VARIoT IoT vulnerabilities database
| VAR-200903-0249 | CVE-2009-0143 | Apple iTunes Information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple iTunes before 8.1 does not properly inform the user about the origin of an authentication request, which makes it easier for remote podcast servers to trick a user into providing a username and password when subscribing to a crafted podcast. Apple iTunes is prone to an information-disclosure vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users.
Versions prior to Apple iTunes 8.1 are vulnerable. ----------------------------------------------------------------------
Did you know? Our assessment and impact rating along with detailed
information such as exploit code availability, or if an updated patch
is released by the vendor, is not part of this mailing-list?
Click here to learn more about our commercial solutions:
http://secunia.com/advisories/business_solutions/
Click here to trial our solutions:
http://secunia.com/advisories/try_vi/
----------------------------------------------------------------------
TITLE:
Apple iTunes Information Disclosure and Denial of Service
SECUNIA ADVISORY ID:
SA34254
VERIFY ADVISORY:
http://secunia.com/advisories/34254/
DESCRIPTION:
A vulnerability and a security issue have been reported in Apple
iTunes, which can be exploited by malicious people to cause a DoS
(Denial of Service) or to potentially disclose sensitive information.
1) An error in the processing of Digital Audio Access Protocol (DAAP)
messages can be exploited to trigger the execution of an infinite loop
via a specially crafted "Content-Length" parameter contained in the
header of a DAAP message.
NOTE: The vulnerability does not affect Mac OS X systems.
The vulnerability and security issue are reported in version 8.
SOLUTION:
Update to version 8.1.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's
FortiGuard Global Security Research Team
2) Simon Bellwood
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3487
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200903-0240 | CVE-2009-0016 | Windows Work on Apple iTunes Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple iTunes before 8.1 on Windows allows remote attackers to cause a denial of service (infinite loop) via a Digital Audio Access Protocol (DAAP) message with a crafted Content-Length header. Apple iTunes is prone to an information-disclosure vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users.
Versions prior to Apple iTunes 8.1 are vulnerable.
Impact:
=======
Denial of service.
Risk:
=====
Medium
Affected Software:
==================
Apple iTunes 8 for Windows, other versions may be affected
This issue does not affect Mac OS X systems
References:
===========
FortiGuard Advisory: http://www.fortiguardcenter.com/advisory/FGA-2009-11.html
Apple Security Bulletin: http://support.apple.com/kb/HT3487
Apple Security Updates: http://support.apple.com/kb/ht1222
CVE ID: CVE-2009-0016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0016
Acknowledgments:
================
Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's FortiGuard Global Security Research Team
*** This email and any attachments thereto may contain private, confidential, and privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto. ***
. ----------------------------------------------------------------------
Did you know? Our assessment and impact rating along with detailed
information such as exploit code availability, or if an updated patch
is released by the vendor, is not part of this mailing-list?
Click here to learn more about our commercial solutions:
http://secunia.com/advisories/business_solutions/
Click here to trial our solutions:
http://secunia.com/advisories/try_vi/
----------------------------------------------------------------------
TITLE:
Apple iTunes Information Disclosure and Denial of Service
SECUNIA ADVISORY ID:
SA34254
VERIFY ADVISORY:
http://secunia.com/advisories/34254/
DESCRIPTION:
A vulnerability and a security issue have been reported in Apple
iTunes, which can be exploited by malicious people to cause a DoS
(Denial of Service) or to potentially disclose sensitive information.
NOTE: The vulnerability does not affect Mac OS X systems.
2) An error in the implementation of the iTunes podcast feature can
be exploited to entice a user into sending iTunes credentials to a
podcast server via an authentication dialog presented when
subscribing to a malicious podcast.
The vulnerability and security issue are reported in version 8.
SOLUTION:
Update to version 8.1.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Xiaopeng Zhang, Zhenhua Liu, and Junfeng Jia of Fortinet's
FortiGuard Global Security Research Team
2) Simon Bellwood
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3487
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200903-0267 | CVE-2009-0619 | Cisco 7600 For series routers Session Border Controller (SBC) Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Session Border Controller (SBC) before 3.0(2) for Cisco 7600 series routers allows remote attackers to cause a denial of service (SBC card reload) via crafted packets to TCP port 2000.
A remote attacker may exploit this issue to cause the affected device to reload. Repeated attacks can result in a denial-of-service condition.
This issue is documented in Cisco Bug ID CSCsq18958.
Versions prior to Cisco SBC software 3.0(2) are vulnerable. This issue affects SBC for Cisco 7600 series routers. Cisco has
released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
To determine the version of the Cisco SBC software running on a
system, log in to the device and issue the show version command to
display the system banner.
card_A/Admin# show version
system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
<output truncated>
Cisco SBC software version 3.0.1 is running in the device used in
this example. Additionally, the
Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco
ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco
ACE GSS (Global Site Selector) 4400 Series are not affected by this
vulnerability. No other Cisco products are currently known to be
affected by this vulnerability.
Details
=======
The Session Border Controller (SBC) enables direct IP-to-IP
interconnect between multiple administrative domains for
session-based services providing protocol interworking, security, and
admission control and management. The SBC is a multimedia device that
sits on the border of a network and controls call admission to that
network.
Note: Only the Cisco SBC module reloads after successful
exploitation.
Note: TCP port 2000 is typically used by Skinny Call Control Protocol
(SCCP) applications. However, the Cisco SBC module uses TCP port 2000
for high availability (redundancy) communication, but does not use
the SCCP for this purpose.
This vulnerability is documented in Cisco Bug IDs CSCsq18958 (
registered customers only) ; and has been assigned the Common
Vulnerability and Exposures (CVE) IDs CVE-2009-0619.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may cause a reload of
the affected device.
Cisco SBC software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sbc-7600-crypto
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
As a workaround, configure an access control list (ACL) in the
signaling / media VLAN on the Route Processor (RP). The following
examples show how VLAN 140 is configured as the signaling / media
VLAN. A separate VLAN (VLAN 77) is configured as Fault Tolerance
(FT). An ACL is added to the signaling/media VLAN on the RP filtering
all TCP port 2000 packets to the alias IP address.
Cisco SBC configuration
interface vlan 140
ip address 10.140.1.90 255.255.255.0
alias 10.140.1.100 255.255.255.0
peer ip address 10.140.1.8 255.255.255.0
!
ft interface vlan 77
ip address 192.168.1.1 255.255.255.0
peer ip address 192.168.1. 255.255.255.0
RP Configuration
!- ACL blocking all TCP port 2000 traffic to the 10.140.1.0 internal network
!
access-list 100 deny tcp any host 10.140.1.100 eq 2000
access-list 100 permit ip any any
!
interface Vlan140
ip address 10.140.1.1 255.255.255.0
!- ACL is applied to the VLAN interface to egress traffic
ip access-group 100 out
!
The alias command under VLAN 140 is configured with an IP address
that floats between active and standby modules when using high
availability. Only TCP port 2000 traffic destined to this IP address
may trigger this vulnerability. An access control list (ACL) is
configured to deny TCP port 2000 destined to the alias IP address
(10.140.1.100). The ACL is applied egress in the RP.
