5.0 Fw : 7.2(1) Sw : 5.1(6)E1 4 4 WS-X6066-SLB-APC SAD093004BD Hw : 1.7 Fw : Sw : 4.2(3) 5 2 WS-SUP720-3B SAL0934888E Hw : 4.4 Fw : 8.1(3) Sw : 12.2(18)SXF11 Sw1: 8.6(0.306)R3V15 WS-SUP720 SAL09348488 Hw : 2.3 Fw : 12.2(17r)S2 Sw : 12.2(18)SXF11 WS-F6K-PFC3B SAL0934882R Hw : 2.1 A Cisco CSM or CSM-S is configured for layer 7 load balancing if one or more layer 7 Server Load Balancing (SLB) policies are referenced in the configuration of a virtual server. There are six possible types of SLB policies: "client-group", "cookie-map", "header-map", "reverse-sticky", "sticky-group", and "url-map". Of these, the "client-group" policy type is always a layer 4 policy. The remaining policy types are layer 7 policies and, if used, would render a device affected by the vulnerability described in this document. Note the SLB policy "TEST-SPORTS-50", which uses "url-map" and "header-map" layer 7 policies, and that is applied to the virtual server named "WEB": module ContentSwitchingModule 5 [...] ! policy TEST-SPORTS-50 url-map SPORTS header-map TEST client-group 50 serverfarm WEBFARM2 ! vserver WEB virtual 10.20.221.100 tcp www serverfarm WEBFARM persistent rebalance slb-policy TEST-SPORTS-50 inservice Products Confirmed Not Vulnerable +-------------------------------- Only Cisco CSM modules running indicated 4.2 versions are affected by this vulnerability. CSM software versions 4.1, 3.2 and 3.1 are not affected by this vulnerability. Cisco CSM-S modules running indicated 2.1 versions are the only vulnerable versions of software for that product. The Cisco IOS SLB feature is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. The Cisco Secure Content Accelerator is not affected by this vulnerability. Details ======= The Cisco CSM is an integrated SLB line card for the Catalyst 6500 and 7600 Series that is designed to enhance the response time for client traffic to end points including servers, caches, firewalls, Secure Sockets Layer (SSL) devices, and VPN termination devices. The Cisco CSM-S combines high-performance SLB with SSL offload. The CSM-S is similar to the CSM; however, unlike the CSM, the CSM-S can terminate and initiate SSL-encrypted traffic. This ability allows the CSM-S to perform intelligent load balancing while ensuring secure end-to-end encryption. The memory leak can be detected by issuing the command "show module ContentSwitchingModule <slot #> tech-support all | include Outstanding" on the supervisor and checking the command output for a high number of outstanding buffers as seen in the following example: switch#show module ContentSwitchingModule 10 tech-support all | include Outstanding Outstanding slowpath(low pri) buffers 0 0 Outstanding slowpath(high pri) buffers 0 0 Outstanding blocks 0 0 Outstanding small buffers 0 0 Outstanding medium buffers 823 0 Outstanding large buffers 0 0 Outstanding sessions 0 0 Outstanding Closes 0 0 Close Relinquish Outstanding 0 Because small, medium, and large buffers can be affected by the memory leak, administrators are advised to check the number of these buffers in the output from the preceding command to accurately detect a memory leak condition. This vulnerability is documented in Cisco Bug ID CSCsl40722 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-1749. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS Cat http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * CSM: Potential buffer loss with irregular client streams (CSCsl40722) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability against a system running a vulnerable version of the Cisco CSM or the Cisco CSM-S software may cause the CSM or CSM-S to stop passing traffic. Repeated attacks may result in a prolonged DoS condition, which could affect the services that are offered by the end point devices behind the CSM or CSM-S. Note that the supervisor or any other non-CSM or non-CSM-S service module in the same chassis of the Catalyst 6500 switch or 7600 Series router that hosts the CSM or CSM-S will not be affected by this vulnerability. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. This vulnerability is fixed in version 4.2.9 of the Cisco CSM software, and in version 2.1.8 of the Cisco CSM-S software. CSM software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2. Information on how to upgrade the CSM software is available at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080094526.shtml. CSM-S software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2. Information on how to upgrade the CSM-S software is available at http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/getstart.html#wp1041858. Workarounds =========== There are no workarounds for this vulnerability. When the Cisco CSM or Cisco CSM-S has run out of memory it will simply stop passing traffic and it will have to be reloaded. The CSM and CSM-S can be reloaded via the command "hw-module module <CSM or CSM-S slot number> reset" (Cisco IOS) or via the command "reset <CSM or CSM-S slot number>" (Cisco CatOS) from the privileged EXEC prompt of the supervisor. There is no need to reload the supervisor. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during the investigation of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-14 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- All contents are Copyright (C) 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 14, 2008 Document ID: 105450 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIKvyq86n/Gc8U/uARAknKAJ4h3Cv1kvEwebcrqEaYQ8J+AWcfvACggljK o0g1JsSfpI6hXBtkEYmWJj4= =B29t -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in AccessCodeStart.asp in Cisco Building Broadband Service Manager (BBSM) Captive Portal 5.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Cisco BBSM 5.3 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Input passed to the "msg" parameter in AccessCodeStart.asp is not properly sanitised before being returned to a user. SOLUTION: Apply patch BBSMPatch5332.zip. http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=5.3&mdfid=278455427&sftType=Building%20Broadband%20Service%20Manager%20(BBSM)%20Updates&optPlat=&nodecount=2&edesignator=null&modelName=Cisco%20Building%20Broadband%20Service%20Manager%205.3&treeMdfId=281527126&treeName=Network%20Monitoring%20and%20Management PROVIDED AND/OR DISCOVERED BY: Brad Antoniewicz ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2008-05/0166.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (engine hang and restart) via a crafted file, a different vulnerability than CVE-2008-1438. Attackers can exploit this issue to cause an affected computer to stop responding or to restart. Successful attacks will deny service to legitimate users. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. PROVIDED AND/OR DISCOVERED BY: The vendor credits SoWhat, Nevis Labs. ORIGINAL ADVISORY: MS08-029 (KB952044): http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Microsoft Malware Protection Engine TWO DoS Vulnerabilities By Sowhat of Nevis Labs Date: 2008.05.14 http://www.nevisnetworks.com http://secway.org/advisory/AD20080514.txt CVE: CVE-2008-1437 CVE-2008-1438 Vendor Microsoft Affected: Windows Live OneCare Microsoft Antigen for Exchange Microsoft Antigen for SMTP Gateway Microsoft Windows Defender Microsoft Forefront Client Security Microsoft Forefront Security for Exchange Server Microsoft Forefront Security for SharePoint Standalone System Sweeper located in Diagnostics and Recovery Toolset 6.0 Details: There are two vulnerabilities idenitified in Microsoft Antivirus product. These vulnerabilities can be exploited to cause Denial of service. 1. CVE-2008-1437 PE Parsing Memory Corruption While scanning a specially crafted PE file, Malware orotection engine (MsMpEng.exe/mpengine.dll for Windows Live OneCare) will crash. Currently, There's no evidence of code execution found. Please note that this vulnerability can be triggered in various ways: a. by sending emails to target mail server which is protected by MS antivirus b. by sending emails to victim who is using Windows Onecare or Windows Defender. c. by convining the victim to visit some websites. d. by sending files (can be any extension) to victims through P2P/IM. Real Time protection is enabled by default, so in the case b&c, the vulnerability can be exploited without any further user interaction after the victim recieved the email or opened the website. 2. CVE-2008-1438 PE Parsing Disk Space D.o.S While parsing a specially crafted file with a malformed "size of header" is scanned by Microsoft Windows OneCare, there will be Disk Space DOS condition. Microsoft Malware protection engine will allocate disk space as much as the PE file "claimed", It can "eat" several Gb disk space of Windows installation driver. Proof of Concept: No POC will be released. Fix: Microsoft has released an update address this issue. http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx Vendor Response: 2008.04.18 Vendor notified via email 2008.04.18 Vendor response, developing for patch 2008.05.14 Patch Release 2008.05.14 Advisory released -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?" . The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code. II. Impact A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the May 2008 Security Bulletin Summary. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft May 2008 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms08-may> * Microsoft Security Bulletin Summary for May 2008 - <http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx> * Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-134A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-134A Feedback VU#534907" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 13, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSCnrE/RFkHkM87XOAQJAoAf/XrkJlT9AS30/CZwAMO9qta8TbtLQTZR3 /yAV/h2CmOKhFsbjdh8L4+GcP0n66twWhmMBfBs6BosOoaqqhkeJcE6JoyQ2Kso1 MnhXjPJuGtgEPcfYX9bg42rnZ5WDXGh9EuhoZVyUV4UeUQ8qRM8LL3OIWBHubE7R fcOqIVDz/qtCC1U+RUdrbdeV8XB48mshiLoWjxzOT0FzeOKsBwsyHzaO5mAeEy4E 1hsLC2u4idGlq9Ezl82XODyH6vtHBKq7yKDv+FkVHbCqwB+thqPkUo2es+amASra shcJggg39WWmPWphqnBz94rkdwitsvW3ymOWt1F27GecX1sveofLDQ== =rhf4 -----END PGP SIGNATURE-----

Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (disk space exhaustion) via a file with "crafted data structures" that trigger the creation of large temporary files, a different vulnerability than CVE-2008-1437. (DoS) There is a vulnerability that becomes a condition.The processing of a file crafted by a third party can create a large temporary file that can run out of disk space. Attackers can exploit this issue to cause an affected computer to stop responding or to restart. Successful attacks will deny service to legitimate users. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. PROVIDED AND/OR DISCOVERED BY: The vendor credits SoWhat, Nevis Labs. ORIGINAL ADVISORY: MS08-029 (KB952044): http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Microsoft Malware Protection Engine TWO DoS Vulnerabilities By Sowhat of Nevis Labs Date: 2008.05.14 http://www.nevisnetworks.com http://secway.org/advisory/AD20080514.txt CVE: CVE-2008-1437 CVE-2008-1438 Vendor Microsoft Affected: Windows Live OneCare Microsoft Antigen for Exchange Microsoft Antigen for SMTP Gateway Microsoft Windows Defender Microsoft Forefront Client Security Microsoft Forefront Security for Exchange Server Microsoft Forefront Security for SharePoint Standalone System Sweeper located in Diagnostics and Recovery Toolset 6.0 Details: There are two vulnerabilities idenitified in Microsoft Antivirus product. These vulnerabilities can be exploited to cause Denial of service. 1. CVE-2008-1437 PE Parsing Memory Corruption While scanning a specially crafted PE file, Malware orotection engine (MsMpEng.exe/mpengine.dll for Windows Live OneCare) will crash. Currently, There's no evidence of code execution found. Please note that this vulnerability can be triggered in various ways: a. by sending emails to target mail server which is protected by MS antivirus b. by sending emails to victim who is using Windows Onecare or Windows Defender. c. by convining the victim to visit some websites. d. by sending files (can be any extension) to victims through P2P/IM. Real Time protection is enabled by default, so in the case b&c, the vulnerability can be exploited without any further user interaction after the victim recieved the email or opened the website. 2. Proof of Concept: No POC will be released. Fix: Microsoft has released an update address this issue. http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx Vendor Response: 2008.04.18 Vendor notified via email 2008.04.18 Vendor response, developing for patch 2008.05.14 Patch Release 2008.05.14 Advisory released -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?" . The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code. II. Impact A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the May 2008 Security Bulletin Summary. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft May 2008 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms08-may> * Microsoft Security Bulletin Summary for May 2008 - <http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx> * Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-134A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-134A Feedback VU#534907" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 13, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSCnrE/RFkHkM87XOAQJAoAf/XrkJlT9AS30/CZwAMO9qta8TbtLQTZR3 /yAV/h2CmOKhFsbjdh8L4+GcP0n66twWhmMBfBs6BosOoaqqhkeJcE6JoyQ2Kso1 MnhXjPJuGtgEPcfYX9bg42rnZ5WDXGh9EuhoZVyUV4UeUQ8qRM8LL3OIWBHubE7R fcOqIVDz/qtCC1U+RUdrbdeV8XB48mshiLoWjxzOT0FzeOKsBwsyHzaO5mAeEy4E 1hsLC2u4idGlq9Ezl82XODyH6vtHBKq7yKDv+FkVHbCqwB+thqPkUo2es+amASra shcJggg39WWmPWphqnBz94rkdwitsvW3ymOWt1F27GecX1sveofLDQ== =rhf4 -----END PGP SIGNATURE-----