Note: TCP port 2000 is used by Skinny Call Control Protocol (SCCP)
applications; however, in this case it is used by the SBC for
internal communications. The previous ACL only blocks TCP port 2000
traffic to the alias IP address. TCP port 2000 is not used by the
alias IP address. This ACL should not cause any collateral damage.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this Advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090304-sbc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-March-04 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkmurgEACgkQ86n/Gc8U/uBrwwCfbQxCcSz4S4X3UpH4Mccg0Df1
KMoAn11BqKmRhw5mUuJOl3D/RrVxVrc7
=m2di
-----END PGP SIGNATURE-----
| VAR-200903-0570 | No CVE | JP1/Cm2/Network Node Manager Denial of Service (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
A vulnerability in JP1/Cm2/Network Node Manager (NNM) could cause a denial of service (DoS) condition when using the Shared Trace Service.A remote attacker could cause a denial of service (DoS) condition.
| VAR-200903-0571 | No CVE | Multiple Vulnerabilities in uCosminexus Portal Framework |
CVSS V2: 6.4 CVSS V3: - Severity: Medium |
uCosminexus Portal Framework contains multiple vulnerabilities.A remote attacker could perform malicious acts, such as information leaking, identity spoofing and updating data with wrong values.
| VAR-200902-0665 | CVE-2009-0742 | Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Modules and Cisco ACE 4710 Application Control Engine Appliance of username Information disclosure vulnerability in commands |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The username command in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers and Cisco ACE 4710 Application Control Engine Appliance stores a cleartext password by default, which allows context-dependent attackers to obtain sensitive information. Ace 4710 is prone to a information disclosure vulnerability
| VAR-200902-0666 | CVE-2009-0743 | Cisco Unified MeetingPlace Web Conferencing of Web Server Account change page cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in the edit account page in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote authenticated users to inject arbitrary web script or HTML via the E-mail Address field. Cisco Unified MeetingPlace Web Conferencing is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. Cisco Unified MeetingPlace is a set of multimedia conferencing solutions of Cisco (Cisco). This solution provides a user environment that integrates voice, video and Web conferencing. Unified MeetingPlace allows users to modify their own account settings, such as name, telephone extension, email address, etc. If the user sets a specially crafted E-mail Address field on the configuration file page, other users will cause cross-site scripting attacks when viewing the user's configuration file or the details of the meeting created by the user, in the browser session Execute the embedded malicious code
| VAR-200902-0540 | CVE-2009-0624 |
Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Modules and Cisco ACE 4710 Application Control Engine Appliance of SNMPv2c Service disruption in implementations (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200902-0505 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the SNMPv2c implementation in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.3) and Cisco ACE 4710 Application Control Engine Appliance before A3(2.1) allows remote attackers to cause a denial of service (device reload) via a crafted SNMPv1 packet. Other attacks are also possible. Remote authentication users can cause denial of service by constructing SNMPv1 packets
| VAR-200902-0541 | CVE-2009-0625 |
Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Modules and Cisco ACE 4710 Application Control Engine Appliance Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200902-0505 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.2) and Cisco ACE 4710 Application Control Engine Appliance before A1(8.0) allows remote attackers to cause a denial of service (device reload) via a crafted SNMPv3 packet. Other attacks are also possible
| VAR-200902-0531 | CVE-2009-0614 | Cisco Unified MeetingPlace Web Conferencing of Web Server Authentication bypass vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote attackers to bypass authentication and obtain administrative access via a crafted URL.
An attacker can exploit this issue to gain administrative access to the affected application. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
This issue is tracked by Cisco Bug ID CSCsv65815.
Unified MeetingPlace Web Conferencing 6.0 and 7.0 are vulnerable. Cisco has released free software updates
that address this vulnerability.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml
Affected Products
=================
Cisco Unified MeetingPlace conferencing solution provides
functionality that allows organizations to host integrated voice,
video, and web conferencing. The solution is deployed on-network,
behind the firewall and integrated directly into an organization's
private voice/data networks and enterprise applications. Cisco
Unified MeetingPlace servers can be deployed so that the server is
accessible from the Internet, allowing external parties to
participate in meetings.
No other Cisco products are currently known to be affected by this
vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsv65815 - Authentication Bypass in MeetingPlace Web Server
CVSS Base Score - 9
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in
unauthorized access to the administrative functions of the Cisco
Unified MeetingPlace application.
Software Versions and Fixes
===========================
This vulnerability is fixed in Cisco Unified MeetingPlace Web
Conferencing software version 6.0(517.0) also known as Maintenance
Release 4 (MR4) for the 6.0 release, and version 7.0(2) also known as
Maintenance Release 1 (MR1) for the 7.0 release.
The latest versions of Cisco MeetingPlace software can be downloaded
from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875240
The Cisco Unified MeetingPlace Web Server software is available at:
http://tools.cisco.com/support/downloads/go/Model.x?mdfid=278816725&mdfLevel=Software%20Version/Option&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20MeetingPlace%20Web%20Conferencing&treeMdfId=278875240
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
This vulnerability was reported to Cisco by National Australia Bank's
Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of the vulnerability.
The Cisco PSIRT is not aware of any malicious use of the
vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-February-25 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iD8DBQFJpWeb86n/Gc8U/uARAty+AKCIt9MQ0A+BzIMX+MBZHjiod59WBACeMUgH
rPsjG9qKmCDQlA6XlaLFMr0=
=6x6Q
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0532 | CVE-2009-0615 | Cisco ANM and ACE Device Manager Vulnerable to directory traversal |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in Cisco Application Networking Manager (ANM) before 2.0 and Application Control Engine (ACE) Device Manager before A3(2.1) allows remote authenticated users to read or modify arbitrary files via unspecified vectors, related to "invalid directory permissions.".
A successful exploit may allow attackers to obtain sensitive information, view or modify files, cause denial-of-service conditions, or gain unauthorized access to the affected application. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access. A workaround that mitigates one of the issues is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.
Note: This advisory is being released simultaneously with a multiple
vulnerabilities advisory impacting the ACE appliance and module
software, which is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The following are the products and versions affected by each
vulnerability described within this advisory.
+---------------------------------------+
| Vulnerability | Product | Version |
| | Affected | Affected |
|---------------+----------+------------|
| Invalid | ACE | All |
| Directory | Device | versions |
| Permissions | Manager | prior to |
| | | A3(2.1) |
|---------------+----------+------------|
| Invalid | | All |
| Directory | ANM | versions |
| Permissions | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Default User | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| MySQL Default | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Java Agent | | versions |
| Privilege | ANM | prior to |
| Escalation | | ANM 2.0 |
| | | Update A |
+---------------------------------------+
Determining ACE Device Manager Software Version
+----------------------------------------------
The ACE Device Manager is embedded with the ACE appliance software.
To display the version of system software that is currently running
on the device, use the "show version" command. The following example
includes the output of the "show version" command on a Cisco ACE
appliance running software version A3(2.1):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
system image file: (nd)/192.168.65.32/scimitar.bin
Device Manager version 1.1 (0) 20081113:2052
---
Determining ANM Software Version
+-------------------------------
To display the version of ANM software that is currently installed,
login to the ANM server and select the "About" keyword in the upper
right. An informational pop up window will be displayed. ANM Version 2.0
Update A is indicated in the example output below.
Version: 2.0(0), Update: A
Build Number: 709
Build Timestamp: 20081031:1226
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400
Series and Cisco ACE Web Application Firewall are not affected by any of
these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
ANM is a network management application that manages Cisco ACE modules
or appliances. ANM is installed on customer provided servers with a Red
Hat Enterprise Linux operating system. The ACE Device Manager provides
a browser-based interface for configuring and managing a single ACE
appliance. The ACE Device Manager resides in flash memory on the ACE
appliance. The following details are provided for each
vulnerability addressed in this security advisory. These vulnerabilities could allow
unauthorized access to ACE operating system and host operating system
files. To exploit these vulnerabilities authentication is required to
initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:
* CSCsv66063
* CSCsv70130
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0615.
Default User Credentials
+-----------------------
Versions of Cisco ANM prior to software version ANM 2.0 do not force
credential changes during installation.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52724
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0616.
MySQL Default Credentials
+------------------------
ANM versions prior to ANM 2.0 use a default MySQL root user password
during installation. The MySQL database is installed by default when
ANM is initially installed. This vulnerability can be exploited
remotely with default credential authentication and without end-user
interaction. Unauthorized access to the database may allow
modification of system files that could impact the function of ANM or
allow execution of commands on the underlying host operating system.
The ACE appliance and module device configuration files in the MySQL
database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52632
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0617.
Java Agent Privilege Escalation
+------------------------------
ANM versions prior to ANM 2.0 Update A contain a remotely exploitable
vulnerability that could allow an attacker to view configuration
files and modify ANM processes including the capability to stop
services. Exploitation of this issue could result in system
information disclosure or denial of services.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu73001
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0618.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* ACE Device Manager invalid directory permissions (CSCsv66063)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM invalid directory permissions (CSCsv70130)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM default user credentials during installation (CSCsu52724)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM embedded MySQL default credentials (CSCsu52632)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM Java agent privilege escalation (CSCsu73001)
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the ACE Device Manager and ANM invalid
directory permission vulnerabilities may allow unauthorized access to
view or modify the ACE Device Manager or ANM file system, including host
operating system files. Modification of some system files could result
in a denial of service condition.
Exploitation of the ANM default user credential and ANM MySQL database
default credential vulnerabilities may allow an attacker to gain
unauthorized system access. Modification of ANM settings with the
default user credentials could result in a denial of service condition.
Unauthorized access to the MySQL database may allow modification of
system files that could impact the function of ANM or allow execution of
commands on the underlying host operating system.
Successful exploitation of the ANM privilege escalation vulnerability
may result in unauthorized remote access to system processes and
services with the ability to modify. Modification of these services
could result in a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following software table identifies the earliest
possible software release that contains the fix listed in the "First
Fixed Release" column of the table. The "Recommended Release"
column indicates the release which have fixes for all the published
vulnerabilities at the time of this Advisory.
+---------------------------------------+
| | First | Recommended |
| Vulnerability | Fixed | Release |
| | Release | |
|---------------+---------+-------------|
| ACE Device | | |
| Manager | | |
| Invalid | A3(2.1) | A3(2.1) |
| Directory | | |
| Permissions | | |
|---------------+---------+-------------|
| ANM Invalid | | ANM 2.0 |
| Directory | ANM 2.0 | Update A |
| Permissions | | |
|---------------+---------+-------------|
| ANM Default | | ANM 2.0 |
| User | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM MySQL | | ANM 2.0 |
| Default | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM Java | ANM 2.0 | |
| Agent | Update | ANM 2.0 |
| Privilege | A | Update A |
| Escalation | | |
+---------------------------------------+
ANM 2.0 Update A can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin
ACE Device Manager A3(2.1) can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin
Workarounds
===========
While this Security Advisory describes multiple distinct
vulnerabilities, a workaround exists for only the following
vulnerability.
ANM Default User Credentials
+---------------------------
The ANM user "admin" account password may be modified after installation
by following the procedures documented for "Changing the Admin Password"
located in the ANM User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216
Applied Mitigation Bulletin
+--------------------------
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
- --------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
- -------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
- -----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
Acknowledgement to the National Australia Bank's Security Assurance team
for the discovery and reporting of the ACE Device Manager directory
permissions vulnerability.
The remaining vulnerabilities were identified through internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009 February 25 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 25, 2009 Document ID: 109451
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ
a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU
=xUPr
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0533 | CVE-2009-0616 | Cisco Application Networking Manager (ANM) Service disruption in (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Application Networking Manager (ANM) before 2.0 uses default usernames and passwords, which makes it easier for remote attackers to access the application, or cause a denial of service via configuration changes, related to "default user credentials during installation.".
A successful exploit may allow attackers to obtain sensitive information, view or modify files, cause denial-of-service conditions, or gain unauthorized access to the affected application. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access. A workaround that mitigates one of the issues is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.
Note: This advisory is being released simultaneously with a multiple
vulnerabilities advisory impacting the ACE appliance and module
software, which is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The following are the products and versions affected by each
vulnerability described within this advisory.
+---------------------------------------+
| Vulnerability | Product | Version |
| | Affected | Affected |
|---------------+----------+------------|
| Invalid | ACE | All |
| Directory | Device | versions |
| Permissions | Manager | prior to |
| | | A3(2.1) |
|---------------+----------+------------|
| Invalid | | All |
| Directory | ANM | versions |
| Permissions | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Default User | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| MySQL Default | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Java Agent | | versions |
| Privilege | ANM | prior to |
| Escalation | | ANM 2.0 |
| | | Update A |
+---------------------------------------+
Determining ACE Device Manager Software Version
+----------------------------------------------
The ACE Device Manager is embedded with the ACE appliance software.
To display the version of system software that is currently running
on the device, use the "show version" command. The following example
includes the output of the "show version" command on a Cisco ACE
appliance running software version A3(2.1):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
system image file: (nd)/192.168.65.32/scimitar.bin
Device Manager version 1.1 (0) 20081113:2052
---
Determining ANM Software Version
+-------------------------------
To display the version of ANM software that is currently installed,
login to the ANM server and select the "About" keyword in the upper
right. An informational pop up window will be displayed. ANM Version 2.0
Update A is indicated in the example output below.
Version: 2.0(0), Update: A
Build Number: 709
Build Timestamp: 20081031:1226
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400
Series and Cisco ACE Web Application Firewall are not affected by any of
these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
ANM is a network management application that manages Cisco ACE modules
or appliances. ANM is installed on customer provided servers with a Red
Hat Enterprise Linux operating system. The ACE Device Manager provides
a browser-based interface for configuring and managing a single ACE
appliance. The ACE Device Manager resides in flash memory on the ACE
appliance. The following details are provided for each
vulnerability addressed in this security advisory.
Invalid Directory Permissions
+----------------------------
Versions of the Cisco ACE Device Manager prior to software version
A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory
traversal vulnerabilities. These vulnerabilities could allow
unauthorized access to ACE operating system and host operating system
files. To exploit these vulnerabilities authentication is required to
initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:
* CSCsv66063
* CSCsv70130
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0615.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52724
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0616.
MySQL Default Credentials
+------------------------
ANM versions prior to ANM 2.0 use a default MySQL root user password
during installation. The MySQL database is installed by default when
ANM is initially installed. This vulnerability can be exploited
remotely with default credential authentication and without end-user
interaction. Unauthorized access to the database may allow
modification of system files that could impact the function of ANM or
allow execution of commands on the underlying host operating system.
The ACE appliance and module device configuration files in the MySQL
database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52632
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0617.
Java Agent Privilege Escalation
+------------------------------
ANM versions prior to ANM 2.0 Update A contain a remotely exploitable
vulnerability that could allow an attacker to view configuration
files and modify ANM processes including the capability to stop
services. Exploitation of this issue could result in system
information disclosure or denial of services.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu73001
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0618.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* ACE Device Manager invalid directory permissions (CSCsv66063)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM invalid directory permissions (CSCsv70130)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM default user credentials during installation (CSCsu52724)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM embedded MySQL default credentials (CSCsu52632)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM Java agent privilege escalation (CSCsu73001)
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the ACE Device Manager and ANM invalid
directory permission vulnerabilities may allow unauthorized access to
view or modify the ACE Device Manager or ANM file system, including host
operating system files. Modification of some system files could result
in a denial of service condition.