Multiple cross-site scripting (XSS) vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ltarget parameter to (a) admin/admin_frame.php and the (2) conf parameter to (b) gbuch.admin.php, (c) links.admin.php, (d) menue.admin.php, (e) news.admin.php, and (f) todo.admin.php in admin/module/. (a) admin/admin_frame.php To ltarget Parameters (b) admin/module Subordinate gbuch.admin.php To conf Parameters (c) admin/module Subordinate links.admin.php To conf Parameters (d) admin/module Subordinate menue.admin.php To conf Parameters (e) admin/module Subordinate news.admin.php To conf Parameters (f) admin/module Subordinate todo.admin.php To conf Parameters. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. UPDATE (June 2, 2008): The vendor reports that the application is not vulnerable to the issue, but this has not been confirmed

Unspecified vulnerability in Citrix Access Gateway Standard Edition 4.5.7 and earlier and Advanced Edition 4.5 HF2 and earlier allows attackers to bypass authentication and gain "access to network resources" via unspecified vectors. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 4.5.7 Rev A: http://support.citrix.com/article/CTX116762 4.5.5, 4.5.6 and 4.5.7 patch: http://support.citrix.com/article/CTX117001 * may cause custom software configurations to become non-functional PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Citrix (CTX116930): http://support.citrix.com/article/CTX116930 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in ZyXEL ZyWALL 100 allows remote attackers to inject arbitrary web script or HTML via the Referer header, which is not properly handled in a 404 Error page. ZyWALL 100 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Learn more: http://secunia.com/network_software_inspector_2/ ---------------------------------------------------------------------- TITLE: ZyXEL ZyWALL 100 "Referer" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA30142 VERIFY ADVISORY: http://secunia.com/advisories/30142/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: ZyXEL ZyWALL Series http://secunia.com/product/147/ DESCRIPTION: Deniz Cevik has reported a vulnerability in ZyXEL ZyWALL 100, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the "Referer" HTTP header to the web management interface is not properly sanitised before being returned to the user. SOLUTION: Do not browse untrusted websites or follow untrusted links while being logged in to the web management interface. PROVIDED AND/OR DISCOVERED BY: Deniz Cevik ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062152.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in SonicWall Email Security 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the Host header in a request to a non-existent web page, which is not properly sanitized in an error page. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. SonicWALL Email Security 6.1.1 is vulnerable; other versions may also be affected. The vulnerability was not filtered out in the error page

The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length value in a Registration packet to TCP port 5413, which causes a memory allocation failure. Wonderware SuiteLink Crafted by TCP Denial of service when processing packets (DoS) There are vulnerabilities that may be affected. Wonderware SuiteLink Is the protocol used in the control system. Implemented this protocol Wonderware SuiteLink Service(slssvc.exe) Is Windows As a service on 5413/tcp Use to communicate. Wonderware SuiteLink Service(slssvc.exe) In TCP There is a problem with the processing of the packet, and receiving a specially crafted packet can cause a service outage.Denial of service by remote third party (DoS) There is a possibility of being attacked. WonderWare is a supplier of industrial automation and information software solutions. WonderWare has a vulnerability in processing malformed request data, which could be exploited by remote attackers to render services unavailable. WonderWare's SuiteLink service listens for connections on port 5413 / TCP. Non-authenticated client programs connected to the service can send malformed messages, and by calling the new () operator, the memory allocation operation fails and returns a null pointer. Due to the lack of error checking on the results of memory allocation operations, the program may later use null pointers as targets for memory copy operations, which may trigger memory access exceptions and terminate services. An attacker can trigger a memory allocation operation failure by specifying an oversized field in the Registration message. The following binary program segment describes the cause of the vulnerability: .text: 00405C1B mov esi, [ebp + dwLen]; Our value from packet  ...  .text: 00405C20 push edi  .text: 00405C21 test esi, esi; Check value! = 0  ...  .text: 00405C31 push esi; Alloc with our length  .text: 00405C32 mov [ebp + var_4], 0  .text: 00405C39 call operator new (uint); Big values return NULL  .text: 00405C3E mov ecx, esi; Memcpy with our length  .text: 00405C40 mov esi, [ebp + pDestionationAddr]  .text: 00405C43 mov [ebx + 4], eax; new result is used as dest  .text: 00405C46 mov edi, eax; address without checks.  .text: 00405C48 mov eax, ecx  .text: 00405C4A add esp, 4  .text: 00405C4D shr ecx, 2  .text: 00405C50 rep movsd; AV due to invalid  .text: 00405C52 mov ecx, eax; destination pointer.  .text: 00405C54 and ecx, 3  ------------ /. Wonderware SuiteLink is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to execute arbitrary code, but this has not been confirmed. Versions prior to Wonderware SuiteLink 2.0 Patch 01 are vulnerable. UPDATE: References to Wonderware InTouch 8.0 have been removed; that software is not affected by this vulnerability. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. PROVIDED AND/OR DISCOVERED BY: Sebastian Muniz, Core Security Technologies ORIGINAL ADVISORY: Wonderware (requires login): http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm CORE-2008-0129: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2187 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Wonderware SuiteLink Denial of Service vulnerability *Advisory Information* Title: Wonderware SuiteLink Denial of Service vulnerability Advisory ID: CORE-2008-0129 Advisory URL: http://www.coresecurity.com/?action=item&id=2187 Date published: 2008-05-05 Date of last update: 2008-05-05 Vendors contacted: Wonderware Release mode: Coordinated release *Vulnerability Information* Class: Denial of service Remotely Exploitable: Yes Locally Exploitable: No Bugtraq ID: 28974 CVE Name: CVE-2008-2005 *Vulnerability Description* WonderWare is supplier of industrial automation and information software solutions. According to the company's website [1]: "one third of the world's plants run Wonderware software solutions. Having sold more than 500,000 software licenses in over 100,000 plants worldwide, Wonderware has customers in virtually every global industry - including Oil & Gas, Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more". WonderWare offers software solutions in the areas of Production and Performance Management, and Geographical SCADA and Supervisory HMI (Human-Machine Interface). Several of these solutions running on Microsoft Windows Operating Systems use a common software component, the SuiteLink Service, to implement communications between components using a proprietary protocol over TCP/IP networks. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario. *Vulnerable Packages* . *Non-vulnerable Packages* . Contact WonderWare for details. *Vendor Information, Solutions and Workarounds* The vendor has made a technical document available to registered customers detailing how to address this issue [2]. Additionally, an extensive guide detailing how to deploy and secure Industrial Control Systems is available at the vendor's support site [3]. Vendor Statement: Wonderware, a business unit of Invensys, is committed to collaborate with our customers and industry standards committees to provide secure applications, security best practices, deployment guidelines, tools and prescriptive guidance for maintaining a secure environment. A potential denial of service issue on an insecure network which could have been instigated by a hostile internal user has been addressed in SuiteLink 2.0 Patch 01. More details can be found in Wonderware's Tech Alert 106 posted on our website along with the Patch. (Please note that access to the Tech Alert and the Patch will require that you register on our web site.) Wonderware users interested in upgrading should contact Wonderware or their local distributor. *Credits* This vulnerability was discovered and researched by Sebastian Muniz from the Exploit Writers Team (EWT) at Core Security Technologies. *Technical Description / Proof of Concept Code* WonderWare SuiteLink is a service that runs on Microsoft Windows Operating Systems listening for connections on port 5413/tcp. .text:00405C54 and ecx, 3 - -----------/ *Report Timeline* . 2008-01-30: Initial contact email sent by to Wonderware setting the estimated publication date of the advisory to February 25th. 2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch. 2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch. 2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgement of the notification of a security vulnerability. 2008-02-28: As requested during the phone call, Core re-sends the original notification mail, stating that an advisory draft describing the vulnerability is available since January 30th. The publication of the advisory is re-scheduled to March 24th. 2008-02-28: Vendor acknowledges the email notification. 2008-02-28: Core sends the advisory draft to Wonderware support team. 2008-02-29: Vendor acknowledges reception of the report and states that it understands the seriousness of the problem and that its development team will look into it. 2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability. 2008-03-03: Core sends proof-of-concept code written in Python. 2008-03-05: Vendor asks for compiler tools required to use the PoC code. 2008-03-05: Core sends a link to http://www.python.org where a Python interpreter can be downloaded. 2008-03-10: Vendor requests more information about the network and the firewall settings used during the tests and inquires about conformance (or lack thereof) of the tested network with the vendor's security policies and recommendations. 2008-03-10: Vendor asks for details about how the advisory will be published. 2008-03-12: Core responds that the workstation running the vulnerable service had no firewall activated in the tests, but since the Wonderware SuiteLink Service allows incoming connections it is assumed that the corresponding port should be allowed to receive inbound session establishment packets. Core offers the vendor the opportunity to include additional information in the "vendor information" section of the advisory. Core explains that the advisory will be published on Core's website and sent to security mailing lists. Core also reminds the vendor that the publication date of the advisory has been moved from February 25th to March 24th, and explains that it is willing to discuss a new publication date on the basis of having concrete plans, with a specific date for the fix release. 2008-03-21: Vendor indicates that it will be unable to commit to releasing fixes by March 24th and requests publication of the advisory to be delayed to create a fix for vulnerable customers. The development team is investigating how long it will take to make such a fix available. The vendor indicates that the previous questions about firewall setup referred to the vendor's recommended practices to secure networks on which their systems run using firewalls and IPsec. 2008-03-21: Vendor indicates that it is issuing a Tech Alert to its customers to address the issue. Details about the vulnerability have been minimized in the Tech Alert. The vendor expresses concern about the level of detail included in Core's advisory and requests that those details be removed from the advisory because they give more detail than what is needed to make people aware of the issue, and may lend itself to use by people who might want to exploit it. Early estimates put the delivery time for a fix at approximately three months, and the estimate is not final. Vendor asks Core to delay any publication until it is able to have a software fix ready. 2008-03-21: Core asks if the three-month estimate should be assumed to have begun since the vendor's initial acknowledgement of Core's notification -- which puts the estimated date for the release of a fix at the end of May -- or since the date of the last email received (fix released at the end of June). Core indicates that as of today it still has no confirmation from the vendor that the vulnerability was replicated and identified, and that the fix is already under development or testing, and that is the information needed to re-schedule the publication date. Core is expecting to receive that information from the vendor, but in the meantime publication of the advisory is re-scheduled to March 31st 2008. With regards to the questions and requests about the contents of the security advisory, Core indicates that Core's technical publications are aimed at providing legitimate security practitioners worldwide with the technical details necessary to understand the nature of the security issues reported; so they are able to devise, by their own judgment, the risk mitigation approach that fits them the best. For that purpose, Core believes that it is fundamental that they have precise and accurate technical details about security issues -- as Wonderware itself has demonstrated with the request for further technical details and proof-of-concept code -- and that the whole reporting and disclosure process is transparent for scrutiny of all interested parties. 