Exploitation of the ANM default user credential and ANM MySQL database
default credential vulnerabilities may allow an attacker to gain
unauthorized system access.
Unauthorized access to the MySQL database may allow modification of
system files that could impact the function of ANM or allow execution of
commands on the underlying host operating system.
Successful exploitation of the ANM privilege escalation vulnerability
may result in unauthorized remote access to system processes and
services with the ability to modify. Modification of these services
could result in a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following software table identifies the earliest
possible software release that contains the fix listed in the "First
Fixed Release" column of the table. The "Recommended Release"
column indicates the release which have fixes for all the published
vulnerabilities at the time of this Advisory.
+---------------------------------------+
| | First | Recommended |
| Vulnerability | Fixed | Release |
| | Release | |
|---------------+---------+-------------|
| ACE Device | | |
| Manager | | |
| Invalid | A3(2.1) | A3(2.1) |
| Directory | | |
| Permissions | | |
|---------------+---------+-------------|
| ANM Invalid | | ANM 2.0 |
| Directory | ANM 2.0 | Update A |
| Permissions | | |
|---------------+---------+-------------|
| ANM Default | | ANM 2.0 |
| User | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM MySQL | | ANM 2.0 |
| Default | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM Java | ANM 2.0 | |
| Agent | Update | ANM 2.0 |
| Privilege | A | Update A |
| Escalation | | |
+---------------------------------------+
ANM 2.0 Update A can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin
ACE Device Manager A3(2.1) can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin
Workarounds
===========
While this Security Advisory describes multiple distinct
vulnerabilities, a workaround exists for only the following
vulnerability.
ANM Default User Credentials
+---------------------------
The ANM user "admin" account password may be modified after installation
by following the procedures documented for "Changing the Admin Password"
located in the ANM User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216
Applied Mitigation Bulletin
+--------------------------
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
- --------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
- -------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
- -----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
Acknowledgement to the National Australia Bank's Security Assurance team
for the discovery and reporting of the ACE Device Manager directory
permissions vulnerability.
The remaining vulnerabilities were identified through internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009 February 25 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 25, 2009 Document ID: 109451
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ
a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU
=xUPr
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0534 | CVE-2009-0617 | Cisco Application Networking Manager (ANM) Vulnerable to executing arbitrary operating system commands or modifying system files |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Application Networking Manager (ANM) before 2.0 uses a default MySQL root password, which makes it easier for remote attackers to execute arbitrary operating-system commands or change system files. Cisco Application Network Manager (ANM) and Application Control Engine (ACE) Device Manager are prone to multiple security vulnerabilities, including directory-traversal issues, unauthorized access via default credentials, and a privilege-escalation issue.
A successful exploit may allow attackers to obtain sensitive information, view or modify files, cause denial-of-service conditions, or gain unauthorized access to the affected application. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access. A workaround that mitigates one of the issues is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.
Note: This advisory is being released simultaneously with a multiple
vulnerabilities advisory impacting the ACE appliance and module
software, which is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The following are the products and versions affected by each
vulnerability described within this advisory.
+---------------------------------------+
| Vulnerability | Product | Version |
| | Affected | Affected |
|---------------+----------+------------|
| Invalid | ACE | All |
| Directory | Device | versions |
| Permissions | Manager | prior to |
| | | A3(2.1) |
|---------------+----------+------------|
| Invalid | | All |
| Directory | ANM | versions |
| Permissions | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Default User | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| MySQL Default | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Java Agent | | versions |
| Privilege | ANM | prior to |
| Escalation | | ANM 2.0 |
| | | Update A |
+---------------------------------------+
Determining ACE Device Manager Software Version
+----------------------------------------------
The ACE Device Manager is embedded with the ACE appliance software.
To display the version of system software that is currently running
on the device, use the "show version" command. The following example
includes the output of the "show version" command on a Cisco ACE
appliance running software version A3(2.1):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
system image file: (nd)/192.168.65.32/scimitar.bin
Device Manager version 1.1 (0) 20081113:2052
---
Determining ANM Software Version
+-------------------------------
To display the version of ANM software that is currently installed,
login to the ANM server and select the "About" keyword in the upper
right. An informational pop up window will be displayed. ANM Version 2.0
Update A is indicated in the example output below.
Version: 2.0(0), Update: A
Build Number: 709
Build Timestamp: 20081031:1226
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400
Series and Cisco ACE Web Application Firewall are not affected by any of
these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
ANM is a network management application that manages Cisco ACE modules
or appliances. ANM is installed on customer provided servers with a Red
Hat Enterprise Linux operating system. The ACE Device Manager provides
a browser-based interface for configuring and managing a single ACE
appliance. The ACE Device Manager resides in flash memory on the ACE
appliance. The following details are provided for each
vulnerability addressed in this security advisory.
Invalid Directory Permissions
+----------------------------
Versions of the Cisco ACE Device Manager prior to software version
A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory
traversal vulnerabilities. These vulnerabilities could allow
unauthorized access to ACE operating system and host operating system
files. To exploit these vulnerabilities authentication is required to
initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:
* CSCsv66063
* CSCsv70130
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0615.
Default User Credentials
+-----------------------
Versions of Cisco ANM prior to software version ANM 2.0 do not force
credential changes during installation.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52724
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0616.
MySQL Default Credentials
+------------------------
ANM versions prior to ANM 2.0 use a default MySQL root user password
during installation. The MySQL database is installed by default when
ANM is initially installed. This vulnerability can be exploited
remotely with default credential authentication and without end-user
interaction.
The ACE appliance and module device configuration files in the MySQL
database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52632
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0617.
Java Agent Privilege Escalation
+------------------------------
ANM versions prior to ANM 2.0 Update A contain a remotely exploitable
vulnerability that could allow an attacker to view configuration
files and modify ANM processes including the capability to stop
services. Exploitation of this issue could result in system
information disclosure or denial of services.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu73001
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0618.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* ACE Device Manager invalid directory permissions (CSCsv66063)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM invalid directory permissions (CSCsv70130)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM default user credentials during installation (CSCsu52724)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM embedded MySQL default credentials (CSCsu52632)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM Java agent privilege escalation (CSCsu73001)
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the ACE Device Manager and ANM invalid
directory permission vulnerabilities may allow unauthorized access to
view or modify the ACE Device Manager or ANM file system, including host
operating system files. Modification of some system files could result
in a denial of service condition.
Exploitation of the ANM default user credential and ANM MySQL database
default credential vulnerabilities may allow an attacker to gain
unauthorized system access. Modification of ANM settings with the
default user credentials could result in a denial of service condition.
Successful exploitation of the ANM privilege escalation vulnerability
may result in unauthorized remote access to system processes and
services with the ability to modify. Modification of these services
could result in a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following software table identifies the earliest
possible software release that contains the fix listed in the "First
Fixed Release" column of the table. The "Recommended Release"
column indicates the release which have fixes for all the published
vulnerabilities at the time of this Advisory.
+---------------------------------------+
| | First | Recommended |
| Vulnerability | Fixed | Release |
| | Release | |
|---------------+---------+-------------|
| ACE Device | | |
| Manager | | |
| Invalid | A3(2.1) | A3(2.1) |
| Directory | | |
| Permissions | | |
|---------------+---------+-------------|
| ANM Invalid | | ANM 2.0 |
| Directory | ANM 2.0 | Update A |
| Permissions | | |
|---------------+---------+-------------|
| ANM Default | | ANM 2.0 |
| User | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM MySQL | | ANM 2.0 |
| Default | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM Java | ANM 2.0 | |
| Agent | Update | ANM 2.0 |
| Privilege | A | Update A |
| Escalation | | |
+---------------------------------------+
ANM 2.0 Update A can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin
ACE Device Manager A3(2.1) can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin
Workarounds
===========
While this Security Advisory describes multiple distinct
vulnerabilities, a workaround exists for only the following
vulnerability.
ANM Default User Credentials
+---------------------------
The ANM user "admin" account password may be modified after installation
by following the procedures documented for "Changing the Admin Password"
located in the ANM User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216
Applied Mitigation Bulletin
+--------------------------
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
- --------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
- -------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
- -----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
Acknowledgement to the National Australia Bank's Security Assurance team
for the discovery and reporting of the ACE Device Manager directory
permissions vulnerability.
The remaining vulnerabilities were identified through internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009 February 25 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 25, 2009 Document ID: 109451
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ
a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU
=xUPr
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0535 | CVE-2009-0618 | Cisco Application Networking Manager (ANM) of Java Elevation of privilege vulnerability in agents |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java agent in Cisco Application Networking Manager (ANM) before 2.0 Update A allows remote attackers to gain privileges, and cause a denial of service (service outage) by stopping processes, or obtain sensitive information by reading configuration files. Cisco Application Network Manager (ANM) and Application Control Engine (ACE) Device Manager are prone to multiple security vulnerabilities, including directory-traversal issues, unauthorized access via default credentials, and a privilege-escalation issue. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access. A workaround that mitigates one of the issues is
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.
Note: This advisory is being released simultaneously with a multiple
vulnerabilities advisory impacting the ACE appliance and module
software, which is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.
Affected Products
=================
Vulnerable Products
- -------------------
The following are the products and versions affected by each
vulnerability described within this advisory.
+---------------------------------------+
| Vulnerability | Product | Version |
| | Affected | Affected |
|---------------+----------+------------|
| Invalid | ACE | All |
| Directory | Device | versions |
| Permissions | Manager | prior to |
| | | A3(2.1) |
|---------------+----------+------------|
| Invalid | | All |
| Directory | ANM | versions |
| Permissions | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Default User | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| MySQL Default | ANM | versions |
| Credentials | | prior to |
| | | ANM 2.0 |
|---------------+----------+------------|
| | | All |
| Java Agent | | versions |
| Privilege | ANM | prior to |
| Escalation | | ANM 2.0 |
| | | Update A |
+---------------------------------------+
Determining ACE Device Manager Software Version
+----------------------------------------------
The ACE Device Manager is embedded with the ACE appliance software.
To display the version of system software that is currently running
on the device, use the "show version" command. The following example
includes the output of the "show version" command on a Cisco ACE
appliance running software version A3(2.1):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
system image file: (nd)/192.168.65.32/scimitar.bin
Device Manager version 1.1 (0) 20081113:2052
---
Determining ANM Software Version
+-------------------------------
To display the version of ANM software that is currently installed,
login to the ANM server and select the "About" keyword in the upper
right. An informational pop up window will be displayed. ANM Version 2.0
Update A is indicated in the example output below.
Version: 2.0(0), Update: A
Build Number: 709
Build Timestamp: 20081031:1226
Products Confirmed Not Vulnerable
- ---------------------------------
The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400
Series and Cisco ACE Web Application Firewall are not affected by any of
these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
ANM is a network management application that manages Cisco ACE modules
or appliances. ANM is installed on customer provided servers with a Red
Hat Enterprise Linux operating system. The ACE Device Manager provides
a browser-based interface for configuring and managing a single ACE
appliance. The ACE Device Manager resides in flash memory on the ACE
appliance. The following details are provided for each
vulnerability addressed in this security advisory.
Invalid Directory Permissions
+----------------------------
Versions of the Cisco ACE Device Manager prior to software version
A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory
traversal vulnerabilities. These vulnerabilities could allow
unauthorized access to ACE operating system and host operating system
files. To exploit these vulnerabilities authentication is required to
initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:
* CSCsv66063
* CSCsv70130
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0615.
Default User Credentials
+-----------------------
Versions of Cisco ANM prior to software version ANM 2.0 do not force
credential changes during installation.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52724
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0616.
MySQL Default Credentials
+------------------------
ANM versions prior to ANM 2.0 use a default MySQL root user password
during installation. The MySQL database is installed by default when
ANM is initially installed. This vulnerability can be exploited
remotely with default credential authentication and without end-user
interaction. Unauthorized access to the database may allow
modification of system files that could impact the function of ANM or
allow execution of commands on the underlying host operating system.
The ACE appliance and module device configuration files in the MySQL
database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu52632
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0617. Exploitation of this issue could result in system
information disclosure or denial of services.
This vulnerability is documented in the following Cisco Bug ID:
* CSCsu73001
This vulnerability has been assigned the Common Vulnerability and
Exposures (CVE) ID CVE-2009-0618.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* ACE Device Manager invalid directory permissions (CSCsv66063)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM invalid directory permissions (CSCsv70130)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM default user credentials during installation (CSCsu52724)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM embedded MySQL default credentials (CSCsu52632)
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
* ANM Java agent privilege escalation (CSCsu73001)
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the ACE Device Manager and ANM invalid
directory permission vulnerabilities may allow unauthorized access to
view or modify the ACE Device Manager or ANM file system, including host
operating system files. Modification of some system files could result
in a denial of service condition.
Exploitation of the ANM default user credential and ANM MySQL database
default credential vulnerabilities may allow an attacker to gain
unauthorized system access. Modification of ANM settings with the
default user credentials could result in a denial of service condition.
Unauthorized access to the MySQL database may allow modification of
system files that could impact the function of ANM or allow execution of
commands on the underlying host operating system.
Successful exploitation of the ANM privilege escalation vulnerability
may result in unauthorized remote access to system processes and
services with the ability to modify. Modification of these services
could result in a denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following software table identifies the earliest
possible software release that contains the fix listed in the "First
Fixed Release" column of the table. The "Recommended Release"
column indicates the release which have fixes for all the published
vulnerabilities at the time of this Advisory.
+---------------------------------------+
| | First | Recommended |
| Vulnerability | Fixed | Release |
| | Release | |
|---------------+---------+-------------|
| ACE Device | | |
| Manager | | |
| Invalid | A3(2.1) | A3(2.1) |
| Directory | | |
| Permissions | | |
|---------------+---------+-------------|
| ANM Invalid | | ANM 2.0 |
| Directory | ANM 2.0 | Update A |
| Permissions | | |
|---------------+---------+-------------|
| ANM Default | | ANM 2.0 |
| User | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM MySQL | | ANM 2.0 |
| Default | ANM 2.0 | Update A |
| Credentials | | |
|---------------+---------+-------------|
| ANM Java | ANM 2.0 | |
| Agent | Update | ANM 2.0 |
| Privilege | A | Update A |
| Escalation | | |
+---------------------------------------+
ANM 2.0 Update A can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin
ACE Device Manager A3(2.1) can be downloaded from:
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin
Workarounds
===========
While this Security Advisory describes multiple distinct
vulnerabilities, a workaround exists for only the following
vulnerability.
ANM Default User Credentials
+---------------------------
The ANM user "admin" account password may be modified after installation
by following the procedures documented for "Changing the Admin Password"
located in the ANM User Guide at:
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216
Applied Mitigation Bulletin
+--------------------------
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation
Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
- --------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
- -------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
- -----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
Acknowledgement to the National Australia Bank's Security Assurance team
for the discovery and reporting of the ACE Device Manager directory
permissions vulnerability.