2008-03-21: Vendor acknowledges Core's email and provides a copy of the issued Technical Alert 106 and indicates that will provide more information by March 25th 2008. 2008-03-26: Vendor confirms to have replicated the issue reported and indicated that the Tech Alert 106 sent to customers confirms and recognizes the issue. The Tech Alert also points out what measures can be taken to mitigate risk. A project has been charter and is in progress to fix this issue and properly QA the fix. With regard to the contents of Core's report, it says that stating that a Denial of Service of SuiteLink communication can be created from a remote node sends a corrupted data packet seems to be sufficient to make people aware. The vendor says that is having trouble understanding what the value is in providing specific detail as to what technical issue is happening and asks for clarification to understand how this information would benefit organizations. The vendor acknowledges that the proof of concept code did help to replicate the issue and that without it, it would have needed more time to identify it from the report alone. The concern is that the details provided in the report may give a hacker a specific direction to look for the vulnerability. Finally, the vendor indicates that will have a better estimation for the rlease date of a fix by Friday March 28th, 2008. 2008-03-27: Core acknowledges the vendor's email and indicates that is looking forward to having the new estimate by Friday. 2008-03-28: Vendor informs that it has brought the estimated release date in to May 2nd. If things go well during QA, they may be able to bring that date in sooner and vendor requests that Core postpone publication until that time. 2008-03-28: Core re-schedules publication of the advisory to May 2nd 2008 and says that it considers this date final unless the vendor indicates any deviation from the current estimate with at least a week in advance of the publication date, in which case Core would re-evaluate postponing publication up to 5 working days. With regard to the previous inquiry about the advisory's content, Core states that the purpose of publishing security advisories and the rationale used to define their content is simple and hopefully, once explained, both reasonable and understandable. Core publishes advisories not only to make users aware of the existence of a given vulnerability but also to facilitate its mitigation by either official or any other means that the security community and/or the vulnerable user population may devise. In order to do so, Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems. It is that information that can help other security practitioners to determine how to prevent exploitation, detect attacks or to verify that a fix or workaround is actually functioning properly. Thus, Core believes that it is necessary not only to indicate the mere existence of the bug, but also to explain how to uniquely identify it in the vulnerable software (to avoid confusion with all other known bugs or to differentiate it from others that may be discovered in the future). It is also important to determine how the vulnerability could be used by potential attackers so that proper detection mechanisms can be built, for example firewall rules, or IDS and antivirus signatures. While Core recognizes that this may provide some additional data to would-be attackers, clearly it also provides preciously needed information to the defenders thus, leveling a field on which Core believes the attackers are initially at advantage. 2008-04-01: Vendor acknowledges previous email and indicates that it will provide a new update as soon as is available. 2008-04-28: Vendor informs Core that a fix for the vulnerability in SuiteLink has been released. 2008-04-28: Core acknowledges previous emails and requests an official vendor statement for the security advisory and more details about the vulnerable packages and versions. Multiple products use SuiteLink. 2008-04-30: The advisory is ready for release, but the publication date is re-scheduled to May 5th because May 1st is a public holiday in many countries (International Workers' Day) and Core does not usually publish advisories on Fridays (to avoid IT work on weekends). 2008-05-05: CORE-2008-0129 advisory is published. *References* [1] WonderWare website http://us.wonderware.com/ [2] Tech Alert 106 http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm [3] WonderWare Security Manual - Securing Industrial Control Systems http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIH2eAyNibggitWa0RAtlcAKCgV83vS0v4aLVTRtFmkBsEg0UPXgCdHL4p si+I8mGJwJuglh+QESsZ9ZE= =705O -----END PGP SIGNATURE-----

Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709. This vulnerability CVE-2007-0709 Is a different vulnerability.Service disruption by local users via: ( System crash ) There is a possibility of being put into a state. (1) NtDeleteFile Crafted in a call to a function OBJECT_ATTRIBUTES Through the structure ZwQueryObject Trigger improper validation of results (2) NtCreateFile Call to function (3) NtSetThreadContext Call to function. Comodo Firewall Pro is prone to multiple local vulnerabilities. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed. Comodo Firewall Pro 2.4.18.184 is vulnerable; other versions may also be affected. The NtDeleteFile, NtCreateFile, and NtSetThreadContext functions of the Comodo firewall do not validate parameters correctly. … . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. These can be exploited to cause a DoS by calling the affected functions with specially crafted arguments. The vulnerabilities are reported in version 2.4.18.184. SOLUTION: Upgrade to version 3.0. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls *Advisory Information* Title: Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls Advisory ID: CORE-2008-0320 Advisory URL: http://www.coresecurity.com/?action=item&id=2249 Date published: 2008-04-28 Date of last update: 2008-04-28 Vendors contacted: BitDefender, Comodo, Sophos and Rising Release mode: Coordinated release (BitDefender, Comodo, Rising), User release (Sophos) *Vulnerability Information* Class: Invalid memory reference Remotely Exploitable: No Locally Exploitable: Yes Bugtraq ID: 28741, 28742, 28743, 28744 CVE Name: CVE-2008-1735, CVE-2008-1736, CVE-2008-1737, CVE-2008-1738 *Vulnerability Description* Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls (BitDefender Antivirus [1], Comodo Firewall [2], Sophos Antivirus [3] and Rising Antivirus [4]) have been found that could lead to a Denial of Service (DoS) and possibly to code execution attacks. An attacker, utilizing these flaws, could be able to locally reboot the whole system shutting down the firewall or anti-virus protection. *Vulnerable Packages* . BitDefender Antivirus 2008 Build 11.0.11 . Sophos Antivirus 7.0.5 . Rising Antivirus 19.60.0.0 and 19.66.0.0 . Older versions may be affected, but were not checked. *Non-vulnerable Packages* . BitDefender Antivirus 2008 builds available through automatic updates, posterior to January 18th. Rising Antivirus 20.38.20 *Vendor Information, Solutions and Workarounds* 1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735) According to BitDefender, the flaw was not exploited by any malicious application, and it was corrected through automatic updates. Information on this issue can be found on BitDefender website at this location: http://kb.bitdefender.com/KB419-en--Security-vulnerability-in-BitDefender-2008.html. Non-vulnerable products from Sophos are earlier versions of Sophos Anti-Virus for Windows, Sophos Anti-Virus for non-Windows platforms and all other Sophos products. The vulnerability is only exploitable if Runtime Behavioural Analysis is switched on. Even then the exploit will only be effective if the end user is using security settings that are lower than the defaults for most web browsers today, or if the end user agrees to activate an ActiveX or Java Applet from the webpage hosting the exploit. Workarounds to avoid this vulnerability include: a. Using the default security settings or higher on the latest version of your chosen web browser. In line with general security best practice we would also encourage end users not to download ActiveX or Java Applets unless confident about their content. b. Turning off the Runtime Behavioural Analysis functionality within Sophos Anti-Virus (customers will still benefit from Sophos Behavioural Genotype protection and other means of protecting endpoints against malware). N.B. Should an exploit be released into the wild, Sophos will deploy protection against that exploit. The fix for this vulnerability requires customers to reboot their endpoints. Given the low severity of the vulnerability, to minimise disruption to our customers Sophos will release the fix at the earliest opportunity that coincides with a necessary reboot of the product." 4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738) A fixed version of Rising Antivirus can be downloaded from: http://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe All Rising customers can also update up to a patched version through automatic updates. *Credits* These vulnerabilities (except the Rising one) were discovered by Damian Saura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blanco y Rodrigo Carvalho from Core Security Technologies, during Bugweek 2007. The Rising vulnerability was discovered by Anibal Sacco from Core Security Technologies exploit writers team. These vulnerabilities were researched by Anibal Sacco and Damian Saura from Core Security Technologies. *Technical Description / Proof of Concept Code* We have found that BitDefender Antivirus, Rising Antivirus, Comodo Firewall and Sophos Antivirus have hooks that do not properly validate the arguments of the hooked functions before accessing them, and lead to the program trying to reference some invalid memory, leading in some scenarios to a BSOD (Blue Screen of Death). In our tests we used the kernel hooks probing tool BSODhook [5] in order to find any kind of insufficient argument validation of hooked SSDT functions. From Matousec paper [6]: "Hooking kernel functions by modifying the System Service Descriptor Table (SSDT) is a very popular method of implementation of additional security features and is used frequently by personal firewalls and other security and low-level software. Although undocumented and despised by Microsoft, this technique can be implemented in a correct and stable way. However, many software vendors do not follow the rules and recommendations for kernel-mode code writing and many drivers that implement SSDT hooking do not properly validate the parameters of the hooking functions." "Hooking SSDT functions requires extra caution. SSDT function handlers are executed in the kernel mode but their callers are executed in the user mode. Hence all function arguments come from the user mode. This is why it is necessary to validate these arguments properly. Otherwise a simple user call can easily crash the whole system. This bug usually results in a system crash. However, it may happen that this bug is even more dangerous and may lead to the execution of an arbitrary code in the privileged kernel mode." A local DoS attack, despite not being a very sophisticated intrusion attack, could be used as an accessory under several scenarios. It is commonly used by viruses as added feature, when the specific AV is detected on the infected machine, crashing the system just to annoy. Or by a human attacker, after a succesful remote intrusion with unprivileged credentials to make a computer resource unavailable to its intended users. Besides, this could be a very valuable resource when trying to fake some service that answers broadcasts request like a DHCP, allowing to start the service in another location replacing the original one. 1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735) BitDefender fails to validate the pointer to the 'CLIENT_ID' structure provided to 'NtOpenProcess'. So, if we pass an invalid pointer, we will crash the whole system. /----------- NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId ) .text:00010ADE push 0Ch .text:00010AE0 push offset stru_114E8 .text:00010AE5 call __SEH_prolog .text:00010AEA call KeGetCurrentThread .text:00010AEF xor ebx, ebx .text:00010AF1 cmp [eax+140h], bl .text:00010AF7 jz short loc_10B0D .text:00010AF9 call PsGetCurrentProcessId .text:00010AFE call PsGetCurrentProcessId .text:00010B03 push eax .text:00010B04 call sub_10724 .text:00010B09 test eax, eax .text:00010B0B jnz short loc_10B12 .text:00010B0D .text:00010B0D loc_10B0D: ; CODE XREF: sub_10ADE+19_j .text:00010B0D push [ebp+ClientId] .text:00010B10 jmp short loc_10B73 .text:00010B12 ; - --------------------------------------------------------------------------- .text:00010B12 .text:00010B12 loc_10B12: ; CODE XREF: sub_10ADE+2D_j .text:00010B12 mov edi, [ebp+ClientId] .text:00010B15 cmp edi, ebx ; Little check to avoid a Null Pointer - -----------/ Here it gets the pointer to the 'ClientId' value, and if it is non zero ('!