The remaining vulnerabilities were identified through internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009 February 25 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Feb 25, 2009 Document ID: 109451
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ
a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU
=xUPr
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0536 | CVE-2009-0620 |
Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Elevation of privilege vulnerability in module
Related entries in the VARIoT exploits database: VAR-E-200902-0505 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses default (1) usernames and (2) passwords for (a) the administrator and (b) web management, which makes it easier for remote attackers to perform configuration changes or obtain operating-system access. Other attacks are also possible. Workarounds that mitigate some of the vulnerabilities are
available.
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
Note: This advisory is being released simultaneously with a multiple
vulnerability disclosure advisory that impacts the Cisco 4700 Series
Application Control Engine Device Manager and Application Networking
Manager module software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following table displays the products that are affected by each
vulnerability that is described within this advisory.
+-------------------------------------------------------------------+
| | Products and Versions |
| | Affected |
|Vulnerability |-----------------------------|
| | Cisco ACE | Cisco ACE |
| | 4710 | Module |
| | Appliance | |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Default Usernames and Passwords | prior to A1 | prior to A2 |
| | (8a) | (1.1) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Privilege Escalation Vulnerability | prior to A1 | prior to A2 |
| | (8a) | (1.2) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 |
| | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| Crafted Simple Network Management | All versions | All versions |
| Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 |
| Vulnerability | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 |
| | (8.0) | (1.2) |
+-------------------------------------------------------------------+
Determining Software Versions
+----------------------------
To display the version of system software that is currently running
on Cisco ACE Application Control Engine, use the show version
command. The following example displays the output of the show
version command on the Cisco ACE Application Control Engine software
version A3(1.0):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 0.95
system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
...
<output truncated>
The following example displays the output of the show version command
on a Cisco ACE Application Control Engine module software version A1(1):
ACE-mod/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 12.2[117]
system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]
system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin
licensed features: no feature license is installed
...
<output truncated>
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall,
and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are
not affected by any of the vulnerabilities that are described in this
advisory. No other Cisco products are currently known to be affected
by these vulnerabilities. Multiple
vulnerabilities exist in both products. The following information
provides the details about each of the vulnerabilities that are
addressed in this advisory. The appliance and module do not prompt users
to modify system account passwords during the initial configuration
process. An attacker with knowledge of these accounts could modify
the application configuration and, in certain instances, gain user
access to the host operating system. This vulnerability is documented in Cisco Bug
ID CSCsq32379 ( registered customers only) and has also been assigned
the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621. An
authenticated user could exploit this vulnerability to invoke
administrative commands via the device command line interface (CLI).
An attacker could exploit this vulnerability to cause the device to
reload by sending a crafted SSH packet to it.
Note: SSH access must be configured on the affected device for it to
be vulnerable. SSH access is not enabled by default. A full TCP
three-way handshake is not necessary to trigger the effects of this
vulnerability.
An authenticated attacker could send a crafted SNMPv1 packet to an
affected device to cause it to reload.
Note: SNMPv2c must be explicitly configured in an affected device in
order to process any SNMPv2c transactions. SNMPv2c is not enabled by
default.
An where an attacker may could cause the a device to reload by
sending a crafted SNMPv3 packet to it.
Note: SNMPv3 must be explicitly configured in an affected device in
order to process any SNMPv3 transactions. SNMPv3 is not enabled by
default.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module
and appliance
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq32379 - DM Default Account Credentials
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module
and ACE Appliance
CVSS Base Score - 9
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module
or appliance to reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE
module and appliance
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Single
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE
appliance
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
An attacker with knowledge of the Default Usernames and Passwords
Vulnerability accounts could modify the device configuration and, in
certain instances, gain user access to the host operating system.
An exploit of the Privilege Escalation Vulnerability could allow an
authenticated attacker to execute host operating system
administrative commands.
Successful exploitation of the Crafted SSH Packet Vulnerability,
Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet
Vulnerability may cause a reload of the affected device. Repeated
exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table (below) describes the earliest
possible releases that contain the fix (along with the anticipated
date of availability for each, if applicable) are listed in the
"First Fixed Release" column of the table. The "Recommended Release"
column indicates the releases which have fixes for all the published
vulnerabilities at the time of this Advisory. A device running a
release in the given train that is earlier than the release in a
specific column (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Releases" column of the table.
+----------------------------------------------------------------------------------------------------------+
| | Products and Versions Affected |
| |---------------------------------------------------------------------|
| | Cisco ACE 4710 Appliance | Cisco ACE Module |
|Vulnerability |----------------------------------+----------------------------------|
| | First Fixed | Recommended | First | |
| | Release | Release | Fixed | Recommended Release |
| | | | Release | |
|------------------------------------+---------------+------------------+------------+---------------------|
| Default Usernames and Passwords | A1(8a) | A3(2.1) | A2(1.1) | A2(1.3) |
|------------------------------------+---------------+------------------+------------+---------------------|
| Privilege Escalation Vulnerability | A1(8a) | A3(2.1) | A2(1.2) | A2(1.3) |
|------------------------------------+---------------+------------------+------------+---------------------|
| Crafted SSH Packet Vulnerability | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) |
|------------------------------------+---------------+------------------+------------+---------------------|
| Crafted SNMPv2 Packet | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) |
| Vulnerability | | | | |
|------------------------------------+---------------+------------------+------------+---------------------|
| Crafted SNMPv2 Packet | A1(8.0) | A3(2.1) | A2(1.2) | A2(1.3) |
| Vulnerability | | | | |
+----------------------------------------------------------------------------------------------------------+
Cisco ACE module software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289
Cisco ACE 4710 Application Control Engine appliance software can be
downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are
independent of each other.
Default Usernames and Passwords
+------------------------------
To change the default administrative password, use the username
command in configuration mode. The syntax of this command is as
follows:
username admin [password [0 | 5] {password}]
The keywords, arguments, and options are:
admin--Specifies the default administrative user name.
password--(Optional) Keyword that indicates that a password follows.
0--(Optional) Specifies a clear text password.
5--(Optional) Specifies an MD5-hashed strong encryption password.
password--The password in clear text, encrypted text, or MD5 strong
encryption, depending on the numbered option (0 or 5) that you enter.
If you do not enter a numbered option, the password is in clear text
by default. Enter a password as an unquoted text string with a
maximum of 64 characters.
For example, to create a user named admin that uses the clear text
password my_super_secret_88312, enter the following command:
ACE(config)# username admin password 0 my_super_secret_88312
Note: This process can also be followed to change the www user
account credentials. The dm user is for accessing the Device Manager
GUI and cannot be modified or deleted. The dm user is an internal
user required by the Device Manager GUI; it is hidden on the ACE CLI.
For more information refer to:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html
Privilege Escalation Vulnerability
+---------------------------------
There are no workarounds for this vulnerability.
Crafted SSH Packet Vulnerability
+-------------------------------
SSH management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH
packets that are sent to an affected device. In the following
example, 192.168.100.1 is considered a trusted source that requires
SSH access to the affected device. Care should be taken to allow all
required management access to the affected device. An attacker could
exploit this vulnerability using spoofed packets. This workaround
cannot provide complete protection against this vulnerability when
the attack comes from a trusted source address.