= 0') it does not care where it is pointing to. /----------- .text:00010B17 jnz short loc_10B1C .text:00010B19 push ebx .text:00010B1A jmp short loc_10B73 .text:00010B1C ; - --------------------------------------------------------------------------- .text:00010B1C .text:00010B1C loc_10B1C: ; CODE XREF: sub_10ADE+39_j .text:00010B1C mov [ebp+ms_exc.disabled], ebx .text:00010B1F mov esi, [edi] ; Here it crashes - -----------/ It access to that memory, and if that is invalid memory the system will crash. /----------- .text:00010B21 mov [ebp+var_1C], esi .text:00010B24 or [ebp+ms_exc.disabled], 0FFFFFFFFh .text:00010B28 jmp short loc_10B3B .text:00010B28 sub_10ADE endp - -----------/ 2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736) In Comodo there are problems in the arguments validation of 'NtDeleteFile', 'NtCreateFile' and 'NtSetThreadContext' functions. 'NtDeleteFile' receives just one parameter, a pointer to an 'OBJECT_ATTRIBUTES' structure. These attributes would include the 'ObjectName' and the 'SECURITY_DESCRIPTOR', for example. This is the hook placed by Comodo at 'NtDeleteFile'. /----------- NTDeleteFile (POBJECT_ATTRIBUTES ObjectAttributes) .text:0001ACB0 push 1Ch .text:0001ACB2 push offset stru_1E3F0 .text:0001ACB7 call __SEH_prolog .text:0001ACBC xor ebx, ebx .text:0001ACBE inc ebx .text:0001ACBF mov [ebp+var_1C], ebx .text:0001ACC2 xor esi, esi .text:0001ACC4 mov [ebp+var_24], esi .text:0001ACC7 mov [ebp+var_20], ebx .text:0001ACCA mov [ebp+var_28], esi .text:0001ACCD mov [ebp+ms_exc.disabled], esi .text:0001ACD0 call ds:ExGetPreviousMode .text:0001ACD6 mov edi, [ebp+ObjectAttributes] - -----------/ Here it does a lot of 'ProbeForRead' checks to see if the pointers of the structure are valid. Nice! ('EDI' still has a pointer to the 'OBJECT_ATTRIBUTES' structure) /----------- .... sub_1A692 .text:0001A692 push 28h .text:0001A694 push offset stru_1E3C0 .text:0001A699 call __SEH_prolog .text:0001A69E xor edi, edi .... .text:0001A6B3 mov [ebp+ms_exc.disabled], edi .text:0001A6B6 push 72747052h ; Tag .text:0001A6BB mov ebx, 400h .text:0001A6C0 push ebx ; NumberOfBytes .text:0001A6C1 push 1 ; PoolType .text:0001A6C3 call ds:ExAllocatePoolWithTag ; Allocates memory to hold the data retrieved by ZwQueryObject .text:0001A6C9 mov esi, eax .text:0001A6CB mov [ebp+var_28], esi .text:0001A6CE cmp esi, edi .text:0001A6D0 jz short loc_1A74F .text:0001A6D2 mov edi, [ebp+ObjectAttributes] .text:0001A6D5 mov eax, [edi+OBJECT_ATTRIBUTES.RootDirectory] ; Here, the code retrieves the RootDirectory's field value from the structure, controled by us. .text:0001A6D8 test eax, eax .text:0001A6DA jz short loc_1A71B .text:0001A6DC push 0 ; ReturnLength .text:0001A6DE push ebx ; ObjectInformationLength .text:0001A6DF push esi ; ObjectInformation ; buffer where ZwQueryObject will put the object information .text:0001A6E0 push 1 ; ObjectInformationClass ; Specifies an OBJECT_INFORMATION_CLASS value that determines the type ; of information returned in the ObjectInformation buffer. It's using ; an undocumented type (OBJECT_NAME_INFORMATION) which returns an UNICODE_STRING structure .text:0001A6E2 push eax ; ObjectHandle ; Now, the user-controlled handle 'll be used here to identify the object by ZwQueryObject, .text:0001A6E3 call ds:ZwQueryObject .text:0001A6E9 mov [ebp+var_20], eax .text:0001A6EC test eax, eax .text:0001A6EE jl short loc_1A746 - -----------/ Here is where the problem shows up. The code does not properly validates the data retrieved by 'ZwQueryObject', expecting an 'UNICODE_STRING' structure. But it is possible to make multiple calls to the function using different handlers to obtain a null structure crashing the system when the code tries to dereference its 'Buffer' field. /----------- .text:0001A6F0 movzx eax, [esi+UNICODE_STRING.Length] .text:0001A6F3 shr eax, 1 .text:0001A6F5 mov ecx, [esi+UNICODE_STRING.Buffer] .text:0001A6F8 movzx eax, word ptr [ecx+eax*2-2] ; Here is the problem .text:0001A6FD mov [ebp+var_30], eax .text:0001A700 cmp ax, 5Ch .text:0001A704 jz short loc_1A725 - -----------/ 3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737) Insufficient argument validation of hooked SSDT functions on Sophos lead to a DoS. An attacker, utilizing this flaw, would be able to locally reboot the whole system shutting down the Firewall or AV protection. Although neither the vendor nor Core Security has found a means of exploiting the flaw to execute arbitrary code, it has not been possible to rule this out. In Sophos AV there is a problem in the arguments validation of 'NtCreateKey' function. /----------- int __cdecl NtCreateKeyHook(PHANDLE pKeyHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG TitleIndex,PUNICODE_STRING Class, ULONG CreateOptions, PULONG Disposition) [...] .text:0001C01C push 4 ; Alignment .text:0001C01E push 18h ; Length .text:0001C020 mov esi, [ebp+ObjectAttributes] .text:0001C023 push esi ; Address .text:0001C024 call ds:ProbeForRead - -----------/ Here it checks for 'ObjectAttributes' to be pointing to a valid address. /----------- .text:0001C02A mov eax, [esi+OBJECT_ATTRIBUTES.RootDirectory] .text:0001C02D mov [ebp+Handle], eax .text:0001C030 mov esi, [esi+OBJECT_ATTRIBUTES.ObjectName] .text:0001C033 mov [ebp+pUnicodeString], esi - -----------/ Now, it gets from 'OBJECT_ATTRIBUTES' a handle and a pointer to an 'UNICODE_STRING' structure. /----------- .text:0001C095 push 4 .text:0001C097 push 8 .text:0001C099 push esi .text:0001C09A mov ebx, ds:ProbeForRead .text:0001C0A0 call ebx ; ProbeForRead, it checks the pointer before the dereference. .text:0001C0A2 mov eax, dword ptr [esi+UNICODE_STRING.Length] .text:0001C0A4 mov dword ptr [ebp+stUnicodeString.Length], eax .text:0001C0A7 mov esi, [esi+UNICODE_STRING.Buffer] ; And gets from the UNICODE_STRING structure ; a pointer to the unicode buffer. .text:0001C0AA mov [ebp+stUnicodeString.Buffer], esi .text:0001C0AD push 2 ; Alignment .text:0001C0AF shr eax, 10h .text:0001C0B2 push eax ; Length .text:0001C0B3 push esi ; Address .text:0001C0B4 call ebx ; ProbeForRead - -----------/ It does the check, but here is the problem /----------- .text:0001C0B6 push gdwValue .text:0001C0BC lea eax, [ebp+stUnicodeString] .text:0001C0BF push eax .text:0001C0C0 push [ebp+Object] .text:0001C0C3 call sub_1cb40 - -----------/ The problem relies in the function not properly checking the 'Length' field of the 'UNICODE_STRING' structure. When doing the check, 'ProbeForRead' receives the length field of the structure as a parameter without any kind of validation. So, if we set this field to 0, 'ProbeForRead' will not raise any exception even though we were passing it an invalid address. And it will crash when trying to access to the desired invalid memory. /----------- sub_1cb40 [...] .text:0001CB5E xor esi, esi .text:0001CB60 mov [ebp+ms_exc.disabled], esi .text:0001CB63 mov edi, [ebp+pUnicodeString] .text:0001CB66 