The following example demonstrates how SSH access to the ACE is only
allowed from the 192.168.100.1 host:
!-- Configure a class to allow SSH from the trusted source
!
class-map type management match-all Permit_SSH_Class
description Allow SSH from trusted sources Class
match protocol ssh source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows ssh from the
!--trusted source configured in the above class
!
policy-map type management first-match Permit_SSH_Policy
description Allow SSH from trusted sources Policy
class Permit_SSH_Class
permit
!
!-- Apply the management policy globally
!
service-policy input Permit_SSH_Policy
Additional information about "Configuring SSH Management Sessions" is
available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450
Additional information about "Configuring Class Maps and Policy Maps"
is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
warning Warning: It is possible to easily spoof the sender's IP
address, which may defeat class maps and access control lists (ACLs)
that permit communication to the device from trusted IP addresses.
Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities
+-----------------------------------------------
SNMP management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SNMP
packets on UDP port 161 that are sent to an affected device. In the
following example, 192.168.100.1 is considered a trusted source that
requires SNMP access to the affected device. Care should be taken to
allow all required management access to the affected device. An
attacker could exploit this vulnerability using spoofed packets. This
workaround cannot provide complete protection against this
vulnerability when the attack comes from a trusted source address.
!-- Configure a class to allow SNMP from the trusted source
!
class-map type management match-all Permit_SNMP_Class
description Allow SNMP from trusted sources Class
2 match protocol snmp source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows snmp from the
!--trusted source configured in the above class
!
policy-map type management first-match Permit_SNMP_Policy
description Allow SNMP from trusted sources Policy
class Permit_SNMP_Class
permit
!-- Apply the management policy globally
!
service-policy input Permit_SNMP_Policy
Additional information about "SNMP Management Traffic Services" is
available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011
Additional information about "Configuring Class Maps and Policy Maps"
is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-February-25 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkmlbsoACgkQ86n/Gc8U/uA9egCgiM1YYI9hZhS8iZ5kbEw6vxaq
gM8AnjpFAJaZ/RK593w/5j/mRHxjkLVo
=rWBu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0537 | CVE-2009-0621 |
Cisco ACE 4710 Application Control Engine Appliance In Device Manager Vulnerabilities that change the settings of and other components or gain access to the operating system
Related entries in the VARIoT exploits database: VAR-E-200902-0505 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses default (1) usernames and (2) passwords for (a) the administrator, (b) web management, and (c) device management, which makes it easier for remote attackers to perform configuration changes to the Device Manager and other components, or obtain operating-system access. Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine are prone to multiple remote vulnerabilities:
- Multiple authentication-bypass issues
- A remote privilege-escalation issue
- Multiple denial-of-service issues
Attackers can exploit these issues to execute arbitrary commands, gain administrative access, and cause denial-of-service conditions. Other attacks are also possible. Workarounds that mitigate some of the vulnerabilities are
available.
Note: These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
Note: This advisory is being released simultaneously with a multiple
vulnerability disclosure advisory that impacts the Cisco 4700 Series
Application Control Engine Device Manager and Application Networking
Manager module software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following table displays the products that are affected by each
vulnerability that is described within this advisory.
+-------------------------------------------------------------------+
| | Products and Versions |
| | Affected |
|Vulnerability |-----------------------------|
| | Cisco ACE | Cisco ACE |
| | 4710 | Module |
| | Appliance | |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Default Usernames and Passwords | prior to A1 | prior to A2 |
| | (8a) | (1.1) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Privilege Escalation Vulnerability | prior to A1 | prior to A2 |
| | (8a) | (1.2) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 |
| | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| Crafted Simple Network Management | All versions | All versions |
| Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 |
| Vulnerability | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 |
| | (8.0) | (1.2) |
+-------------------------------------------------------------------+
Determining Software Versions
+----------------------------
To display the version of system software that is currently running
on Cisco ACE Application Control Engine, use the show version
command. The following example displays the output of the show
version command on the Cisco ACE Application Control Engine software
version A3(1.0):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 0.95
system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
...
<output truncated>
The following example displays the output of the show version command
on a Cisco ACE Application Control Engine module software version A1(1):
ACE-mod/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 12.2[117]
system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]
system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin
licensed features: no feature license is installed
...
<output truncated>
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall,
and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are
not affected by any of the vulnerabilities that are described in this
advisory. No other Cisco products are currently known to be affected
by these vulnerabilities. Multiple
vulnerabilities exist in both products. The following information
provides the details about each of the vulnerabilities that are
addressed in this advisory. The appliance and module do not prompt users
to modify system account passwords during the initial configuration
process. An attacker with knowledge of these accounts could modify
the application configuration and, in certain instances, gain user
access to the host operating system. This vulnerability is documented in Cisco Bug
ID CSCsq32379 ( registered customers only) and has also been assigned
the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621. An
authenticated user could exploit this vulnerability to invoke
administrative commands via the device command line interface (CLI).
An attacker could exploit this vulnerability to cause the device to
reload by sending a crafted SSH packet to it.
Note: SSH access must be configured on the affected device for it to
be vulnerable. SSH access is not enabled by default. A full TCP
three-way handshake is not necessary to trigger the effects of this
vulnerability.
An authenticated attacker could send a crafted SNMPv1 packet to an
affected device to cause it to reload.
Note: SNMPv2c must be explicitly configured in an affected device in
order to process any SNMPv2c transactions. SNMPv2c is not enabled by
default.
An where an attacker may could cause the a device to reload by
sending a crafted SNMPv3 packet to it.
Note: SNMPv3 must be explicitly configured in an affected device in
order to process any SNMPv3 transactions. SNMPv3 is not enabled by
default.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module
and appliance
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq32379 - DM Default Account Credentials
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module
and ACE Appliance
CVSS Base Score - 9
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module
or appliance to reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE
module and appliance
CVSS Base Score - 6.8
Access Vector - Network
Access Complexity - Single
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE
appliance
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
An attacker with knowledge of the Default Usernames and Passwords
Vulnerability accounts could modify the device configuration and, in
certain instances, gain user access to the host operating system.
An exploit of the Privilege Escalation Vulnerability could allow an
authenticated attacker to execute host operating system
administrative commands.
Successful exploitation of the Crafted SSH Packet Vulnerability,
Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet
Vulnerability may cause a reload of the affected device. Repeated
exploitation could result in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the software table (below) describes the earliest
possible releases that contain the fix (along with the anticipated
date of availability for each, if applicable) are listed in the
"First Fixed Release" column of the table. The "Recommended Release"
column indicates the releases which have fixes for all the published
vulnerabilities at the time of this Advisory. A device running a
release in the given train that is earlier than the release in a
specific column (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Releases" column of the table.
+----------------------------------------------------------------------------------------------------------+
| | Products and Versions Affected |
| |---------------------------------------------------------------------|
| | Cisco ACE 4710 Appliance | Cisco ACE Module |
|Vulnerability |----------------------------------+----------------------------------|
| | First Fixed | Recommended | First | |
| | Release | Release | Fixed | Recommended Release |
| | | | Release | |
|------------------------------------+---------------+------------------+------------+---------------------|
| Default Usernames and Passwords | A1(8a) | A3(2.1) | A2(1.1) | A2(1.3) |
|------------------------------------+---------------+------------------+------------+---------------------|
| Privilege Escalation Vulnerability | A1(8a) | A3(2.1) | A2(1.2) | A2(1.3) |
|------------------------------------+---------------+------------------+------------+---------------------|
| Crafted SSH Packet Vulnerability | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) |
|------------------------------------+---------------+------------------+------------+---------------------|
| Crafted SNMPv2 Packet | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) |
| Vulnerability | | | | |
|------------------------------------+---------------+------------------+------------+---------------------|
| Crafted SNMPv2 Packet | A1(8.0) | A3(2.1) | A2(1.2) | A2(1.3) |
| Vulnerability | | | | |
+----------------------------------------------------------------------------------------------------------+
Cisco ACE module software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289
Cisco ACE 4710 Application Control Engine appliance software can be
downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179
Workarounds
===========
This Security Advisory describes multiple distinct vulnerabilities.
These vulnerabilities and their respective workarounds are
independent of each other.
Default Usernames and Passwords
+------------------------------
To change the default administrative password, use the username
command in configuration mode. The syntax of this command is as
follows:
username admin [password [0 | 5] {password}]
The keywords, arguments, and options are:
admin--Specifies the default administrative user name.
password--(Optional) Keyword that indicates that a password follows.
0--(Optional) Specifies a clear text password.
5--(Optional) Specifies an MD5-hashed strong encryption password.
password--The password in clear text, encrypted text, or MD5 strong
encryption, depending on the numbered option (0 or 5) that you enter.
If you do not enter a numbered option, the password is in clear text
by default. Enter a password as an unquoted text string with a
maximum of 64 characters.
For example, to create a user named admin that uses the clear text
password my_super_secret_88312, enter the following command:
ACE(config)# username admin password 0 my_super_secret_88312
Note: This process can also be followed to change the www user
account credentials. The dm user is for accessing the Device Manager
GUI and cannot be modified or deleted. The dm user is an internal
user required by the Device Manager GUI; it is hidden on the ACE CLI.
For more information refer to:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html
Privilege Escalation Vulnerability
+---------------------------------
There are no workarounds for this vulnerability.
Crafted SSH Packet Vulnerability
+-------------------------------
SSH management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH
packets that are sent to an affected device. In the following
example, 192.168.100.1 is considered a trusted source that requires
SSH access to the affected device. Care should be taken to allow all
required management access to the affected device. An attacker could
exploit this vulnerability using spoofed packets. This workaround
cannot provide complete protection against this vulnerability when
the attack comes from a trusted source address.
The following example demonstrates how SSH access to the ACE is only
allowed from the 192.168.100.1 host:
!-- Configure a class to allow SSH from the trusted source
!
class-map type management match-all Permit_SSH_Class
description Allow SSH from trusted sources Class
match protocol ssh source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows ssh from the
!--trusted source configured in the above class
!
policy-map type management first-match Permit_SSH_Policy
description Allow SSH from trusted sources Policy
class Permit_SSH_Class
permit
!
!-- Apply the management policy globally
!
service-policy input Permit_SSH_Policy
Additional information about "Configuring SSH Management Sessions" is
available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450
Additional information about "Configuring Class Maps and Policy Maps"
is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
warning Warning: It is possible to easily spoof the sender's IP
address, which may defeat class maps and access control lists (ACLs)
that permit communication to the device from trusted IP addresses.
Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities
+-----------------------------------------------
SNMP management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SNMP
packets on UDP port 161 that are sent to an affected device. In the
following example, 192.168.100.1 is considered a trusted source that
requires SNMP access to the affected device. Care should be taken to
allow all required management access to the affected device. An
attacker could exploit this vulnerability using spoofed packets. This
workaround cannot provide complete protection against this
vulnerability when the attack comes from a trusted source address.
!-- Configure a class to allow SNMP from the trusted source
!
class-map type management match-all Permit_SNMP_Class
description Allow SNMP from trusted sources Class
2 match protocol snmp source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows snmp from the
!--trusted source configured in the above class
!
policy-map type management first-match Permit_SNMP_Policy
description Allow SNMP from trusted sources Policy
class Permit_SNMP_Class
permit
!-- Apply the management policy globally
!
service-policy input Permit_SNMP_Policy
Additional information about "SNMP Management Traffic Services" is
available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011
Additional information about "Configuring Class Maps and Policy Maps"
is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-February-25 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkmlbsoACgkQ86n/Gc8U/uA9egCgiM1YYI9hZhS8iZ5kbEw6vxaq
gM8AnjpFAJaZ/RK593w/5j/mRHxjkLVo
=rWBu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200902-0538 | CVE-2009-0622 |
Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Modules and Cisco ACE 4710 Application Control Engine Appliance In any OS Command execution vulnerability
Related entries in the VARIoT exploits database: VAR-E-200902-0505 |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.2) and Cisco ACE 4710 Application Control Engine Appliance before A1(8a) allows remote authenticated users to execute arbitrary operating-system commands through a command line interface (CLI). Other attacks are also possible. Remote authentication users can execute arbitrary system commands through the command line interface
| VAR-200902-0539 | CVE-2009-0623 |
Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Modules and Cisco ACE 4710 Application Control Engine Appliance Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200902-0505 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.3) and Cisco ACE 4710 Application Control Engine Appliance before A3(2.1) allows remote attackers to cause a denial of service (device reload) via a crafted SSH packet. Other attacks are also possible. Remote authentication users can cause denial of service by constructing SSH packets
| VAR-200902-0667 | CVE-2009-0744 | Apple Safari Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character. Apple Safari is prone to a denial-of-service vulnerability that stems from a NULL-pointer dereference.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
Apple Safari 4 Beta is vulnerable; other versions may also be affected. Safari is the web browser bundled by default in the Apple family operating system. Malformed feeds in Apple Safari: URI Null Pointer Reference Denial of Service Vulnerability. Since the user input provided in the feeds: URI is not adequately filtered, if the user is tricked into following a malicious link, a null pointer dereference will be triggered, causing the Safari process to crash
| VAR-200902-0677 | CVE-2008-4308 | Apache Tomcat POST Data Information Disclosure Vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request. Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. This vulnerability was addressed and solved in ASF Bugzilla - Bug 40771. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 40771. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue.A remote attacker could possibly obtain user credentials such as password, session ID, user ID, etc. According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected. They have confirmed that Apache Tomcat 6.0.x is not affected.
Remote attackers can exploit this issue to obtain sensitive data stored on the server. Information obtained may lead to further attacks. Publication of this issue was then
postponed until now at the request of the reporter. For
a vulnerability to exist the content read from the input stream must be
disclosed, eg via writing it to the response and committing the
response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.
Mitigation:
Upgrade to:
4.1.35 or later
5.5.21 or later
6.0.0 or later
Example:
See original bug report for example of how to create the error condition.
Credit:
This issue was discovered by Fujitsu and reported to the Tomcat Security
Team via JPCERT.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
U3IdbfYNVtRIzCW5XTvhv2E=
=rJGg
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Did you know? Our assessment and impact rating along with detailed
information such as exploit code availability, or if an updated patch
is released by the vendor, is not part of this mailing-list?
Click here to learn more about our commercial solutions:
http://secunia.com/advisories/business_solutions/
Click here to trial our solutions:
http://secunia.com/advisories/try_vi/
----------------------------------------------------------------------
TITLE:
Apache Tomcat POST Content Disclosure Vulnerability
SECUNIA ADVISORY ID:
SA34057
VERIFY ADVISORY:
http://secunia.com/advisories/34057/
DESCRIPTION:
A vulnerability has been reported in Apache Tomcat, which can be
exploited by malicious people to potentially disclose sensitive
information.
The vulnerability is reported in versions 4.1.32 through 4.1.34 and
5.5.10 through 5.5.20.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Fujitsu, reporting via JPCERT.
ORIGINAL ADVISORY:
Apache Tomcat:
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://www.mail-archive.com/users@tomcat.apache.org/msg57428.html
JVN:
http://jvn.jp/jp/JVN66905322/index.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------