mov eax, [edi+UNICODE_STRING.Buffer] - -----------/ And here is where it will crash: /----------- .text:0001CB69 cmp word ptr [eax], '\' ; Reference the first pointed byte - -----------/ 4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738) In Rising antivirus the code of the 'NtOpenProcess' hook does not validates if the pointer to the structure /----------- typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread;} - -----------/ is really pointing to mapped memory. So, when the code tries to dereference the pointer to check the 'CLIENT_ID->UniqueProcess' value, if it is pointing to invalid memory, will crash. /----------- NtOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ) .text:00010EAA push ebp .text:00010EAB mov ebp, esp .text:00010EAD push esi .text:00010EAE mov esi, offset Addend .text:00010EB3 push edi .text:00010EB4 mov ecx, esi ; Addend .text:00010EB6 call ds:InterlockedIncrement .text:00010EBC call PsGetCurrentProcessId .text:00010EC1 cmp eax, dword_11C8C .text:00010EC7 jnz short loc_10ECE .text:00010EC9 .text:00010EC9 loc_10EC9: ; CODE XREF: sub_10EAA+37_j .text:00010EC9 push [ebp+ClientId] .text:00010ECC jmp short loc_10EF0 .text:00010ECE ; - --------------------------------------------------------------------------- .text:00010ECE .text:00010ECE loc_10ECE: ; CODE XREF: sub_10EAA+1D_j .text:00010ECE call PsGetCurrentProcessId .text:00010ED3 mov ecx, dword_11C80 .text:00010ED9 push eax .text:00010EDA call sub_11070 .text:00010EDF test al, al .text:00010EE1 jnz short loc_10EC9 .text:00010EE3 call PsGetCurrentProcessId .text:00010EE8 mov edi, [ebp+ClientId] ; Here is the bug, if ClientId is pointing to an invalid address .text:00010EEB cmp eax, [edi] ; it will crash. .text:00010EED jnz short loc_10F0D - -----------/ *Report Timeline* . 2008-01-11: Core Security Technologies found a security vulnerability in BitDefender antivirus. 2008-01-14: BitDefender team is contacted by Core. 2008-01-15: BitDefender team asks Core for technical description of the vulnerability. 2008-01-15: Technical details are sent to BitDefender team by Core. 2008-01-22: BitDefender notifies Core that a fix has been produced and the flaw was corrected through automatic updates. 2008-02-04: According to the original schedule, the CORE-2008-0320 advisory would be released at this date, but similar flaws in other antivirus products were discovered by Core exploit writers team. Considering all BitDefender users are patched, Core Security Technologies does not release the advisory and continues the research of this issue in other products. 2008-03-20: Core analyzes similar vulnerabilities in Comodo Firewall, Sophos Antivirus and Rising Antivirus. 2008-03-25: Core notifies the Comodo, Sophos and Rising teams of the vulnerabilities. 2008-03-27: Comodo team asks Core for technical description of the vulnerability. 2008-03-27: Technical details are sent to Comodo team by Core. 2008-03-31: Rising team asks Core for technical description of the vulnerability. 2008-04-01: Technical details are sent to Rising team by Core. 2008-04-02: Rising team inform Core that the flaw has been fixed in the Rising AV 2008 version. 2008-04-02: Sophos team asks Core for technical description of the vulnerability. 2008-04-07: Technical details are sent to Sophos team by Core. 2008-04-11: Sophos team informs that the flaw is found in one of the antivirus drivers, and fixing it will require a reboot for all of Sophos Windows customers. Sophos would like to fix the bug in the next major version (second quarter 2009), in particular considering the fact that they were unable to come up with any practical use of this vulnerability. 2008-04-14: Comodo notifies Core that a fix has been produced. 2008-04-14: Sophos informs Core that they will be able to release a fix to the vulnerability at the end of October 2008. 2008-04-21: Core responds that they will reschedule the publication to April 24th, 2008. Since the vulnerability is not critical, and has been found using publicly available tools, like the other vulnerabilities included in the advisory, Core doesn't see a reason to postpone the publication of the Sophos bug until October 2008. 2008-04-21: Sophos asks Core not to release details of the vulnerability until a fix is available, and not to publish Proof of Concept code. Sophos informs that they do not believe that arbitrary code execution is possible. 2008-04-24: Core responds that the advisory does not contain Proof of Concept code. Core confirms its intention of publishing the advisory, including the technical description, but decides to postpone it to April 28th, to give the participants more time to coordinate the release of public information. 2008-04-25: Sophos provides additional information, included in the "vendor information" section of the advisory. 2008-04-28: CORE-2008-0320 advisory is published. *References* [1] http://www.bitdefender.com [2] http://www.comodo.com [3] http://www.sophos.com [4] http://www.rising-global.com [5] http://www.matousec.com/downloads [6] http://www.matousec.com/info/articles/plague-in-security-software-drivers.php *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIFj4WyNibggitWa0RAkUcAJ9yUGXQQV5ZQ1J0R2U+MSTMRuHa4wCgkXh1 UGe5qGGTXrCSFfFX3JH6ovE= =3mt3 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Unspecified vulnerability in Apple Safari 3.1.1 allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls document.write in an infinite loop. Safari is prone to a denial-of-service vulnerability

Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences. Safari is prone to a remote security vulnerability. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta 4 days left of beta period. The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success. The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide. Learn more / Download (instant access): http://secunia.com/network_software_inspector_2/ ---------------------------------------------------------------------- TITLE: Safari Address Bar URL Spoofing Security Issue SECUNIA ADVISORY ID: SA29900 VERIFY ADVISORY: http://secunia.com/advisories/29900/ CRITICAL: Less critical IMPACT: Spoofing WHERE: >From remote SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari for Windows 3.x http://secunia.com/product/17978/ DESCRIPTION: Juan Pablo Lopez Yacubian has discovered a security issue in Safari, which can be exploited by malicious people to display a fake URL in the address bar. The security issue is confirmed in version 3.1.1 on Mac OS X and Vista. Other versions may also be affected. SOLUTION: Do not browse untrusted websites or follow untrusted links. PROVIDED AND/OR DISCOVERED BY: Juan Pablo Lopez Yacubian ORIGINAL ADVISORY: http://es.geocities.com/jplopezy/pruebasafari3.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------