[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Wireless Control System
Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Wireless Control System

Advisory ID: cisco-sa-20070412-wcs

http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml

Revision 1.0

For Public Release 2007 April 12 1600 UTC (GMT)

Summary
=======

The Cisco Wireless Control System (WCS) works in conjunction with Cisco Aironet Lightweight Access Points, Cisco Wireless LAN Controllers, and the Cisco Wireless Location Appliance by providing tools for wireless LAN planning and design, system configuration, location tracking, security monitoring, and wireless LAN management.

Cisco WCS contains multiple vulnerabilities that can result in information disclosure, privilege escalation, and unauthorized access through fixed authentication credentials.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml.

Affected Products
=================

This section provides details on affected products.

Vulnerable Products
+------------------

Versions of WCS prior to 4.0.96.0 are affected by one or more of these vulnerabilities. To identify the first fixed version for a specific Cisco Bug ID, please see the Software Versions and Fixes section of this advisory.

To determine the version of WCS running in a given environment, take the following steps:

1. Log in to the WCS graphical web interface.
2. From the menu, select Help > About the Software.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.
Details
=======

The Cisco Wireless Control System (WCS) works in conjunction with Cisco Aironet Lightweight Access Points, Cisco Wireless LAN Controllers, and the Cisco Wireless Location Appliance by providing tools for wireless LAN planning and design, system configuration, location tracking, security monitoring, and wireless LAN management.

Cisco WCS contains the following vulnerabilities:

Fixed FTP Credentials For WCS Location Backup
+--------------------------------------------

WCS can be configured to back up the data stored on the Cisco Wireless Location Appliance via FTP. Affected versions of WCS include a fixed user name and password for this backup operation; these credentials cannot be changed or disabled. Knowledge of these credentials, when combined with other properties of the FTP server, could allow an attacker to read from and write to arbitrary files on the server hosting the WCS application. In some cases, this could be leveraged to alter system files and compromise the server.

This vulnerability is documented by Cisco Bug ID CSCse93014.

Account Group Privilege Escalation
+---------------------------------

The WCS authentication system contains a privilege escalation vulnerability that allows any user with a valid user name and password to change their account group membership. For example, a user in the LobbyAmbassador group can add themselves to the SuperUsers group. This privilege escalation can allow full administrative control of WCS and the wireless networks it manages.

This vulnerability is documented by Cisco Bug IDs CSCse78596 and CSCsg05190.

Information Disclosure to Unauthenticated Users
+----------------------------------------------

On affected versions of WCS, several directories within the WCS page hierarchy are not password protected and could be accessed by an unauthenticated user. Although the information available would not allow an attacker to gain access to WCS, it would be possible to obtain information about the organization of the network, including access point locations.

This vulnerability is documented by Cisco Bug ID CSCsg04301.
Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

CSCse93014 - Fixed FTP Credentials For WCS Location
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets

Advisory ID: cisco-sa-20070522-SSL

http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Revision 1.0

For Public Release 2007 May 22 1300 UTC (GMT)

Summary
=======

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

* Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
* Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
* Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007.
This software table is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol. The following application layer protocols in Cisco IOS use SSL:

* Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL.
* Cisco Network Security (CNS) Agent with SSL support
* Firewall Support of HTTPS Authentication Proxy
* Cisco IOS Clientless SSL VPN (WebVPN) support

Other protocols that use encryption to provide security but do not use SSL are not affected by these vulnerabilities. Specifically, IPSec and Secure Shell (SSH) are not affected.

To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.

Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to these vulnerabilities. Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field. The following example shows output from a device running an IOS image with crypto support:

    Router>show version
    Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Thu 31-Mar-05 08:04 by yiyan

Since the feature set designator (IK9S) contains 'K9', it can be determined that this feature set contains crypto support.

Additional information about Cisco IOS release naming is available at the following link:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml

The following text describes how to recognize if any of the affected services are enabled on a device.

Hyper Text Transfer Protocol Over SSL (HTTPS)
+--------------------------------------------

To determine if a device has HTTPS enabled, enter the command show run | include secure-server. The following example shows output from a device that has HTTPS enabled:

    Router#show run | include secure-server
    ip http secure-server

The following example shows output from a device that does not have HTTPS enabled:

    Router#show run | include secure-server
    no ip http secure-server

CNS Agent With SSL Support
+-------------------------

CNS Agent with SSL
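The two checks above (a K8/K9 feature-set designator in the show version banner, and an un-negated ip http secure-server line in the running configuration) can be scripted over saved command output, which is how a practitioner would triage a fleet rather than logging in to each router. The following Python is an added example written for this page, not Cisco's code. It parses the advisory's own sample banner, a constructed non-crypto banner, and the two show run | include secure-server outputs shown above, and it serves equally for the identical feature-set check repeated in the crypto-library advisory below. It assumes the image name follows the platform-featureset-format convention of the release-naming document linked above (the feature set is the second hyphen-separated field), and it treats a configuration dump with no ip http secure-server line at all as HTTPS disabled; both are assumptions, not statements from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Matches the banner line, e.g.
# "Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)"
BANNER_RE = re.compile(r"\((?P<image>[^()]+)\),\s*Version\s+(?P<version>[^,\s]+)")
# Matches "ip http secure-server" and its negated form "no ip http secure-server".
HTTPS_RE = re.compile(r"^\s*(?P<neg>no\s+)?ip http secure-server\s*$", re.MULTILINE)


@dataclass
class IosSslExposure:
    image: str           # image name from the banner, e.g. C7200-IK9S-M
    version: str         # IOS release string, e.g. 12.3(14)T1
    feature_set: str     # feature-set designator, e.g. IK9S
    crypto_image: bool   # True if the designator carries K8 or K9
    https_enabled: bool  # True if an un-negated "ip http secure-server" is configured

    @property
    def exposed(self) -> bool:
        """In scope for the advisory only when the image has crypto AND HTTPS is on."""
        return self.crypto_image and self.https_enabled


def parse_show_version(text: str) -> Tuple[str, str, str]:
    """Return (image, version, feature_set) from 'show version' output."""
    m = BANNER_RE.search(text)
    if m is None:
        raise ValueError("no Cisco IOS image banner found in show version output")
    image = m.group("image")
    # Assumption: image names are <platform>-<feature set>-<format>, so the
    # feature set is the second hyphen-separated field.
    fields = image.split("-")
    feature_set = fields[1] if len(fields) >= 2 else ""
    return image, m.group("version"), feature_set


def is_crypto_feature_set(feature_set: str) -> bool:
    """The advisory's rule: crypto images carry K8 or K9 in the designator."""
    fs = feature_set.upper()
    return "K8" in fs or "K9" in fs


def https_enabled(show_run_text: str) -> bool:
    """True only if an un-negated 'ip http secure-server' line is present.
    Assumption: no matching line at all is treated as HTTPS disabled."""
    m = HTTPS_RE.search(show_run_text)
    return m is not None and m.group("neg") is None


def assess(show_version_text: str, show_run_text: str) -> IosSslExposure:
    image, version, feature_set = parse_show_version(show_version_text)
    return IosSslExposure(
        image=image,
        version=version,
        feature_set=feature_set,
        crypto_image=is_crypto_feature_set(feature_set),
        https_enabled=https_enabled(show_run_text),
    )


# Sample banner as printed in the advisory (the prompt line is part of that sample).
SHOW_VERSION_K9 = """Router>show version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan
"""
# Constructed banner for a non-crypto image (IPBASE carries neither K8 nor K9).
SHOW_VERSION_NOCRYPTO = """Router>show version
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
"""
# The two 'show run | include secure-server' outputs from the advisory.
SHOW_RUN_HTTPS_ON = "ip http secure-server\n"
SHOW_RUN_HTTPS_OFF = "no ip http secure-server\n"

if __name__ == "__main__":
    cases = [
        ("crypto image, HTTPS on", SHOW_VERSION_K9, SHOW_RUN_HTTPS_ON),
        ("crypto image, HTTPS off", SHOW_VERSION_K9, SHOW_RUN_HTTPS_OFF),
        ("non-crypto image, HTTPS on", SHOW_VERSION_NOCRYPTO, SHOW_RUN_HTTPS_ON),
    ]
    for label, sv, sr in cases:
        r = assess(sv, sr)
        print(f"{label}: {r.image} {r.version} feature set {r.feature_set!r} -> exposed={r.exposed}")
```

Only the HTTPS service is checked here because it is the only one of the four SSL-using features for which the advisory text on this page shows the configuration line; the CNS agent, HTTPS authentication proxy and WebVPN checks would be added the same way once their configuration lines are known.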
[c-nsp] Cisco Security Advisory: Vulnerability In Crypto Library
Cisco Security Advisory: Vulnerability In Crypto Library

Advisory ID: cisco-sa-20070522-crypto

http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

Revision 1.0

For Public Release 2007 May 22 1300 UTC (GMT)

Summary
=======

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. It is not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

* Cisco IOS
* Cisco IOS XR
* Cisco PIX and ASA Security Appliances
* Cisco Firewall Service Module (FWSM)
* Cisco Unified CallManager

This vulnerability is assigned CVE ID CVE-2006-3894. It is externally coordinated and is tracked by the following external coordinators:

* JPCERT/CC - tracked as JVNVU#754281
* CPNI - tracked as NISCC-362917
* CERT/CC - tracked as VU#754281

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS.
A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects all products that use affected versions of the third party cryptographic library and have enabled applications that use crypto-related functions. The following Cisco products are identified to be vulnerable:

* Cisco IOS
* Cisco IOS XR
* Cisco PIX and ASA Security Appliances (only 7.x releases are affected)
* Cisco Firewall Service Module (FWSM); all releases prior to 2.3(5) and 3.1(6) are affected
* Cisco Unified CallManager

The following text lists application layer protocols or features that must be enabled in order for a device to be vulnerable. It is sufficient that only one protocol or feature is enabled in order for a device to be vulnerable. In order to be not vulnerable, all of the listed application protocols or features must be disabled.

Affected protocols in Cisco IOS
+------------------------------

To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.

Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to this vulnerability. Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field. The following example shows output from a device running an IOS image with crypto support:

    Router>show version
    Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Thu 31-Mar-05 08:04 by yiyan

Since the feature set designator (IK9S) contains 'K9', it can be determined that this feature set contains crypto support.

Additional information about Cisco IOS release naming is available at the following link:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml

You are affected by this vulnerability if you are running one of the vulnerable IOS software releases and have at least one of the following protocols or features enabled:
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Overflow Vulnerabilities
Cisco Security Advisory: Cisco Unified Communications Manager Overflow Vulnerabilities

Document ID: 92015

Advisory ID: cisco-sa-20070711-cucm

http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml

Revision 1.0

For Public Release 2007 July 11 1600 UTC (GMT)

Contents
========

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary
=======

Cisco Unified Communications Manager (CUCM), formerly CallManager, contains two overflow vulnerabilities that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. A workaround exists for one of the vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070711-cucm.shtml

Affected Products
=================

Note: Cisco Unified CallManager versions 4.2, 4.3, 5.1 and 6.0 have been renamed as Cisco Unified Communications Manager. CUCM versions 3.3, 4.0, 4.1 and 5.0 retain the Cisco Unified CallManager name.

Vulnerable Products
+------------------

These products are vulnerable:

* Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR3
* Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR5
* Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR2
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(1)SR1
* Cisco Unified CallManager 5.0 and Communications Manager 5.1 versions prior to 5.1(2)

Administrators of systems running CUCM version 3.x and 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the CUCM Administration interface.

Administrators of systems running CUCM version 5.0 can determine the software version by viewing the main page of the CUCM Administration interface. The software version can also be determined by running the command show version active via the Command Line Interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager version 6.0 and Cisco CallManager Express are not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager (CUCM), formerly CallManager, is the call processing component of the Cisco IP telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

* CTL Provider Service Overflow

  The Certificate Trust List (CTL) Provider service of CUCM contains a heap overflow vulnerability that could allow a remote, unauthenticated user to cause a DoS condition or execute arbitrary code. The CTL Provider service listens on TCP port 2444 by default, but the port is user-configurable. This vulnerability is corrected in CUCM versions 4.1(3)SR5, 4.2(3)SR2, 4.3(1)SR1 and 5.1(2). CUCM 3.x versions are not affected by this vulnerability. This issue is documented in Cisco Bug ID CSCsi03042.

* RIS Data Collector Heap Overflow

  The Real-Time Information Server (RIS) Data Collector service of CUCM contains a heap overflow vulnerability that could allow a remote, unauthenticated user to cause a DoS condition or execute arbitrary code. The RIS Data Collector process listens on TCP port 2556 by default, but the port is user-configurable. This vulnerability is corrected in CUCM versions 3.3(5)SR2b, 4.1(3)SR5, 4.2(3)SR2, 4.3(1)SR1 and 5.1(2). This issue is documented in Cisco Bug ID CSCsi10509.
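Comparing a deployed release against the fixed versions above by eye is error-prone, because CUCM release strings combine a maintenance number in parentheses with a service-release suffix that may itself carry a letter (3.3(5)SR2b, 4.1(3)SR5, 5.1(2)). The following Python is an added example written for this page, not Cisco's code: it parses such strings into a sortable key and checks a version against a fixed-version table transcribed from the Vulnerable Products list of this advisory, and it carries a second table transcribed from the logon-page XSS/SQL injection advisory further down this page, whose fixed versions have the same shape. The ordering rule that a base release precedes its service releases and that SR2 precedes SR2b is an assumption about Cisco's numbering rather than a statement from either advisory, and the version strings fed in at the bottom are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple

# CUCM release strings look like 3.3(5)SR2b, 4.1(3)SR5, 5.1(2) or 6.0:
#   <major>.<minor>(<maintenance>)SR<n><optional letter>
VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\((?P<maint>\d+)\))?"
    r"(?:\s*SR(?P<sr>\d+)(?P<suffix>[a-z]?))?\s*$",
    re.IGNORECASE,
)

VersionKey = Tuple[int, int, int, int, int]


def parse_cucm_version(text: str) -> VersionKey:
    """Map a release string to a sortable (major, minor, maint, sr, letter) key.

    Assumption: a base release sorts before its service releases (SR field 0),
    and a lettered SR (SR2b) sorts after the unlettered one (SR2).
    """
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised CUCM version string: {text!r}")
    suffix = (m.group("suffix") or "").lower()
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("maint") or 0),
        int(m.group("sr") or 0),
        ord(suffix) - ord("a") + 1 if suffix else 0,
    )


# First fixed release per affected train, transcribed from the Vulnerable
# Products list of cisco-sa-20070711-cucm. The 5.0 train has no fix of its
# own; the advisory groups 5.0 and 5.1 under "prior to 5.1(2)".
CUCM_20070711_FIXED: Dict[Tuple[int, int], str] = {
    (3, 3): "3.3(5)SR3",
    (4, 1): "4.1(3)SR5",
    (4, 2): "4.2(3)SR2",
    (4, 3): "4.3(1)SR1",
    (5, 0): "5.1(2)",
    (5, 1): "5.1(2)",
}

# Same shape for the logon-page XSS/SQL injection advisory (cisco-sa-20070829-ccm),
# which writes its fixed versions with a lower-case "sr".
CCM_20070829_FIXED: Dict[Tuple[int, int], str] = {
    (3, 3): "3.3(5)sr2b",
    (4, 1): "4.1(3)sr5",
    (4, 2): "4.2(3)sr2",
    (4, 3): "4.3(1)sr1",
}


def is_vulnerable(version: str, fixed: Dict[Tuple[int, int], str]) -> Optional[bool]:
    """True if `version` precedes the first fixed release of its train,
    False if it is at or past the fix, None if the train is not listed in
    the advisory at all (for example 6.0, which is stated not to be affected)."""
    key = parse_cucm_version(version)
    train = key[:2]
    if train not in fixed:
        return None
    return key < parse_cucm_version(fixed[train])


if __name__ == "__main__":
    # Constructed sample of version strings as read from Help > About.
    for v in ["3.3(5)SR2b", "4.1(3)SR4", "4.1(3)SR5", "5.0(4)", "5.1(2)", "6.0(1)"]:
        print(f"{v:12} overflow advisory: {is_vulnerable(v, CUCM_20070711_FIXED)!s:5} "
              f"logon-page advisory: {is_vulnerable(v, CCM_20070829_FIXED)}")
```

Note that this advisory's Vulnerable Products list gives 3.3(5)SR3 for the 3.3 train while the RIS Data Collector item above says the fix is in 3.3(5)SR2b; the table follows the Vulnerable Products list, which is the more conservative of the two.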
Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 1.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional
[c-nsp] Cisco Security Advisory: Denial of Service Vulnerability in Cisco Wide Area Application Services (WAAS) Software
Cisco Security Advisory: Denial of Service Vulnerability in Cisco Wide Area Application Services (WAAS) Software

Advisory ID: cisco-sa-20070718-waas

http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml

Revision 1.0

For Public Release 2007 July 18 1600 UTC (GMT)

Summary
=======

The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic. This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization, and receives a flood of TCP SYN packets on port 139 or 445.

Cisco has made free software available to address this vulnerability for affected customers. Workarounds are available to mitigate the effects of this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The vulnerability described in this document applies to both the WAE appliance and the NM-WAE-502 network module with Edge Services configured, which use CIFS optimization. Edge Services and CIFS optimization are disabled by default. CIFS functionality is only available once Edge Services are manually configured from the WAAS Central Manager. Only WAAS software versions 4.0.7 and 4.0.9 are affected by this vulnerability.

In order to determine whether Edge Services are configured and to display the WAAS software version information, use the WAAS Central Manager GUI. The show version EXEC command from the CLI will also display the WAAS software version information.

Determine whether Edge Services are configured and display the WAAS software version information by following the steps below:

1. Log on to WAAS Central Manager.
2. Select the Devices tab.
3. Look under the Services column. Edge will denote if Edge Services are configured.
4. Look under the Software Version column. The software version for each device is identified.

The example below shows the output of the show version command from a WAE appliance CLI. In this example, the WAE is running version 4.0.9.

    CE-115-16#show version
    Cisco Wide Area Application Services Software (WAAS)
    Copyright (c) 1999-2007 by Cisco Systems, Inc.
    Cisco Wide Area Application Services Software Release 4.0.9 (build b10 Apr 6 2007)
    Version: fe611-4.0.9.10

    Compiled 15:26:06 Apr 6 2007 by cnbuild

    System was restarted on Sat Jun 16 05:03:41 2007.
    The system has been up for 33 minutes, 40 seconds.
    CE-115-16#

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products or versions of WAAS software that are not explicitly identified in this advisory are currently known to be affected by this vulnerability. WAE appliances and NM-WAE-502 modules that are not configured to provide Edge Services performing CIFS optimization are not affected. The NM-WAE-302 is not susceptible to this vulnerability as it cannot be configured for CIFS optimization.

Details
=======

The Cisco Wide Area Application Services solution uses a combination of application acceleration and WAN optimization techniques to mitigate application and transport latency. WAAS software is utilized on the Wide Area Application Engine appliance and the Wide Area Application Services Network Module that are incorporated in the solution.

A DoS vulnerability exists in some versions of WAAS software that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including traffic going through the device (data traffic) and traffic terminating on the device (management traffic). If the WAAS device has Edge Services, which uses CIFS optimization, configured and receives a flood of TCP SYN packets on ports 139 or 445, this vulnerability may be triggered, resulting in a DoS condition. Ports 139 and 445 are utilized by the CIFS functionality of the WAAS software. This condition may result from network traffic that is sent directly to the WAAS platform, or by automated systems such as host scanners, port scanners, or network worms.

This vulnerability is documented in Cisco Bug ID CSCsi58809.

Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 1.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT
[c-nsp] Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN Client
Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN Client

Advisory ID: cisco-sa-20070815-vpnclient

http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml

Revision 1.0

For Public Release 2007 August 15 1600 UTC (GMT)

Summary
=======

Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows that may allow unprivileged users to elevate their privileges to those of the LocalSystem account. A workaround exists for one of the two vulnerabilities disclosed in this advisory. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The vulnerabilities described in this document apply to the Cisco VPN Client on the Microsoft Windows platform. The affected versions are included in the following table:

+----------------------------+---------------------+--------------+
| Vulnerability Name         | Versions affected   | Cisco Bug ID |
+----------------------------+---------------------+--------------+
| 1. Local Privilege         | All versions up to  | CSCse89550   |
|    Escalation Through      | but not including   |              |
|    Microsoft Windows       | 4.8.02.0010         |              |
|    Dial-Up Networking      |                     |              |
|    Interface               |                     |              |
+----------------------------+---------------------+--------------+
| 2. Local Privilege         | All versions up to  | CSCsj00785   |
|    Escalation Through      | but not including   |              |
|    Default cvpnd.exe File  | 5.0.01.0600         |              |
|    Permissions             |                     |              |
+----------------------------+---------------------+--------------+

Note: The VPN Client for Windows software is distributed as both a Microsoft Installer (MSI) package and an InstallShield (IS) package. Only the MSI package for version 5.0.01.0600 of the VPN Client contains the fix for the Local Privilege Escalation Through Default cvpnd.exe File Permissions vulnerability. The IS package does not contain the fix for that vulnerability and has been removed from http://www.cisco.com. Customers who have downloaded and installed the IS package for version 5.0.01.0600 of the VPN Client will need to apply the workaround listed in the Workarounds section of this advisory or migrate to the MSI package to address these vulnerabilities.

Products Confirmed Not Vulnerable
+--------------------------------

Versions of the Cisco VPN Client for platforms other than Microsoft Windows are not affected by these vulnerabilities. Specifically, the following versions of the Cisco VPN Client are not affected:

* Cisco VPN Client for Solaris
* Cisco VPN Client for Linux
* Cisco VPN Client for Macintosh (Mac OS Classic and Mac OS X)

The Cisco AnyConnect VPN Client is not affected by these vulnerabilities.

No other Cisco products are known to be affected by the vulnerabilities described in this advisory.

Determining the Cisco VPN Client Version
+---------------------------------------

To determine which version of the Cisco VPN Client is running on a Microsoft Windows machine, follow these steps:

1. Select Programs > Cisco Systems VPN Client > VPN Client from the Start menu. This action will open the Cisco VPN Client graphical user interface.
2. Select the option About VPN Client... from the Help menu. This menu option will display a dialog box that contains text similar to Cisco Systems VPN Client Version 4.8.01.0300.

Note: By default, the Cisco Systems VPN Client folder is located in the Programs sub-menu of the Windows Start menu. The system administrator may have chosen to use a different name or location.

Alternatively, the Cisco VPN Client version information can be obtained from a Microsoft Windows Command Prompt using the vpnclient.exe version command. For example:

    C:\Program Files\Cisco Systems\VPN Client>vpnclient version
    4.8.01.0300

Details
=======

The Cisco VPN Client is a software solution for the Microsoft Windows, Sun Solaris, Linux, and Apple MacOS Classic and MacOS X operating systems. It allows users to establish IPSec VPN tunnels to Cisco VPN-capable devices, such as Cisco IOS routers, the PIX Security Appliance, the VPN 3000 Series Concentrators, and the ASA 5500 Series Adaptive Security Appliances.

Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows that may allow local, unprivileged users to elevate their privileges.

Note: The following vulnerabilities are different from the vulnerability that was detailed in the Cisco Security Advisory for the Cisco VPN Client for Windows available at
[c-nsp] Cisco Security Advisory: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page Advisory ID: cisco-sa-20070829-ccm http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml Revision 1.0 For Public Release 2007 August 29 1600 UTC (GMT) + Summary === Cisco CallManager and Unified Communications Manager are vulnerable to cross-site Scripting (XSS) and SQL Injection attacks in the lang variable of the admin and user logon pages. A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database. Cisco has made free software available to address these vulnerabilities for affected customers. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070829-ccm.shtml. Affected Products = Vulnerable Products +-- Cisco CallManager and Unified Communications Manager versions prior to the following are affected by these vulnerabilities: * 3.3(5)sr2b * 4.1(3)sr5 * 4.2(3)sr2 * 4.3(1)sr1 The software version of a CallManager or Unified Communications Manager system can be determined by navigating to Show Software via the administration interface. For Unified Communications Manager version 5.0, the software version can also be determined by running the command show version active in the Command Line Interface (CLI). For CallManager and Unified Communications Manager version 3.x and 4.x systems, the software version can be determined by navigating to Help About Cisco Unified CallManager and selecting the Details button via the administration interface. Note: Cisco Unified CallManager versions 4.3, 5.1 and 6.0 have been renamed to Cisco Unified Communications Manager. Software versions 3.3, 4.0, 4.1, 4.2 and 5.0 retain the Cisco Unified CallManager name. 
Products Confirmed Not Vulnerable + No other Cisco products are known to be affected by this vulnerability. No other versions of CallManager or Unified Communications Manager are vulnerable. Details === Cisco Unified CallManager/Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution which extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The cross-site scripting vulnerability and the SQL injection vulnerability are triggered when a specially crafted value is entered in the lang variable of either the admin or user logon pages. Attacks against these vulnerabilities are conducted through the web interface and use the http or https protocol. In the case of the cross-site scripting vulnerability, the malicious value includes scripting code enclosed by the script and /script tags. In the case of the SQL injection vulnerability, the value terminates the SQL call and completes a call to the back-end database. An attacker must be able to convince a user into following a specially crafted URL in order to successfully exploit the cross-site scripting vulnerability. The cross-site scripting vulnerability is documented as bug ID CSCsi10728. The SQL injection vulnerability is documented as bug ID CSCsi64265. Vulnerability Scoring Details + Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. 
CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

XSS in Cisco CallManager User Logon and Admin Page (CSCsi10728)

CVSS Base Score - 4.3
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - None
    Availability Impact - None
CVSS Temporal Score - 3.6
    Exploitability - Functional
    Remediation Level - Official-Fix
[c-nsp] Cisco Security Advisory: Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities

Advisory ID: cisco-sa-20070905-video

http://www.cisco.com/warp/public/707/cisco-sa-20070905-video.shtml

Revision 1.0

For Public Release 2007 September 5 1600 UTC (GMT)

Summary
=======

Cisco Video Surveillance IP Gateway video encoder and decoder, Services Platform (SP), and Integrated Services Platform (ISP) devices contain authentication vulnerabilities that allow remote users with network connectivity to gain the complete administrative control of vulnerable devices.

There are no workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070905-video.shtml.

Affected Products
=================

Vulnerable Products
+------------------

These products are vulnerable:

  * Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone and Module) firmware version 1.8.1 and earlier
  * Cisco Video Surveillance SP/ISP Decoder Software firmware version 1.11.0 and earlier
  * Cisco Video Surveillance SP/ISP firmware version 1.23.7 and earlier

Users should consult their Stream Manager configuration management tool to determine the versions of firmware installed on deployed video surveillance devices.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Video Surveillance IP Gateway video encoders and decoders allow the video feeds of cameras to be sent over an IP network. This function provides an upgrade path for users to convert from existing analog surveillance systems. Cisco Video Surveillance Services Platforms and Integrated Services Platforms record and aggregate video feeds received from IP Gateways. Stored video can be viewed and manipulated using the Cisco Video Surveillance Stream Manager software.
  * IP Gateway Encoder/Decoder Telnet Authentication Vulnerability:

    The Telnet server installed on Cisco Video Surveillance IP Gateway video encoders and decoders does not prompt for authentication. This may allow a remote user with network connectivity to gain interactive shell access with administrative privileges on vulnerable devices. This issue is documented in Cisco Bug ID CSCsj31729.

  * Services Platform/Integrated Services Platform Default Authentication Vulnerability:

    Cisco Video Surveillance Services Platform and Integrated Services Platform devices ship with default passwords for the sypixx and root user accounts. Users are not able to change these passwords due to application requirements. Users with knowledge of the default passwords may be able to gain interactive shell access with administrative privileges to vulnerable devices. This issue is documented in Cisco Bug ID CSCsj34681.

Vulnerability Scoring Details
+----------------------------

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerabilities in individual networks.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

CSCsj31729 - Encoder/Decoder Telnet Daemon Fails to Authenticate

CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.7
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsj34681 - Services Platform Contains Default Authentication Credentials

CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single Instance
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 7.8
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======
[c-nsp] Cisco Security Advisory: Denial of Service Vulnerabilities in Content Switching Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Denial of Service Vulnerabilities in Content Switching Module

Document ID: 97826

Advisory ID: cisco-sa-20070905-csm

http://www.cisco.com/warp/public/707/cisco-sa-20070905-csm.shtml

Revision 1.0

For Public Release 2007 September 5 1600 UTC (GMT)

Summary
=======

The Cisco Content Switching Modules (CSM) and Cisco Content Switching Module with SSL (CSM-S) contain two vulnerabilities that can lead to a denial of service (DoS) condition. The first vulnerability exists when processing TCP packets, and the second vulnerability affects devices with service termination enabled.

Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070905-csm.shtml

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities were identified in CSM software version 4.2 and CSM-S software version 2.1. The following table helps illustrate the vulnerable software versions for these products:

+---------------+-----------+-----------+
| Vulnerability |    CSM    |   CSM-S   |
+---------------+-----------+-----------+
| TCP packet    | 4.2 Prior | 2.1 Prior |
| Processing    | to 4.2.3a | to 2.1.2a |
| DOS           |           |           |
+---------------+-----------+-----------+
| Service       | 4.2 Prior | 2.1 Prior |
| Termination   | to 4.2.7  | to 2.1.6  |
+---------------+-----------+-----------+

To determine the software running on a Content Switching Module, log in to the Catalyst switch and issue the show version command. The following example shows a CSM running software version 4.2(2) in a Supervisor running CatOS. Supervisors running CatOS or IOS will have similar output. The version of the CSM is shown on the module labeled WS-X6066-SLB-APC as illustrated in the following output.
Console> show version
WS-C6506 Software, Version NmpSW: 7.6(9)
Copyright (c) 1995-2004 by Cisco Systems
NMP S/W compiled on Aug 27 2004, 20:05:14

System Bootstrap Version: 7.1(1)
System Boot Image File is 'disk0:cat6000-sup2k8.7-6-9.bin'
System Configuration register is 0x2102

Hardware Version: 3.0  Model: WS-C6506  Serial #: TBA05360375

PS1 Module: WS-CAC-1300W    Serial #: ACP05061071
PS2 Module: WS-CAC-1300W    Serial #: ACP05060407

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- -----------------
1   2    WS-X6K-SUP2-2GE     SAD055104YY Hw : 3.2
                                         Fw : 7.1(1)
                                         Fw1: 6.1(3)
                                         Sw : 7.6(9)
                                         Sw1: 7.6(9)
         WS-F6K-PFC2         SAD055104H5 Hw : 3.0
                                         Sw :
         WS-X6K-SUP2-2GE     SAD055104YY Hw : 3.2
                                         Sw :
2   48   WS-X6248-RJ-45      SAD0501084U Hw : 1.4
                                         Fw : 5.4(2)
                                         Sw : 7.6(9)
5   4    WS-X6066-SLB-APC    SAD105003DW Hw : 1.9
                                         Fw :
                                         Sw : 4.2(2)

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      262144K  70354K 191790K  32768K  23251K   9517K  512K  253K  259K

Uptime is 43 days, 22 hours, 7 minutes

The following configuration segment shows a vserver with service terminations enabled:

vserver WWW:2
  virtual x.x.x.x tcp www
  service termination

Products Confirmed Not Vulnerable
+--------------------------------

Only Catalyst CSM modules running indicated 4.2 versions are affected by these vulnerabilities. CSM software versions 4.1, 3.2 and 3.1 are not affected by these vulnerabilities. Catalyst CSM-S modules running indicated 2.1 versions are the only vulnerable versions of software for that product.

No other Cisco products are currently known to be affected by this vulnerability. The Cisco Secure Content Accelerator is not affected by this vulnerability.

Details
=======

The Catalyst CSM is an integrated Server Load Balancing line card for the Catalyst 6500 and 7600 Series designed to enhance the response time for client traffic to end points including servers, caches, firewalls, Secure Sockets Layer (SSL) devices, and VPN termination devices.
The Catalyst 6500 CSM-S combines high-performance server load balancing (SLB) with Secure Socket Layer (SSL) offload. The CSM-S is similar to the CSM; however, it can also terminate and
[c-nsp] Cisco Security Advisory: Cisco Wireless Control System Conversion Utility Adds Default Password
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Wireless Control System Conversion Utility Adds Default Password

Advisory ID: cisco-sa-20071010-wcs

http://www.cisco.com/warp/public/707/cisco-sa-20071010-wcs.shtml

Revision 1.0

For Public Release 2007 October 10 1600 UTC (GMT)

Summary
=======

Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a conversion utility to convert over to a Cisco Wireless Control System (WCS). This conversion utility creates and uses administrative accounts with default credentials. Because there is no requirement to change these credentials during the conversion process, an attacker may be able to leverage the accounts that have default credentials to take full administrative control of the WCS after the conversion has been completed.

Customers who have converted their CiscoWorks WLSE to a Cisco WCS are advised to set strong passwords for all accounts on their Cisco WCS.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20071010-wcs.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco WCS systems that have been converted from a CiscoWorks WLSE using the conversion utility for version 4.1.91.0 or earlier are vulnerable.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco WCS systems that have not been converted from a CiscoWorks WLSE using the conversion utility are not affected by this problem. Additionally, Cisco WCS systems that have been converted from a CiscoWorks WLSE using the conversion utility for version 4.2 or later are not vulnerable. For more information about Cisco Unified Wireless Network Software Release 4.2, visit:
http://www.cisco.com/en/US/products/ps6973/prod_bulletin0900aecd806b7f8a.html

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

CiscoWorks WLSE is a centralized, systems-level application for managing and controlling an entire autonomous Cisco wireless LAN (WLAN) infrastructure.
The Cisco Wireless Control System (WCS) is a centralized, systems-level application for managing and controlling lightweight access points and wireless LAN controllers for the Cisco Unified Wireless Network.

A CiscoWorks WLSE can be converted to a Cisco WCS using a utility that can be ordered from Cisco. There are two administrative accounts on the Wireless Control System (WCS): a Linux root account and Cisco WCS root account. Vulnerable versions of the conversion utility do not force the administrator to change the password for the Linux root user of the newly converted system. Non-vulnerable versions of the conversion utility force the administrator to change both account passwords.

More information about the conversion utility is available in the Conversion of a WLSE Autonomous Deployment to a WCS Controller Deployment appendix in the Cisco Wireless Control System Configuration Guide.

Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.
CSCsj71081 - Need to have installer on WLSE-WCS conversion procedures

CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in full administrative control of the Cisco WCS system or user-level access to the host Linux operating system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

Advisory ID: cisco-sa-20071017-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml

Revision 1.0

For Public Release 2007 October 17 1600 UTC (GMT)

Summary
=======

Two crafted packet vulnerabilities exist in the Cisco Firewall Services Module (FWSM) that may result in a reload of the FWSM. These vulnerabilities can be triggered during the processing of HTTPS requests, or during the processing of Media Gateway Control Protocol (MGCP) packets. A third vulnerability may cause access control list (ACL) entries to not be evaluated after the access list has been manipulated.

Note: These vulnerabilities are independent of each other; a device may be affected by one and not by the others.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20071017-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The FWSM is affected by a crafted HTTPS request vulnerability if the HTTPS server on the FWSM is enabled and is running software versions 3.1(5) and prior or 3.2(1). Version 2.3.x is not affected. The HTTPS server is not enabled by default.

The FWSM is affected by a crafted MGCP packet vulnerability if MGCP application layer protocol inspection is enabled and the device is running software version 3.1(5) and prior. Versions 2.3.x and 3.2.x are not affected. MGCP inspection is not enabled by default.

The FWSM is affected by an access control list corruption vulnerability that may result in the ACL not working properly, i.e. the ACL may allow traffic that would normally be denied, or would deny traffic that would normally be permitted. Affected versions include 3.1(6) and prior and 3.2(2) and prior. Version 2.3.x is not affected.

In addition to the FWSM, the crafted MGCP packet vulnerability also affects the PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances.
More information regarding vulnerabilities affecting the PIX and ASA can be found in the companion advisory located at http://www.cisco.com/warp/public/707/cisco-sa-20071017-asa.shtml.

To determine if you are running a vulnerable version of FWSM software, issue the show module command-line interface (CLI) command from Cisco IOS or Cisco CatOS to identify what modules and sub-modules are installed in the system. The following example shows a system with a Firewall Service Module (WS-SVC-FWM-1) installed in slot 4.

switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAx
  4    6  Firewall Module                        WS-SVC-FWM-1       SAx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAx
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAx

After locating the correct slot, issue the show module slot number command to identify the software version that is running:

switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4  0003.e4xx. to 0003.e4xx.          3.0   7.2(1)       3.1(3)       Ok

The example above shows that the FWSM is running version 3.1(3) as indicated by the column under Sw above.

Note: Recent versions of Cisco IOS will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

Alternatively, the information may also be obtained directly from the FWSM through the show version command as seen below.

FWSM#show version
FWSM Firewall Version 3.1(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window.
The version notation is similar to this:

FWSM Version: 3.1(3)

Products Confirmed Not Vulnerable
+--------------------------------

With the exception of the Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances, no other Cisco products are known to be vulnerable to the issues described in this advisory.

Details
=======

This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other.

1. Crafted HTTPS Request

A FWSM that has
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Document ID: 98833

Advisory ID: cisco-sa-20071017-cucm

http://www.cisco.com/warp/public/707/cisco-sa-20071017-cucm.shtml

Revision 1.0

For Public Release 2007 October 17 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager (CUCM), formerly CallManager, contains two denial of service (DoS) vulnerabilities. Large volumes of UDP Session Initiation Protocol (SIP) INVITE messages may cause a resource exhaustion condition on CUCM systems resulting in a kernel panic. The CUCM Trivial File Transfer Protocol (TFTP) service contains a buffer overflow vulnerability that may result in a denial of service condition or allow a remote, unauthenticated user to execute arbitrary code.

There are no workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20071017-cucm.shtml.

Affected Products
=================

Note: Cisco Unified CallManager versions 4.2, 4.3, 5.1 and 6.0 have been renamed Cisco Unified Communications Manager. CUCM versions 3.3, 4.0, 4.1 and 5.0 retain the Cisco Unified CallManager name.

Vulnerable Products
+------------------

All Cisco Unified CallManager 5.0 versions and Communications Manager 5.1 versions prior to 5.1(2) are affected by both vulnerabilities. Cisco Unified Communications Manager version 5.1(2) is affected by the TFTP service overflow vulnerability.

Note: Cisco Unified Communications Manager version 6.0(1) shipped containing the fixes for these vulnerabilities.

Administrators of systems that are running CUCM versions 5.x and 6.x can determine the software version by viewing the main page of the CUCM Administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).
Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified CallManager versions 3.x, 4.0 and 4.1, Communications Manager 4.2 and 4.3, and Cisco CallManager Express are not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager (CUCM), formerly CallManager, is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

  * SIP INVITE UDP Denial of Service:

    The CUCM Session Initiation Protocol (SIP) stack contains a DoS vulnerability. By flooding a CUCM system with normal SIP INVITE messages to UDP port 5060, it may be possible to trigger a resource exhaustion condition that will result in a kernel panic. This vulnerability is corrected in CUCM versions 5.1(2b), 5.1(3) and 6.0(1). This issue is documented in Cisco bug ID CSCsi75822.

  * Centralized TFTP File Locator Service Overflow:

    The CUCM TFTP service contains a buffer overflow vulnerability in the processing of filenames that may allow a remote, unauthenticated user to cause a DoS condition or execute arbitrary code. The TFTP service serves files via two methods: traditional TFTP (UDP port 69), and a HTTP server that listens on TCP port 6970. The HTTP server component is known as the Centralized TFTP File Locator Service. The Centralized TFTP File Locator Service allows CUCM administrators to store device configuration and software files in a central location. The Centralized TFTP File Locator Service becomes active when the CUCM TFTP service is enabled and an alternate TFTP path is configured.
    Please consult the following documentation for more information on configuring the Centralized TFTP File Locator Service and alternate TFTP paths:
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008037e280.html#wp1044917

    The overflow vulnerability only affects the Centralized TFTP File Locator Service component of the CUCM TFTP service. The Centralized TFTP File Locator Service is only used for communication between CUCM systems. The CUCM TFTP service is not enabled by default. This vulnerability is corrected in CUCM versions 5.1(2), 5.1(3) and 6.0(1). This issue is documented in Cisco bug ID CSCsh47712.

Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

Cisco will provide a base and
[c-nsp] Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20071205-csa

http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml

Revision 1.0

For Public Release 2007 December 05 1600 UTC (GMT)

Summary
=======

A buffer overflow vulnerability exists in a system driver used by the Cisco Security Agent for Microsoft Windows. This buffer overflow can be exploited remotely and causes corruption of kernel memory, which leads to a Windows stop error (blue screen) or to arbitrary code execution. The vulnerability is triggered during processing of a crafted TCP segment destined to TCP port 139 or 445. These ports are used by the Microsoft Server Message Block (SMB) protocol.

Cisco has released free software updates that address this vulnerability.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5580 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All versions of Cisco Security Agent for Windows, either managed or standalone, are affected. Agents that are running on Cisco IP Communications application servers or agents on systems that are running the Cisco Security Manager are examples of a standalone implementation.
Standalone agents are installed in the following Cisco IP Communications products:

  * Cisco Unified Communications Manager (CallManager)
  * Cisco Conference Connection (CCC)
  * Emergency Responder
  * IPCC Express
  * IPCC Enterprise
  * IPCC Hosted
  * IP Interactive Voice Response (IP IVR)
  * IP Queue Manager
  * Intelligent Contact Management (ICM)
  * Cisco Voice Portal (CVP)
  * Cisco Unified Meeting Place
  * Cisco Personal Assistant (PA)
  * Cisco Unity
  * Cisco Unity Connection
  * Cisco Unity Bridge
  * Cisco Internet Service Node (ISN)

Cisco Security Manager installs a standalone version of Cisco Security Agent if an agent is not found when Cisco Security Manager is installed, so systems that are running Cisco Security Manager are also affected by this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Secure Access Control Server (ACS) Solution Engine, also known as the ACS appliance, integrates a standalone version of Cisco Security Agent. However, the ACS Solution Engine is not affected by this vulnerability because by default it blocks incoming traffic to the affected TCP ports (139 and 445). Additional information is in the Details section.

Cisco Security Agents that are running on the Solaris and Linux operating systems are not affected by the vulnerability described in this advisory.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be managed by a Management Center for Cisco Security Agents or can be standalone agents that are not managed by a Cisco Security Agent Management Center. Some Cisco products integrate standalone Cisco Security Agents to protect the products against viruses, worms, and attacks.
Examples of products that integrate standalone Cisco Security Agents include Cisco IP Communications application servers, the Cisco Secure Access Control Server (ACS) Solution Engine, and the Cisco Security Manager.

A buffer overflow vulnerability exists in a system driver used by Cisco Security Agents, whether they are managed or unmanaged. Cisco Security Agents use this driver by default. Windows kernel memory becomes corrupted when this buffer is overflowed. Therefore, exploitation of this vulnerability will lead to a Windows stop error (kernel panic, or blue screen error), or to arbitrary code execution.

The vulnerability can be exploited remotely via the network. The vulnerability is triggered when Cisco Security Agent is processing a crafted TCP segment destined to TCP port 139 or 445. These ports are used by the Microsoft Server Message Block (SMB) protocol. A TCP session needs to be established (that is, the TCP three-way handshake needs to be completed) for the vulnerability to be triggered.

All systems that are running a vulnerable version of Cisco Security Agent for Windows are affected. This includes Cisco products that integrate standalone Cisco Security Agents, such as Cisco IP Communications applications servers and the Cisco Security Manager. Although the ACS Solution Engine integrates a standalone Cisco Security Agent, it is not affected because TCP ports 139 and 445 have been firewalled by the ACS Solution Engine itself. This blocking of traffic destined to TCP ports 139 and 445 is enabled by default and is not user-configurable.
[c-nsp] Cisco Security Advisory: Application Inspection Vulnerability in Cisco Firewall Services Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Application Inspection Vulnerability in Cisco Firewall Services Module

Advisory ID: cisco-sa-20071219-fwsm

Revision 1.0

Last Updated 2007 December 19 1600 UTC (GMT)

For Public Release 2007 December 19 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM), a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers, that may result in a reload of the FWSM. The only affected FWSM System Software Version is 3.2(3).

There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering this vulnerability.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584 has been assigned to this vulnerability.

Cisco will release free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

Affected Products
=================

Vulnerable Products
+------------------

The FWSM is vulnerable if running System Software version 3.2(3).

To determine if the FWSM is vulnerable, issue the show module command-line interface (CLI) command from Cisco IOS or Cisco CatOS to identify what modules and sub-modules are installed in the system. The following example shows a system with a Firewall Service Module (WS-SVC-FWM-1) installed in slot 4.

switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAx
  4    6  Firewall Module                        WS-SVC-FWM-1       SAx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAx
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAx

After locating the correct slot, issue the show module slot number command to identify the software version that is running.

switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4  0003.e4xx. to 0003.e4xx.          3.0   7.2(1)       3.2(3)       Ok

The preceding example shows that the FWSM is running version 3.2(3) as indicated by the column under Sw above.

Note: Recent versions of Cisco IOS will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

Alternatively, the information can also be obtained directly from the FWSM through the show version command as seen in the following example.

FWSM#show version
FWSM Firewall Version 3.2(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example.

FWSM Version: 3.2(3)

Products Confirmed Not Vulnerable
+--------------------------------

  * FWSM System Software versions 3.2(2) and earlier.
  * FWSM System Software versions 3.1(x).
  * FWSM System Software versions 1.x(y) and 2.x(y).
  * The Cisco PIX 500 Series Security Appliance (PIX)
  * The Cisco 5500 Series Adaptive Security Appliance (ASA).

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

A vulnerability exists in the processing of data in the control-plane path with Layer 7 Application Inspections, that may result in a reload of the FWSM. The vulnerability can be triggered with standard network traffic, which is passed through the Application Layer Protocol Inspection process. The only FWSM release affected by this vulnerability is FWSM System Software version 3.2(3).

This vulnerability is documented in Cisco bug ID CSCsl08519.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).
The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow
Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow

Document ID: 100345
Advisory ID: cisco-sa-20080116-cucmctl
http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml
Revision 1.0
For Public Release 2008 January 16 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager (CUCM), formerly CallManager, contains a heap overflow vulnerability in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code.

There is a workaround for this vulnerability. Cisco has made free software available to address these vulnerabilities for affected customers.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0027 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080116-cucmctl.shtml.

Affected Products
=================

Note: Cisco Unified CallManager Versions 4.2, 4.3, 5.1 and 6.0 have been renamed as Cisco Unified Communications Manager. CUCM Versions 3.3, 4.0, 4.1 and 5.0 retain the Cisco Unified CallManager name.

Vulnerable Products
+------------------

These products are vulnerable:

  * Cisco Unified CallManager 4.0
  * Cisco Unified CallManager 4.1 Versions prior to 4.1(3)SR5c
  * Cisco Unified Communications Manager 4.2 Versions prior to 4.2(3) SR3
  * Cisco Unified Communications Manager 4.3 Versions prior to 4.3(1) SR1

The version of software running on a CUCM 4.x system can be determined by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the CUCM Administration interface.

Products Confirmed Not Vulnerable
+--------------------------------

CUCM Versions 3.3, 5.0, 5.1, 6.0, 6.1 and Cisco CallManager Express are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Unified Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

When a CUCM server is deployed in secure mode, a Certificate Trust List (CTL) is used by Cisco Unified IP Phone devices to verify the identity of CUCM servers. The CTL contains public keys and other information to allow the Cisco IP Phone devices to establish a trusted relationship with a CUCM server. The CTL is provisioned using the CTL Provider service on a CUCM server and with the CTL Provider client on an administrator workstation. The CTL Provider service needs to be enabled during the initial configuration of a CUCM server/cluster or when changes are required to the CTL. Please consult the Workarounds section of this advisory for information on how to determine if the CTL Provider service is enabled on a CUCM server.

The CTL Provider service of the CUCM contains a heap overflow vulnerability that could allow a remote, unauthenticated user to cause a DoS condition or execute arbitrary code. The CTL Provider service listens on TCP port 2444 by default, but the port can be modified by the user.

This issue is documented in Cisco Bug ID CSCsj22605.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS Version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsj22605 - CUCM CTL Provider Heap Overflow Vulnerability

CVSS Base Score - 10
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 8.3
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability may result in a DoS condition or the execution of arbitrary code.

Software Versions and
[c-nsp] Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability
Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability

Advisory ID: cisco-sa-20080123-asa
http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml
Revision 1.0
For Public Release 2008 January 23 1600 UTC (GMT)

Summary
=======

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been assigned to this vulnerability.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The TTL decrement feature was introduced in version 7.2(2) and it is disabled by default. The Cisco PIX and ASA security appliances running software versions prior to 7.2(3)006 or 8.0(3) and that have the TTL decrement feature enabled are vulnerable.

By default the PIX and ASA security appliance software does not decrement the TTL of transient packets. The ability to decrement the TTL of transient packets can be enabled on a selective or global basis by using the set connection decrement-ttl command in the policy-map class configuration mode.

To determine whether you are running this feature, use the show running-config command and search for the set connection decrement-ttl command. Alternatively, you can use the include argument to search for this command as follows:

    ASA#show running-config | include decrement-ttl
      set connection decrement-ttl
    ASA#

The set connection decrement-ttl command is part of a configured class-map. In order for this command to take effect it must be applied using a policy-map (assigned globally or to an interface). For more information about the Modular Policy Framework on the Cisco ASA and PIX refer to the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

To determine whether you are running a vulnerable version of Cisco PIX or ASA software, issue the show version command-line interface (CLI) command. The following example shows a Cisco ASA Security Appliance that runs software release 7.2(3):

    ASA#show version
    Cisco Adaptive Security Appliance Software Version 7.2(3)
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following:

    PIX Version 7.2(3)

Products Confirmed Not Vulnerable
+--------------------------------

Cisco PIX and ASA security appliances which do not support the TTL decrement feature or are not explicitly configured for it are not vulnerable.

Note: The TTL decrement feature was introduced in version 7.2(2), and it is disabled by default.

The Cisco Firewall Services Module (FWSM) is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

This vulnerability is documented in Cisco Bug ID CSCsk48199.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* Cisco PIX and ASA TTL Vulnerability (CSCsk48199)

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact -
[c-nsp] Cisco Security Advisory: Default Passwords in the Application Velocity System
Cisco Security Advisory: Default Passwords in the Application Velocity System

Advisory ID: cisco-sa-20080123-avs
http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml
Revision 1.0
For Public Release 2008 January 23 1600 UTC (GMT)

Summary
=======

Versions of the Cisco Application Velocity System (AVS) prior to software version AVS 5.1.0 do not prompt users to modify system account passwords during the initial configuration process. Because there is no requirement to change these credentials during the initial configuration process, an attacker may be able to leverage the accounts that have default credentials, some of which have root privileges, to take full administrative control of the AVS system. After upgrading to software version AVS 5.1.0, users will be prompted to modify these credentials.

Cisco will make free upgrade software available to address this vulnerability for affected customers. The software upgrade will be applicable only for the AVS 3120, 3180, and 3180A systems. The workaround identified in this document describes how to change the passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco AVS 3110, 3120, 3180, and 3180A Management Station appliances that are running software versions prior to AVS 5.1.0.

Administrators can determine the software version of the AVS appliances by logging in to the Management Station web-based user interface or from the command-line interface (CLI) of the appliance operating system.

Customers who use the AVS 3180 or 3180A Management Station can determine their node software versions by navigating to the Cluster Information Page. Each registered node will display the corresponding software version when the node is selected.

The AVS appliance version can also be determined from the host operating system by using the Show Version command. The following example shows Show Version output for an AVS 3120 appliance that is running version 5.1.0:

    velocity> Show Version
    Cisco Application Velocity System,(AVS) AVS 3120-K9 005.001(000.034)

The following example shows Show Version output for an AVS 3180 or 3180A appliance that is running version 5.1.0:

    velocity> Show Version
    Cisco Application Velocity System,(AVS) AVS 3180-MGMT 005.001(000.034)

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco AVS 3110 and 3120 are enterprise data center appliances for improving web application performance, measuring end-user response time, and managing application security. The Cisco AVS 3120 enforces application security with an integrated web application firewall. The Cisco AVS 3180 and 3180A Management Stations provide web-based tools for the configuration and application performance monitoring for a cluster of AVS 3110s and 3120s or individual nodes.

The Cisco AVS 3110, 3120, 3180, and 3180A Management Stations use some system accounts that are initially configured with default passwords. Vulnerable versions of the AVS software do not prompt the administrator to change the passwords for these accounts, including accounts with root privileges, during the initial configuration process. Non-vulnerable versions of AVS software will now prompt administrators to change these accounts after installation.

Note: If the passwords for the AVS 3110 or 3120 are changed on the device itself and it has previously been registered with an AVS 3180 or 3180A Management Station, the node must be re-registered with the Management Station console. Otherwise, communication between the AVS 3180 or 3180A Management Station and AVS 3110 or 3120 node will be lost. For additional details about the AVS node registration process, refer to the Register Node section of the Cisco AVS User's Guide.

After upgrading the appliance software to version AVS 5.1.0 and logging in for the first time, the administrator will now be prompted to change the system account passwords. The following example shows the new password change prompts and the subsequent password change dialog for the AVS 3120 after upgrade:

    velocity login: fgn
    Password:
    **WARNING** System wide secrets are in factory default state.
    Would you like to change these
[c-nsp] Cisco Security Advisory: SQL injection in Cisco Unified Communications Manager
Cisco Security Advisory: SQL injection in Cisco Unified Communications Manager

Document ID: 100358
Advisory ID: cisco-sa-20080213-cucmsql
http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml
Revision 1.0
For Public Release 2008 February 13 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager is vulnerable to a SQL Injection attack in the parameter key of the admin and user interface pages. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.

Cisco has released free software updates that address this vulnerability.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0026 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco Unified Communication Manager 5.0/5.1 versions prior to 5.1(3a) and 6.0/6.1 versions prior to 6.1(1a) are affected by this vulnerability.

The software version of a CallManager or Unified Communications Manager system can be determined by navigating to Show Software via the administration interface. For Unified Communications Manager, the software version can also be determined by running the show version active command in the Command Line Interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

Cisco CallManager or Unified Communication Manager systems prior to 5.0 are not affected by this vulnerability. No 3.x and 4.x releases are vulnerable.

No other Cisco products are known to be affected by this vulnerability.

Details
=======

Cisco Unified CallManager/Communications Manager (CUCM) is the call processing component of the Cisco IP telephony solution. This solution extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

An attacker can trigger this SQL injection vulnerability by entering a specially crafted value in the key parameter of either the admin or user interface page. Attacks against this vulnerability are conducted through the web interface and use the http or https protocol. A successful attack could terminate a SQL call and force a connection to the back-end database, resulting in the disclosure of potentially sensitive information such as usernames and password hashes.

This vulnerability is documented as bug ID CSCsk64286.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is performed in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsl08519 - SQL Injection Vulnerability in User And Admin Interface Pages

CVSS Base Score - 4
  Access Vector - Network
  Access Complexity - Low
  Authentication - Single
  Confidentiality Impact - Partial
  Integrity Impact - None
  Availability Impact - None

CVSS Temporal Score - 3.3
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

An authenticated attacker may be able to exploit this vulnerability to extract records from the Cisco Unified Communications Manager database. A successful attack might retrieve sensitive data such as user names, password hashes, and information from call records. An attacker cannot use this vulnerability to alter or delete call record information from the database.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not
[c-nsp] Cisco Security Advisory: Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities
Cisco Security Advisory: Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities

Advisory ID: cisco-sa-20080312-ucp
http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml
Revision 1.0
For Public Release 2008 March 12 1600 UTC (GMT)

Summary
=======

Two sets of vulnerabilities were discovered in the Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application and reported to Cisco by Felix 'FX' Lindner, Recurity Labs GmbH. The first set of vulnerabilities address several buffer overflow conditions in the UCP application that could result in remote execution of arbitrary code on the host system where UCP is installed. The second set of vulnerabilities address cross-site scripting in the UCP application pages. Both sets of vulnerabilities could be remotely exploited, and do not require valid user credentials.

Cisco has released a free software update for UCP that addresses these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml

Affected Products
=================

UCP is the vulnerable application and can be installed to inter-operate with:

  * Cisco Secure ACS for Windows
  * Cisco Secure ACS Solution Engine (Appliance)

NOTE: In Cisco Secure ACS for Windows, UCP may be installed on the same or different host as the Cisco Secure ACS for Windows application. In the Cisco Secure ACS Solution Engine (Appliance) the UCP will be installed on a different host other than the appliance. UCP is not installed by default with ACS installations.

Vulnerable Products
+------------------

UCP versions prior to 4.2 are affected. Users can perform the following steps to determine the version of UCP installed on a system:

  1. Log in to the system where UCP is installed.
  2. Open a Windows command prompt.
  3. Change the current working directory to the default directory of the CGI scripts that was specified during installation of UCP. The default installation directory is C:\Inetpub\Wwwroot\securecgi-bin. Within this directory execute the command CSuserCGI ver. The output returned will indicate a CSuserCGI version. Any version earlier than 4.2 is vulnerable.

The following example shows a system with UCP version 4.2 installed.

    C:\> c:
    C:\> cd c:\inetpub\Wwwroot\securecgi-bin
    C:\Inetpub\Wwwroot\securecgi-bin> CSuserCGI ver
    CSuserCGI 4.2, Copyright 2008 Cisco Systems Inc

Products Confirmed Not Vulnerable
+--------------------------------

Installations of Cisco Secure ACS for Windows or Cisco Secure ACS Solution Engine without UCP installed are not vulnerable. Cisco Secure ACS for UNIX does not support the UCP utility and is not vulnerable.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The UCP application enables end users to change their ACS passwords with a web-based utility. When users need to change their own passwords, they can access the UCP web page by using a supported web browser, validate their existing credentials, and then change their password via the utility. For more information about the UCP application please see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/user_passwords/ucp.html.

Several vulnerabilities exist within the UCP application.

  * Multiple Buffer Overflow Vulnerabilities. Multiple buffer overflows exist within the UCP CSuserCGI.exe code. CSuserCGI.exe is the HTTP interface to the server. This vulnerability is addressed by Cisco Bug ID CSCsl49180 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0532.

  * Cross Site Scripting Vulnerabilities. Cross-site scripting vulnerabilities exist within the UCP CSuserCGI.exe code. This vulnerability is addressed by Cisco Bug ID CSCsl49205 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0533.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator
[c-nsp] Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor Remote Command Execution Vulnerability
Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor Remote Command Execution Vulnerability

Advisory ID: cisco-sa-20080313-ipm
Revision 1.0
For Public Release 2008 March 13

Summary
=======

CiscoWorks Internetwork Performance Monitor (IPM) version 2.6 for Sun Solaris and Microsoft Windows operating systems contains a vulnerability that allows remote, unauthenticated users to execute arbitrary commands.

There are no workarounds for this vulnerability. Cisco has made free software available to address this issue for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080313-ipm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

IPM version 2.6 for Solaris and Windows operating systems is vulnerable.

Products Confirmed Not Vulnerable
+--------------------------------

IPM versions 2.5 and earlier as well as IPM version 4.0 are not vulnerable.

No other Cisco products are known to be vulnerable.

Details
=======

CiscoWorks IPM is a troubleshooting application that gauges network response time and availability. It is available as a component within the CiscoWorks LAN Management Solution (LMS) bundle.

IPM version 2.6 for Solaris and Windows contains a process that causes a command shell to automatically be bound to a randomly selected TCP port. Remote, unauthenticated users are able to connect to the open port and execute arbitrary commands with casuser privileges on Solaris systems and with SYSTEM privileges on Windows systems.

This vulnerability is documented in CVE-2008-1157 and Cisco Bug ID CSCsj06260.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsj06260 - Remote command execution possible using the Process Mgr

CVSS Base Score - 10
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

CVSS Temporal Score - 8.3
  Exploitability: Functional
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Impact
======

Successful exploitation of the vulnerability may result in the ability to execute arbitrary commands with the non-privileged casuser user account on Solaris systems and with full administrative SYSTEM privileges on Windows systems.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

This vulnerability is corrected in the IPM version 2.6 CSCsj06260 patch for Solaris and Windows operating systems. Fixed software can be obtained here: http://www.cisco.com/pcgi-bin/tablebuild.pl/ipm-sol?psrtdcat20e2

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

There are no workarounds for this vulnerability. It is possible to mitigate this vulnerability by restricting network access to TCP ports on a system running IPM version 2.6 to trusted systems. Administrators are strongly encouraged to upgrade to a fixed version of IPM.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080313-ipm.shtml

Obtaining Fixed Software
+-----------------------

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
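The Vulnerability Scoring Details sections of the advisories above list each bug's CVSS 2.0 metrics next to its base and temporal score. The calculator below is an added example, not Cisco's code, that recomputes those scores from the metric wording with the CVSS v2.0 weights and formulas; it reproduces the 10 / 8.3 given for the CTL Provider (CSCsj22605) and IPM (CSCsj06260) bugs, the 7.8 for the PIX/ASA TTL bug (CSCsk48199) and the 4 / 3.3 for the CUCM SQL injection entry. The wording-to-vector table and the sample entry dict are transcribed from the advisory text; "ND" handling for undefined temporal metrics is from the CVSS v2.0 specification.

```python
"""CVSS v2.0 base and temporal score calculator (added example, not Cisco code).

Recomputes the scores printed in the advisories' "Vulnerability Scoring
Details" sections from their metric breakdowns, using the weights and
formulas of the CVSS v2.0 specification.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights (CVSS v2.0 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Temporal-metric weights; "ND" (not defined) leaves the score unchanged.
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# Metric wording as printed in the Cisco advisories, mapped to vector abbreviations.
WORDS = {
    "AV": {"Local": "L", "Adjacent Network": "A", "Network": "N"},
    "AC": {"High": "H", "Medium": "M", "Low": "L"},
    "Au": {"Multiple": "M", "Single": "S", "None": "N"},
    "CIA": {"None": "N", "Partial": "P", "Complete": "C"},
    "E": {"Unproven": "U", "Proof-of-Concept": "POC", "Functional": "F", "High": "H"},
    "RL": {"Official-Fix": "OF", "Temporary-Fix": "TF", "Workaround": "W", "Unavailable": "U"},
    "RC": {"Unconfirmed": "UC", "Uncorroborated": "UR", "Confirmed": "C"},
}


def _round1(value: float) -> float:
    """CVSS rounds to one decimal place, half up (8.265 -> 8.3)."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for item in vector.split("/"):
        key, sep, value = item.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[key] = value
    return metrics


def base_score(vector: str) -> float:
    """Base score from a base vector; raises ValueError on unknown metrics."""
    m = parse_vector(vector)
    try:
        impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
        exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    except KeyError as exc:
        raise ValueError(f"missing or unknown base metric {exc}") from exc
    f_impact = 0.0 if impact == 0 else 1.176  # no C/I/A impact at all scores 0.0
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def temporal_score(vector: str, temporal: str) -> float:
    """Temporal score: the rounded base score scaled by E, RL and RC."""
    t = parse_vector(temporal)
    factor = (EXPLOITABILITY[t.get("E", "ND")]
              * REMEDIATION_LEVEL[t.get("RL", "ND")]
              * REPORT_CONFIDENCE[t.get("RC", "ND")])
    return _round1(base_score(vector) * factor)


def vectors_from_advisory(entry: dict) -> tuple:
    """Build (base_vector, temporal_vector) from an advisory's metric wording."""
    base = "/".join([
        "AV:" + WORDS["AV"][entry["Access Vector"]],
        "AC:" + WORDS["AC"][entry["Access Complexity"]],
        "Au:" + WORDS["Au"][entry["Authentication"]],
        "C:" + WORDS["CIA"][entry["Confidentiality Impact"]],
        "I:" + WORDS["CIA"][entry["Integrity Impact"]],
        "A:" + WORDS["CIA"][entry["Availability Impact"]],
    ])
    temporal = "/".join([
        "E:" + WORDS["E"][entry["Exploitability"]],
        "RL:" + WORDS["RL"][entry["Remediation Level"]],
        "RC:" + WORDS["RC"][entry["Report Confidence"]],
    ])
    return base, temporal


def check_published(entry: dict, published_base: float, published_temporal: float) -> bool:
    """True when the recomputed scores match what the advisory prints."""
    base, temporal = vectors_from_advisory(entry)
    return (base_score(base) == published_base
            and temporal_score(base, temporal) == published_temporal)


# Sample entry transcribed from the CSCsj22605 (CTL Provider) scoring block above.
CTL_PROVIDER_ENTRY = {
    "Access Vector": "Network", "Access Complexity": "Low", "Authentication": "None",
    "Confidentiality Impact": "Complete", "Integrity Impact": "Complete",
    "Availability Impact": "Complete",
    "Exploitability": "Functional", "Remediation Level": "Official-Fix",
    "Report Confidence": "Confirmed",
}

if __name__ == "__main__":
    base, temporal = vectors_from_advisory(CTL_PROVIDER_ENTRY)
    print(base, base_score(base))                    # AV:N/AC:L/Au:N/C:C/I:C/A:C 10.0
    print(temporal, temporal_score(base, temporal))  # E:F/RL:OF/RC:C 8.3
    print(check_published(CTL_PROVIDER_ENTRY, 10.0, 8.3))  # True
```

Running it against the SQL injection entry (Au:S, C:P only) gives 4.0 and 3.3, matching the advisory; a mismatch between a printed score and the recomputed one is the quickest way to spot a transcription error in a scoring block.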
[c-nsp] Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720

Advisory ID: cisco-sa-20080326-queue
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)

Summary
=======

Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that run branches of Cisco IOS based on 12.2 can be vulnerable to a denial of service vulnerability that can prevent any traffic from entering an affected interface. For a device to be vulnerable, it must be configured for Open Shortest Path First (OSPF) Sham-Link and Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN). This vulnerability only affects Cisco Catalyst 6500 Series or Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720) modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B, Supervisor 720-3BXL, Route Switch Processor 720, Route Switch Processor 720-3C, and Route Switch Processor 720-3CXL are all potentially vulnerable.

The OSPF and MPLS VPNs are not enabled by default.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml

Note: The March 26, 2008 publication includes five Security Advisories. The Advisories all affect Cisco IOS. Each Advisory lists the releases that correct the vulnerability described in the Advisory, and the Advisories also detail the releases that correct the vulnerabilities in all five Advisories.

Please reference the following software table to find a release which fixes all published Security Advisories as of March 26th, 2008.

  * March 26th bundled IOS Advisory Table
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
  * Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
  * Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
  * Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
  * Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml

Affected Products
=================

Vulnerable Products
+------------------

All Cisco products based on the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720) are potentially vulnerable.

Cisco Sup720 and RSP720 products have support for daughter cards that enhance their functionality. These daughter cards attach directly to the Sup720 or RSP720 and have names like PFC-3B, PFC-3BXL, PFC-3C, and PFC-3CXL. The product number of the Sup720 or RSP720 can change to reflect the daughter card that is installed, such as RSP720-3CXL. Because the vulnerability affects the Sup720 and RSP720, all versions of the Sup720 or RSP720 are vulnerable, regardless of the daughter card that is installed.

  * Cisco Catalyst 6500 Series devices with the Sup32, Sup720, Sup720-3B, or Sup720-3BXL
  * Cisco 7600 Series devices with the Sup32, Sup720, Sup720-3B, or Sup720-3BXL
  * Cisco 7600 Series devices with the RSP720, RSP720-3C, or RSP720-3CXL
  * Cisco ME 6524 Ethernet Switch

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability. Cisco Bug ID CSCsf12082 was integrated into additional IOS releases that do not run on the vulnerable hardware, but only the platforms mentioned in the Vulnerable Products section above are affected by this vulnerability.

Details
=======

Vulnerable Cisco devices, when configured for Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN) and Open Shortest Path First (OSPF) sham-link, can suffer from a blocked queue, memory leak and/or restart of the device. This vulnerability is documented in Cisco bug ID CSCsf12082, and has been assigned CVE ID CVE-2008-0057.

The following combination of hardware and software configuration must be present for the device to be vulnerable:

  * Cisco Catalyst Sup32, Sup720, or RSP720 is present
  * MPLS VPN is configured
  * OSPF sham-link is configured

In order to determine whether you are running this feature, use the show running-config command and search for the address-family vpnv4 and area sham-link router configuration commands. The following command
[c-nsp] Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

Advisory ID: cisco-sa-20080326-pptp

http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml

Revision 1.0

For Public Release 2008 March 26 1600 UTC (GMT)

Summary
=======

Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution.

The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second vulnerability may consume all interface descriptor blocks on the affected device because those devices will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or interface resources of the attacked device may be depleted.

Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml

Note: The March 26, 2008 publication includes five security advisories. The advisories all address vulnerabilities in Cisco's Internetwork Operating System (IOS) software. Each advisory lists the releases that correct the vulnerability described in the advisory, and also lists the releases that correct the vulnerabilities in the other five advisories.

Please reference the following software table to find a release that fixes all published software advisories as of March 26th, 2008:

* March 26th Bundled IOS Advisory Table
  http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml

Individual publication links are listed below:

* Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml

* Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
  http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
  http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml

* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
  http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml

* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
  http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml

Affected Products
=================

Devices that are running certain Cisco IOS versions prior to 12.3 with VPDN enabled may be affected by these vulnerabilities.

Vulnerable Products
-------------------

Devices that are running affected versions of Cisco IOS with VPDN enabled and are configured to accept termination of PPTP sessions are vulnerable.

To determine whether VPDN is enabled on your device, log in to the device and issue the command-line interface (CLI) command show running-config. If the output contains vpdn enable along with a vpdn-group name command, VPDN is enabled on the device. The device will accept termination of PPTP sessions if the command protocol any or protocol pptp is defined under the vpdn-group name command.

The following example shows a device that is running VPDN and will accept termination of PPTP sessions:

    Router#show running-config
    Building configuration...
    !
    !--- Output truncated.
    !
    vpdn enable
    !
    vpdn-group test_only
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    !--- Remaining output truncated.

To determine the software version running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product that is running Cisco IOS release 12.2(7):

    Cisco Internetwork Operating System Software
    IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Tue 15-Jan-02 18:31 by pwade
    Image text-base: 0x600089C0, data-base: 0x613A6000

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable
---------------------------------

Devices that are running Cisco IOS versions 12.3 and
[c-nsp] Cisco Security Advisory: Cisco Network Admission Control Shared Secret Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Network Admission Control Shared Secret Vulnerability

Advisory ID: cisco-sa-20080416-nac

http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml

Revision 1.0

For Public Release 2008 April 16 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Network Admission Control (NAC) Appliance that can allow an attacker to obtain the shared secret that is used between the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM).

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The following table lists all Cisco NAC Appliance software versions affected by this vulnerability.

    +--------------+----------------------+
    | NAC Software | Vulnerable Versions  |
    | Release      |                      |
    +--------------+----------------------+
    | 3.5.x        | All 3.5.x versions   |
    +--------------+----------------------+
    | 3.6.x        | All 3.6.x versions   |
    |              | prior to 3.6.4.4     |
    +--------------+----------------------+
    | 4.0.x        | All 4.0.x versions   |
    |              | prior to 4.0.6       |
    +--------------+----------------------+
    | 4.1.x        | All 4.1.x versions   |
    |              | prior to 4.1.2       |
    +--------------+----------------------+

Products Confirmed Not Vulnerable
---------------------------------

Cisco NAC Appliance software versions 3.6.4.4 and later in the 3.6.x train; 4.0.6 and later in the 4.0.x train; and 4.1.2 and later in the 4.1.x train are not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco NAC Appliance solution allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. The solution identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network.

A vulnerability exists in the Cisco NAC Appliance that can allow an attacker to obtain the shared secret used by the CAS and the CAM from error logs that are transmitted over the network. Obtaining this information could enable an attacker to gain complete control of the CAS remotely over the network.

This vulnerability is documented in Cisco Bug ID CSCsj33976 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1155.

Vulnerability Scoring Details
-----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* NAC Appliance Shared Secret Vulnerability (CSCsj33976)

  CVSS Base Score - 10.0
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - Complete
    Integrity Impact       - Complete
    Availability Impact    - Complete

  CVSS Temporal Score - 8.3
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability could allow an attacker to take complete control of the CAS remotely over the network.

Software Versions and Fixes
===========================

Each row of the following software table (below) describes the earliest possible releases that contain the fix for this vulnerability. These are shown in the First Fixed Release column. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

    +--------------------+----------------+
    | Affected Releases  | First Fixed    |
    |                    | Releases       |
    +--------------------+----------------+
    | NAC Appliance      | Vulnerable -   |
    | software version   | Contact TAC    |
    |
[c-nsp] Cisco Security Advisory: Cisco Content Switching Module Memory Leak Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Content Switching Module Memory Leak Vulnerability

Advisory ID: cisco-sa-20080514-csm

http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml

Revision 1.0

For Public Release 2008 May 14 1600 UTC (GMT)

Summary
=======

The Cisco Content Switching Module (CSM) and Cisco Content Switching Module with SSL (CSM-S) contain a memory leak vulnerability that can result in a denial of service condition. The vulnerability exists when the CSM or CSM-S is configured for layer 7 load balancing. An attacker can trigger this vulnerability when the CSM or CSM-S processes TCP segments with a specific combination of TCP flags while servers behind the CSM/CSM-S are overloaded and/or fail to accept a TCP connection.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The Cisco CSM and Cisco CSM-S are affected by the vulnerability described in this document if they are running an affected software version and are configured for layer 7 load balancing.

The following versions of the Cisco CSM software are affected by this vulnerability: 4.2(3), 4.2(3a), 4.2(4), 4.2(5), 4.2(6), 4.2(7), and 4.2(8).

The following versions of the Cisco CSM-S software are also affected by this vulnerability: 2.1(2), 2.1(3), 2.1(4), 2.1(5), 2.1(6), and 2.1(7).

To determine the software version in use by the CSM or CSM-S, log into the supervisor of the chassis that hosts the CSM or CSM-S modules and issue the command show module version (Cisco IOS) or show version (Cisco CatOS). CSM modules will display as model WS-X6066-SLB-APC, CSM-S modules will display as model WS-X6066-SLB-S-K9, and the software version will be indicated next to the Sw: label. Note that the output from show module version (for Cisco IOS) is slightly different from the output from show version (for Cisco CatOS). However, in both cases the model names will read as previously described, and the software version will be easily identified by looking for the Sw: label.

The following example shows a CSM in slot number 4 running software version 4.2(3):

    switch#show module version
    Mod Port Model              Serial #    Versions
    --- ---- ------------------ ----------- -----------------------
      1    3 WS-SVC-AGM-1-K9    SAD092601W5 Hw : 1.0
                                            Fw : 7.2(1)
                                            Sw : 5.0(3)
      2    6 WS-SVC-FWM-1       SAD093200X8 Hw : 3.0
                                            Fw : 7.2(1)
                                            Sw : 3.2(3)1
      3    8 WS-SVC-IDSM-2      SAD0932089Z Hw : 5.0
                                            Fw : 7.2(1)
                                            Sw : 5.1(6)E1
      4    4 WS-X6066-SLB-APC   SAD093004BD Hw : 1.7
                                            Fw :
                                            Sw : 4.2(3)
      5    2 WS-SUP720-3B       SAL0934888E Hw : 4.4
                                            Fw : 8.1(3)
                                            Sw : 12.2(18)SXF11
                                            Sw1: 8.6(0.306)R3V15
             WS-SUP720          SAL09348488 Hw : 2.3
                                            Fw : 12.2(17r)S2
                                            Sw : 12.2(18)SXF11
             WS-F6K-PFC3B       SAL0934882R Hw : 2.1

A Cisco CSM or CSM-S is configured for layer 7 load balancing if one or more layer 7 Server Load Balancing (SLB) policies are referenced in the configuration of a virtual server. There are six possible types of SLB policies: client-group, cookie-map, header-map, reverse-sticky, sticky-group, and url-map. Of these, the client-group policy type is always a layer 4 policy. The remaining policy types are layer 7 policies and, if used, would render a device affected by the vulnerability described in this document.

The following example shows a CSM module that is configured for layer 7 load balancing. Note the SLB policy TEST-SPORTS-50, which uses url-map and header-map layer 7 policies, and that is applied to the virtual server named WEB:

    module ContentSwitchingModule 5
    [...]
    !
     policy TEST-SPORTS-50
      url-map SPORTS
      header-map TEST
      client-group 50
      serverfarm WEBFARM2
    !
     vserver WEB
      virtual 10.20.221.100 tcp www
      serverfarm WEBFARM
      persistent rebalance
      slb-policy TEST-SPORTS-50
      inservice

Products Confirmed Not Vulnerable
---------------------------------

Only Cisco CSM modules running indicated 4.2 versions are affected by this vulnerability. CSM software versions 4.1, 3.2 and 3.1 are not affected by this vulnerability.

Cisco CSM-S modules running indicated 2.1 versions are the only vulnerable versions of software for that product.

Cisco CSM and CSM-S modules that are not
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080514-cucmdos

Revision 1.0

Summary
=======

Cisco Unified Communications Manager, formerly Cisco CallManager, contains multiple denial of service (DoS) vulnerabilities that may cause an interruption in voice services, if exploited. These vulnerabilities were discovered internally by Cisco. The following Cisco Unified Communications Manager services are affected:

* Certificate Trust List (CTL) Provider
* Certificate Authority Proxy Function (CAPF)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP) Trap

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.

Affected Products
=================

Vulnerable Products
-------------------

These products are vulnerable:

* Cisco Unified CallManager 4.1 versions prior to 4.1.3SR7
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(1)

Administrators of systems running Cisco Unified Communications Manager version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the Cisco Unified Communications Manager Administration interface.

Administrators of systems that are running Cisco Unified Communications Manager versions 5.x and 6.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).

Products Confirmed Not Vulnerable
---------------------------------

Cisco Unified Communications Manager Express is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

Certificate Trust List Provider Related Vulnerabilities
-------------------------------------------------------

The Certificate Trust List (CTL) Provider service of Cisco Unified Communications Manager version 5.x contains a memory consumption vulnerability that occurs when a series of malformed TCP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager version 5.1(3). The vulnerability is documented in Cisco Bug ID CSCsj80609 and has been assigned the CVE identifier CVE-2008-1742.

The CTL Provider service of Cisco Unified Communications Manager versions 5.x and 6.x contains a memory consumption vulnerability that occurs when a series of malformed TCP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsi98433 and has been assigned the CVE identifier CVE-2008-1743.

Certificate Authority Proxy Function Related Vulnerability
----------------------------------------------------------

The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contains a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR7, 4.2(3)SR4 and 4.3(2). This vulnerability is documented in Cisco Bug ID CSCsk46770 and has been assigned the CVE identifier CVE-2008-1744.

SIP-Related Vulnerabilities
---------------------------

Cisco Unified Communications Manager versions 5.x and 6.x contain a vulnerability in the handling of malformed SIP JOIN messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco
[c-nsp] Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080514-cup

Revision 1.0

Summary
=======

Cisco Unified Presence contains three denial of service (DoS) vulnerabilities that may cause an interruption in presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml.

Affected Products
=================

Vulnerable Products
-------------------

Cisco Unified Presence versions prior to 6.0(3) are affected by the vulnerabilities described in this advisory.

Administrators of systems running all Cisco Unified Presence versions can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can also be determined by running the command show version active via the Command Line Interface (CLI).

Products Confirmed Not Vulnerable
---------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Presence collects information about a user's availability status and communications capabilities. Using information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco Unified Communications Manager can improve productivity by helping users connect with colleagues more efficiently by determining the most effective means for collaborative communication.

The Presence Engine service of Cisco Unified Presence version 1.0 contains two vulnerabilities that occur when a series of malformed IP packets are received by a vulnerable Cisco Unified Presence system and may result in a DoS condition. There are no workarounds for these vulnerabilities. These vulnerabilities are fixed in Cisco Unified Presence version 6.0(1). Cisco Unified Presence version 6.0(1) is the upgrade path for Cisco Unified Presence version 1.0. The first vulnerability is documented in CVE-2008-1158 and Cisco Bug ID CSCsh50164. The second vulnerability is documented in CVE-2008-1740 and Cisco Bug ID CSCsh20972.

The SIP Proxy service of Cisco Unified Presence versions 6.0(1) and 6.0(2) contains a vulnerability that occurs when a TCP port scan is received by a vulnerable Cisco Unified Presence system and may result in a DoS condition. There is no workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Presence version 6.0(3). This vulnerability is documented in CVE-2008-1741 and Cisco Bug ID CSCsj64533.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsh50164 - PE Service core dumps when it receives malformed packets

  CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

  CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

* CSCsh20972 - PE Service core dumps under stress test

  CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

  CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

* CSCsj64533 - SIPD service core dumps during TCP port scan

  CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

  CVSS
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

Document ID: 105444

Advisory ID: cisco-sa-20080604-asa

http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Revision 1.0

For Public Release 2008 June 04 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:

* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL).

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml

Affected Products
=================

Vulnerable Products
-------------------

The following are the details about each vulnerability described within this advisory.

Crafted TCP ACK Packet Vulnerability
------------------------------------

Cisco ASA and Cisco PIX devices are affected by a crafted TCP acknowledgment (ACK) packet vulnerability. Software versions prior to 7.1(2)70 on the 7.1.x release, 7.2(4) on the 7.2.x release, and 8.0(3)10 on the 8.0.x release are affected. Cisco ASA or Cisco PIX security appliances running software version 7.0.x or 8.1.x are not vulnerable.

Cisco ASA and Cisco PIX devices running versions 7.1.x and 7.2.x with WebVPN, SSL VPN, or ASDM enabled are affected by this vulnerability. Devices running software versions on the 8.0 release that are configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM enabled are affected by this vulnerability.

Note: Devices running IPv4 and IPv6 are affected by this vulnerability.

Crafted TLS Packet Vulnerability
--------------------------------

Cisco ASA and Cisco PIX devices are affected by a crafted TLS request vulnerability if the HTTPS server on the Cisco ASA or Cisco PIX device is enabled and is running software versions prior to 8.0(3)9 on the 8.0.x release or prior to version 8.1(1)1 on the 8.1.x release. Cisco ASA and Cisco PIX appliances running software versions 7.x are not vulnerable.

Instant Messenger Inspection Vulnerability
------------------------------------------

Cisco ASA and Cisco PIX devices are affected by a crafted packet vulnerability if Instant Messaging Inspection is enabled and the device is running software versions prior to 7.2(4) on the 7.2.x release, 8.0(3)10 on the 8.0.x release, or 8.1(1)2 on the 8.1.x release. Devices running software versions in the 7.0.x and 7.1.x releases are not vulnerable. Additionally, devices that do not have Instant Messaging Inspection enabled are not vulnerable.

Note: Instant Messaging Inspection is disabled by default.

Vulnerability Scan Denial of Service
------------------------------------

Cisco ASA and Cisco PIX devices are affected by a vulnerability (port) scan denial of service vulnerability if the device is running software versions prior to 7.2(3)2 on the 7.2.x release or 8.0(2)17 on the 8.0.x release. Cisco ASA and Cisco PIX devices running software versions 7.0.x, 7.1.x, or 8.1.x are not vulnerable.

Control-plane Access Control List Vulnerability
-----------------------------------------------

Cisco ASA and Cisco PIX devices are affected by a vulnerability if the device is configured to use control-plane ACLs and if it is running software versions prior to 8.0(3)9 on the 8.0.x release. Devices running software versions 7.x or 8.1.x are not vulnerable.

Note: Control-plane ACLs were first introduced in software version 8.0(2). The control-plane ACLs are not enabled by default.

The show version command-line interface (CLI) command can be used to determine if a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Security Appliance that runs software release 8.0(2):

    ASA# show version
    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(1)
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window.

Products Confirmed Not Vulnerable
---------------------------------

The Cisco Firewall Services Module (FWSM) is not affected by
[c-nsp] Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo Frame Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Intrusion Prevention System Jumbo Frame Denial of Service

Advisory ID: cisco-sa-20080618-ips

Revision 1.0

For Public Release 2008 June 18 1600 UTC (GMT)

Summary
=======

Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The following Cisco IPS versions are affected:

* Cisco Intrusion Prevention System version 5.x prior to 5.1(8)E2
* Cisco Intrusion Prevention System version 6.x prior to 6.0(5)E2

The following Cisco IPS platforms ship with gigabit network interfaces and are vulnerable if they are deployed in inline mode:

* 4235
* 4240
* 4250
* 4250SX *
* 4250TX
* 4250XL *
* 4255
* 4260
* 4270

* The 4250SX and 4250XL models ship with gigabit network interfaces that are normally used for remote administration and monitoring. If the gigabit network interfaces are configured for use with inline mode, the platform is vulnerable.

To determine the version of software that is running on a Cisco IPS platform, log into the platform using the console or Secure Shell (SSH) and issue the show version command.

    sensor# show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.0(4a)E1

To determine whether a Cisco IPS platform has interfaces configured for inline mode, log into the platform using the console or SSH and issue the show interfaces command. Look for paired interfaces in the Inline Mode statement of the command output.

    sensor# show interfaces
    ...
    MAC statistics from interface GigabitEthernet0/1
       Interface function = Sensing interface
       Description =
       Media Type = TX
       Missed Packet Percentage = 0
       Inline Mode = Paired with interface GigabitEthernet0/0
    ...
    MAC statistics from interface GigabitEthernet0/0
       Interface function = Sensing interface
       Description =
       Media Type = TX
       Missed Packet Percentage = 0
       Inline Mode = Paired with interface GigabitEthernet0/1

Products Confirmed Not Vulnerable
---------------------------------

The following Cisco IPS platforms are not vulnerable:

* 4210
* 4215
* SSM-AIP10
* SSM-AIP20
* SSM-AIP40
* AIM-IPS
* NM-CIDS
* IDSM2

Cisco IPS version 6.1(1) is not vulnerable.

Cisco IOS with the Intrusion Prevention System feature is not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Certain Cisco IPS platforms contain a denial of service vulnerability in the handling of jumbo Ethernet frames. When a specific series of jumbo Ethernet frames is received on a gigabit network interface of a vulnerable Cisco IPS platform that is deployed in inline mode, a kernel panic may occur that results in the complete failure of the platform and causes a network denial of service condition. Cisco IPS platforms that are deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.

Jumbo Ethernet support is usually deployed in data center environments to increase inter-server communication performance and is not a default configuration for Cisco routers and switches. Support for jumbo Ethernet frames must be enabled on each device that requires the feature. In order to exploit this vulnerability, an attacker must be able to inject jumbo Ethernet frames to a vulnerable Cisco IPS platform that is deployed in inline mode.
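The advisory's deployment condition (inline mode on a gigabit interface) can be checked from the show interfaces output quoted above. The following is an added example, not part of the advisory and not Cisco tooling: a small Python parser that turns each "MAC statistics from interface" block into a field map, lists the inline pairs involving a GigabitEthernet interface, and flags a pairing that the named peer does not confirm. The sample output is constructed to resemble the advisory's excerpt; the FastEthernet interface, the "Command-control interface" function and the "Unpaired" value are assumptions added for illustration, not text quoted from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the advisory's "show interfaces" excerpt (the two
# GigabitEthernet0/x blocks). The FastEthernet block, the "Command-control
# interface" function and the "Unpaired" value are assumptions for illustration.
SAMPLE_SHOW_INTERFACES = """\
...
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/0
...
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Paired with interface GigabitEthernet0/1
MAC statistics from interface FastEthernet1/0
   Interface function = Sensing interface
   Media Type = TX
   Inline Mode = Unpaired
MAC statistics from interface GigabitEthernet1/2
   Interface function = Command-control interface
   Media Type = TX
   Inline Mode = Unpaired
"""

HEADER_RE = re.compile(r"^MAC statistics from interface (\S+)\s*$")
FIELD_RE = re.compile(r"^\s+([^=]+?)\s*=\s*(.*?)\s*$")
PAIRED_RE = re.compile(r"^Paired with interface (\S+)$")


def parse_show_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map each interface name to its 'field = value' lines. Lines outside a
    'MAC statistics from interface' block (such as the '...' elisions) are ignored,
    and an empty value such as 'Description =' is kept as an empty string."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            interfaces.setdefault(current, {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            interfaces[current][field.group(1)] = field.group(2)
    return interfaces


def inline_gigabit_pairs(interfaces: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Inline pairs in which at least one member is a GigabitEthernet interface,
    which is the deployment the advisory describes. Each pair is listed once."""
    pairs = set()
    for name, fields in interfaces.items():
        paired = PAIRED_RE.match(fields.get("Inline Mode", ""))
        if not paired:
            continue
        peer = paired.group(1)
        if name.startswith("GigabitEthernet") or peer.startswith("GigabitEthernet"):
            pairs.add(tuple(sorted((name, peer))))
    return sorted(pairs)


def asymmetric_pairs(interfaces: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Interfaces whose named peer does not report the pairing back. In the
    advisory's excerpt both members point at each other; anything else is worth
    a second look before trusting the inventory."""
    bad = []
    for name, fields in interfaces.items():
        paired = PAIRED_RE.match(fields.get("Inline Mode", ""))
        if not paired:
            continue
        peer = paired.group(1)
        if interfaces.get(peer, {}).get("Inline Mode") != f"Paired with interface {name}":
            bad.append((name, peer))
    return sorted(bad)


def has_inline_gigabit(show_interfaces_output: str) -> bool:
    """True when the sensor meets the advisory's deployment condition. The software
    version still has to be compared separately against the fixed releases above."""
    return bool(inline_gigabit_pairs(parse_show_interfaces(show_interfaces_output)))


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    for pair in inline_gigabit_pairs(parsed):
        print("inline gigabit pair:", pair)
    for pair in asymmetric_pairs(parsed):
        print("pairing not confirmed by peer:", pair)
    print("meets advisory deployment condition:", has_inline_gigabit(SAMPLE_SHOW_INTERFACES))
```

Run against a saved copy of the command output from each sensor; a True result only narrows the fleet to sensors whose software version then needs to be checked against 5.1(8)E2 and 6.0(5)E2.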
If they are configured to use bypass mode to allow traffic to pass in the event of a system failure, all Cisco IPS platforms will fail to forward traffic except for the 4260 and 4270 platforms. The Cisco IPS 4260 and 4270 platforms contain a hardware bypass feature that allows them to pass network traffic in the event of a kernel panic or power outage. They will pass traffic by default if the hardware bypass feature is engaged.

This vulnerability is documented in Cisco Bug ID CSCso64762 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2060.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities

Advisory ID: cisco-sa-20080625-cucm

Revision 1.0

For Public Release 2008 June 25 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager (CUCM), formerly Cisco CallManager, contains a denial of service (DoS) vulnerability in the Computer Telephony Integration (CTI) Manager service that may cause an interruption in voice services and an authentication bypass vulnerability in the Real-Time Information Server (RIS) Data Collector that may expose information that is useful for reconnaissance.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The following products are vulnerable:

  * Cisco Unified CallManager 4.1 versions
  * Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
  * Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1
  * Cisco Unified Communications Manager 5.x versions prior to 5.1(3c)
  * Cisco Unified Communications Manager 6.x versions prior to 6.1(2)

Administrators of systems running Cisco Unified Communications Manager (CUCM) version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the CUCM administration interface. Administrators of systems that are running CUCM versions 5.x and 6.x can determine the software version by viewing the main page of the CUCM administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager Express is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager (CUCM) is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Computer Telephony Integration Manager Related Vulnerability
+-----------------------------------------------------------

The Computer Telephony Integration (CTI) Manager service of CUCM versions 5.x and 6.x contains a vulnerability when handling malformed input that may result in a DoS condition. The CTI Manager service listens by default on TCP port 2748 and is not user-configurable. There is no workaround for this vulnerability. This vulnerability is fixed in CUCM versions 5.1(3c) and 6.1(2).

This vulnerability is documented in Cisco Bug ID CSCso75027 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2061.

Real-Time Information Server Data Collector Related Vulnerability
+----------------------------------------------------------------

The Real-Time Information Server (RIS) Data Collector service of CUCM versions 4.x, 5.x, and 6.x contains an authentication bypass vulnerability that may result in the unauthorized disclosure of certain CUCM cluster information. In normal operation, Real-Time Monitoring Tool (RTMT) clients gather CUCM cluster statistics by authenticating to a Simple Object Access Protocol (SOAP) based web interface. The SOAP interface proxies authenticated connections to the RIS Data Collector process. The RIS Data Collector service listens on TCP port 2556 by default and is user configurable. By connecting directly to the port that the RIS Data Collector process listens on, it may be possible to bypass authentication checks and gain read-only access to information about a CUCM cluster. The information available includes performance statistics, user names, and configured IP phones. This information may be used to mount further attacks.
No passwords or other sensitive CUCM configuration may be obtained via this vulnerability. No CUCM configuration changes can be made. There is no workaround for this vulnerability. This vulnerability is fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1).

For CUCM 4.x versions, this vulnerability is documented in Cisco Bug ID CSCsq35151 and has been assigned CVE identifier CVE-2008-2062. For CUCM 5.x and 6.x versions, this vulnerability is documented in Cisco Bug ID CSCsj90843 and has been assigned CVE identifier CVE-2008-2730.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS
[c-nsp] Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control

Advisory ID: cisco-sa-20080814-webex

Revision 1.0

For Public Release 2008 August 14 2230 UTC (GMT)

Summary
=======

An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx Meeting Manager contains a buffer overflow vulnerability that may result in a denial of service or remote code execution.

The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting. When users connect to the WebEx meeting service, the WebEx Meeting Manager is automatically upgraded to the latest version. There is a manual workaround available for users who are not able to connect to the WebEx meeting service.

Cisco WebEx is in the process of upgrading the meeting service infrastructure with fixed versions of the affected file.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

Affected Products
=================

Vulnerable Products
+------------------

The WebEx Meeting Manager downloads several components to meeting participants before they join a WebEx meeting. The vulnerability in this Security Advisory affects the atucfobj.dll library.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. When a meeting participant connects to the WebEx meeting service through a web browser, the WebEx meeting service installs several components of the WebEx Meeting Manager browser plugin on the meeting participant's system. WebEx Meeting Manager includes atucfobj.dll, a DLL that allows meeting participants to view Unicode fonts.
This library contains a buffer overflow vulnerability that could allow an attacker to execute arbitrary code.

The WebEx meeting service currently maintains three different versions of software. WebEx meeting service servers run one of the following versions: WBS 23, WBS 25, or WBS 26.

This vulnerability is documented in WebEx Bug IDs 292551 for WBS 26 and 306639 for WBS 25. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2737.

Identifying WebEx Meeting Service Version
+----------------------------------------

The following procedure allows meeting participants to identify the version of client software that is provided by a WebEx server. The procedure varies slightly depending on the version of the WebEx server software. The URL in all the following examples is provided to meeting participants as part of the WebEx meeting invite.

Client build numbers adhere to the format of XX.YY.ZZ.. The first number indicates the major version number of the software build. For example, a client build number of 26.49.9.2838 indicates a WBS 26-based software version.

For the WBS 26 version:

  1. Browse to the WebEx meeting server at https://servername.webex.com/.
  2. Select Support from the left side of the web page.
  3. Select Downloads from the left side of the web page.
  4. The version of the client software that is provided by the server is listed next to Client build.

For WebEx servers that are running WBS 26, the first fixed version is 26.49.9.2838. Client build versions prior to 26.49.9.2838 are vulnerable.

For the WBS 25 version:

  1. Browse to the WebEx meeting server at https://servername.webex.com/.
  2. Select Assistant on the left side of the page.
  3. Select the Support link.
  4. Select the Version link, which is displayed on the right side of the top of the page.
  5. The Client Build version is displayed in a pop-up window.

There is currently no fixed version for the WBS 25-based WebEx meeting service.
This section of the Security Advisory will be updated when fixed version information is available.

For the WBS 23 version:

Servers that run WBS 23-based WebEx meeting service display version information using the following URL format:

    https://servername.webex.com/version/wbxversionlist.do?siteurl=servername

On the redisplayed page the Client versions in files field will indicate the Client Build. For example: the 'T23' in WBXclient-T23L10NSP33EP13-1092.txt indicates a WBS 23-based system.

Cisco WebEx is not planning to repair WBS 23-based software. Affected WBS 23-based servers will be upgraded to fixed WBS 25 or WBS 26-based software.

Attack Vector Details
+--------------------

This Security Advisory addresses a vulnerable ActiveX control (atucfobj.dll). If atucfobj.dll is present on a client's computer, it may be possible for an
[c-nsp] Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA

Advisory ID: cisco-sa-20080903-asa

Revision 1.0

For Public Release 2008 September 3 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

  * Erroneous SIP Processing Vulnerabilities
  * IPSec Client Authentication Processing Vulnerability
  * SSL VPN Memory Leak Vulnerability
  * URI Processing Error Vulnerability in SSL VPNs
  * Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml

Affected Products
=================

The following paragraphs describe the affected Cisco ASA and Cisco PIX software versions:

Vulnerable Products
+------------------

The following sections provide details on the versions of Cisco ASA that are affected by each vulnerability.

The show version command-line interface (CLI) command can be used to determine if a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA device that runs software release 8.0(2):

    ASA# show version
    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(1)
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find their software version displayed in a table in the login window or in the upper left corner of the ASDM window.
Erroneous SIP Processing Vulnerabilities

Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. Cisco PIX and ASA software versions prior to 7.0(7)16, 7.1(2)71, 7.2(4)7, 8.0(3)20, and 8.1(1)8 are vulnerable to these SIP processing errors.

IPSec Client Authentication Processing Vulnerability

Cisco PIX and Cisco ASA devices that terminate remote access VPN connections are vulnerable to a denial of service attack if the device is running software versions prior to 7.2(4)2, 8.0(3)14, and 8.1(1)4. Cisco PIX and Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.

SSL VPN Memory Leak Vulnerability

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack affecting the SSL processing software if the device is running a software version prior to 7.2(4)2, 8.0(3)14, or 8.1(1)4. Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.

URI Processing Error Vulnerability in SSL VPNs

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack in the HTTP server if the device is running software versions prior to 8.0(3)15 and 8.1(1)5. Cisco ASA devices that run software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability.

Potential Information Disclosure in Clientless VPNs

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to potential information disclosure if the device is running affected 8.0 or 8.1 software versions. Cisco ASA devices running software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability. Cisco ASA devices that run software versions prior to 8.0(3)15 and 8.1(1)4, or after 8.0(3)16 and 8.1(1)5, are also not affected by this vulnerability.
Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running software versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified Border Elements (CUBE) are not vulnerable to these issues.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The following sections provide details to help determine if a device may be affected by any of the vulnerabilities.

Erroneous SIP Processing Vulnerabilities
+---------------------------------------

Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. All Cisco PIX and Cisco ASA software releases may be vulnerable to these SIP processing vulnerabilities. A successful attack may result in a reload of the device. SIP
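The version checks that the IPS jumbo-frame, CUCM and ASA advisories above describe by hand, as an added example that is not Cisco's code: a parser for the release notation those advisories use (IPS 6.0(4a)E1, ASA 8.0(3)14, CUCM 4.2(3)SR4) and a check of a running release against each advisory's first-fixed list. The fixed-version tables are copied from the advisories; the show version banners are constructed samples modelled on the excerpts above.

```python
"""Added example (not Cisco's code): check a running release against the
"first fixed" tables of the IPS jumbo-frame, CUCM and ASA advisories above.

Cisco's notation is parsed as major.minor(maintenance[letter])[train][rebuild],
e.g. IOS 12.4(11)T2, IPS 6.0(4a)E1, ASA 8.0(3)14, CUCM 4.2(3)SR4.
"""
import re
from typing import NamedTuple, Optional

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)")


class Release(NamedTuple):
    major: int
    minor: int
    maint: int
    maint_letter: str  # "a" in 6.0(4a), "" otherwise
    train: str         # "T" in 12.4(11)T2, "E" in 6.0(5)E2, "SR" in 4.2(3)SR4,
                       # "" for mainline or interim builds such as 8.0(3)14
    rebuild: int       # 2 in 12.4(11)T2, 14 in 8.0(3)14, 0 when absent

    def sort_key(self):
        # Orders releases within one train; "" sorts before "c", so 5.1(3) < 5.1(3c).
        return (self.major, self.minor, self.maint, self.maint_letter, self.rebuild)


def parse_release(text: str) -> Release:
    """Return the first Cisco-style release string in text (e.g. a show version banner)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Cisco release string in {text!r}")
    major, minor, maint, letter, train, rebuild = m.groups()
    return Release(int(major), int(minor), int(maint), letter, train, int(rebuild or 0))


def in_family(rel: Release, family: str) -> bool:
    """family is "8.0" (exact major.minor) or "6.x" (any 6.* release), as the advisories phrase it."""
    major, minor = family.split(".")
    return rel.major == int(major) and (minor == "x" or rel.minor == int(minor))


def is_affected(running: str, fixed_table: dict) -> Optional[bool]:
    """True if running is prior to its family's first fixed release; False if it is at
    or past the fix, or outside every listed family; None when the release trains
    differ (e.g. a T-train IOS image checked against a mainline fixed release)."""
    rel = parse_release(running)
    for family, first_fixed in fixed_table.items():
        if not in_family(rel, family):
            continue
        if first_fixed is None:  # advisory lists no fixed release for this family
            return True
        fix = parse_release(first_fixed)
        if rel.train and rel.train != fix.train:
            return None
        return rel.sort_key() < fix.sort_key()
    return False


# First fixed release per family, copied from the advisories above.
# None means the advisory lists every release of that family as vulnerable.
IPS_JUMBO_FIXED = {"5.x": "5.1(8)E2", "6.x": "6.0(5)E2"}               # cisco-sa-20080618-ips
CUCM_CTI_FIXED = {"5.x": "5.1(3c)", "6.x": "6.1(2)"}                   # CSCso75027
CUCM_RIS_FIXED = {"4.1": None, "4.2": "4.2(3)SR4", "4.3": "4.3(2)SR1",
                  "5.x": "5.1(3)", "6.x": "6.1(1)"}                     # CSCsq35151, CSCsj90843
ASA_SIP_FIXED = {"7.0": "7.0(7)16", "7.1": "7.1(2)71", "7.2": "7.2(4)7",
                 "8.0": "8.0(3)20", "8.1": "8.1(1)8"}                   # cisco-sa-20080903-asa

# Constructed sample banners, modelled on the show version excerpts in the advisories.
SAMPLE_IPS_BANNER = "Cisco Intrusion Prevention System, Version 6.0(4a)E1"
SAMPLE_ASA_BANNER = ("Cisco Adaptive Security Appliance Software Version 8.0(2)\n"
                     "Device Manager Version 6.0(1)")

if __name__ == "__main__":
    for label, banner, table in (("IPS jumbo frame", SAMPLE_IPS_BANNER, IPS_JUMBO_FIXED),
                                 ("ASA SIP inspection", SAMPLE_ASA_BANNER, ASA_SIP_FIXED)):
        print(f"{label}: {parse_release(banner)} affected={is_affected(banner, table)}")
```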
[c-nsp] Cisco Security Advisory: Cisco IOS IPS Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS IPS Denial of Service Vulnerability

Advisory ID: cisco-sa-20080924-iosips

http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

Summary
=======

The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

Note: This vulnerability is not related in any way to CVE-2008-1447 - Cache poisoning attacks. Cisco Systems has published a Cisco Security Advisory for that vulnerability, which can be found at http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml

Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory.
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=================

Vulnerable Products
+------------------

Any Cisco IOS device configured with the Cisco IOS IPS feature is vulnerable, regardless of whether it is configured to use the built-in signatures or an external signature file. Devices using either version 4 or version 5 signatures are affected by this vulnerability.

The Cisco IOS IPS feature is not enabled by default. The command show ip ips interfaces can be used to determine if the Cisco IOS IPS feature has been configured and applied to any interface on the device, as in the following example:

    Router#show ip ips interfaces
    Interface Configuration
      Interface FastEthernet0/0
        Inbound IPS rule is ios-ips-incoming
        Outgoing IPS rule is not set
      Interface FastEthernet0/1
        Inbound IPS rule is not set
        Outgoing IPS rule is ios-ips-outgoing
    Router#

The output of the show ip ips interfaces command when the Cisco IOS IPS feature has not been configured is dependent on which Cisco IOS release is installed and running on the device.
It may be similar to the following example:

    Router#show ip ips interfaces
    Router#

or it may be similar to the following:

    Router#show ip ips interfaces
    Interface Configuration
    IPS is not configured on any interface
    Router#

Any version of Cisco IOS prior to the versions which are listed in the Software Versions and Fixes section below is vulnerable.

To determine the version of the Cisco IOS software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product running Cisco IOS Software release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih

    <output truncated>
    Router#

The next example shows a product running
[c-nsp] Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability

Advisory ID: cisco-sa-20080924-l2tp

http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco IOS software implementation of Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS software releases.

Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.

This vulnerability will result in a reload of the device when processing a specially crafted L2TP packet.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory.
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml

Affected Products
=================

All devices running affected versions of 12.2 or 12.4 Cisco IOS system software and that have a vulnerable configuration are affected by this vulnerability.

Vulnerable Products
+------------------

To determine if a device is vulnerable, first confirm that the device is running an affected version of 12.2 or 12.4 Cisco IOS system software. Then check for the process L2TP mgmt daemon running on the device.

To determine the software version running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(11)T2:

    Router#show version
    Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 01-May-07 04:19 by prod_rel_team

    <output truncated>

Additional information on the Cisco IOS release naming conventions can be found in the document entitled White Paper: Cisco IOS Reference Guide, which is available at http://www.cisco.com/warp/public/620/1.html

To check if the process L2TP mgmt daemon is running on a device, log into the command line interface (CLI) and issue the command show processes | include L2TP. (NOTE: The command is case sensitive.) If the output returns a line with the process name L2TP mgmt daemon, the device is vulnerable. The following example shows a device running the L2TP mgmt daemon process:

    Router#show processes | include L2TP
    158 Mwe 62590FE44 3133322900/24000 0 L2TP mgmt daemon
    Router#

The L2TP mgmt daemon is started by several different types of configurations that may be deployed in networks that leverage the L2TP protocol. If any of the following commands appear within a device's configuration (show running-config), then the device will have started the L2TP mgmt daemon and is vulnerable.
[c-nsp] Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure Denial of Service Vulnerability

Advisory ID: cisco-sa-20080924-mfi

http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

Summary
=======

Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. The older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml

NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory.
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=================

Devices that run Cisco IOS software (including those that support Cisco IOS Software Modularity) and support MFI are affected if they are configured for MPLS.

Vulnerable Products
+------------------

A device that runs Cisco IOS software and supports MFI will have mfi_ios in the output of the show subsys command. The following example shows output from a device that supports MFI:

    Router#show subsys name mfi_ios
                  Class      Version
    mfi_ios       Protocol   1.000.001
    Router#

The following example shows output from a device that is configured for MPLS:

    Router#show mpls interface
    Interface          IP          Tunnel   BGP  Static  Operational
    Ethernet0/0        Yes (ldp)   No       No   No      Yes
    Router#

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS.
On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product that is running Cisco IOS release 12.4(11)T2:

    Router#show version
    Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 01-May-07 04:19 by prod_rel_team

    <output truncated>

Additional information on the Cisco IOS release naming conventions can be found in the document entitled White Paper: Cisco IOS Reference Guide, which is available at http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+--------------------------------

Devices running Cisco IOS software versions that do not include MFI are not vulnerable. Devices that are not configured for MPLS are not vulnerable. Devices that are running Cisco IOS XR software are not vulnerable.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

In newer versions of Cisco IOS software, a new packet forwarding infrastructure was introduced to improve scalability and performance. This forwarding infrastructure, called MFI, is transparent to the user. MFI manages MPLS data structures used for forwarding and replaces the older implementation, Label Forwarding Information Base (LFIB).

Cisco IOS MFI implementation is vulnerable to a DoS attack from specially crafted packets that are handled in the
[c-nsp] Cisco Security Advisory: Cisco IOS NAT Skinny Call Control Protocol Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS NAT Skinny Call Control Protocol Vulnerability

Advisory ID: cisco-sa-20080924-sccp

http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

Summary
=======

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml

Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory.
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml

Affected Products
=================

Vulnerable Products
+------------------

This security advisory applies to all Cisco products that run Cisco IOS Software configured for NAT and that support the NAT SCCP Fragmentation Support feature. This feature was first introduced in Cisco IOS version 12.4(6)T.

To verify if NAT is enabled on a Cisco IOS device, log into the device and issue the command show ip nat statistics.
The following example shows a device configured with NAT:

Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
 pool mypool: netmask 255.255.255.0
        start 192.168.10.1 end 192.168.10.254
        type generic, total addresses 14, allocated 2 (14%), misses 0

Alternatively, you can use the show running-config | include ip nat command to verify if NAT has been enabled on the router interfaces.

Note: With reference to NAT, the term inside refers to those networks that will be translated. Inside this domain, hosts will have addresses in one address space, while on the outside, they will appear to have addresses in another address space when NAT is configured. The first address space is referred to as the local address space and the second is referred to as the global address space. The ip nat inside and ip nat outside interface commands must be present on the corresponding router interfaces in order for NAT to be enabled.

In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software identifies itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name displays between parentheses, followed by Version and the Cisco IOS release name. Other Cisco devices do not have the show version command or give different output. The following example shows output from a device that runs an IOS image:

Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
[more output removed for brevity]

Products Confirmed Not Vulnerable

Cisco IOS XR and IOS XE are not affected by this vulnerability. Cisco IOS devices not explicitly configured for NAT are not vulnerable. No other Cisco products are currently known to
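As an added example, not part of the Cisco advisory, the following Python script applies the two checks described above to captured command output: it pulls the release out of the show version banner, confirms that both ip nat inside and ip nat outside are present in the running configuration, and compares the release with 12.4(6)T, where the NAT SCCP Fragmentation Support feature first appeared. The sample output is constructed. The comparison is deliberately limited to the 12.4T train (an assumption of this example), and because the Software Versions and Fixes table is not reproduced here, a positive result means "check this device against that table", not "confirmed vulnerable".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output, modelled on the advisory's own "show version"
# and NAT examples. Added example data, not text from the advisory.
SHOW_VERSION = """\
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
"""

RUNNING_CONFIG = """\
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 pool mypool
"""

# "Version 12.3(17b)BC7" -> 12, 3, 17, "b", "BC", "7"; "Version 12.4(17)" -> 12, 4, 17, "", "", ""
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)")


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maint: int
    maint_letter: str  # the "b" in 12.3(17b)
    train: str         # "T", "BC", "MR", ...; "" for the mainline
    rebuild: int       # the trailing 2 in 12.4(6)T2; 0 when absent

    def as_text(self) -> str:
        return f"{self.major}.{self.minor}({self.maint}{self.maint_letter}){self.train}{self.rebuild or ''}"

    def key(self):
        # Ordering is only meaningful between releases of the same train.
        return (self.major, self.minor, self.maint, self.maint_letter, self.rebuild)


def parse_ios_version(banner: str) -> Optional[IosVersion]:
    """Extract the release from the 'show version' system banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, maint, letter, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), letter, train, int(rebuild or 0))


def nat_enabled(config: str) -> bool:
    """NAT only translates when both an inside and an outside interface exist,
    which is what the advisory's 'show running-config | include ip nat' check looks for."""
    lines = {line.strip() for line in config.splitlines()}
    return "ip nat inside" in lines and "ip nat outside" in lines


FIRST_SCCP_FRAG_RELEASE = IosVersion(12, 4, 6, "", "T", 0)


def has_sccp_fragmentation_feature(ver: Optional[IosVersion]) -> bool:
    """The NAT SCCP Fragmentation Support feature first shipped in 12.4(6)T.
    Assumption of this example: only the 12.4T train is compared; any other
    train must be checked against the advisory's fixed-software table."""
    if ver is None:
        return False
    return (ver.train == "T" and ver.major == 12 and ver.minor == 4
            and ver.key() >= FIRST_SCCP_FRAG_RELEASE.key())


def assess_sccp_nat(show_version: str, running_config: str) -> dict:
    """Combine the two 'Vulnerable Products' conditions into one verdict."""
    ver = parse_ios_version(show_version)
    nat = nat_enabled(running_config)
    feature = has_sccp_fragmentation_feature(ver)
    return {
        "release": ver.as_text() if ver else None,
        "nat_enabled": nat,
        "sccp_fragmentation_feature": feature,
        "review_against_advisory": nat and feature,
    }


if __name__ == "__main__":
    print(assess_sccp_nat(SHOW_VERSION, RUNNING_CONFIG))
```

The version parser deliberately keeps the train letters separate from the numeric fields, because an ordering such as 12.4(6)T2 < 12.4(15)T only holds inside one train; comparing a BC or MR release against a T release by number alone produces wrong answers.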
[c-nsp] Cisco Security Advisory: Vulnerability in Cisco IOS While Processing SSL Packet
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Vulnerability in Cisco IOS While Processing SSL Packet Advisory ID: cisco-sa-20080924-ssl http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - - Summary === A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange. Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml Note: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. 
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products = Vulnerable Products +-- Devices running Cisco IOS and using SSL-based services are susceptible to this vulnerability. 
Some of the services that utilize SSL are:

* HTTP server supporting SSL encryption (HTTPS)

The following example shows a device that has the standard Cisco IOS HTTP server disabled, but the SSL-enabled Cisco IOS HTTP server enabled:

Router#show running-config | include ip http
no ip http server
ip http secure-server
Router#

* SSL Virtual Private Network (SSL VPN), also known as AnyConnect VPN

The following example shows a device that has the SSL VPN feature enabled:

Router#show running-config | include webvpn
webvpn enable
webvpn
Router#

* Open Settlement Protocol (OSP) for Packet Telephony feature

The following example shows a device that has the OSP feature enabled and configured to use HTTPS, which is the vulnerable configuration:

Router#show running-config | include url
url https://host_ip_address:443/
Router#

The Cisco IOS Bug Toolkit may not accurately reflect the affected releases for this advisory. The affected releases are as follows:

* 12.4(16)MR, 12.4(16)MR1, 12.4(16)MR2
* 12.4(17)

To determine the version of the Cisco IOS software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS Software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2, RELEASE SOFTWARE (fc7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 23:12 by prod_rel_team Additional information about Cisco IOS software release naming is available at the following link: http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable + No other Cisco products and Cisco IOS releases are currently known to be affected by this vulnerability. Details === This vulnerability is triggered during the termination of an SSL session. Possession of valid credentials such as a username, password or a certificate is not required. SSL protocol uses TCP as a transport protocol. The requirement of the complete TCP 3-way handshake reduces the probability that this
[c-nsp] Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability Advisory ID: cisco-sa-20080924-ubr http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - - Summary === Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device. Only Cisco uBR10012 series devices that are configured for linecard redundancy are affected. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. 
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products

Vulnerable Products

Cisco uBR10012 series devices that are running Cisco IOS and configured for linecard redundancy are affected. Cisco uBR10012 series devices can be identified by issuing the show version command. The following example shows output from a Cisco uBR10012 series device running Cisco IOS software release 12.3(17b)BC7:

ubr10k#show version | include IOS
IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1)
ubr10k#

Please refer to the document entitled White Paper: Cisco IOS Reference Guide for additional information on the Cisco IOS release naming conventions.
This document is available at the following link: http://www.cisco.com/warp/public/620/1.html

A Cisco uBR10012 series device configured for linecard redundancy will have a line similar to one of the following in the output of the show running-config command:

member subslot slot/card working

or

hccp group protect worker-member-id worker-ip-address

Any version of Cisco IOS prior to the versions listed in the Software Versions and Fixes section below is vulnerable.

Products Confirmed Not Vulnerable

Cisco uBR10012 series devices that are not configured for linecard redundancy are not affected. Cisco uBR7200 series devices are not affected even if they are configured for linecard redundancy. Other uBR platforms are not affected. No other Cisco products are currently known to be affected by this vulnerability.

Details

Cisco uBR10012 series devices need to communicate with an RF Switch when configured for linecard redundancy. This communication is based on SNMP (Simple Network Management Protocol). When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. Changing the default community string, adding access restrictions on SNMP, or doing both will mitigate this vulnerability. The recommended mitigation is to do both. This vulnerability is documented in Cisco Bug ID CSCek57932 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3807.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security
[c-nsp] Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information Advisory ID: cisco-sa-20080924-vpn http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - - Summary === Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs. This issue is triggered by a logic error when processing extended communities on the PE device. This issue cannot be deterministically exploited by an attacker. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOS software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. 
Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml Affected Products = Products running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for MPLS VPNs or VRF Lite are potentially affected. Cisco IOS releases based on 12.1 are not affected. Vulnerable Products +-- Cisco IOS devices are vulnerable if they are configured for MPLS VPN or VRF Lite and have a BGP session between the CE and PE devices, and process extended communities. If a device is configured for MPLS VPN or VRF Lite the command address-family ipv4 vrf vrf-name or address-family ipv6 vrf vrf-name will be present in the device configuration. 
The following shows a command executed on a device configured for MPLS VPN:

router#show running-config | include address-family [ipv4|ipv6]
address-family ipv4 vrf vrf-name

The following shows a PE device configured for an IPv4 BGP session between the PE and the CE:

router bgp <local-AS>
 address-family ipv4 vrf one
  neighbor <neighbor-IP> remote-as <remote-AS>
  neighbor <neighbor-IP> activate

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product that is running Cisco IOS release 12.4(11)T2:

Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team
[output truncated]

Additional information on the Cisco IOS release naming conventions can be found in the document entitled White Paper: Cisco IOS Reference Guide, which is available at http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable

Cisco products not configured for MPLS VPNs or VRF Lite are unaffected by this vulnerability. Cisco products that do not run IOS are unaffected by this vulnerability. Cisco IOS-XR is not affected. No other Cisco products are currently known to be affected by this
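The SSL, uBR10012 SNMP and MPLS VPN advisories above each reduce to a search of the running configuration for a handful of lines. The following Python script, an added example rather than anything shipped with the advisories, runs those three searches over one constructed IOS configuration fragment: the three SSL-using services (ip http secure-server, webvpn enable, an OSP url https://) together with the exact release list quoted in the SSL advisory; the two linecard-redundancy forms (member subslot ... working and hccp ... protect) paired with a scan for read/write SNMP communities that are the default private or have no access-list bound; and VRF address-families under router bgp that carry a neighbor, that is, a CE-PE BGP session. The configuration text, hostnames, AS numbers and addresses are all constructed. One caveat, also an assumption of this example: the community string that linecard redundancy enables automatically is not guaranteed to appear in the running configuration, so for a uBR10012 the redundancy lines are the finding and the SNMP scan is only supporting evidence.

```python
import re

# Constructed IOS running-config fragment that exercises every check below.
# Added example data, not a configuration taken from any of the advisories.
SAMPLE_CONFIG = """\
hostname ubr10k
!
no ip http server
ip http secure-server
!
webvpn enable
!
snmp-server community private RW
snmp-server community monitor RO 10
!
redundancy
 linecard-group 1 cable
  member subslot 5/0 working
  member subslot 5/1 protect
!
router bgp 65000
 address-family ipv4 vrf one
  neighbor 192.0.2.2 remote-as 65001
  neighbor 192.0.2.2 activate
 exit-address-family
!
settlement 0
 url https://203.0.113.10:443/
"""

# Release list quoted in cisco-sa-20080924-ssl; the advisory notes the Bug
# Toolkit is not reliable for it, so the list is matched exactly.
SSL_AFFECTED_RELEASES = {"12.4(16)MR", "12.4(16)MR1", "12.4(16)MR2", "12.4(17)"}


def _lines(config):
    return [line.rstrip() for line in config.splitlines()]


def ssl_services(config):
    """The services the SSL advisory's 'show running-config | include' checks look for."""
    found = []
    for line in _lines(config):
        s = line.strip()
        if s == "ip http secure-server":
            found.append("HTTPS server")
        elif s == "webvpn enable":
            found.append("SSL VPN (webvpn)")
        elif s.startswith("url https://"):
            found.append("OSP over HTTPS")
    return found


def linecard_redundancy(config):
    """uBR10012 linecard redundancy: 'member subslot ... working' or 'hccp <group> protect'."""
    pat = re.compile(r"^\s*(member subslot \S+ working|hccp \d+ protect\b)")
    return any(pat.match(line) for line in _lines(config))


SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?:\s+(\S+))?", re.IGNORECASE)


def weak_rw_communities(config):
    """RW communities that are the default 'private' or have no access-list bound."""
    weak = []
    for line in _lines(config):
        m = SNMP_RE.match(line)
        if m and m.group(2).upper() == "RW":
            name, acl = m.group(1), m.group(3)
            if name == "private" or acl is None:
                weak.append(name)
    return weak


def vrf_bgp_sessions(config):
    """VRF address-families under 'router bgp' that carry a neighbor (a CE-PE BGP session)."""
    sessions, current = {}, None
    for line in _lines(config):
        m = re.match(r"^\s*address-family (ipv4|ipv6) vrf (\S+)", line)
        if m:
            current = m.group(2)
            sessions.setdefault(current, [])
        elif re.match(r"^\s*exit-address-family", line) or re.match(r"^\S", line):
            current = None  # left the address-family block
        elif current and (m := re.match(r"^\s*neighbor (\S+) remote-as", line)):
            sessions[current].append(m.group(1))
    return {vrf: peers for vrf, peers in sessions.items() if peers}


def audit(config, release):
    """Return one finding string per advisory whose conditions the config meets."""
    findings = []
    svcs = ssl_services(config)
    if svcs and release in SSL_AFFECTED_RELEASES:
        findings.append(f"cisco-sa-20080924-ssl: {release} with {', '.join(svcs)}")
    if linecard_redundancy(config):
        weak = weak_rw_communities(config)
        findings.append("cisco-sa-20080924-ubr: linecard redundancy enabled; "
                        "weak RW communities: " + (", ".join(weak) or "none listed"))
    vrfs = vrf_bgp_sessions(config)
    if vrfs:
        findings.append("cisco-sa-20080924-vpn: VRF BGP sessions in " + ", ".join(sorted(vrfs)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "12.4(16)MR1"):
        print(finding)
```

Run against a configuration archive rather than live devices when auditing at scale; the checks only need the text of show running-config plus the release string from show version.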
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities Advisory ID: cisco-sa-20080924-cucm http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) - - Summary === Cisco Unified Communications Manager, formerly Cisco Unified CallManager, contains two denial of service (DoS) vulnerabilities in the Session Initiation Protocol (SIP) service. An exploit of these vulnerabilities may cause an interruption in voice services. Cisco will release free software updates that address these vulnerabilities and this advisory will be updated as fixed software becomes available. There are no workarounds for these vulnerabilities. Note: Cisco IOS software is also affected by the vulnerabilities described in this advisory. A companion advisory for Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml Affected Products = The vulnerabilities described in this document apply to the Cisco Unified Communications Manager. Vulnerable Products +-- The following Cisco Unified Communications Manager versions are affected: * Cisco Unified CallManager 4.1 versions prior to 4.1.3SR8 * Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR4b * Cisco Unified CallManager 4.3 versions prior to 4.3(2)SR1a * Cisco Unified Communications Manager 5.x versions prior to 5.1(3d) * Cisco Unified Communications Manager 6.x versions prior to 6.1(2)su1 Administrators of systems running Cisco Unified CallManager version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button in the Cisco Unified Communications Manager Administration interface. 
Administrators of systems that are running Cisco Unified Communications Manager versions 5.x and 6.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the command show version active via the command line interface. In Cisco Unified CallManager version 4.x, the use of SIP as a call signaling protocol is not enabled by default; a SIP trunk must be configured before the Cisco Unified CallManager server starts listening for SIP messages on TCP and UDP ports 5060 and 5061. In Cisco Unified Communications Manager versions 5.x and later, the use of SIP as a call signaling protocol is enabled by default and cannot be disabled. Cisco IOS software is also affected by these vulnerabilities, although they are tracked by different Cisco bug IDs. A companion security advisory for Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml Products Confirmed Not Vulnerable + With the exception of Cisco IOS software, no other Cisco products are currently known to be vulnerable to the issues described in this advisory. Cisco Unified Communications Manager version 7.x is not affected by these vulnerabilities. Cisco Unified CallManager version 4.x is not affected by these vulnerabilities if it does not have any SIP trunks configured. Details === Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP gateways, and multimedia applications. SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. 
Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. Two DoS vulnerabilities exist in the SIP implementation of the Cisco Unified Communications Manager. These vulnerabilities can be triggered while processing specific and valid SIP messages and can lead to a reload of the main Cisco Unified Communications Manager process. Version 4.x of Cisco Unified CallManager does not have SIP enabled by default unless a SIP trunk is configured. Versions 5.x and later of the Cisco Unified Communications Manager have SIP enabled by default, and it cannot be disabled. The vulnerabilities are being tracked by the following Cisco bug IDs: * CSCsu38644, assigned CVE ID
[c-nsp] Cisco Security Advisory: Authentication Bypass in Cisco Unity
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Authentication Bypass in Cisco Unity Advisory ID: cisco-sa-20081008-unity http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml Revision 1.0 For Public Release 2008 October 08 1600 UTC (GMT) Summary === A vulnerability exists in Cisco Unity that could allow an unauthenticated user to view or modify some of the configuration parameters of the Cisco Unity server. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml. Affected Products = Cisco Unity is a voice and unified messaging platform. Cisco Unity can be configured to interoperate with Microsoft Exchange or IBM Lotus Domino, enabling users to access e-mail, voice, and fax messages from a single inbox. Vulnerable Products +-- All Cisco Unity versions, 4.x, 5.x and 7.x, may be affected by this vulnerability. Products Confirmed Not Vulnerable + No other Cisco products are currently known to be affected by this vulnerability. Details === Cisco Unity servers may be affected by an authentication bypass when they are configured for anonymous authentication. With anonymous authentication, the Cisco Unity Administrator authenticates the subscriber itself rather than relying on Microsoft Windows (Integrated Windows authentication). By default, Cisco Unity is configured so that the administrator uses the Integrated Windows authentication method for authentication. 
Details on authentication mechanisms can be found in the Installation Guide for Cisco Unity in the Authentication Methods Available for the Cisco Unity Administrator section, located at: http://www.cisco.com/en/US/docs/voice_ip_comm/unity/5x/installation/guide/umexnofo/5xcuigumenofo100.html#wp1533581 This authentication bypass vulnerability allows an unauthenticated user the ability to view or modify some system configuration parameters. No credentials, personally identifiable information, or user information can be obtained through exploitation of this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsr86943 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3814. Vulnerability Scoring Details + Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. 
* Authentication bypass w/ anonymous auth (CSCsr86943)

CVSS Base Score - 5.8
  Access Vector - Network
  Access Complexity - Medium
  Authentication - None
  Confidentiality Impact - Partial
  Integrity Impact - Partial
  Availability Impact - None

CVSS Temporal Score - 5.2
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact

Successful exploitation of the vulnerability may result in an unauthenticated user viewing or altering some configuration parameters of the Cisco Unity server.

Software Versions and Fixes

This vulnerability will be fixed in Cisco Unity software version 4.0ES161 for the 4.x release, 5.0ES53 for the 5.x release, and 7.0ES8 for the 7.x release. The latest versions of Cisco Unity software can be downloaded from http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=274246502. Software for each release is available as the 4.2(1) ES release, the 5.0(1) ES release, and the 7.0(2) ES release. When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds

Integrated Windows authentication is not affected by this vulnerability and
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA Advisory ID: cisco-sa-20081022-asa http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml Revision 1.0 For Public Release 2008 October 22 1600 UTC (GMT) Summary === Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities: * Windows NT Domain Authentication Bypass Vulnerability * IPv6 Denial of Service Vulnerability * Crypto Accelerator Memory Leak Vulnerability Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml. Affected Products = Vulnerable Products +-- The following are the details about each vulnerability described within this advisory. Windows NT Domain Authentication Bypass Vulnerability + Because of a Microsoft Windows NT Domain authentication issue the Cisco ASA and Cisco PIX devices may be susceptible to a VPN authentication bypass vulnerability. Cisco ASA or Cisco PIX security appliances that are configured for IPSec or SSL-based remote access VPN using Microsoft Windows NT Domain authentication may be vulnerable. Devices that are using any other type of external authentication (that is, LDAP, RADIUS, TACACS+, SDI, or local database) are not affected by this vulnerability. 
The following example demonstrates how Windows NT domain authentication is configured using the command line interface (CLI) on the Cisco ASA:

aaa-server NTAuth protocol nt
aaa-server NTAuth (inside) host 10.1.1.4
 nt-auth-domain-controller primary1

Alternatively, to see if a device is configured for Windows NT Domain authentication use the show running-config | include nt-auth-domain-controller command.

IPv6 Denial of Service Vulnerability

Cisco ASA and Cisco PIX security appliances that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be vulnerable. This vulnerability does not affect devices configured only for IPv4. Note: IPv6 functionality is turned off by default. IPv6 is enabled on the Cisco ASA and Cisco PIX security appliance using the ipv6 address interface command. To verify if a device is configured for IPv6 use the show running-config | include ipv6 command. Alternatively, you can display the status of interfaces configured for IPv6 using the show ipv6 interface command in privileged EXEC mode, as shown in the following example:

hostname# show ipv6 interface brief
outside [up/up]
    unassigned
inside [up/up]
    fe80::20d:29ff:fe1d:69f0
    fec0::a:0:0:a0a:a70
dmz [up/up]
    unassigned

In this example, the outside and dmz interfaces are not configured for IPv6.

Crypto Accelerator Memory Leak Vulnerability

Cisco ASA security appliances may experience a memory leak that can be triggered by a series of crafted packets. This memory leak occurs in the initialization code for the hardware crypto accelerator. Devices that are running software versions in the 8.0.x release are vulnerable. Note: Cisco ASA appliances that are running software versions in the 7.0, 7.1, and 7.2 releases are not vulnerable. The Cisco PIX security appliance is not affected by this vulnerability.
Determination of Software Versions

The show version command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Security Appliance that runs software release 8.0(4):

ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
[...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window.

Products Confirmed Not Vulnerable

The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running versions 6.x are not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities.

Details

This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other.

Windows NT Domain Authentication Bypass Vulnerability
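The three "Vulnerable Products" conditions above are each keyed on a different piece of CLI output: the aaa-server protocol nt lines, the per-interface addresses in show ipv6 interface brief, and the platform and release in show version. The following Python script, an added example and not code from the advisory, parses constructed samples of each and maps them onto the three vulnerabilities: the NT-domain finding is raised when an nt aaa-server group exists and reported with whether a tunnel-group actually references it; the IPv6 finding requires at least one interface with an address (an interface that reads unassigned does not count) together with release 7.2(4)9 or 7.2(4)10; and the crypto accelerator finding requires an ASA, not a PIX, on an 8.0(x) release. The hostnames, addresses and tunnel-group name are assumptions of this example.

```python
import re

# Constructed sample CLI output, modelled on the advisory's own examples.
# Added example data, not output or configuration from the advisory.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 7.2(4)9
Device Manager Version 5.2(4)
"""

RUNNING_CONFIG = """\
aaa-server NTAuth protocol nt
aaa-server NTAuth (inside) host 10.1.1.4
 nt-auth-domain-controller primary1
tunnel-group RemoteVPN general-attributes
 authentication-server-group NTAuth
interface GigabitEthernet0/1
 nameif inside
 ipv6 address fec0::a:0:0:a0a:a70/64
"""

SHOW_IPV6_BRIEF = """\
outside [up/up]
    unassigned
inside [up/up]
    fe80::20d:29ff:fe1d:69f0
    fec0::a:0:0:a0a:a70
dmz [up/up]
    unassigned
"""

VER_RE = re.compile(
    r"^Cisco (Adaptive Security Appliance|PIX Security Appliance) Software Version (\S+)", re.M)
IPV6_DOS_RELEASES = {"7.2(4)9", "7.2(4)10"}


def parse_version(show_version):
    """Return (platform, release), e.g. ("ASA", "7.2(4)9"); (None, None) if no banner."""
    m = VER_RE.search(show_version)
    if not m:
        return None, None
    platform = "ASA" if m.group(1).startswith("Adaptive") else "PIX"
    return platform, m.group(2)


def nt_auth_server_groups(config):
    """aaa-server groups that use the Windows NT domain protocol."""
    return re.findall(r"^aaa-server (\S+) protocol nt\s*$", config, re.M)


def nt_auth_in_use(config):
    """Those NT groups that a tunnel-group actually references for authentication."""
    groups = set(nt_auth_server_groups(config))
    used = re.findall(r"^\s*authentication-server-group (?:\(\S+\) )?(\S+)", config, re.M)
    return sorted(groups & set(used))


def ipv6_interfaces(show_ipv6_brief):
    """Parse 'show ipv6 interface brief' into {interface: [addresses]}, dropping
    interfaces that report 'unassigned'."""
    result, current = {}, None
    for line in show_ipv6_brief.splitlines():
        m = re.match(r"^(\S+)\s+\[[^\]]+\]", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line.strip() and line.strip() != "unassigned":
            result[current].append(line.strip())
    return {ifc: addrs for ifc, addrs in result.items() if addrs}


def assess(show_version, config, show_ipv6_brief):
    """One finding per vulnerability whose conditions are met."""
    platform, release = parse_version(show_version)
    findings = []
    groups = nt_auth_server_groups(config)
    if groups:
        used = nt_auth_in_use(config)
        findings.append(f"NT domain auth bypass: aaa-server group(s) {', '.join(groups)} use protocol nt"
                        f" (referenced by a tunnel-group: {'yes' if used else 'no'})")
    v6 = ipv6_interfaces(show_ipv6_brief)
    if v6 and release in IPV6_DOS_RELEASES:
        findings.append(f"IPv6 DoS: {release} with IPv6 on {', '.join(sorted(v6))}")
    if platform == "ASA" and release and re.match(r"8\.0\(", release):
        findings.append(f"Crypto accelerator memory leak: ASA release {release}")
    return findings


if __name__ == "__main__":
    for finding in assess(SHOW_VERSION, RUNNING_CONFIG, SHOW_IPV6_BRIEF):
        print(finding)
```

The IPv6 parser is the part worth keeping: the advisory's grep on ipv6 in the running configuration also matches interfaces that only have a link-local address or an ipv6 enable line, whereas show ipv6 interface brief tells you which interfaces actually carry addresses.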
[c-nsp] Cisco Security Advisory: Cisco Global Site Selector Appliances DNS Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco Global Site Selector Appliances DNS Vulnerability Advisory ID: cisco-sa-20090107-gss http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml Revision 1.0 For Public Release 2009 January 07 1600 UTC (GMT)

Summary

The Cisco Application Control Engine Global Site Selector (GSS) contains a vulnerability when processing specific Domain Name System (DNS) requests that may lead to a crash of the DNS service on the GSS. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090107-gss.shtml

Affected Products

All versions of GSS system software prior to 3.0(1) are affected by this vulnerability. If the GSS is configured with the optional Cisco Network Registrar (CNR) software, the device is not vulnerable.

Vulnerable Products

The following GSS products are affected by this vulnerability:
* Cisco GSS 4480 Global Site Selector
* Cisco GSS 4490 Global Site Selector
* Cisco GSS 4491 Global Site Selector
* Cisco GSS 4492R Global Site Selector

In order to determine the software that runs on a GSS device, users should log in to the device and issue the show version command to display the system software banner. The version is indicated on the line starting with Version. The following example shows a GSS that runs system software 2.0(1):

gss.cisco.com#show version
Global Site Selector (GSS)
Model Number: GSS-4491-k9
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Version 2.0(1)
Uptime: 19 Hours 18 Minutes and 14 seconds
gss.cisco.com#

In order to determine if CNR is enabled on the GSS device, users should log in to the device and issue the show running-config | grep cnr command to display the system CNR configuration. If CNR is enabled, cnr enable will be displayed in the output. If CNR is disabled, no cnr enable will be displayed.
The following example shows a GSS that does not have CNR enabled: GSS.cisco.com#show running-config | grep cnr no cnr enable GSS.cisco.com# Products Confirmed Not Vulnerable + The following products have been confirmed not vulnerable: * Cisco Global Site Selector using interaction with Cisco Network Registrar * Cisco Application Control Engine Module * Cisco Network Registrar * Cisco Content Services Switch (CSS) No other Cisco products are currently known to be affected by this vulnerability. Details === The Cisco GSS platform allows customers to leverage global content deployment across multiple distributed and mirrored data locations, optimizing site selection, improving Domain Name System (DNS) responsiveness, and ensuring data center availability. The GSS is inserted into the traditional DNS hierarchy and is closely integrated with the Cisco CSS, Cisco Content Switching Module (CSM), or third-party server load balancers (SLBs) to monitor the health and load of the SLBs in customers data centers. The GSS uses this information and user-specified routing algorithms to select the best-suited and least-loaded data center in real time. A vulnerability exists in the GSS when processing a specific sequence of DNS requests. An exploit of the vulnerability may result in a crash of the DNS service on the GSS. When the DNS server crashes, an error message will appear in the logs similar to the following example: Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)] This vulnerability is documented in Cisco Bug ID: CSCsj70093 This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3819. Vulnerability Scoring Details == Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. 
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsj70093: GSS DNS service may crash when processing specific DNS requests. CVSS Base Score - 7.8 Access Vector : Network Access
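The GSS advisory above gives two CLI checks (show version and show running-config | grep cnr) and the syslog signature of the DNS service crash. The following Python, added here as an editor's example and not part of the Cisco advisory, turns those into a triage script: it parses constructed CLI output shaped like the advisory's excerpts, applies the advisory's exposure conditions (software prior to 3.0(1) and CNR not enabled), and scans constructed syslog lines for the dnsserver exit message. The sample outputs and the PLACEHOLDER log lines are constructed for the example, not captured from a device; only the crash line follows the advisory's quoted message.

```python
"""Triage a Cisco GSS for cisco-sa-20090107-gss from CLI output and syslog.

Editor's example, not Cisco code. Sample inputs are constructed after the
excerpts quoted in the advisory; FIXED_VERSION is the advisory's 3.0(1).
"""
import re

FIXED_VERSION = (3, 0, 1)  # advisory: all versions prior to 3.0(1) are affected

# Constructed "show version" output, modelled on the advisory's example.
SHOW_VERSION = """\
gss.cisco.com#show version
Global Site Selector (GSS)
Model Number: GSS-4491-k9
Copyright (c) 1999-2007 by Cisco Systems, Inc.
Version 2.0(1)
Uptime: 19 Hours 18 Minutes and 14 seconds
gss.cisco.com#
"""

# Constructed "show running-config | grep cnr" output (CNR disabled).
SHOW_CNR = """\
GSS.cisco.com#show running-config | grep cnr
no cnr enable
GSS.cisco.com#
"""

# Constructed syslog excerpt: the middle line follows the crash signature the
# advisory quotes; the PLACEHOLDER lines are filler, not real GSS messages.
SYSLOG = """\
Dec 18 04:46:59 gss PLACEHOLDER-6-BENIGN[1] constructed benign line
Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] 'dnsserver' has exited [ExitUnknown(139)]
Dec 18 04:47:30 gss PLACEHOLDER-6-BENIGN[2] constructed benign line
"""

VERSION_RE = re.compile(r"^Version\s+(\d+)\.(\d+)\((\d+)\)\s*$", re.MULTILINE)
CNR_RE = re.compile(r"^(no\s+)?cnr\s+enable\s*$", re.MULTILINE)
DNS_EXIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+NMR-\d-LAUNCHSVR_EXIT\[(?P<pid>\d+)\]\s+"
    r"'?dnsserver'?\s+has exited\s+\[(?P<reason>\w+)\((?P<code>\d+)\)\]"
)


def parse_gss_version(show_version):
    """Return the system software version as a comparable (major, minor, build) tuple."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no 'Version x.y(z)' line found in show version output")
    return tuple(int(g) for g in m.groups())


def cnr_enabled(show_cnr):
    """True only when an un-negated 'cnr enable' line is present in the grep output."""
    m = CNR_RE.search(show_cnr)
    return bool(m) and m.group(1) is None


def assess_gss(show_version, show_cnr):
    """Apply the advisory's two conditions: pre-3.0(1) software and CNR not enabled."""
    version = parse_gss_version(show_version)
    if version >= FIXED_VERSION:
        return {"version": version, "vulnerable": False, "reason": "running a fixed release"}
    if cnr_enabled(show_cnr):
        return {"version": version, "vulnerable": False, "reason": "CNR enabled"}
    return {"version": version, "vulnerable": True, "reason": "pre-3.0(1) software without CNR"}


def find_dns_crashes(syslog):
    """Return dnsserver exit events for alerting; 139 is 128+11, consistent with SIGSEGV."""
    events = []
    for line in syslog.splitlines():
        m = DNS_EXIT_RE.match(line)
        if m:
            events.append({"timestamp": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                           "reason": m["reason"], "exit_code": int(m["code"])})
    return events


if __name__ == "__main__":
    print(assess_gss(SHOW_VERSION, SHOW_CNR))
    for event in find_dns_crashes(SYSLOG):
        print("DNS service exit:", event)
```

The version check is a plain tuple comparison, which is enough for the x.y(z) form the advisory shows; a device whose banner uses a different scheme raises rather than silently passing. The crash detector is the part worth wiring into log monitoring: a dnsserver exit with a non-zero status on a GSS is the observable the advisory gives for this issue, independent of whether the trigger was malicious.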
[c-nsp] Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities

Advisory ID: cisco-sa-20090114-ironport

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

Summary
=======

IronPort PXE Encryption is an e-mail encryption solution that is designed to secure e-mail communications without the need for a Public Key Infrastructure (PKI) or special agents on receiving systems. When an e-mail message is targeted for encryption, the PXE encryption engine on an IronPort e-mail gateway encrypts the original e-mail message as an HTML file and attaches it to a notification e-mail message that is sent to the recipient. The per-message key used to decrypt the HTML file attachment is stored on a local IronPort Encryption Appliance, PostX software installation or the Cisco Registered Envelope Service, which is a Cisco-managed software service.

PXE Encryption Privacy Vulnerabilities
--------------------------------------

The IronPort PXE Encryption solution is affected by two vulnerabilities that could allow unauthorized individuals to view the contents of secure e-mail messages. To exploit the vulnerabilities, attackers must first intercept secure e-mail messages on the network or via a compromised e-mail account.

IronPort Encryption Appliance Administration Interface Vulnerabilities
----------------------------------------------------------------------

IronPort Encryption Appliance devices contain two vulnerabilities that could allow unauthorized users to gain access to the IronPort Encryption Appliance administration interface and modify other users' settings. These vulnerabilities do not affect Cisco Registered Envelope Service users.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for the vulnerabilities that are described in this advisory.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

Affected Products
=================

Vulnerable Products
-------------------

The following IronPort Encryption Appliance/PostX versions are affected by these vulnerabilities:

  * All PostX 6.2.1 versions prior to 6.2.1.1
  * All PostX 6.2.2 versions prior to 6.2.2.3
  * All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
  * All IronPort Encryption Appliance/PostX 6.2.5 versions
  * All IronPort Encryption Appliance/PostX 6.2.6 versions
  * All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
  * All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
  * All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2

The version of software that is running on an IronPort Encryption Appliance is shown on the About page of the IronPort Encryption Appliance administration interface.

Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information.

Products Confirmed Not Vulnerable
---------------------------------

IronPort C, M and S-Series appliances are not affected by these vulnerabilities. Although C-Series appliances can be configured to use a local IronPort Encryption Appliance for per-message key retention, the C-Series appliances are not vulnerable. The Cisco Registered Envelope Service is not vulnerable.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.

PXE Encryption Privacy Vulnerabilities
--------------------------------------

Individual PXE Encryption users are vulnerable to two message privacy vulnerabilities that could allow an attacker to gain access to sensitive information. All the vulnerabilities require an attacker to first intercept a secure e-mail message as a condition for successful exploitation. Attackers can obtain secure e-mail messages by monitoring a network or through a compromised user e-mail account.

The IronPort Encryption Appliance contains a logic error that could allow an attacker to obtain the unique, per-message decryption key that is used to protect the content of an intercepted secure e-mail message without user interaction. Using the decryption key, an attacker could decrypt the contents of the secure e-mail message. This vulnerability is documented in IronPort bug 8062 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0053.

By modifying the contents of intercepted secure e-mail messages or by forging a close copy of the e-mail message, it may be possible for an attacker to convince a user to view a modified secure e-mail message and then cause the exposure
[c-nsp] Cisco Security Advisory: Cisco Security Manager Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Security Manager Vulnerability

Advisory ID: cisco-sa-20090121-csm

http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml

Revision 1.0

For Public Release 2009 January 21 1600 UTC (GMT)

Summary
=======

Cisco Security Manager contains a vulnerability when it is used with Cisco IPS Event Viewer (IEV) that results in open TCP ports on both the Cisco Security Manager server and the IEV client. An unauthenticated, remote attacker could leverage this vulnerability to access the MySQL databases or the IEV server.

Cisco has released free software updates that address this vulnerability. A workaround is also available to mitigate this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml

Affected Products
=================

Vulnerable Products
-------------------

All 3.1 and 3.2 versions prior to 3.2.2 of Cisco Security Manager are affected by this vulnerability. Cisco IEV is installed with Cisco Security Manager by default, but the vulnerability is not exposed until IEV has been launched.

Products Confirmed Not Vulnerable
---------------------------------

The following products have been confirmed not vulnerable:

  * Cisco Security Manager 3.2.2
  * Cisco Security Manager 3.0.x and earlier
  * Standalone implementations of Cisco IEV
  * Cisco IPS Manager Express

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and intrusion prevention security services on Cisco network and security devices. As part of Cisco Security Manager installation, the Cisco IEV is installed by default. The IEV is a Java-based application that allows users to view and manage alerts for up to five sensors, including the ability to report top alerts, attackers, and victims over a specified number of hours or days. Users can connect to and view alerts in real time or via imported log files, configure filters and views to help manage alerts, and import and export event data for further analysis.

A vulnerability exists in the Cisco Security Manager server. When the IEV is launched, it opens several remotely available TCP ports on the Cisco Security Manager server and client. These ports could allow remote, unauthenticated root access to the IEV database and server. When IEV is closed, it closes the open ports on the Cisco Security Manager client that launched the IEV but fails to close the open ports on the server. If the IEV has never been used on the system, the Cisco Security Manager server is not vulnerable.

The IEV database contains events that are collected from Cisco Intrusion Prevention System (IPS) devices. The IEV server allows an unauthenticated user to add, delete, or modify the devices that are added into the IEV.

This vulnerability is documented in Cisco Bug ID CSCsv66897 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3820.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv66897: Cisco Security Manager/IEV: TCP Ports open for remote connection without any authentication

CVSS Base Score - 8.8
  Access Vector          - Network
  Access Complexity      - Medium
  Authentication         - None
  Confidentiality Impact - Complete
  Integrity Impact       - Complete
  Availability Impact    - None

CVSS Temporal Score - 7.3
  Exploitability         - Functional
  Remediation Level      - Official-Fix
  Report Confidence      - Confirmed

Impact
======

Successful exploitation of this vulnerability may result in remote root access to the IEV database or to the IEV server. When the IEV is launched, remotely accessible ports are opened on the Cisco Security Manager server and on the client where the IEV is launched. When the IEV application is closed, these ports are closed on the client but remain open on the Cisco Security Manager server.
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager CAPF Denial of Service Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager CAPF Denial of Service Vulnerability

Advisory ID: cisco-sa-20090121-cucmcapf

Revision 1.0

For Public Release 2009 January 21 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager, formerly Cisco CallManager, contains a denial of service (DoS) vulnerability in the Certificate Authority Proxy Function (CAPF) service. Exploitation of this vulnerability could cause an interruption in voice services. The CAPF service is disabled by default.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml

Affected Products
=================

Vulnerable Products
-------------------

These products are vulnerable:

  * Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
  * Cisco Unified Communications Manager 6.x versions prior to 6.1(3)

Administrators of systems that are running Cisco Unified Communications Manager versions 5.x and 6.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the command show version active by way of the command line interface (CLI).

Products Confirmed Not Vulnerable
---------------------------------

Cisco Unified Communications Manager version 4.x and Cisco Unified Communications Manager Express are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Note: Cisco Unified Communications Manager 7.0(1) shipped with the software fix for this vulnerability and is not affected.

Details
=======

The CAPF service of Cisco Unified Communications Manager versions 5.x and 6.x contains a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service is disabled by default; however, if it is enabled, the CAPF service listens by default on TCP port 3804, and the listening port is configurable by the user. There is a workaround for this vulnerability.

This vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3e) and 6.1(3).

This vulnerability is documented in Cisco Bug ID CSCsq32032 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0057.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsq32032 - CAPF DoS when client terminates prematurely

CVSS Base Score - 7.8
  Access Vector          - Network
  Access Complexity      - Low
  Authentication         - None
  Confidentiality Impact - None
  Integrity Impact       - None
  Availability Impact    - Complete

CVSS Temporal Score - 6.4
  Exploitability         - Functional
  Remediation Level      - Official-Fix
  Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability described in this advisory may result in the interruption of voice services.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Cisco Unified Communications Manager version 5.1(3e) contains the fix for this vulnerability and can be downloaded here:
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20090204-wlc

http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml

Revision 1.0

For Public Release 2009 February 04 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers. This security advisory outlines details of the following vulnerabilities:

  * Denial of Service Vulnerabilities (total of three)
  * Privilege Escalation Vulnerability

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds available for these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The following products and software versions are affected for each vulnerability.

Denial of Service Vulnerabilities
+++++++++++++++++++++++++++++++++

Two denial of service (DoS) vulnerabilities affect software versions 4.2 and later. All Cisco Wireless LAN Controller (WLC) platforms are affected.

A third DoS vulnerability affects software versions 4.1 and later. The following platforms are affected by this vulnerability:

  * Cisco 4400 Series Wireless LAN Controllers
  * Cisco 4100 Series Wireless LAN Controllers
  * Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (WiSM)
  * Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers

Note: The Cisco Wireless LAN Controller Modules supported on Cisco 2800 and 3800 series Integrated Services Routers are not vulnerable. The Cisco 2000 and 2100 Series Wireless LAN Controllers are also not affected by this vulnerability.

Privilege Escalation Vulnerability
++++++++++++++++++++++++++++++++++

Only WLC software version 4.2.173.0 is affected by this vulnerability.

Determination of Software Versions
----------------------------------

To determine the WLC version that is running in a given environment, use one of the following methods:

  * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version.
  * From the command-line interface, type show sysinfo and note the Product Version, as shown in the following example:

    (Cisco Controller) >show sysinfo

    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 5.1.151.0
    RTOS Version..................................... Linux-2.6.10_mvl401
    Bootloader Version............................... 4.0.207.0
    Build Type....................................... DATA + WPS

    <output suppressed>

Use the show wism module <module number> controller 1 status command on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the Software Version, as demonstrated in the following example:

    Router#show wism mod 3 controller 1 status

    WiSM Controller 1 in Slot 3
    Operational Status of the Controller : Oper-Up
    Service VLAN                         : 192
    Service Port                         : 10
    Service Port Mac Address             : 0011.92ff.8742
    Service IP Address                   : 192.168.10.1
    Management IP Address                : 192.168.1.123
    Software Version                     : 5.1.151.0
    Port Channel Number                  : 288
    Allowed vlan list                    : 30,40
    Native VLAN ID                       : 40
    WCP Keep Alive Missed                : 0

Products Confirmed Not Vulnerable
---------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with Controller-based Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).

This Security Advisory describes multiple distinct vulnerabilities in the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These vulnerabilities are independent of each other.

Denial of Service Vulnerabilities
---------------------------------

These vulnerabilities are documented in the following Cisco Bug IDs and have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  * CSCsq44516 - CVE-2009-0058

Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password. An attacker may use a vulnerability
[c-nsp] Cisco Security Advisory: Cisco Unified MeetingPlace Web Conferencing Authentication Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified MeetingPlace Web Conferencing Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20090225-mtgplace

Revision 1.0

For Public Release 2009 February 25 1600 UTC (GMT)

Summary
=======

Cisco Unified MeetingPlace Web Conferencing servers may contain an authentication bypass vulnerability that could allow an unauthenticated user to gain administrative access to the MeetingPlace application.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml

Affected Products
=================

The Cisco Unified MeetingPlace conferencing solution provides functionality that allows organizations to host integrated voice, video, and web conferencing. The solution is deployed on-network, behind the firewall, and integrated directly into an organization's private voice/data networks and enterprise applications. Cisco Unified MeetingPlace servers can be deployed so that the server is accessible from the Internet, allowing external parties to participate in meetings.

Vulnerable Products
-------------------

Cisco Unified MeetingPlace Web Conferencing servers running software versions 6.0 and 7.0 may be affected by this vulnerability.

Products Confirmed Not Vulnerable
---------------------------------

Cisco Unified MeetingPlace Web Conferencing servers not running 6.0 or 7.0 software are not affected by this vulnerability.

Cisco Unified MeetingPlace Express is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco Unified MeetingPlace Web Conferencing server may contain a vulnerability that could allow an unauthenticated user to use a crafted URL to bypass the authentication mechanisms of the server. If successful, the user could gain full administrative access to the Cisco Unified MeetingPlace application.

This vulnerability is documented in Cisco Bug ID CSCsv65815 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-0614.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv65815 - Authentication Bypass in MeetingPlace Web Server

CVSS Base Score - 9
  Access Vector          - Network
  Access Complexity      - Low
  Authentication         - None
  Confidentiality Impact - Partial
  Integrity Impact       - Partial
  Availability Impact    - Complete

CVSS Temporal Score - 7.4
  Exploitability         - Functional
  Remediation Level      - Official-Fix
  Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in unauthorized access to the administrative functions of the Cisco Unified MeetingPlace application.

Software Versions and Fixes
===========================

This vulnerability is fixed in Cisco Unified MeetingPlace Web Conferencing software version 6.0(517.0), also known as Maintenance Release 4 (MR4) for the 6.0 release, and version 7.0(2), also known as Maintenance Release 1 (MR1) for the 7.0 release.

The latest versions of Cisco MeetingPlace software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875240

The Cisco Unified MeetingPlace Web Server software is available at: http://tools.cisco.com/support/downloads/go/Model.x?mdfid=278816725&mdfLevel=Software%20Version/Option&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20MeetingPlace%20Web%20Conferencing&treeMdfId=278875240

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

Document ID: 109450

Advisory ID: cisco-sa-20090225-ace

http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml

Revision 1.0

For Public Release 2009 February 25 1600 UTC (GMT)

Summary
=======

The Cisco ACE Application Control Engine Module and the Cisco ACE 4710 Application Control Engine contain multiple vulnerabilities that, if exploited, could result in any of the following impacts:

  * Administrative level access via default user names and passwords
  * Privilege escalation
  * A denial of service (DoS) condition

Cisco has released free software updates for affected customers. Workarounds that mitigate some of the vulnerabilities are available.

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml

Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco 4700 Series Application Control Engine Device Manager and Application Networking Manager module software. That advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml

Affected Products
=================

Vulnerable Products
-------------------

The following table displays the products that are affected by each vulnerability that is described within this advisory.

    +---------------------------------------+-------------------------------+-------------------------------+
    |                                       | Products and Versions Affected                                |
    | Vulnerability                         +-------------------------------+-------------------------------+
    |                                       | Cisco ACE 4710 Appliance      | Cisco ACE Module              |
    +---------------------------------------+-------------------------------+-------------------------------+
    | Default Usernames and Passwords       | All versions prior to A1(8a)  | All versions prior to A2(1.1) |
    +---------------------------------------+-------------------------------+-------------------------------+
    | Privilege Escalation Vulnerability    | All versions prior to A1(8a)  | All versions prior to A2(1.2) |
    +---------------------------------------+-------------------------------+-------------------------------+
    | Crafted SSH Packet Vulnerability      | All versions prior to A3(2.1) | All versions prior to A2(1.3) |
    +---------------------------------------+-------------------------------+-------------------------------+
    | Crafted Simple Network Management     | All versions prior to A3(2.1) | All versions prior to A2(1.3) |
    | Protocol version 2 (SNMPv2) Packet    |                               |                               |
    | Vulnerability                         |                               |                               |
    +---------------------------------------+-------------------------------+-------------------------------+
    | Crafted SNMPv3 Packet Vulnerability   | All versions prior to A1(8.0) | All versions prior to A2(1.2) |
    +---------------------------------------+-------------------------------+-------------------------------+

Determining Software Versions
-----------------------------

To display the version of system software that is currently running on the Cisco ACE Application Control Engine, use the show version command. The following example displays the output of the show version command on Cisco ACE Application Control Engine software version A3(1.0):

    ACE-4710/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html

    Software
      loader:    Version 0.95
      system:    Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0]
      system image file: (nd)/192.168.65.31/scimitar.bin
      Device Manager version 1.1 (0) 20080805:0415

    ... output truncated

The following example displays the output of the show version command on a Cisco ACE Application
[c-nsp] Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities

Advisory ID: cisco-sa-20090225-anm

http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml

Revision 1.0

For Public Release 2009 February 25 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Application Networking Manager (ANM) and Cisco Application Control Engine (ACE) Device Manager applications. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access.

This security advisory identifies the following vulnerabilities:

  * ACE Device Manager and ANM invalid directory permissions vulnerability
  * ANM default user credentials vulnerability
  * ANM MySQL default credentials vulnerability
  * ANM Java agent privilege escalation

Cisco has released free software updates that address these vulnerabilities. A workaround that mitigates one of the issues is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml.

Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The following are the products and versions affected by each vulnerability described within this advisory.

    +----------------------------------+--------------------+----------------------------------------+
    | Vulnerability                    | Product Affected   | Version Affected                       |
    +----------------------------------+--------------------+----------------------------------------+
    | Invalid Directory Permissions    | ACE Device Manager | All versions prior to A3(2.1)          |
    +----------------------------------+--------------------+----------------------------------------+
    | Invalid Directory Permissions    | ANM                | All versions prior to ANM 2.0          |
    +----------------------------------+--------------------+----------------------------------------+
    | Default User Credentials         | ANM                | All versions prior to ANM 2.0          |
    +----------------------------------+--------------------+----------------------------------------+
    | MySQL Default Credentials        | ANM                | All versions prior to ANM 2.0          |
    +----------------------------------+--------------------+----------------------------------------+
    | Java Agent Privilege Escalation  | ANM                | All versions prior to ANM 2.0 Update A |
    +----------------------------------+--------------------+----------------------------------------+

Determining ACE Device Manager Software Version
-----------------------------------------------

The ACE Device Manager is embedded with the ACE appliance software. To display the version of system software that is currently running on the device, use the show version command. The following example includes the output of the show version command on a Cisco ACE appliance running software version A3(2.1):

    ACE-4710/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.

    Software
      loader:    Version 0.95
      system:    Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
      system image file: (nd)/192.168.65.32/scimitar.bin
      Device Manager version 1.1 (0) 20081113:2052
    ---

Determining ANM Software Version
--------------------------------

To display the version of ANM software that is currently installed, log in to the ANM server and select the About keyword in the upper right. An informational pop-up window is displayed. ANM version 2.0 Update A is indicated in the example output below:

    Version: 2.0(0), Update: A
    Build Number: 709
    Build Timestamp: 20081031:1226

Products Confirmed Not Vulnerable
---------------------------------

The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise
[c-nsp] Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability
Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability

Document ID: 109483
Advisory ID: cisco-sa-20090304-sbc
http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml
Revision 1.0
For Public Release 2009 March 4 1600 UTC (GMT)

Summary
=======

A denial of service (DoS) vulnerability exists in the Cisco Session Border Controller (SBC) for the Cisco 7600 series routers.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml.

Affected Products
=================

Vulnerable Products
-------------------

All Cisco ACE-based SBC modules running software versions prior to 3.0(2) are affected.

To determine the version of the Cisco SBC software running on a system, log in to the device and issue the show version command to display the system banner.

card_A/Admin# show version
system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
output truncated

Cisco SBC software version 3.0.1 is running in the device used in this example.

Products Confirmed Not Vulnerable
---------------------------------

The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco ACE GSS (Global Site Selector) 4400 Series are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Session Border Controller (SBC) enables direct IP-to-IP interconnect between multiple administrative domains for session-based services, providing protocol interworking, security, and admission control and management. The SBC is a multimedia device that sits on the border of a network and controls call admission to that network.

A vulnerability exists in the Cisco SBC where an unauthenticated attacker may cause the Cisco SBC card to reload by sending crafted TCP packets over port 2000. Repeated exploitation could result in a sustained DoS condition.

Note: Only the Cisco SBC module reloads after successful exploitation. The Cisco 7600 series router does not reload and is not affected by this vulnerability.

Note: TCP port 2000 is typically used by Skinny Call Control Protocol (SCCP) applications. The Cisco SBC module, however, uses TCP port 2000 for high availability (redundancy) communication and does not use SCCP for this purpose.

This vulnerability is documented in Cisco Bug ID CSCsq18958 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-0619.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

This vulnerability has been corrected in Cisco SBC software release 3.0(2). Cisco SBC software can be downloaded from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/sbc-7600-crypto

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability
Cisco Security Advisory: Cisco Unified Communications Manager IP Phone Personal Address Book Synchronizer Privilege Escalation Vulnerability

Advisory ID: cisco-sa-20090311-cucmpab
Revision 1.0
For Public Release 2009 March 11 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager, formerly CallManager, contains a privilege escalation vulnerability in the IP Phone Personal Address Book (PAB) Synchronizer feature that may allow an attacker to gain complete administrative access to a vulnerable Cisco Unified Communications Manager system. If Cisco Unified Communications Manager is integrated with an external directory service, it may be possible for an attacker to leverage the privilege escalation vulnerability to gain access to additional systems configured to use the directory service for authentication.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090311-cucmpab.shtml

Affected Products
=================

Vulnerable Products
-------------------

The following products are vulnerable:

* Cisco Unified CallManager 4.1 versions
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4b
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)SR1b
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3e)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(3)
* Cisco Unified Communications Manager 7.0 versions prior to 7.0(2)

Administrators of systems that are running Cisco Unified Communications Manager software version 4.x can determine the software version by navigating to Help About Cisco Unified CallManager and selecting the Details button via the Cisco Unified Communications Manager administration interface.

Administrators of systems that are running Cisco Unified Communications Manager software versions 5.x, 6.x, and 7.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).

Products Confirmed Not Vulnerable
---------------------------------

Cisco Unified Communications Manager Express is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature of Cisco Unified Communications Manager allows users to keep their Cisco Unified Communications Manager address book synchronized with their Microsoft Windows address book.

The IP Phone PAB Synchronizer feature contains a privilege escalation vulnerability that may allow an attacker to obtain complete administrative access to a vulnerable Cisco Unified Communications Manager system. After an IP Phone PAB Synchronizer client successfully authenticates to a Cisco Unified Communications Manager device over an HTTPS connection, the Cisco Unified Communications Manager returns credentials for a user account that is used to manage the Cisco Unified Communications Manager directory service. If an attacker is able to intercept the credentials, they can perform unauthorized modifications to the Cisco Unified Communications Manager configuration and extend their privileges. The IP Phone PAB Synchronizer client has been redesigned to allow address book synchronization without requiring the directory service credentials.

This vulnerability does not allow an attacker to gain access to the underlying platform operating system of any Cisco Unified Communications Manager system.

Cisco Unified Communications Manager 4.x
----------------------------------------

Cisco Unified Communications Manager software version 4.x by default stores user information using an internal Lightweight Directory Access Protocol (LDAP) server called DC Directory. After an IP Phone PAB Synchronizer client successfully authenticates, the Cisco Unified Communications Manager returns credentials for the DC Directory user that will be used by the client to synchronize a user's address book. Depending on how a Cisco Unified Communications Manager is configured, an attacker may obtain different privilege levels using the intercepted credentials.

By default, Cisco Unified Communications Manager software version 4.x administrator accounts are created as part of an underlying Microsoft Windows operating system. Cisco Unified Communications Manager is commonly deployed using the Multi-Level Administration (MLA) feature to ease the integration of Cisco Unified Communications Manager into enterprise environments. If MLA is enabled, Cisco Unified Communications Manager stores administrator accounts in the Cisco
[c-nsp] Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities

Advisory ID: cisco-sa-20090325-mobileip
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)

Summary
=======

Devices that are running Cisco IOS Software and configured for the Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

* Cisco IOS cTCP Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
=================

Devices that are running an affected version of Cisco IOS Software and configured for the Mobile IP NAT Traversal feature or Mobile IPv6 are vulnerable.

Vulnerable Products
-------------------

Devices running Cisco IOS Software and configured for the Mobile IP NAT Traversal feature will have a line similar to one of the following in the output of the show running-config command:

ip mobile home-agent nat traversal [...]

or

ip mobile foreign-agent nat traversal [...]

or

ip mobile router-service collocated registration nat traversal [...]

Devices running Cisco IOS Software and configured for Mobile IPv6 will have a line similar to the following in the output of the show running-config command:

ipv6 mobile home-agent

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS Reference Guide at the following link:
[c-nsp] Cisco Security Advisory: Cisco IOS cTCP Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS cTCP Denial of Service Vulnerability

Advisory ID: cisco-sa-20090325-ctcp
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)

Summary
=======

A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco has released free software updates that address this vulnerability. No workarounds are available; however, the IPSec NAT traversal (NAT-T) feature can be used as an alternative.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

* Cisco IOS cTCP Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
=================

Vulnerable Products
-------------------

Cisco IOS devices running versions 12.4(9)T or later and configured for Cisco Tunneling Control Protocol (cTCP) encapsulation for an EZVPN server are vulnerable.

Note: The cTCP encapsulation feature was introduced in Cisco IOS version 12.4(9)T. The cTCP encapsulation feature is disabled by default.

Cisco IOS devices configured as an EZVPN client are not affected by this vulnerability. Only devices configured as EZVPN servers are vulnerable.

To configure the cTCP encapsulation feature for Easy VPN, use the crypto ctcp command in global configuration mode. You can optionally specify the port number that the device will listen on with the crypto ctcp port <port> command. Up to ten port numbers can be configured, and the port value can be from 1 through 65535. If the port keyword is not configured, the default port number is 1.

In the following example, the Cisco IOS device is configured to listen for cTCP messages on port 1.

crypto ctcp port 1

Note: The port keyword is configured only on the Cisco IOS device acting as an EZVPN server.

To determine the version of the Cisco IOS software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as Internetwork Operating System Software or simply IOS. On the next line of output, the image name will be displayed between parentheses, followed by Version and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco product running Cisco IOS Software release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
output truncated

The next example shows a product running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
[c-nsp] Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN Vulnerabilities

Advisory ID: cisco-sa-20090325-webvpn
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Revision 1.0
For Public Release 2009 March 25 1600 UTC (GMT)

Summary
=======

Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition.

Both vulnerabilities affect both the Cisco IOS WebVPN and Cisco IOS SSLVPN features:

1. A crafted HTTPS packet will crash the device.
2. SSLVPN sessions cause a memory leak in the device.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

* Cisco IOS cTCP Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml
* Cisco IOS Software Multiple Features IP Sockets Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml
* Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml
* Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
* Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
=================

Vulnerable Products
-------------------

Devices running affected versions of Cisco IOS software are affected if configured with SSLVPN.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
output truncated

The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS Reference Guide at the following link: http://www.cisco.com/warp/public/620/1.html

To determine whether SSLVPN is enabled on your device, log in to the device and issue the command-line interface (CLI) command show running-config | include webvpn. If the device returns any output, SSLVPN is configured on the device and the device may be vulnerable.

Vulnerable configurations vary depending on whether the device is supporting Cisco IOS WebVPN (introduced in Release 12.3(14)T) or Cisco IOS
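The three March 25 IOS advisories above (Mobile IP, cTCP, WebVPN/SSLVPN) each tell an administrator to read the release from the show version banner and then grep the running configuration for a feature line. The following Python is an added example, not code from Cisco or from the advisories: it scripts exactly those two checks for a fleet audit. The device output it parses is constructed here (hostnames and addresses are placeholders), and it only reports which advisory's feature is configured; deciding whether a given release is fixed still requires the advisory's own fixed-release table, which is not reproduced on this page.

```python
import re

# Constructed sample banners, modelled on the two show version examples the
# advisories quote (old "IOS (tm)" style and newer "Cisco IOS Software" style).
SHOW_VERSION_NEW = (
    "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), "
    "Version 12.4(20)T, RELEASE SOFTWARE (fc3)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
)
SHOW_VERSION_OLD = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)\n"
)

# Constructed running-config excerpt. The feature lines are the ones the advisories
# say to look for; the hostname, gateway name and address are placeholders.
RUNNING_CONFIG = """\
hostname edge-rtr-placeholder
!
ip mobile home-agent nat traversal keepalive 110
!
webvpn gateway gw-placeholder
 ip address 192.0.2.1 port 443
 inservice
!
ipv6 mobile home-agent
"""

# Image name in parentheses, then "Version" and the release name, as described above.
# search() skips the "(tm)" group in the older banner because ", Version" does not follow it.
BANNER_RE = re.compile(r"\((?P<image>[^)]+)\), Version (?P<release>[^,]+),")

# Per advisory ID, the configuration lines whose presence means the feature is enabled.
# The webvpn pattern mirrors the advisory's "show running-config | include webvpn".
FEATURE_PATTERNS = {
    "cisco-sa-20090325-mobileip": [
        re.compile(r"^ip mobile (?:home-agent|foreign-agent|router-service collocated registration)"
                   r" nat traversal\b.*$", re.M),
        re.compile(r"^ipv6 mobile home-agent\b.*$", re.M),
    ],
    "cisco-sa-20090325-ctcp": [re.compile(r"^crypto ctcp\b.*$", re.M)],
    "cisco-sa-20090325-webvpn": [re.compile(r"^.*\bwebvpn\b.*$", re.M)],
}


def parse_ios_banner(show_version: str):
    """Return {'image': ..., 'release': ...} from a show version banner, or None
    when the text does not look like a Cisco IOS banner."""
    match = BANNER_RE.search(show_version)
    if match is None:
        return None
    return {"image": match.group("image"), "release": match.group("release")}


def exposed_features(running_config: str):
    """Map advisory ID -> list of configuration lines that enable the feature it covers.
    Advisories whose feature is absent are omitted from the result."""
    hits = {}
    for advisory, patterns in FEATURE_PATTERNS.items():
        lines = [m.group(0).strip() for p in patterns for m in p.finditer(running_config)]
        if lines:
            hits[advisory] = lines
    return hits


def audit(show_version: str, running_config: str):
    """Combine both checks into one inventory record for a device."""
    banner = parse_ios_banner(show_version)
    if banner is None:
        # Not IOS (or unrecognised output): do not claim exposure either way.
        return {"ios": False, "release": None, "exposed": {}}
    return {"ios": True, "release": banner["release"],
            "exposed": exposed_features(running_config)}


if __name__ == "__main__":
    result = audit(SHOW_VERSION_NEW, RUNNING_CONFIG)
    print(f"IOS release {result['release']}")
    for advisory, lines in sorted(result["exposed"].items()):
        print(f"  {advisory}: {', '.join(lines)}")
```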
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

Advisory ID: cisco-sa-20090408-asa
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml
Revision 1.0
For Public Release 2009 April 08 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

* VPN Authentication Bypass when Account Override Feature is Used vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The following is a list of the products affected by each vulnerability as described in detail within this advisory.

VPN Authentication Bypass Vulnerability
---------------------------------------

Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access VPN and have the Override Account Disabled feature enabled are affected by this vulnerability.

Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is disabled by default.

Crafted HTTP Packet DoS Vulnerability
-------------------------------------

Cisco ASA security appliances may experience a device reload that can be triggered by a series of crafted HTTP packets, when configured for SSL VPNs or when configured to accept Cisco Adaptive Security Device Manager (ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability.

Crafted TCP Packet DoS Vulnerability
------------------------------------

Cisco ASA and Cisco PIX security appliances may experience a memory leak that can be triggered by a series of crafted TCP packets. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features:

* SSL VPNs
* ASDM Administrative Access
* Telnet Access
* SSH Access
* Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept

Crafted H.323 Packet DoS Vulnerability
--------------------------------------

Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability.

SQL*Net Packet DoS Vulnerability
--------------------------------

Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of SQL*Net packets, when SQL*Net inspection is enabled. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability.

Access Control List Bypass Vulnerability
----------------------------------------

A vulnerability exists in the Cisco ASA and Cisco PIX security appliances that may allow traffic to bypass the implicit deny behavior at the end of ACLs that are configured within the device. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability.

Determination of Software Versions
----------------------------------

The show version command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running.

The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4):

ASA#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(1)
output truncated

The following example shows a Cisco PIX security appliance that runs software version 8.0(4):

PIX#show version
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(3)
output truncated

Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window.

Products Confirmed Not Vulnerable
---------------------------------

The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco
[c-nsp] Cisco Security Advisory: Cisco Physical Access Gateway Denial of Service Vulnerability
Cisco Security Advisory: Cisco Physical Access Gateway Denial of Service Vulnerability

Advisory ID: cisco-sa-20090624-gateway
Revision 1.0
For Public Release 2009 June 24 1600 UTC (GMT)

Summary
=======

A denial of service (DoS) vulnerability exists in the Cisco Physical Access Gateway. There are no workarounds available to mitigate the vulnerability.

This vulnerability has been corrected in Cisco Physical Access Gateway software version 1.1. Cisco has released free software updates that address this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090624-gateway.shtml

Affected Products
=================

Vulnerable Products
-------------------

Cisco Physical Access Gateways running software versions prior to 1.1 are vulnerable.

Products Confirmed Not Vulnerable
---------------------------------

Cisco Physical Access Gateways running software versions 1.1 or later are not vulnerable.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco Physical Access Gateway is the primary means for the Cisco Physical Access Control solution to connect door hardware, such as locks and readers, to an IP network.

Certain crafted TCP port 443 packets may cause a memory leak that could lead to a denial of service (DoS) condition in the Cisco Physical Access Gateway. A TCP three-way handshake is needed to exploit this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsu95864 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-1163.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsu95864 - Memory leak with certain IP packets

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability described in this document may result in a memory leak. The issue could be repeatedly exploited to cause an extended DoS condition. Connected door hardware, such as card readers, locks, and other input/output devices, will function intermittently during extended DoS exploitation. Doors will remain open or locked depending on the gateway's configuration.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This vulnerability has been corrected in Cisco Physical Access Gateway software version 1.1 and can be downloaded from the following link: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280588231

Workarounds
===========

No workarounds are available; however, mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090624-gateway.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading,
[c-nsp] Cisco Security Advisory: Vulnerabilities in Cisco Video Surveillance Products
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerabilities in Cisco Video Surveillance Products

Advisory ID: cisco-sa-20090624-video

Revision 1.0

For Public Release 2009 June 24 1600 UTC (GMT)

Summary
=======

Cisco Video Surveillance Stream Manager firmware for the Cisco Video Surveillance Services Platforms and Cisco Video Surveillance Integrated Services Platforms contains a denial of service (DoS) vulnerability that could result in a reboot on systems that receive a crafted packet.

Cisco Video Surveillance 2500 Series IP Cameras contain an information disclosure vulnerability that could allow an authenticated user to view any file on a vulnerable camera.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090624-video.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are vulnerable:

  * Cisco Video Surveillance Stream Manager firmware for the Cisco Video Surveillance Services Platform versions prior to 5.3
  * Cisco Video Surveillance Stream Manager firmware for the Cisco Video Surveillance Integrated Services Platform versions prior to 5.3
  * Cisco Video Surveillance 2500 Series IP Camera firmware versions prior to 2.1

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Video Surveillance Services Platforms and Cisco Video Surveillance Integrated Services Platforms are vulnerable to a DoS condition. An attacker could exploit this vulnerability by sending a crafted packet to UDP port 37000, which could cause the crash of a critical process and result in a system reboot.

This vulnerability is documented in Cisco Bug ID CSCsj47924 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2045.

Cisco Video Surveillance 2500 Series IP Cameras contain an information disclosure vulnerability. An authenticated user may be able to access a vulnerable camera and view any file through the embedded web server on TCP ports 80 (HTTP) and/or 443 (HTTPS), depending on the camera configuration.

This vulnerability is documented in Cisco Bug IDs CSCsu05515 and CSCsr96497 (Wireless Cameras) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2046.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsj47924 - Malformed payload to xvcrman process causes reboot

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsu05515 - SD Camera Web Server Will Display any File on System

CVSS Base Score - 6.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 5.6
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsr96497 - Wireless Camera HTTP Server Will Display any File on System

CVSS Base Score - 6.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 5.6
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the Cisco Video Surveillance Stream Manager firmware vulnerability could cause a system reboot. Repeated exploitation may result in an extended DoS condition, which could
[c-nsp] Cisco Security Advisory: Vulnerabilities in Unified Contact Center Express Administration Pages
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerabilities in Unified Contact Center Express Administration Pages

Advisory ID: cisco-sa-20090715-uccx

http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml

Revision 1.0

For Public Release 2009 July 15 1600 UTC (GMT)

Summary
=======

The Cisco Unified Contact Center Express (Cisco Unified CCX) server contains both a directory traversal vulnerability and a script injection vulnerability in the administration pages of the Customer Response Solutions (CRS) and Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) products. Exploitation of these vulnerabilities could result in a denial of service condition, information disclosure, or a privilege escalation attack.

Cisco has released free software updates that address these two vulnerabilities in the latest version of Cisco Unified CCX software.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml.

Affected Products
=================

The Cisco Unified Contact Center Express (Cisco Unified CCX) is a single-server, integrated contact center in a box for use in deployments with up to 300 agents.

Vulnerable Products
+------------------

All versions of the Cisco Unified CCX server running the following software may be affected by these vulnerabilities, including:

  * Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x, 6.x, and 7.x
  * Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
  * Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
  * Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x, and 7.x
  * Cisco Customer Response Applications versions 3.x
  * Cisco IP Queue Manager (IP QM) versions 3.x

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Contact Center Express (Cisco Unified CCX) servers may be affected by both a directory traversal vulnerability and a script injection vulnerability.

The directory traversal vulnerability may allow authenticated users to view, modify, or delete any file on the server through the Customer Response Solutions (CRS) Administration interface. This vulnerability is documented in Cisco Bug ID CSCsw76644 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2047.

The script injection vulnerability may allow authenticated users to enter JavaScript into the Cisco Unified CCX database. The stored script could be executed in the browser of the next authenticated user. This vulnerability is documented in Cisco Bug ID CSCsw76649 and has been assigned CVE ID CVE-2009-2048.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* Incomplete input validation allows modification of OS files/directories (CSCsw76644)

CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.7
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* Script injection vulnerability in admin interface pages (CSCsw76649)

CVSS Base Score - 5.5
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - None
    Integrity Impact - Partial
    Availability Impact - Partial

CVSS Temporal Score - 4.5
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the directory traversal vulnerability may result in read and write access to files on the underlying operating system.

Successful exploitation of the script injection vulnerability may result in the execution of JavaScript in the browsers of authenticated users and prevent server pages from displaying properly.

Software
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Advisory ID: cisco-sa-20090727-wlc

http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

Revision 1.0

For Public Release 2009 July 27 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities:

  * Malformed HTTP or HTTPS authentication response denial of service vulnerability
  * SSH connections denial of service vulnerability
  * Crafted HTTP or HTTPS request denial of service vulnerability
  * Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco 1500 Series, 2000 Series, 2100 Series, 4400 Series, 4100 Series, 4200 Series, Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Cisco Catalyst 3750G Integrated Wireless LAN Controllers are affected by one or more of the following vulnerabilities:

  * The malformed HTTP or HTTPS authentication response denial of service vulnerability affects software versions 4.2 and later.
  * The SSH connections denial of service vulnerability affects software versions 4.1 and later.
  * The crafted HTTP or HTTPS request denial of service vulnerability affects software versions 4.1 and later.
  * The crafted HTTP or HTTPS request unauthorized configuration modification vulnerability affects software versions 4.1 and later.

Determination of Software Versions
+---------------------------------

To determine the WLC version that is running in a given environment, use one of the following methods:

  * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version field.

    Note: Customers who use a WLC Module in an Integrated Services Router (ISR) will need to issue the service-module wlan-controller 1/0 session command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the session Stack-Member-Number processor 1 command prior to performing the next step on the command line.

  * From the command-line interface, type show sysinfo and note the Product Version field, as shown in the following example:

    (Cisco Controller) >show sysinfo

    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 5.1.151.0
    RTOS Version..................................... Linux-2.6.10_mvl401
    Bootloader Version............................... 4.0.207.0
    Build Type....................................... DATA + WPS

    !--- output suppressed

  * Use the show wism module module-number controller 1 status command on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a WiSM. Note the software version as demonstrated in the following example, which shows version 5.1.151.0.

    Router#show wism module 3 controller 1 status

    WiSM Controller 1 in Slot 3
    Operational Status of the Controller : Oper-Up
    Service VLAN                         : 192
    Service Port                         : 10
    Service Port Mac Address             : 0011.92ff.8742
    Service IP Address                   : 192.168.10.1
    Management IP Address                : 192.168.1.123
    Software Version                     : 5.1.151.0
    Port Channel Number                  : 288
    Allowed vlan list                    : 30,40
    Native VLAN ID                       : 40
    WCP Keep Alive Missed                : 0

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Wireless Controller 5500 Series is not affected by these vulnerabilities.

Details
=======

Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).

This security advisory describes multiple distinct vulnerabilities in the WLC family of devices.

  * Malformed HTTP or HTTPS authentication response denial of service vulnerability

An attacker with access to the administrative web interface via HTTP or HTTPS may cause the device to reload by providing a malformed response to an
[c-nsp] Cisco Security Advisory: Active Template Library (ATL) Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Active Template Library (ATL) Vulnerability

Advisory ID: cisco-sa-20090728-activex

http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml

Revision 1.0

For Public Release 2009 July 28 1800 UTC (GMT)

Summary
=======

Certain Cisco products that use Microsoft Active Template Libraries (ATL) and headers may be vulnerable to remote code execution. In some instances, the vulnerability may be exploited against Microsoft Internet Explorer to perform a kill bit bypass. In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site.

Cisco will release free software updates for products that are affected by this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by this vulnerability:

  * Cisco Unity 4.x, 5.x, and 7.x

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco products are not known to be affected by this vulnerability:

  * Cisco AnyConnect VPN Client
  * Cisco Adaptive Security Device Manager (ASDM)
  * Cisco Building Broadband Service Manager (BBSM)
  * Cisco Catalyst Operating System (Catalyst OS)
  * Cisco Computer Telephony Integration Object Server (CTI)
  * Cisco IOS Software
  * Cisco IP/TV
  * Cisco Meetingplace
  * Cisco Mobile Wireless Fault Mediator (MWFM)
  * Cisco NAC Appliance (formerly Cisco Clean Access)
  * Cisco Secure Access Control Server (ACS)
  * Cisco Secure Desktop
  * Cisco Security Agent
  * Cisco Security Monitoring, Analysis and Response System (MARS)
  * Cisco SSL VPN Client (SVC)
  * Cisco Unified Contact Center Express (Unified CCX)
  * Cisco Video Surveillance Media Server (VSMS)
  * CiscoWorks LAN Management Solution (LMS)
  * WebEx

Details
=======

Microsoft has identified vulnerabilities in the Active Template Library (ATL) headers that are shipped with the Software Development Kit (SDK) for Microsoft Windows systems and used in Cisco products. In general, this vulnerability, if exposed by an ActiveX control, could lead to remote code execution on a client's system.

For complete details, please review the Microsoft Security Bulletin at: http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx

The following Bug IDs have been filed for Cisco products affected by this vulnerability:

  * CSCta71728 (registered customers only)

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCta71728 - Vulnerability in the ActiveX headers used in Unity
+--------------------------------------------------------------

CVSS Base Score - 9.3
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.4
    Exploitability - Proof-of-Concept
    Remediation Level - Unavailable
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in remote code execution.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

General information on ActiveX attacks and mitigation techniques can be found at the following link:
[c-nsp] Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities

Advisory ID: cisco-sa-20090729-bgp

http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml

Revision: 1.0

For Public Release 2009 July 29 1600 UTC (GMT)

Summary
=======

Recent versions of Cisco IOS Software support RFC4893 (BGP Support for Four-octet AS Number Space) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates. These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (hereafter referred to as 4-byte AS number) and BGP routing configured.

The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.

The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Cisco has released free software updates to address these vulnerabilities.

No workarounds are available for the first vulnerability. A workaround is available for the second vulnerability.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (hereafter both referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP routing. The software table in the section Software Versions and Fixes of this advisory indicates all affected Cisco IOS Software versions that have support for RFC4893 and are affected by this vulnerability.

A Cisco IOS Software version that has support for RFC4893 will allow configuration of AS numbers using 4 bytes. The following example identifies a Cisco device that has 4-byte AS number support:

    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#router bgp ?
      <1-65535>    Autonomous system number
      <1.0-XX.YY>  4 Octets Autonomous system number

Or:

    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#router bgp ?
      <1-4294967295>  Autonomous system number
      <1.0-XX.YY>     Autonomous system number

The following example identifies a Cisco device that has 2-byte AS number support:

    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#router bgp ?
      <1-65535>  Autonomous system number

A router that is running the BGP process will contain a line in the configuration that defines the autonomous system number (AS number), which can be seen by issuing the command line interface (CLI) command show running-config.

The canonical textual representation of 4-byte AS numbers is standardized by the IETF through RFC5396 (Textual Representation of Autonomous System (AS) Numbers). Two major ways for textual representation have been defined as ASDOT and ASPLAIN. Cisco IOS routers support both textual representations of AS numbers. For further information about textual representation of 4-byte AS numbers in Cisco IOS Software, consult the document Explaining 4-Byte Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html

Cisco IOS Software with support for RFC4893 is affected by both vulnerabilities if BGP routing is configured using either ASPLAIN or ASDOT notation.

The following example identifies a Cisco device that is configured for BGP using ASPLAIN notation:

    router bgp 65536

The following example identifies a Cisco device that is configured for BGP using ASDOT notation:

    router bgp 1.0

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
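The advisory distinguishes the ASPLAIN and ASDOT spellings of a 4-byte AS number (65536 versus 1.0) and identifies an exposed device by the router bgp line in its running configuration. The following Python is an added example, not Cisco's code: it converts between the two RFC 5396 representations in both directions with range checks, and scans router bgp lines in a configuration so that an inventory script can record which devices run BGP and whether the AS number they use already proves 4-byte support. The configuration snippets are constructed after the two one-line examples in the advisory; the advisory's exposure test remains RFC 4893 support in the image plus any BGP configuration, and a 4-byte AS in the configuration is one sufficient sign that such support is present.

```python
"""Four-octet AS number notation (RFC 5396) and a BGP configuration check.

Added example; not Cisco's code. Converts between the ASPLAIN and ASDOT
representations discussed in the advisory and scans 'router bgp' lines in a
running configuration. The SAMPLE_CONFIG_* strings are constructed snippets.
"""
import re

MAX_2BYTE_AS = 65535
MAX_4BYTE_AS = 4294967295


def asplain_to_asdot(asn):
    """ASDOT: values up to 65535 stay decimal, larger ones become high.low
    from the two 16-bit halves. 65536 -> '1.0', 4294967295 -> '65535.65535'."""
    if not 0 <= asn <= MAX_4BYTE_AS:
        raise ValueError(f"AS number out of range: {asn}")
    if asn <= MAX_2BYTE_AS:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asplain(text):
    """Accept either notation and return the integer AS number.
    Dotted input is parsed as high.low even when high is 0 (the ASDOT+ form)."""
    text = text.strip()
    dotted = re.fullmatch(r"(\d{1,5})\.(\d{1,5})", text)
    if dotted:
        high, low = int(dotted.group(1)), int(dotted.group(2))
        if high > MAX_2BYTE_AS or low > MAX_2BYTE_AS:
            raise ValueError(f"ASDOT component out of range: {text!r}")
        return (high << 16) | low
    if re.fullmatch(r"\d{1,10}", text):
        asn = int(text)
        if asn > MAX_4BYTE_AS:
            raise ValueError(f"AS number out of range: {text!r}")
        return asn
    raise ValueError(f"not an AS number: {text!r}")


def is_four_byte(asn):
    """True when the AS number does not fit in 16 bits (needs RFC 4893 support)."""
    return asn > MAX_2BYTE_AS


ROUTER_BGP_LINE = re.compile(r"^\s*router bgp (\S+)\s*$")


def bgp_processes(running_config):
    """Return [(notation_as_written, asn)] for every 'router bgp' line."""
    found = []
    for line in running_config.splitlines():
        m = ROUTER_BGP_LINE.match(line)
        if m:
            token = m.group(1)
            notation = "asdot" if "." in token else "asplain"
            found.append((notation, to_asplain(token)))
    return found


def bgp_configured(running_config):
    """The advisory's configuration criterion: any 'router bgp' process present."""
    return bool(bgp_processes(running_config))


def uses_four_byte_as(running_config):
    """A 4-byte AS in the configuration proves the image supports RFC 4893."""
    return any(is_four_byte(asn) for _, asn in bgp_processes(running_config))


# Constructed configuration fragments, modelled on the advisory's
# 'router bgp 65536' (ASPLAIN) and 'router bgp 1.0' (ASDOT) examples.
SAMPLE_CONFIG_ASPLAIN = "hostname edge1\n!\nrouter bgp 65536\n bgp log-neighbor-changes\n!\n"
SAMPLE_CONFIG_ASDOT = "hostname edge2\n!\nrouter bgp 1.0\n!\n"
SAMPLE_CONFIG_2BYTE = "hostname edge3\n!\nrouter bgp 65000\n!\n"
SAMPLE_CONFIG_NO_BGP = "hostname access1\n!\nrouter ospf 1\n!\n"
```

Both spellings of the same AS number normalise to the same integer, so a script comparing the output of show running-config across routers that were configured in different notations does not have to special-case either form. A 2-byte AS number in the configuration says nothing either way about RFC 4893 support; for those devices the software table in the advisory is the authority.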
[c-nsp] Cisco Security Advisory: Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability

Advisory ID: cisco-sa-20090818-bgp

http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Revision 1.0

For Public Release 2009 August 18 1500 UTC (GMT)

Summary
=======

Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering session when receiving a specific invalid BGP update.

The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update.

This is a different vulnerability from the one disclosed in the Cisco Security Advisory Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities, disclosed on 2009 July 29 1600 UTC at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml

Cisco is preparing to release a free software maintenance upgrade (SMU) that addresses this vulnerability. This advisory will be updated once the SMU is available. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Affected Products
=================

This vulnerability affects all Cisco IOS XR Software devices running software release 3.4.0 or later that are configured with BGP routing.

Vulnerable Products
+------------------

To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to Cisco IOS XR Software. The software version is displayed after the text Cisco IOS XR Software.

The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:

    RP/0/RP0/CPU0:CRS#show version
    Tue Aug 18 14:25:17.407 AEST

    Cisco IOS XR Software, Version 3.6.2[00]
    Copyright (c) 2008 by Cisco Systems, Inc.

    ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],

    CRS uptime is 4 weeks, 4 days, 1 minute
    System image file is disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm

    cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
    7457 processor at 1197Mhz, Revision 1.2

    17 Packet over SONET/SDH network interface(s)
    1 DWDM controller(s)
    17 SONET/SDH Port controller(s)
    8 TenGigabitEthernet/IEEE 802.3 interface(s)
    2 Ethernet/IEEE 802.3 interface(s)
    1019k bytes of non-volatile configuration memory.
    38079M bytes of hard disk.
    981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).

    Configuration register on node 0/0/CPU0 is 0x102
    Boot device on node 0/0/CPU0 is mem:

    !--- output truncated

The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:

    RP/0/0/CPU0:GSR#show version

    Cisco IOS XR Software, Version 3.7.1[00]
    Copyright (c) 2008 by Cisco Systems, Inc.

    ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
    Copyright (c) 1994-2005 by cisco Systems, Inc.

    GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
    System image file is disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm

    cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
    7457 processor at 1266Mhz, Revision 1.2

    1 Cisco 12000 Series Performance Route Processor
    1 Cisco 12000 Series - Multi-Service Blade Controller
    1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
    1 Cisco 12000 Series SPA Interface Processor-601/501/401
    3 Ethernet/IEEE 802.3 interface(s)
    1 SONET/SDH Port controller(s)
    1 Packet over SONET/SDH network interface(s)
    4 PLIM QoS controller(s)
    8 FastEthernet/IEEE 802.3 interface(s)
    1016k bytes of non-volatile configuration memory.
    1000496k bytes of disk0: (Sector size 512 bytes).
    65536k bytes of Flash internal SIMM (Sector size 256k).

    Configuration register on node 0/0/CPU0 is 0x2102
    Boot device on node 0/0/CPU0 is disk0:

    !--- output truncated

Additional information about Cisco IOS XR Software release naming conventions is available in the White Paper: Cisco IOS Reference Guide at the following link: http://www.cisco.com/warp/public/620/1.html#t6

Additional information about the Cisco IOS XR Software time-based release model is available in the White Paper: Guidelines for Cisco IOS XR Software at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html

BGP is configured in
[c-nsp] Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability

Advisory ID: cisco-sa-20090819-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml

Revision 1.0

For Public Release 2009 August 19 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages.

There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are affected by this vulnerability.

To determine the version of the FWSM software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed in the system.

The following example shows a system with an FWSM (WS-SVC-FWM-1) installed in slot 4.

    switch#show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAx
      4    6  Firewall Module                        WS-SVC-FWM-1       SAx
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAx
      6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAx

After locating the correct slot, issue the show module slot-number command to identify the software version that is running.

    switch#show module 4
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      4    6  Firewall Module                        WS-SVC-FWM-1       SAx

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ----------------------------------- ----- ------------ ------------ -------
      4  0003.e4xx. to 0003.e4xx.           3.0   7.2(1)       3.2(3)       Ok

The preceding example shows that the FWSM is running software version 3.2(3), as indicated by the column under Sw.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module slot-number command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from show module slot-number but will include module information for the modules in each switch in the VSS.

Alternatively, version information can be obtained directly from the FWSM through the show version command, as shown in the following example.

    FWSM#show version
    FWSM Firewall Version 3.2(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example.

    FWSM Version: 3.2(3)

Products Confirmed Not Vulnerable
+--------------------------------

Other Cisco products that offer firewall services, including Cisco IOS Software, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco PIX Security Appliances, are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco FWSM is a high-speed, integrated firewall module for Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.

A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic), after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection (the inspect icmp command under Class configuration mode) is enabled.

The FWSM stops processing traffic because one of the Network Processors (NPs) that is used by the
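Several of the advisories above identify exposure by reading a version string out of CLI output: the WLC show sysinfo and show wism status fields, the IOS and IOS XR show version banners, and the FWSM show version line. The following Python is an added example, not Cisco's code: it extracts the version token from each of those output styles, normalises Cisco's mixed notations (5.1.151.0, 12.3(26), 3.6.2[00], 3.2(3)) into comparable tuples, and checks them against the ranges the advisories state (WLC crafted HTTP/HTTPS request DoS: 4.1 and later; Physical Access Gateway: prior to 1.1; IOS XR BGP session reset: 3.4.0 and later). The CLI excerpts are constructed after the samples on this page, and the FWSM check only reports train membership because the fixed FWSM releases are not on this page.

```python
"""Extract software versions from Cisco CLI output and compare them with the
affected ranges the advisories above state.

Added example; not Cisco's code. The CLI samples below are constructed after
the advisories' 'show sysinfo', 'show wism ... status', 'show version' and
FWSM 'show version' excerpts.
"""
import re

# One pattern per output style, each capturing the raw version token.
VERSION_PATTERNS = {
    "wlc_sysinfo": re.compile(r"Product Version\.*\s*(\S+)"),
    "wism_status": re.compile(r"Software Version\s*:\s*(\S+)"),
    "ios_xr": re.compile(r"Cisco IOS XR Software, Version (\S+)"),
    "ios": re.compile(r"IOS \(tm\).*?, Version ([^,\s]+)"),
    "fwsm": re.compile(r"FWSM Firewall Version (\S+)"),
}


def extract_version(cli_output):
    """Return (style, version_token) for the first recognised format, else None."""
    for style, pattern in VERSION_PATTERNS.items():
        m = pattern.search(cli_output)
        if m:
            return style, m.group(1)
    return None


def parse_version(token):
    """'5.1.151.0' -> (5,1,151,0); '3.2(3)' -> (3,2,3); '3.6.2[00]' -> (3,6,2,0).
    Each run of digits is one component, so Cisco's mixed notations compare
    consistently. Letters (e.g. the 'fc2' build tag) are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", token))


def compare(a, b):
    """Compare two version tokens; shorter tuples are padded with zeros so
    '4.1' and '4.1.0.0' compare equal. Returns -1, 0 or 1."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def in_range(token, at_least=None, before=None):
    """True when at_least <= token < before (either bound may be omitted)."""
    if at_least is not None and compare(token, at_least) < 0:
        return False
    if before is not None and compare(token, before) >= 0:
        return False
    return True


# Constructed CLI excerpts, modelled on the advisories' samples.
WLC_SYSINFO = """(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 5.1.151.0
RTOS Version..................................... Linux-2.6.10_mvl401
"""
WISM_STATUS = """Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Software Version                     : 5.1.151.0
"""
IOS_XR_VERSION = """RP/0/RP0/CPU0:CRS#show version
Cisco IOS XR Software, Version 3.6.2[00]
Copyright (c) 2008 by Cisco Systems, Inc.
"""
IOS_VERSION = """Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
"""
FWSM_VERSION = "FWSM#show version\nFWSM Firewall Version 3.2(3)\n"


def assess():
    """Map each sample to (version, affected?) using the advisories' stated ranges."""
    wlc = extract_version(WLC_SYSINFO)[1]
    wism = extract_version(WISM_STATUS)[1]
    xr = extract_version(IOS_XR_VERSION)[1]
    fwsm = extract_version(FWSM_VERSION)[1]
    return {
        "wlc_crafted_request_dos": (wlc, in_range(wlc, at_least="4.1")),
        "wism_crafted_request_dos": (wism, in_range(wism, at_least="4.1")),
        "ios_xr_bgp_reset": (xr, in_range(xr, at_least="3.4.0")),
        # Only train membership (2.x/3.x/4.x) is known from this page for the FWSM.
        "fwsm_icmp_train": (fwsm, parse_version(fwsm)[0] in (2, 3, 4)),
    }


if __name__ == "__main__":
    for check, (version, affected) in assess().items():
        print(f"{check}: {version} -> {'affected' if affected else 'not affected'}")
```

The zero-padding in compare is what makes "4.1 and later" behave as expected against a four-component WLC build string; a plain tuple comparison would rank (4, 1) below (4, 1, 0, 0). The IOS XR pattern is matched before the IOS one because the XR banner does not contain the "IOS (tm)" text that the classic IOS banner does, so neither pattern can claim the other's output.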
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20090826-cucm

Revision 1.0

For Public Release 2009 August 26 1600 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager (formerly CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption to voice services. The Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are affected by these vulnerabilities.

Cisco has released free software updates for select Cisco Unified Communications Manager versions that address these vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml

Affected Products
=================

Vulnerable Products
-------------------

The following products are affected by vulnerabilities described in this advisory:

  * Cisco Unified Communications Manager 4.x
  * Cisco Unified Communications Manager 5.x
  * Cisco Unified Communications Manager 6.x
  * Cisco Unified Communications Manager 7.x

Products Confirmed Not Vulnerable
---------------------------------

Cisco Unified Communications Manager Express is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Malformed SIP Message Vulnerabilities
-------------------------------------

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP packets. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, resulting in the disruption of voice services. All SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by these vulnerabilities.

The first SIP DoS vulnerability is documented in Cisco Bug ID CSCsi46466 and has been assigned the CVE identifier CVE-2009-2050. The first vulnerability is fixed in Cisco Unified Communications Manager versions 6.1(1) and later.

Cisco Unified Communications Manager 4.x versions are only affected by the first SIP DoS vulnerability if a SIP trunk is explicitly configured. To determine if a SIP trunk is configured on a Cisco Unified Communications Manager version 4.x system, navigate to Device > Trunk and choose the option SIP Trunk in the Cisco Unified Communications Manager administration interface. To mitigate this vulnerability on vulnerable Cisco Unified Communications Manager 4.x systems that are configured to use SIP trunks, administrators are advised to use screening devices to restrict access to TCP and UDP port 5060 to valid SIP trunk end points.

The second SIP DoS vulnerability is documented in Cisco Bug ID CSCsz40392 and has been assigned the CVE identifier CVE-2009-2051. The second vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), and 7.1(2).

Network Connection Tracking Vulnerability
-----------------------------------------

Cisco Unified Communications Manager contains a DoS vulnerability that involves the tracking of network connections by the embedded operating system firewall. By establishing many TCP connections with a vulnerable system, an attacker could overwhelm the operating system table that is used to track network connections and prevent new connections from being established to system services. Any service that listens to a TCP port on a vulnerable system could be affected by this vulnerability, including SIP and SCCP.

This vulnerability is documented in Cisco Bug ID CSCsq22534 and has been assigned the CVE identifier CVE-2009-2052. The vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), 7.0(2), and 7.1(2).

Related SIP and SCCP DoS Vulnerabilities
----------------------------------------

Cisco Unified Communications Manager contains two DoS vulnerabilities involving the processing of SIP and SCCP packets. By flooding a vulnerable system with many TCP packets, an attacker could exhaust operating system file descriptors, causing the SIP port (TCP 5060 and 5061) and SCCP port (TCP 2000 and 2443) to close. This action could prevent new connections from being established to the SIP and SCCP services. SIP UDP (5060 and 5061) ports are not affected.

The SCCP vulnerability is documented in Cisco Bug ID CSCsx32236 and has been assigned the CVE identifier CVE-2009-2053. The SCCP vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), 7.0(2a)su1, and 7.1(2).
[c-nsp] Cisco Security Advisory: Cisco IOS Software Object-group Access Control List Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Object-group Access Control List Bypass Vulnerability

Advisory ID: cisco-sa-20090923-acl

Revision 1.0

For Public Release 2009 September 23

Summary
=======

A vulnerability exists in Cisco IOS® software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used.

Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

Vulnerable Products
-------------------

Any Cisco device configured with ACLs using the object group feature and running an affected Cisco IOS software version is affected by this vulnerability.

Note: The Object Groups for ACLs feature was introduced in Cisco IOS software version 12.4(20)T.

To verify whether object groups are configured in a Cisco IOS device, use the show object-group command in user EXEC or privileged EXEC mode. The following example displays a sample output from the show object-group command when object groups are configured:

    Router# show object-group
    Network object group my_host_group
     host 172.18.104.123
    Service object group my_allowed_services
     tcp eq www
     tcp eq 443

Alternatively, administrators can also use the show running-config | include ^ (permit|deny) .*object-group command to verify whether object groups are configured, as shown in the following example:

    Router#show running-config | include ^ (permit|deny) .*object-group
     permit object-group my_allowed_services host 10.10.1.1 host 10.20.1.1
     permit tcp any object-group my_host_group eq 22

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih
    !--- output truncated

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    !--- output truncated

Products Confirmed Not Vulnerable
---------------------------------

Cisco devices that are not configured with object groups are not vulnerable.

Cisco IOS XE Software and Cisco IOS XR Software are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

In Cisco IOS Software an object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets). In an ACL that is based on an object group, administrators can create a single access control entry (ACE) that uses an object group name instead of
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Express Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Express Vulnerability

Advisory ID: cisco-sa-20090923-cme

Revision 1.0

For Public Release 2009 September 23

Summary
=======

Cisco IOS® devices that are configured for Cisco Unified Communications Manager Express (CME) and the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

Cisco IOS devices, including Cisco Unified Communications 500 Series, that are configured for Cisco Unified CME and the Extension Mobility feature are affected.

Vulnerable Products
-------------------

A Cisco IOS device that is configured for Cisco Unified CME and Extension Mobility contains the following output when the show running-config command is issued:

    ephone [Ethernet phone tag]
     ...
     logout-profile [logout-profile tag]

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name is displayed in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih
    !--- output truncated

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS Reference Guide at the following link: http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
---------------------------------

Cisco IOS devices that are configured for Survivable Remote Site Telephony (SRST) Mode are not affected.

Cisco IOS XR is not affected.

Cisco IOS XE is not affected.

Cisco Unified Communications Manager is not affected.

Cisco Unified CME is not affected unless configured to use the Extension Mobility feature.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified CME is the call processing component of an enhanced IP telephony solution that is integrated into Cisco IOS. The Extension Mobility feature in Cisco Unified CME provides the benefit of phone mobility for end users. A user login service allows phone users to temporarily access a physical phone other than their own phone and utilize their personal settings, such as directory number, speed-dial lists, and services, that are assigned to their own desk phone. The phone user can make and receive calls on that phone using the same personal directory number as is on their own desk phone. More information on Extension Mobility
[c-nsp] Cisco Security Advisory: Cisco IOS Software Zone-Based Policy Firewall Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Zone-Based Policy Firewall Vulnerability

Advisory ID: cisco-sa-20090923-ios-fw

Revision 1.0

For Public Release 2009 September 23

Summary
=======

Cisco IOS® devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

This vulnerability affects a limited number of Cisco IOS Software releases. Consult the Software Versions and Fixes section of this advisory for the details of affected releases.

Only devices that are configured with Cisco IOS Zone-Based Policy Firewall SIP inspection (UDP port 5060, TCP ports 5060, and 5061) are vulnerable. Cisco IOS devices that are configured with legacy Cisco IOS Firewall Support for SIP (context-based access control (CBAC)) are not vulnerable.

Vulnerable Products
-------------------

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih
    !--- output truncated

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS Reference Guide at the following link: http://www.cisco.com/warp/public/620/1.html

The device is vulnerable if the configuration has either a layer 3 or layer 7 SIP application-specific policy configured, and these policies are applied to any firewall zone.

To determine whether the device is running a vulnerable configuration, log in to the device and issue the command line interface (CLI) command show policy-map type inspect zone-pair | include atch: access|protocol sip. If the output contains Match: protocol sip, the device is vulnerable. If the output contains Match: access-group number, then the device is only vulnerable if the referenced access list permits the SIP protocol (UDP port 5060, or TCP ports 5060 and 5061).

The following example shows a vulnerable device configured with Cisco IOS Zone-Based Policy Firewall SIP inspection:

    Router#show policy-map type inspect zone-pair | include atch: access|protocol sip
          Match: protocol sip
    Router#

The following example shows a vulnerable device configured with SIP inspection by way of an applied access list:

    Router#show policy-map type inspect zone-pair | include atch:
[c-nsp] Cisco Security Advisory: Cisco IOS Software Network Time Protocol Packet Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Network Time Protocol Packet Vulnerability

Advisory ID: cisco-sa-20090923-ntp

Revision 1.0

For Public Release 2009 September 23

Summary
=======

Cisco IOS® Software with support for Network Time Protocol (NTP) version 4 (v4) contains a vulnerability in the processing of specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

Vulnerable Products
-------------------

Cisco IOS Software devices are vulnerable if they support NTPv4 and are configured for NTP operations. NTP is not enabled in Cisco IOS Software by default.

To see if a device supports NTPv4, log in to the device and, in configuration mode of the command line interface (CLI), enter the command ntp peer 127.0.0.1 version ?. If the output has the number 4 as an option, then the device supports NTPv4.

The following example identifies a Cisco device that is running a Cisco IOS Software release that does support NTPv4:

    Router#configure terminal
    Router(config)#ntp peer 127.0.0.1 version ?
      <2-4>  NTP version number

The following example identifies a Cisco device that is running a Cisco IOS Software release that does not support NTPv4:

    Router(config)#ntp peer 127.0.0.1 version ?
      <1-3>  NTP version number

To see if a device is configured with NTP, log in to the device and issue the CLI command show running-config | include ntp. If the output returns any of the following commands, then the device is vulnerable:

    ntp master <any following commands>
    ntp peer <any following commands>
    ntp server <any following commands>
    ntp broadcast client
    ntp multicast client

The following example identifies a Cisco device that is configured with NTP:

    router#show running-config | include ntp
    ntp peer 192.168.0.12

The following example identifies a Cisco device that is not configured with NTP:

    router#show running-config | include ntp
    router#

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih
    !--- output truncated

The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team
    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS Reference Guide at the following link: http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
---------------------------------

The following products and features are not
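The two checks the NTP advisory describes (NTPv4 support from the "version ?" help text, and NTP operation from "show running-config | include ntp") can be applied to captured CLI output. This is an added Python example, not Cisco's code; the function names are hypothetical and the sample output is constructed from the advisory's examples.

```python
import re

# Commands the advisory lists as putting a device into NTP operation. The first three
# take further arguments; the two client forms are complete commands on their own.
NTP_ENABLING_PREFIXES = ("ntp master", "ntp peer", "ntp server")
NTP_ENABLING_EXACT = ("ntp broadcast client", "ntp multicast client")

# Help text printed by 'ntp peer 127.0.0.1 version ?', e.g. '<2-4>  NTP version number'
VERSION_RANGE_RE = re.compile(r"<?(\d+)-(\d+)>?\s+NTP version number")
# Echoed CLI prompt such as 'router#' or 'Router(config)#ntp peer ...'
PROMPT_RE = re.compile(r"^\S*[#>]")


def supports_ntpv4(version_help_output: str) -> bool:
    """True when the CLI help for 'ntp peer 127.0.0.1 version ?' offers version 4."""
    match = VERSION_RANGE_RE.search(version_help_output)
    if match is None:
        return False
    low, high = int(match.group(1)), int(match.group(2))
    return low <= 4 <= high


def ntp_enabling_commands(running_config_ntp_lines: str) -> list:
    """Return the lines of 'show running-config | include ntp' output that the advisory
    says enable NTP operation. Prompt echoes, 'no ntp ...' lines and unrelated ntp
    settings (ntp source, ntp authenticate, ...) are ignored."""
    hits = []
    for raw in running_config_ntp_lines.splitlines():
        line = raw.strip()  # 'ntp broadcast client' is indented under an interface
        if not line or PROMPT_RE.match(line) or line.startswith("no "):
            continue
        if line in NTP_ENABLING_EXACT or any(
            line == p or line.startswith(p + " ") for p in NTP_ENABLING_PREFIXES
        ):
            hits.append(line)
    return hits


def assess_ntp_exposure(version_help_output: str, running_config_ntp_lines: str) -> dict:
    """Combine both checks from the advisory: the release must support NTPv4 AND the
    device must be configured for NTP operations for it to be considered vulnerable."""
    ntpv4 = supports_ntpv4(version_help_output)
    enabling = ntp_enabling_commands(running_config_ntp_lines)
    return {
        "supports_ntpv4": ntpv4,
        "ntp_configured": bool(enabling),
        "enabling_commands": enabling,
        "vulnerable": ntpv4 and bool(enabling),
    }


# Constructed sample CLI output modelled on the advisory's examples (not captured from a device).
SAMPLE_VERSION_HELP_V4 = (
    "Router(config)#ntp peer 127.0.0.1 version ?\n"
    "  <2-4>  NTP version number\n"
)
SAMPLE_VERSION_HELP_V3 = (
    "Router(config)#ntp peer 127.0.0.1 version ?\n"
    "  <1-3>  NTP version number\n"
)
SAMPLE_CONFIG_WITH_NTP = (
    "router#show running-config | include ntp\n"
    "ntp authenticate\n"
    "ntp source Loopback0\n"
    "ntp peer 192.168.0.12\n"
    " ntp broadcast client\n"
)
SAMPLE_CONFIG_NO_NTP = "router#show running-config | include ntp\nrouter#\n"

if __name__ == "__main__":
    for help_text, config in ((SAMPLE_VERSION_HELP_V4, SAMPLE_CONFIG_WITH_NTP),
                              (SAMPLE_VERSION_HELP_V3, SAMPLE_CONFIG_WITH_NTP),
                              (SAMPLE_VERSION_HELP_V4, SAMPLE_CONFIG_NO_NTP)):
        print(assess_ntp_exposure(help_text, config))
```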
[c-nsp] Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

Advisory ID: cisco-sa-20090923-sip

Revision 1.0

For Public Release 2009 September 23

Summary
=======

A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled.

Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

This vulnerability only affects devices running Cisco IOS Software with SIP voice services enabled.

Vulnerable Products
-------------------

Cisco devices running affected Cisco IOS Software versions that are configured to process SIP messages with the Cisco Unified Border Element feature are affected. Cisco IOS devices that are not configured for SIP and the Cisco Unified Border Element feature are not affected by this vulnerability.

Note: The Cisco Unified Border Element feature (previously known as the Cisco Multiservice IP-to-IP Gateway) is a special Cisco IOS Software image that runs on Cisco multiservice gateway platforms. It provides a network-to-network interface point for billing, security, call admission control, quality of service, and signaling interworking.

The Cisco Unified Border Element feature requires the voice service voip command and the allow-connections subcommand. An example of an affected configuration is as follows:

    voice service voip
     allow-connections <from-type> to <to-type>
     ...
    !

Recent versions of Cisco IOS Software do not process SIP messages by default. Creating a dial peer by issuing the command dial-peer voice will start the SIP processes, causing the Cisco IOS device to process SIP messages. In addition, several features within Cisco Unified Communications Manager Express, such as ePhones, once configured will also automatically start the SIP process, which will cause the device to start processing SIP messages. An example of an affected configuration is as follows:

    dial-peer voice <Voice dial-peer tag> voip
     ...
    !

In addition to inspecting the Cisco IOS device configuration for a dial-peer command that causes the device to process SIP messages, administrators can also use the command show processes | include SIP to determine whether Cisco IOS Software is running the processes that handle SIP messages. In the following example, the presence of the processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET indicates that the Cisco IOS device is processing SIP messages:

    Router#show processes | include SIP
     149 Mwe 40F48254        4    14000  23108/24000  0 CCSIP_UDP_SOCKET
     150 Mwe 40F48034        4    14000  23388/24000  0 CCSIP_TCP_SOCKET

Warning: Since there are several ways a device running Cisco IOS Software can start processing SIP messages, it is recommended that the show processes | include SIP command be used to determine whether the device is processing SIP messages instead of relying on the presence of specific configuration commands.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with
[c-nsp] Cisco Security Advisory: Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability

Advisory ID: cisco-sa-20090923-tls
Revision 1.0
For Public Release 2009 September 23

Summary
=======

Cisco IOS® Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

Vulnerable Products
+------------------

Devices running affected versions of Cisco IOS Software are susceptible if configured with any of the following features:

  * Secure Socket Layer (SSL) Virtual Private Network (VPN)
  * Secure Shell (SSH)
  * Internet Key Exchange (IKE) Encrypted Nonces

Note: Other SSL/HTTPS related features than WebVPN and SSL VPN are not affected by this vulnerability.

To determine whether SSLVPN is enabled on a device, log in to the device and issue the command-line interface (CLI) command show running-config | include webvpn. If the device returns any output then SSLVPN is configured and the device may be vulnerable. Vulnerable configurations vary depending on whether the device is supporting Cisco IOS WebVPN (introduced in Release 12.3(14)T) or Cisco IOS SSLVPNs (introduced in Release 12.4(6)T). The following methods describe how to confirm if the device is vulnerable:

If the output from show running-config | include webvpn contains webvpn enable then the device is configured with the original Cisco IOS WebVPN. The only way to determine whether the device is vulnerable is to examine the output of show running-config to confirm that webvpn is enabled via the command webvpn enable and that an SSL trustpoint has been configured. The following example shows a vulnerable device configured with Cisco IOS WebVPN:

    webvpn enable
    !
    webvpn ssl trustpoint TP-self-signed-29742012

If the output from show running-config | include webvpn contains webvpn gateway word then the device is supporting the Cisco IOS SSLVPN feature. A device is vulnerable if it has the inservice command in at least one of the webvpn gateway sections. The following example shows a vulnerable device configured with Cisco IOS SSLVPN:

    Router# show running | section webvpn
    webvpn gateway Gateway
     ip address 10.1.1.1 port 443
     ssl trustpoint Gateway-TP
     inservice
    !
    Router#

A device that supports the Cisco IOS SSLVPN is not vulnerable if it has no webvpn gateways configured or all the configured webvpn gateways contain the no inservice webvpn gateway command.

To determine if SSH is enabled use the show ip ssh command, as shown in the following example:

    Router#show ip ssh
    SSH Enabled - version 1.99
    Authentication timeout: 120 secs; Authentication retries: 3
    Minimum expected Diffie Hellman key size : 1024 bits

To determine if the IKE encrypted nonces feature is enabled, use the show running-config | include rsa-encr command as follows:

    Router#show running-config | inc rsa-encr
     authentication rsa-encr

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output. The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support:
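The three configuration tests the advisory describes (WebVPN with an SSL trustpoint, an SSLVPN gateway that is inservice, the SSH server, and IKE encrypted nonces) can be applied to saved configuration text rather than by eye. The script below is an added example, not Cisco's code: it takes the text of show running-config and show ip ssh as strings and reports which of the advisory's feature conditions hold. The function names and the sample configurations are assumptions constructed around the advisory's own examples; the script only reproduces the advisory's configuration tests and says nothing about whether the IOS release itself is in the affected range.

```python
"""Feature-exposure check for cisco-sa-20090923-tls, built from the
configuration rules the advisory states. Added example, not Cisco's code."""


def webvpn_exposed(running_config: str) -> bool:
    """True when the config matches either vulnerable shape the advisory gives."""
    lines = running_config.splitlines()
    # Original Cisco IOS WebVPN (12.3(14)T): 'webvpn enable' plus an SSL trustpoint.
    has_enable = any(l.strip() == "webvpn enable" for l in lines)
    has_trustpoint = any(l.strip().startswith("webvpn ssl trustpoint ") for l in lines)
    if has_enable and has_trustpoint:
        return True
    # Cisco IOS SSLVPN (12.4(6)T): any 'webvpn gateway' section carrying 'inservice'.
    # IOS indents section bodies with one space and closes them with '!'.
    in_gateway = False
    for l in lines:
        if l.startswith("webvpn gateway "):
            in_gateway = True
            continue
        if not in_gateway:
            continue
        if l.strip() == "!" or not l.startswith(" "):
            in_gateway = False          # section body ended
        elif l.strip() == "inservice":  # 'no inservice' deliberately does not match
            return True
    return False


def ssh_enabled(show_ip_ssh: str) -> bool:
    """'show ip ssh' prints 'SSH Enabled - version ...' when the server is on."""
    return "SSH Enabled" in show_ip_ssh


def ike_encrypted_nonces(running_config: str) -> bool:
    """The advisory's test is 'authentication rsa-encr' in the running-config."""
    return any(l.strip() == "authentication rsa-encr" for l in running_config.splitlines())


def exposure(running_config: str, show_ip_ssh: str = "") -> dict:
    """Summarise the three feature conditions named in the advisory."""
    return {
        "sslvpn": webvpn_exposed(running_config),
        "ssh": ssh_enabled(show_ip_ssh),
        "ike_rsa_encr": ike_encrypted_nonces(running_config),
    }


# Constructed sample inputs modelled on the advisory's examples.
CONFIG_SSLVPN_INSERVICE = """\
hostname Router
!
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 inservice
!
crypto isakmp policy 10
 authentication rsa-encr
!
end
"""

CONFIG_SSLVPN_NO_INSERVICE = """\
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 no inservice
!
"""

CONFIG_WEBVPN_CLASSIC = """\
webvpn enable
!
webvpn ssl trustpoint TP-self-signed-29742012
"""

SHOW_IP_SSH_ENABLED = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

if __name__ == "__main__":
    for name, cfg in [("inservice gateway", CONFIG_SSLVPN_INSERVICE),
                      ("no inservice gateway", CONFIG_SSLVPN_NO_INSERVICE),
                      ("classic webvpn", CONFIG_WEBVPN_CLASSIC)]:
        print(f"{name:22s} {exposure(cfg, SHOW_IP_SSH_ENABLED)}")
```

A gateway section that carries no inservice is reported as not exposed, matching the advisory's statement that such gateways do not make the device vulnerable; a classic webvpn enable without any webvpn ssl trustpoint is likewise not flagged, since the advisory requires both.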
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

Advisory ID: cisco-sa-20090923-cm
Revision 1.0
For Public Release 2009 September 23

Summary
=======

Cisco Unified Communications Manager, which was formerly Cisco Unified CallManager, contains a denial of service (DoS) vulnerability in the Session Initiation Protocol (SIP) service. An exploit of this vulnerability may cause an interruption in voice services.

Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-cm.shtml

Note: Cisco IOS® Software is also affected by the vulnerability described in this advisory. A companion advisory for Cisco IOS software is available at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml

Note: The September 23, 2009, Cisco IOS Security Advisory bundled publication includes eleven Security Advisories. Ten of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability or vulnerabilities detailed in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published on September 23, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090923-bundle.shtml

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html

Affected Products
=================

The vulnerability described in this document applies to the Cisco Unified Communications Manager.

Vulnerable Products
+------------------

The following Cisco Unified Communications Manager versions are affected:

  * Cisco Unified Communications Manager 5.x versions prior to 5.1(3g)
  * Cisco Unified Communications Manager 6.x versions prior to 6.1(4)
  * Cisco Unified Communications Manager 7.0.x versions prior to 7.0(2a)su1
  * Cisco Unified Communications Manager 7.1.x versions prior to 7.1(2)

Cisco Unified CallManager versions 4.x are not affected by this vulnerability.

Administrators of systems that are running Cisco Unified Communications Manager versions 5.x, 6.x and 7.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the show version active command via the command-line interface.

A SIP trunk must be configured for the Cisco Unified CallManager server to begin listening for SIP messages on TCP and UDP port 5060 and TCP/5061. However, in Cisco Unified Communications Manager versions 5.x and later, the use of SIP as a call signaling protocol is enabled by default and cannot be disabled.

Cisco IOS Software is also affected by this vulnerability, but it is associated with different Cisco bug IDs. A companion security advisory for Cisco IOS Software is available at: http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified CallManager versions 4.x are not affected by this vulnerability. With the exception of Cisco IOS software, no other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP gateways, and multimedia applications.

SIP is a popular signaling protocol that manages voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

A DoS vulnerability exists in the SIP implementation of the Cisco Unified Communications Manager. This vulnerability could be triggered when Cisco Unified Communications Manager processes crafted SIP messages. An exploit could lead to a reload of the main Cisco Unified Communications Manager process.

This vulnerability is documented in Cisco bug ID CSCsz95423 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2864.

Vulnerability Scoring Details
[c-nsp] Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20091014-cup
Revision 1.0
For Public Release 2009 October 14 1600 UTC (GMT)

Summary
=======

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause an interruption to presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20091014-cup.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected:

  * Cisco Unified Presence 1.x versions
  * Cisco Unified Presence 6.x versions prior to 6.0(6)
  * Cisco Unified Presence 7.x versions prior to 7.0(4)

Administrators of systems running Cisco Unified Presence can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command show version active via the Command Line Interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Network Flooding Vulnerability
+-----------------------------

Cisco Unified Presence contains a denial of service (DoS) vulnerability that may cause the TimesTenD process to fail when TCP ports 16200 or 22794 are flooded with connections. TCP 3-way handshakes must be completed for the attack to be successful. The TimesTenD process will be automatically restarted upon failure.

This vulnerability is documented in Cisco Bug ID CSCsy17662 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2874.

Network Connection Tracking Vulnerability
+----------------------------------------

Cisco Unified Presence contains a DoS vulnerability that involves the tracking of network connections by the embedded firewall. An attacker can overwhelm the table that is used to track network connections and prevent new connections from being established to system services by establishing many TCP connections with a vulnerable system. Any service that listens to a TCP port on a vulnerable system could be affected by this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsw52371 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2052.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsy17662 - TimesTenD Coredump During TCP Flood

CVSS Base Score - 7.8
  Access Vector          - Network
  Access Complexity      - Low
  Authentication         - None
  Confidentiality Impact - None
  Integrity Impact       - None
  Availability Impact    - Complete

CVSS Temporal Score - 6.4
  Exploitability         - Functional
  Remediation Level      - Official-Fix
  Report Confidence      - Confirmed

CSCsw52371 - CUP: IP_Conntrack Fills Up During TCP Flood Attack

CVSS Base Score - 7.8
  Access Vector          - Network
  Access Complexity      - Low
  Authentication         - None
  Confidentiality Impact - None
  Integrity Impact       - None
  Availability Impact    - Complete

CVSS Temporal Score - 6.4
  Exploitability         - Functional
  Remediation Level      - Official-Fix
  Report Confidence      - Confirmed

Impact
======

Successful exploitation of any of the vulnerabilities may result in the interruption of presence services.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

Cisco Unified Presence version 6.0(6) is available at the following link:
[c-nsp] Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

Advisory ID: cisco-sa-20091109-tls
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
Revision 1.0
For Public Release 2009 November 9 1600 UTC (GMT)

Summary
=======

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products
=================

Cisco is currently evaluating products for possible exposure to these TLS issues. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
+------------------

This section will be updated when more information is available.

Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

  * Cisco AnyConnect VPN Client

This section will be updated when more information is available.

Details
=======

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.

Registered Cisco customers can view these bugs via Cisco's Bug Toolkit: http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

+----------------------------------------------------+------------+
| Product                                            | Bug ID     |
+----------------------------------------------------+------------+
| Cisco Adaptive Security Device Manager (ASDM)      | CSCtd01491 |
+----------------------------------------------------+------------+
| Cisco AON Software                                 | CSCtd01646 |
+----------------------------------------------------+------------+
| Cisco AON Healthcare for HIPAA and ePrescription   | CSCtd01652 |
+----------------------------------------------------+------------+
| Cisco Application and Content Networking System    | CSCtd01529 |
| (ACNS) Software                                    |            |
+----------------------------------------------------+------------+
| Cisco Application Networking Manager               | CSCtd01480 |
+----------------------------------------------------+------------+
| Cisco ASA 5500 Series Adaptive Security Appliances | CSCtd00697 |
+----------------------------------------------------+------------+
| Cisco ASA Advanced Inspection and Prevention (AIP) | CSCtd01539 |
| Security Services Module                           |            |
+----------------------------------------------------+------------+
| Cisco AVS 3100 Series Application Velocity System  | CSCtd01566 |
+----------------------------------------------------+------------+
| Cisco Catalyst 6500 Series SSL Services Module     | CSCtd06389 |
+----------------------------------------------------+------------+
| Firewall Services Module FWSM                      | CSCtd04061 |
+----------------------------------------------------+------------+
| Cisco CSS 11000 Series Content Services Switches   | CSCtd01636 |
+----------------------------------------------------+------------+
| Cisco Unified SIP Phones                           | CSCtd01446 |
+----------------------------------------------------+------------+
[c-nsp] Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT)

Summary
=======

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.

The Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server. The WRF Player can also be manually installed for offline playback after downloading the application from www.webex.com.

If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are affected. Affected versions of the WRF Player are those prior to the first fixed versions, which are shown in the section Software Versions and Fixes of this advisory.

To check if a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support - Downloads section. The version of the WebEx client build will be displayed on the right-hand side of the page under About Support Center, for example Client build: 27.11.0.3328.

There is no way to check if a manually installed version of the WRF Player is affected by these vulnerabilities. Therefore, Cisco recommends that users upgrade to the most current version of the player that is available from http://www.webex.com/downloadplayer.html.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF) file format is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. The WebEx Recording Format (WRF) is a file format that is used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player is an application that is used to play back and edit WRF files (files with .wrf extensions). The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server (stream playback mode). The WRF Player can also be manually installed after downloading the application from www.webex.com to play back WRF files locally (offline playback mode).

Multiple buffer overflow vulnerabilities exist in the WRF Player. The vulnerabilities may lead to a crash of the WRF Player application, or in some cases, lead to remote code execution. To exploit a vulnerability, a malicious WRF file would need to be opened by the WRF Player application. An attacker may be able to accomplish this by providing the malicious WRF file directly to users (for example, via e-mail), or by convincing users to visit a malicious website. The vulnerability cannot be triggered by users attending a WebEx meeting.

These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  * CVE-2009-2875
  * CVE-2009-2876
  * CVE-2009-2877
  * CVE-2009-2878
  * CVE-2009-2879
  * CVE-2009-2880

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also
[c-nsp] Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS XR Software SSH Denial of Service Vulnerability

Advisory ID: cisco-sa-20100120-xr-ssh
Revision 1.0
For Public Release 2010 January 20 1600 UTC (GMT)

Summary
=======

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. An attacker could trigger this vulnerability by sending a crafted SSH version 2 packet that may cause a new SSH connection handler process to crash. Repeated exploitation may cause each new SSH connection handler process to crash and lead to a significant amount of memory being consumed, which could introduce instability that may adversely impact other system functionality. During this event, the parent SSH daemon process will continue to function normally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100120-xr-ssh.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects Cisco IOS XR systems that are running an affected version of Cisco IOS XR Software and have the SSH server feature enabled. A system with the SSH server feature enabled will have the command ssh server [v2] present in its configuration. Refer to the Cisco IOS XR System Security Configuration Guide at http://www.cisco.com/en/US/docs/routers/crs/software/crs_r3.9/security/configuration/guide/sc39ssh.html#wp1044523 for additional details regarding configuration of the SSH server in Cisco IOS XR Software.

The SSH server can only be enabled in Cisco IOS XR Software if the security Package Information Envelope (PIE) is installed. Administrators can issue the show install summary command to confirm if the security PIE is installed. This command will display an active package similar to platform-k9sec-version or, for example, c12k-k9sec-3.6.1 if the security PIE is installed.

Refer to the Software Version and Fixes section of this advisory for information on specific affected software versions.

Products Confirmed Not Vulnerable
+--------------------------------

SSH server implementations in Cisco IOS Software and Cisco IOS XE Software are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS XR Software is a member of the Cisco IOS Software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS-1 Carrier Routing System, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers. More information on Cisco IOS XR Software is available at http://www.cisco.com/en/US/products/ps5845/index.html.

The SSH protocol was developed as a secure replacement for the Telnet, FTP, rlogin, remote shell (rsh), and Remote Copy Protocol (RCP) protocols, which allow for remote device access. SSH varies from these older protocols in that it provides strong authentication and confidentiality and uses encrypted transactions.

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. The vulnerability is triggered when a new SSH handler process handles a crafted SSH version 2 packet, which may cause the process to crash. During this event, a significant amount of memory may be consumed. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Although exploitation of this vulnerability does not require user authentication, the TCP three-way handshake must be completed, and some SSH protocol negotiation must occur. The SSH service will continue to function normally during and after an attack.

During exploitation of this vulnerability, the system may generate the following messages:

    RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler
    RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV
    RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64
    RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)

This vulnerability is documented in Cisco bug ID CSCsu10574 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0137.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is
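The syslog messages the advisory quotes are the observable a defender has: a single crash of pkg/bin/sshd_child_handler can happen for other reasons, but a run of them inside a short window is the signature of the repeated exploitation the advisory warns about. The detector below is an added example, not Cisco's code. It parses the %OS-DUMPER-4-CRASH_INFO message as printed on this page, counts sshd_child_handler crashes in a sliding window, and flags when they reach a threshold. The function names, threshold, window and the sample log are assumptions; the sample reuses the four lines from the advisory and adds constructed lines in the same format (timestamps and PIDs after the first are made up, and the unrelated process name is a placeholder).

```python
"""Detect repeated sshd_child_handler crashes on Cisco IOS XR from syslog text.
Added example, not Cisco's code, built on the CSCsu10574 messages above."""
import re
from datetime import datetime, timedelta

# Matches the CRASH_INFO line exactly as the advisory prints it.
CRASH_RE = re.compile(
    r"^(?P<node>[^:\s]+):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ : "
    r"dumper\[\d+\]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = (?P<pid>\d+) "
    r"\((?P<proc>[^)]+)\)$"
)
SSHD_HANDLER = "pkg/bin/sshd_child_handler"


def parse_crashes(lines):
    """Return (timestamp, pid, process) for every CRASH_INFO message."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; the check only uses time differences,
        # so every line is assumed to fall in the same (arbitrary) year.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, int(m.group("pid")), m.group("proc")))
    return events


def max_sshd_crashes_in_window(lines, window=timedelta(minutes=5)):
    """Largest number of sshd_child_handler crashes seen inside any `window`."""
    times = sorted(ts for ts, _pid, proc in parse_crashes(lines) if proc == SSHD_HANDLER)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def suspected_ssh_dos(lines, threshold=3, window=timedelta(minutes=5)):
    """True when handler crashes reach `threshold` within `window` (assumed values)."""
    return max_sshd_crashes_in_window(lines, window) >= threshold


# Constructed sample: the advisory's four lines, then made-up follow-on crashes.
SAMPLE_LOG = [
    "RP/0/RP1/CPU0:Jan 14 16:56:34.885 : dumper[59]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 407 for process pkg/bin/sshd_child_handler",
    "RP/0/RP1/CPU0:Jan 14 16:56:34.897 : dumper[59]: %OS-DUMPER-7-SIGSEGV : Thread 1 received SIGSEGV",
    "RP/0/RP1/CPU0:Jan 14 16:56:34.901 : dumper[59]: %OS-DUMPER-7-BUS_ADRERR : Accessed BadAddr 50199000 at PC 4a280c64",
    "RP/0/RP1/CPU0:Jan 14 16:56:34.906 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21733716 (pkg/bin/sshd_child_handler)",
    # constructed continuation (timestamps and PIDs made up)
    "RP/0/RP1/CPU0:Jan 14 16:57:10.120 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21737812 (pkg/bin/sshd_child_handler)",
    "RP/0/RP1/CPU0:Jan 14 16:58:02.431 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 21741908 (pkg/bin/sshd_child_handler)",
    # constructed, unrelated process crash much later: must not count
    "RP/0/RP1/CPU0:Jan 14 17:30:00.000 : dumper[59]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 12345678 (pkg/bin/placeholder_process)",
]

if __name__ == "__main__":
    print("crash events:", len(parse_crashes(SAMPLE_LOG)))
    print("max sshd crashes in 5 min:", max_sshd_crashes_in_window(SAMPLE_LOG))
    print("suspected SSH DoS:", suspected_ssh_dos(SAMPLE_LOG))
```

Only the CRASH_INFO line is keyed on, because the preceding SIGSEGV and BUS_ADRERR lines do not name the process; a single handler crash is reported as a count of one and left below the threshold.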
[c-nsp] Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability

Advisory ID: cisco-sa-20100120-ipm
Revision 1.0
For Public Release 2010 January 20 1600 UTC (GMT)

Summary
=======

CiscoWorks Internetwork Performance Monitor (IPM) versions 2.6 and earlier for Microsoft Windows operating systems contain a buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code.

There are no workarounds for this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100120-ipm.shtml

Affected Products
=================

Vulnerable Products
+------------------

CiscoWorks IPM versions 2.6 and earlier for Windows operating systems are affected.

Products Confirmed Not Vulnerable
+--------------------------------

CiscoWorks IPM version 2.x for Sun Solaris and CiscoWorks IPM version 4.x for Windows and Solaris operating systems are not affected.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

CiscoWorks IPM is a troubleshooting application that gauges network response time and availability. CiscoWorks IPM is available as a component within the CiscoWorks LAN Management Solution (LMS) bundle.

CiscoWorks IPM versions 2.6 and earlier for Windows contain a buffer overflow vulnerability when processing Common Object Request Broker Architecture (CORBA) GIOP requests. By sending a crafted CORBA GIOP request, a remote, unauthenticated attacker may be able to trigger the buffer overflow condition and execute arbitrary code with SYSTEM privileges on affected Windows systems.

This vulnerability is documented in Cisco Bug ID CSCsv62350 and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0138.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv62350 - Malformed CORBA GIOP request causes crash

CVSS Base Score - 10
  Access Vector          - Network
  Access Complexity      - Low
  Authentication         - None
  Confidentiality Impact - Complete
  Integrity Impact       - Complete
  Availability Impact    - Complete

CVSS Temporal Score - 9.5
  Exploitability         - Functional
  Remediation Level      - Unavailable
  Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in the ability to execute arbitrary code with SYSTEM privileges on affected Windows systems.

Software Versions and Fixes
===========================

CiscoWorks IPM versions 2.6 and earlier for Windows contain a vulnerable third-party component that is no longer supported. Cisco is unable to provide updated software for affected CiscoWorks versions. Consult the Obtaining Fixed Software section of this advisory for instructions on how to address vulnerable systems.

Workarounds
===========

There are no workarounds for this vulnerability. It is possible to mitigate this vulnerability by restricting network access to TCP ports on an affected Windows system running IPM versions 2.6 and earlier to trusted systems.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100120-ipm.shtml

Obtaining Fixed Software
========================

CiscoWorks IPM versions 2.6 and earlier for Windows contain a vulnerable third-party component that is no longer supported. Cisco is unable to provide updated software for affected CiscoWorks versions. Customers with active software licenses for the IPM component of CiscoWorks versions 2.6 and earlier for Windows should send email to the following address for instructions on migrating to non-vulnerable software: ipm-corba-...@cisco.com

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace

Advisory ID: cisco-sa-20100127-mp
Revision 1.0
For Public Release 2010 Jan 27 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in Cisco Unified MeetingPlace. This security advisory outlines the details of these vulnerabilities:

  * Insufficient validation of SQL commands
  * Unauthorized account creation
  * User and password enumeration in Cisco MeetingTime
  * Privilege escalation in Cisco MeetingTime

Workarounds are not available for these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document.

The Cisco Unified MeetingPlace conferencing solution provides functionality that allows organizations to host integrated voice, video, and web conferencing. The solution is deployed on-network and integrated directly into an organization's private voice/data networks and enterprise applications. Cisco Unified MeetingPlace servers can be deployed so that the server is accessible from the Internet, allowing external parties to participate in meetings.

Cisco MeetingTime is a desktop application included with Cisco Unified MeetingPlace version 6.x that could be used to access and configure the Cisco Unified MeetingPlace Audio Server systems. MeetingTime classifies users as either end users, contacts, attendants, or system administrators.

The end-of-software maintenance for MeetingPlace version 5.3 occurred in April 2009. End-of-sale and end-of-life details are available at: http://cco-rtp-1.cisco.com/en/US/prod/collateral/voicesw/ps6789/ps5664/ps5669/prod_end-of-life_notice0900aecd806e743c.html

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

This Security Advisory describes multiple distinct vulnerabilities in the MeetingPlace and MeetingTime products. These vulnerabilities are independent of each other.

Insufficient Validation of SQL Commands
+--------------------------------------

An unauthenticated user may be able to send SQL commands to manipulate the database that MeetingPlace uses to store information about server configuration, meetings, and users. These commands could be used to create, delete, or alter any of the information contained in the Cisco Unified MeetingPlace database.

This vulnerability is documented in Cisco Bug ID CSCtc39691 and has been assigned CVE ID CVE-2010-0139.

Unauthorized Account Creation
+----------------------------

An unauthenticated user may be able to send a crafted URL to the internal interface of the Cisco Unified MeetingPlace web server to create a MeetingPlace user or administrator account.

This vulnerability is documented in Cisco Bug IDs CSCtc59231 and CSCtd40661 and has been assigned CVE ID CVE-2010-0140.

User and Password Enumeration in Cisco MeetingTime
+-------------------------------------------------

The MeetingTime authentication sequence consists of a series of packets that are transmitted between the client and the Cisco Meeting Place Audio Server over TCP port 5001. An attacker may be able to alter the authentication sequence to access sensitive information in the user database including usernames and passwords.

This vulnerability is documented in Cisco Bug ID CSCsv76935 and has been assigned CVE ID CVE-2010-0141.

Privilege Escalation in Cisco MeetingTime
+----------------------------------------

An attacker may be able to alter the packets in the MeetingTime authentication sequence to elevate the privileges of a normal user to an administrative user.

This vulnerability is documented in Cisco Bug ID CSCsv66530 and has been assigned CVE ID CVE-2010-0142.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtc39691 - Insufficient validation of SQL commands

CVSS Base Score - 9
  Access Vector          - Network
  Access Complexity      - Low
  Authentication         - None
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance

Advisory ID: cisco-sa-20100210-ironport

Revision 1.0

For Public Release 2010 February 10 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco IronPort Encryption Appliance versions are affected by these vulnerabilities:

  * Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
  * Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
  * Cisco IronPort PostX MAP versions prior to 6.2.9.1

The version of software that is running on a Cisco IronPort Encryption Appliance is located on the About page of the Cisco IronPort Encryption Appliance administration interface.

Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IronPort C, M, and S-Series appliances are not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.

The Cisco IronPort Encryption Appliance contains two information disclosure vulnerabilities that allow remote, unauthenticated access to arbitrary files on vulnerable devices via the embedded HTTPS server. The first vulnerability, affecting the Cisco IronPort Encryption Appliance administration interface, is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143. The second vulnerability, affecting the WebSafe servlet, is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.

The Cisco IronPort Encryption Appliance contains a remote code execution vulnerability that allows an unauthenticated attacker to run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

Advisory ID: cisco-sa-20100217-csa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration.

Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. Only Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability. Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability.

Note: Only the Management Center for Cisco Security Agents is affected by the directory traversal and SQL injection vulnerabilities. The agents installed on user endpoints are not affected. Only Cisco Security Agent release 5.2 for Windows and Linux, either managed or standalone, is affected by the DoS vulnerability.

Standalone agents are installed in the following products:

  * Cisco Unified Communications Manager (CallManager)
  * Cisco Conference Connection (CCC)
  * Emergency Responder
  * IPCC Express
  * IPCC Enterprise
  * IPCC Hosted
  * IP Interactive Voice Response (IP IVR)
  * IP Queue Manager
  * Intelligent Contact Management (ICM)
  * Cisco Voice Portal (CVP)
  * Cisco Unified Meeting Place
  * Cisco Personal Assistant (PA)
  * Cisco Unity
  * Cisco Unity Connection
  * Cisco Unity Bridge
  * Cisco Secure ACS Solution Engine
  * Cisco Internet Service Node (ISN)
  * Cisco Security Manager (CSM)

Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities.

Products Confirmed Not Vulnerable
+--------------------------------

The Sun Solaris version of Cisco Security Agent is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center.

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability.

Management Center for Cisco Security Agents Directory Traversal Vulnerability
+---------------------------------------------------------------------------

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents.

This vulnerability is documented in Cisco Bug ID CSCtd73275 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0146.

Management Center for Cisco Security Agents SQL Injection Vulnerability
+----------------------------------------------------------------------

The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents.

This vulnerability is documented in Cisco Bug ID CSCtd73290 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0147.

Cisco Security Agent Denial of Service Vulnerability
+---------------------------------------------------

Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets.
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Advisory ID: cisco-sa-20100217-asa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
  * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
  * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
  * Crafted TCP Segment Denial of Service Vulnerability
  * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
  * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. For specific version information, refer to the Software Versions and Fixes section of this advisory.

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase.

Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features:

  * SSL VPNs
  * Cisco Adaptive Security Device Manager (ASDM) Administrative Access
  * Telnet Access
  * SSH Access
  * Virtual Telnet
  * Virtual HTTP
  * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected.

SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the show service-policy | include sip command and confirm that some output is returned. Sample output is displayed in the following example:

    ciscoasa#show service-policy | include sip
          Inspect: sip , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect sip
      ...
    !
    service-policy global_policy global

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

A denial of service vulnerability affects the SCCP inspection feature of the Cisco ASA 5500 Series Adaptive Security Appliances. Versions 8.0.x, 8.1.x, and 8.2.x are affected.

SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that some output is returned. Sample output is displayed in the following example:

    ciscoasa#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that exists when WebVPN and DTLS are enabled. Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x.

Administrators can enable WebVPN with the enable interface name command in webvpn configuration mode. DTLS can be enabled by issuing the svc dtls enable command in group policy webvpn configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables
[c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20100217-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled.

SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output. Example output follows:

    fwsm#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

To determine the version of Cisco FWSM Software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and submodules are installed on the system. The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch#show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed   1.7   4.2(3)                    Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
    [...]

After locating the correct slot, issue the show module slot number command to identify the software version that is running. Example output follows:

    switch#show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
    [...]

The preceding example shows that the FWSM is running software version 3.2(2)10, as indicated by the column under Sw.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the show module slot number command but will include module information for the modules in each switch in the VSS.

Alternatively, version information can be obtained directly from the FWSM through the show version command. Example output follows:

    FWSM#show version

    FWSM Firewall Version 3.2(2)10
    [...]

Customers who use the Cisco
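Both the ASA advisory above and this FWSM advisory ask the operator to confirm that SCCP inspection is actually applied and to read the FWSM software version out of show module. The following Python is an added example, not Cisco's code, that automates both checks over captured command output: the running-config fragment and the show module text are constructed to match the advisory's own examples, and the version check only flags the 4.x train, because this excerpt does not carry the first fixed release.

```python
import re

# Constructed sample input modelled on the advisory's own examples; not captured
# from a real device. The running-config fragment is what the FWSM would show for
# a default inspection policy with skinny (SCCP) and sip enabled.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect skinny
  inspect sip
!
service-policy global_policy global
"""

# Constructed 'show module' output from the switch, in the two-table layout the
# advisory shows (card inventory, then MAC/Hw/Fw/Sw/Status per slot).
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
  2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
  5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok
"""

POLICY_MAP_RE = re.compile(r"^policy-map\s+(\S+)\s*$")          # unindented, top level
SERVICE_POLICY_RE = re.compile(r"^service-policy\s+(\S+)\s+(global|interface\s+\S+)\s*$")
FWSM_INVENTORY_RE = re.compile(r"^\s*(\d+)\s+\d+\s+.*\bWS-SVC-FWM-1\b")
VERSION_ROW_RE = re.compile(
    r"^\s*(\d+)\s+[0-9a-f.]+\s+to\s+[0-9a-f.]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def enabled_inspections(config):
    """Protocols inspected by a policy-map that is actually applied (globally or
    to an interface). An 'inspect skinny' line inside a policy-map that no
    service-policy references does not enable inspection, so it is not counted."""
    inspected_by_policy = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_MAP_RE.match(raw)
        if m:
            current = m.group(1)
            inspected_by_policy[current] = set()
        elif line == "!":
            current = None
        elif current is not None and line.startswith("inspect "):
            inspected_by_policy[current].add(line.split()[1])
    enabled = set()
    for raw in config.splitlines():
        m = SERVICE_POLICY_RE.match(raw.strip())
        if m:
            enabled |= inspected_by_policy.get(m.group(1), set())
    return enabled


def fwsm_versions(show_module):
    """Map slot number -> Sw column for every WS-SVC-FWM-1 in 'show module' output."""
    lines = show_module.splitlines()
    fwsm_slots = {int(m.group(1)) for m in map(FWSM_INVENTORY_RE.match, lines) if m}
    versions = {}
    for raw in lines:
        m = VERSION_ROW_RE.match(raw)
        if m and int(m.group(1)) in fwsm_slots:
            versions[int(m.group(1))] = m.group(4)  # groups 2..5 are Hw, Fw, Sw, Status
    return versions


def in_affected_train(sw_version):
    """True when the FWSM runs a 4.x release, the train the advisory names as
    affected. Whether a particular 4.x release already carries the fix has to be
    read from the advisory's Software Versions and Fixes section."""
    return sw_version.split(".", 1)[0] == "4"


def audit(config, show_module):
    """One finding per FWSM slot: version, train exposure, and whether the
    vulnerable SCCP inspection feature is enabled."""
    inspections = enabled_inspections(config)
    return {
        slot: {
            "sw": sw,
            "sccp_inspection": "skinny" in inspections,
            "affected_train": in_affected_train(sw),
        }
        for slot, sw in fwsm_versions(show_module).items()
    }


if __name__ == "__main__":
    for slot, finding in audit(SAMPLE_CONFIG, SAMPLE_SHOW_MODULE).items():
        print(f"slot {slot}: {finding}")
```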
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20100303-cucm

Revision 1.0

For Public Release 2010 March 3 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Communications Manager (formerly Cisco CallManager) contains multiple denial of service (DoS) vulnerabilities that, if exploited, could cause an interruption of voice services. The Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) and Computer Telephony Integration (CTI) Manager services are affected by these vulnerabilities.

To address these vulnerabilities, Cisco has released free software updates for select Cisco Unified Communications Manager versions. There is a workaround for one of the vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100303-cucm.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by vulnerabilities that are described in this advisory:

  * Cisco Unified Communications Manager 4.x
  * Cisco Unified Communications Manager 5.x
  * Cisco Unified Communications Manager 6.x
  * Cisco Unified Communications Manager 7.x

Note: Cisco Unified Communications Manager version 5.1 reached the End of Software Maintenance on February 13, 2010. For customers using Cisco Unified Communications Manager 5.x versions, please contact your Cisco support team for assistance in upgrading to a supported version of Cisco Unified Communications Manager.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager version 8.0(1) and Cisco Unified Communications Manager Express are not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Malformed SCCP Message Vulnerabilities
+-------------------------------------

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SCCP packets. Each vulnerability is triggered by a malformed SCCP message that could cause a critical process to fail, which could result in the disruption of voice services. All SCCP ports (TCP ports 2000 and 2443) are affected.

The first SCCP DoS vulnerability is documented in Cisco Bug ID CSCtc38985 and has been assigned the CVE identifier CVE-2010-0587. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.3(2)SR2, 6.1(5), 7.1(3a)su1 and 8.0(1).

The second SCCP DoS vulnerability is documented in Cisco Bug ID CSCtc47823 and has been assigned the CVE identifier CVE-2010-0588. This vulnerability is fixed in Cisco Unified Communications Manager versions 6.1(5), 7.1(3a)su1 and 8.0(1). Cisco Unified Communications Manager 4.x versions are not affected.

Malformed SIP Message Vulnerabilities
+------------------------------------

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected.

The first SIP DoS vulnerability is documented in Cisco Bug ID CSCtc37188 and has been assigned the CVE identifier CVE-2010-0590. This vulnerability is fixed in Cisco Unified Communications Manager versions 7.1(3a)su1 and 8.0(1). Cisco Unified Communications Manager 4.x and 6.x versions are not affected.

The second SIP DoS vulnerability is documented in Cisco Bug ID CSCtc62362 and has been assigned the CVE identifier CVE-2010-0591. The second vulnerability is fixed in Cisco Unified Communications Manager versions 6.1(5), 7.1(3b)SU2 and 8.0(1). Cisco Unified Communications Manager 4.x versions are not affected.

Malformed CTI Manager Message Vulnerability
+------------------------------------------

The CTI Manager service of Cisco Unified Communications Manager contains a DoS vulnerability. A malformed message sent to the CTI Manager service port (TCP 2748) could cause the CTI Manager service to fail, which could result in the interruption of CTI applications. The CTI Manager service is disabled by default.

The CTI Manager vulnerability is documented in Cisco Bug ID CSCsu31800 and has been assigned the CVE identifier CVE-2010-0592. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.3(2)sr1a, 6.1(3), 7.0(2), 7.1(2) and 8.0(1).

Vulnerability Scoring Details
=============================
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Digital Media Manager
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Digital Media Manager

Advisory ID: cisco-sa-20100303-dmm

http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmm.shtml

Revision 1.0

For Public Release 2010 March 03 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco Digital Media Manager (DMM). This security advisory outlines details of the following vulnerabilities:

  * Default credentials
  * Privilege escalation vulnerability
  * Information leakage vulnerability

These vulnerabilities are independent of each other.

There are no workarounds that can mitigate any of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmm.shtml.

Note: This advisory is being released simultaneously with a vulnerability disclosure advisory that impacts the Cisco Digital Media Player. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmp.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The following is a list of the products affected by each vulnerability as described in detail within this advisory.

Default Credentials
+------------------

Cisco DMM versions 5.0.x and 5.1.x are affected by this vulnerability. Cisco DMM versions 4.x are not vulnerable.

Privilege Escalation Vulnerability
+---------------------------------

Cisco DMM versions 5.0.x and 5.1.x are affected by this vulnerability. Cisco DMM versions 4.x are not vulnerable.

Information Leakage Vulnerability
+--------------------------------

All Cisco DMM releases earlier than 5.2 are affected by this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco DMM is used to manage, schedule, and publish digital media for Cisco Digital Signs, Cisco Cast and Cisco Show and Share.

This security advisory describes multiple distinct vulnerabilities in the Cisco DMM. These vulnerabilities are independent of each other.

Default Credentials
+------------------

Cisco DMM versions earlier than 5.2 have default credentials that could allow an attacker full control of the installed web applications, including settings, status, and deployment.

This vulnerability is documented in Cisco Bug ID CSCta03378 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0570.

Privilege Escalation Vulnerability
+---------------------------------

A vulnerability exists in Cisco DMM versions 5.0.x and 5.1.x that could allow authenticated, but unauthorized, users to change the configuration and obtain full access to the device.

This vulnerability is documented in Cisco Bug ID CSCtc46008 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0571.

Information Leakage Vulnerability
+--------------------------------

The Cisco DMM can be used to manage the Cisco Digital Media Player. The Cisco Digital Media Player is an IP-based endpoint that can play high-definition live and on-demand video, motion graphics, web pages, and dynamic content on digital displays.

A vulnerability exists in all Cisco DMM versions earlier than 5.2 that could allow authenticated but unauthorized users to view Cisco Digital Media Player user credentials and LDAP credentials (if configured) in error log messages and stack traces.

This vulnerability is documented in Cisco Bug ID CSCtc46050 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0572.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCta03378 (Default password for Tomcat administration account)

CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.7
    Exploitability -
[c-nsp] Cisco Security Advisory: Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability

Advisory ID: cisco-sa-20100303-dmp

http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmp.shtml

Revision 1.0

For Public Release 2010 March 03 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Digital Media Player that could allow an unauthenticated attacker to inject video or data content into a remote display.

Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmp.shtml.

Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco Digital Media Manager. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100303-dmm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco Digital Media Player versions earlier than 5.2 are affected by this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Digital Media Players are IP-based endpoints that can play high-definition live and on-demand video, motion graphics, web pages, and dynamic content on digital displays.

The Cisco Digital Media Player contains a vulnerability that could allow an unauthenticated attacker to inject video or data content into a remote display.

This vulnerability is documented in Cisco Bug ID CSCtc46024 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0573.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtc46024 (Remote Display Unauthorized Content Injection)

CVSS Base Score - 8.5
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - Partial
    Availability Impact - Complete

CVSS Temporal Score - 7.0
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability could allow an unauthenticated attacker to inject video or data content into a remote display.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This vulnerability has been fixed in Cisco Digital Media Player version 5.2.

Workarounds
===========

There are no workarounds to mitigate this vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact ps...@cisco.com or security-al...@cisco.com for software upgrades.

Customers with
[c-nsp] Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code Execution Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code Execution Vulnerability

Advisory ID: cisco-sa-20100414-csd
Revision 1.0

Summary
=======

Cisco Secure Desktop contains a vulnerable ActiveX control that could allow an attacker to execute arbitrary code with the privileges of the user who is currently logged into the affected system.

Cisco has released a free software update that addresses this vulnerability. There is a workaround that mitigates this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100414-csd.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco Secure Desktop versions prior to 3.5.841 are affected.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

A Cisco-signed ActiveX control that is used by Cisco Secure Desktop fails to properly verify the integrity of an executable file that is used by the Cisco Secure Desktop installation process. If an attacker can entice a user to visit an attacker-controlled web page, the vulnerable ActiveX control could be invoked to download an attacker-modified package. The package could contain a malicious executable file that executes with the privileges of the affected user. A successful exploit could result in a complete compromise of a vulnerable system.

This vulnerability is documented in Cisco Bug ID CSCta25876 and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0589.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCta25876

  CVSS Base Score - 9.3
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 7.7
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability could result in a complete compromise of the affected system.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Cisco Secure Desktop version 3.5.841 can be downloaded at the following link:

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=3.5.841mdfid=280277835sftType=CSD+package-+ASA+DistributionoptPlat=nodecount=2edesignator=nullmodelName=Cisco+Secure+DesktoptreeMdfId=268438162treeName=Securitymodifmdfid=nullimname=hybrid=imst=lr=Y

Note: Cisco Secure Desktop versions 3.0 and 3.1 are only supported for operation with certain versions of Cisco IOS software and Cisco Adaptive Security Appliance (ASA) software version 7.x. Cisco Secure Desktop versions 3.2 through 3.5 are only supported for operation with Cisco ASA software version 8.x.

Customers running Cisco Secure Desktop versions 3.2 through 3.5 with a supported Cisco ASA software version are encouraged to upgrade to Cisco Secure Desktop version 3.5.841.

Customers with active software licenses for Cisco Secure Desktop versions 3.0 and 3.1 should send email to the following address for instructions on migrating to non-vulnerable software: csd-activex-inqu...@cisco.com

Workarounds
===========

Administrators can mitigate this vulnerability by using the kill bit feature of Microsoft Windows to prevent the loading and execution of the vulnerable ActiveX control. Administrators must use the Class identifier
[c-nsp] Cisco Security Advisory: Cisco Small Business Video Surveillance Cameras and Cisco 4-Port Gigabit Security Routers Authentication Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Small Business Video Surveillance Cameras and Cisco 4-Port Gigabit Security Routers Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20100421-vsc
http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml
Revision 1.0
For Public Release 2010 APR 21 1600 UTC (GMT)

Summary
=======

Cisco Small Business Video Surveillance Cameras and Cisco RVS4000 4-port Gigabit Security Routers contain a vulnerability that could allow an authenticated user to view passwords for other users, regardless of the authenticated user's level of authorization. An unprivileged user could take advantage of this vulnerability to gain full administrative access on the device or view another user's credentials.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available on some devices.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco RVS4000 4-port Gigabit Security Router and all Cisco Small Business Video Surveillance Cameras, except for the Cisco PVC300 Pan Tilt Optical Zoom Camera. These cameras are affected:

* Cisco PVC2300 Business Internet Video Camera - Audio/PoE
* Cisco WVC200 Wireless-G PTZ Internet Video Camera - Audio
* Cisco WVC210 Wireless-G PTZ Internet Video Camera - 2-way Audio
* Cisco WVC2300 Wireless-G Business Internet Video Camera - Audio

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco PVC300 Pan Tilt Optical Zoom Camera and Cisco Small Business cameras are not affected by this vulnerability. No other Cisco cameras or products are currently known to be affected by this vulnerability.

Details
=======

Cisco Small Business Video Surveillance Cameras are a component of network-based, physical security solutions. More information on the surveillance cameras can be found at this link: http://www.cisco.com/cisco/web/solutions/small_business/products/security/small_business_video_surveillance_cameras/index.html

The Small Business Video Surveillance Cameras are connected to an IP network and are remotely accessible for both surveillance and device management. An administrator can restrict a user's ability to manage the device, allowing the user to employ the camera for surveillance only.

The Cisco RVS4000 Gigabit Security Router delivers high-speed network access and IPsec VPN capabilities for as many as five users. The Cisco RVS4000 also provides firewall and intrusion prevention capabilities. More information on the Cisco RVS4000 Gigabit Security Router can be found at this link: http://www.cisco.com/en/US/products/ps9928/index.html

A user on the PVC2300 and WVC2300 cameras can use a specifically crafted URL to bypass any restrictions that are configured to prevent the device configuration from being viewed. The user could then view the passwords for all users on the device.

A user on the WVC200 and WVC210 cameras must have been granted setup privileges to take advantage of this vulnerability to view the passwords. The ability to configure setup privileges is not available on the other devices affected by this vulnerability.

Administrative users on the RVS4000 router may be able to view the passwords of other administrative users.

This vulnerability is documented in Cisco bug ID CSCte64726 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0593.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCte64726 (Unprivileged users may be able to view passwords for other users)

  CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level -
[c-nsp] Cisco Security Advisory: Multiple vulnerabilities in Cisco PGW Softswitch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple vulnerabilities in Cisco PGW Softswitch

Document ID: 111870
Advisory ID: cisco-sa-20100512-pgw
http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml
Revision 1.0
For Public Release 2010 May 12 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco PGW 2200 Softswitch series of products. Each vulnerability described in this advisory is independent of the others. The vulnerabilities are related to processing Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP) messages. Successful exploitation of all but one of these vulnerabilities can crash the affected device. Exploitation of the remaining vulnerability will not crash the affected device, but it can lead to a denial-of-service (DoS) condition in which no new TCP-based connections will be accepted or created.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100512-pgw.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco PGW 2200 Softswitch is affected by these vulnerabilities. The following table displays information about software releases that are affected by individual vulnerabilities. Each vulnerability in the table affects all software releases prior to the release that is listed in the table.

+--------------+------------------------------------------------------+
| Cisco Bug ID | Affects All Software Releases Prior to This Version(s) |
+--------------+------------------------------------------------------+
| CSCsz13590   | 9.8(1)S5                                             |
| CSCsl39126   | 9.7(3)S11                                            |
| CSCsk32606   | 9.7(3)S11                                            |
| CSCsk44115   | 9.7(3)S11, 9.7(3)P11                                 |
| CSCsk40030   | 9.7(3)S10                                            |
| CSCsk38165   | 9.7(3)S10                                            |
| CSCsj98521   | 9.7(3)S9, 9.7(3)P9                                   |
| CSCsk04588   | 9.7(3)S9, 9.7(3)P9                                   |
| CSCsk13561   | 9.7(3)S9, 9.7(3)P9                                   |
+--------------+------------------------------------------------------+

To determine the software version running on a Cisco product, log in to the device and issue the RTRV-NE command. This command displays information about the Cisco PGW 2200 Softswitch hardware, software, and current state. The following example identifies a Cisco PGW 2200 Softswitch running software release 9.7(3):

    mml> RTRV-NE
    Media Gateway Controller - MGC-01 2010-04-23 11:55:00.000
    M  RTRV
       Type:MGC (Switch Mode)
       Hardware platform:sun4u sparc SUNW,Sun-Fire-V210
       Vendor:Cisco Systems, Inc.
       Location:MGC-01 - Media Gateway Controller
       Version:9.7(3)
       Patch:CSCOgs028/CSCOnn028
       Platform State:ACTIVE
       ;

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities. In particular, Cisco IOS Software is not affected by these vulnerabilities.

Details
=======

SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol is flexible enough to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

MGCP is the protocol for controlling telephony gateways from external call control elements known as media gateway controllers or call agents. A telephony gateway is a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or other packet networks.

Multiple DoS vulnerabilities exist in the Cisco PGW 2200 Softswitch SIP implementation, and one vulnerability is in the MGCP implementation. The following vulnerabilities can cause affected devices to crash:

* CSCsl39126 (registered customers only), CVE ID CVE-2010-0601
* CSCsk32606 (registered customers only), CVE ID CVE-2010-0602
* CSCsk40030 (registered customers only), CVE ID CVE-2010-0603
* CSCsk38165 (registered customers only), CVE ID CVE-2010-0604
* CSCsk44115 (registered customers only), CVE ID CVE-2010-1561
* CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
* CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
* CSCsz13590
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Network Building Mediator
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Network Building Mediator

Document ID: 111014
Advisory ID: cisco-sa-20100526-mediator
http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml
Revision 1.0
For Public Release 2010 May 26 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Network Building Mediator (NBM) products. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities:

* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml

Affected Products
=================

These vulnerabilities affect the legacy Richards-Zeta Mediator 2500 product and Cisco Network Building Mediator NBM-2400 and NBM-4800 models. All Mediator Framework software releases prior to 3.1.1 are affected by all vulnerabilities listed in this security advisory. This table provides information about affected software releases:

+--------------+---------------------------+
| Cisco Bug ID | Affects Software Releases |
+--------------+---------------------------+
| CSCtb83495   | 1.5.1, 2.2, 3.0.8         |
| CSCtb83607   | 2.2, 3.0.8                |
| CSCtb83618   | 1.5.1, 2.2, 3.0.8         |
| CSCtb83631   | 1.5.1, 2.2, 3.0.8         |
| CSCtb83505   | 1.5.1, 2.2, 3.0.8         |
| CSCtb83512   | 1.5.1, 2.2, 3.0.8         |
+--------------+---------------------------+

Vulnerable Products
+------------------

Users can determine the version of the Mediator Framework running on a device by logging into the device. After a successful login, the device will display the version of Mediator Framework running on the device. The following example identifies a Cisco Network Building Mediator that is running Mediator Framework version 3.1.1:

    Mediator Operating Environment 3.0.4
    Mediator Framework (tm) 3.1.1
    Copyright (c) 2010 Cisco Systems, Inc.
    Serial number 05-x

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Network Building Mediator is a platform that transforms the way buildings are designed, operated, and experienced. Cisco Network Building Mediator collects data from sources that include the building, IT, energy supply, and energy demand systems, which use different protocols that are otherwise unable to communicate with one another. The Cisco Network Building Mediator normalizes the data into a common data representation. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation.

This security advisory describes multiple distinct vulnerabilities in the legacy Richards-Zeta Mediator and the Cisco Network Building Mediator. These vulnerabilities are independent of each other.

Default credentials
+------------------

Default credentials are assigned for several predefined user accounts on the device, including the administrative user account. Any user with network access to the device can log in as an administrator and take complete control over the vulnerable device.

* CSCtb83495 (registered customers only) has been assigned the CVE identifier CVE-2010-0595.

Privilege escalation
+-------------------

Vulnerabilities in this category enable unauthorized users to read and modify device configuration. A malicious user must authenticate as an existing user but does not need to have administrator privileges or know administrator credentials to modify device configuration. Both vulnerabilities can be exploited over either transport protocol (HTTP or HTTPS).

Additionally, the vulnerability described by Cisco Bug ID CSCtb83618 (registered customers only) can be used to reload the vulnerable device. Repeated exploitation of this vulnerability can lead to a prolonged denial of service (DoS) condition.

* CSCtb83607 (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration.
* CSCtb83618 (registered customers only) has been assigned the CVE identifier CVE-2010-0597. This vulnerability could enable any user to
[c-nsp] Cisco Security Advisory: Vulnerabilities in Cisco Unified Contact Center Express
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerabilities in Cisco Unified Contact Center Express

Advisory ID: cisco-sa-20100609-uccx
Revision 1.0
For Public Release 2010 June 09 1600 UTC (GMT)

Summary
=======

Cisco Unified Contact Center Express (UCCX or Unified CCX) contains a denial of service (DoS) vulnerability and a directory traversal vulnerability. These vulnerabilities are independent of each other. Exploitation of these vulnerabilities could result in a DoS condition or an information disclosure.

Cisco has released free software updates that address these vulnerabilities in the latest versions of Cisco Unified Contact Center products.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100609-uccx.shtml

Affected Products
=================

Cisco UCCX is an integrated contact-center-in-a-box solution for use in deployments of up to 300 agents.

Vulnerable Products
+------------------

The vulnerabilities described in this document affect the following products:

* Cisco UCCX versions 5.x, 6.x, and 7.x
* Cisco Customer Response Solution (CRS) versions 5.x, 6.x, and 7.x
* Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions 5.x, 6.x, and 7.x

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Denial of Service Vulnerabilities
+--------------------------------

A DoS vulnerability exists in the computer telephony integration (CTI) server component of the Cisco UCCX product. The CTI server is only started when the Integrated Call Distribution (ICD) license is enabled, so Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) deployments are not affected by the CTI server DoS vulnerability. The CTI server listens by default on TCP port 42027, although the port number can be changed in the System Port Parameters screen.

This vulnerability is triggered by malformed CTI messages addressed to the vulnerable systems that could cause the CTI server and the Cisco Unified CCX Node Manager to fail, and all active agents will be logged out. The DoS condition is temporary: the Cisco UCCX system will become operational again once the node manager and the CTI server complete their automatic restart.

This vulnerability is documented in Cisco Bug ID CSCso89629 and has been assigned CVE ID CVE-2010-1570.

Directory Traversal Vulnerability
+--------------------------------

A directory traversal vulnerability exists in the bootstrap service of the Cisco UCCX product that allows read access to any file on the system. This vulnerability is triggered by bootstrap messages addressed to TCP port 6295. The bootstrap service is used to keep the UCCX configuration synchronized across servers in a high-availability deployment model. All deployment modes can be affected, such as ICD, ICM and IP-IVR, but only if a second node has been added to the configuration. (Nodes can be listed using the Cisco UCCX Administration Web interface with the Server option in the System pull-down taskbar.) A high-availability license is not required for a system to be vulnerable.

This vulnerability is documented in Cisco Bug ID CSCsx76165 and has been assigned CVE ID CVE-2010-1571.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCso89629 - CTI Service DoS Vulnerability (UCCX)

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsx76165 - Bootstrap Service Directory Traversal Vulnerability (UCCX)

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact -
[c-nsp] Cisco Security Advisory: Cisco Application Extension Platform Privilege Escalation Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Application Extension Platform Privilege Escalation Vulnerability

Advisory ID: cisco-sa-20100609-axp
Revision 1.0
For Public Release 2010 June 09 1600 UTC (GMT)

Summary
=======

The Cisco Application Extension Platform contains a privilege escalation vulnerability in the tech support diagnostic shell that may allow an authenticated user to obtain administrative access to a vulnerable Cisco Application Extension Platform module.

Cisco has released free software updates that address this vulnerability. There is no workaround for this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100609-axp.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by this vulnerability:

* Cisco Application Extension Platform version 1.1
* Cisco Application Extension Platform version 1.1.5 if upgraded from version 1.1

Products Confirmed Not Vulnerable
+--------------------------------

The following products are not affected by this vulnerability:

* Cisco Application Extension Platform version 1.0
* Cisco Application Extension Platform version 1.1.5 if upgraded from version 1.0 or a clean installation
* Cisco Application Extension Platform version 1.1.7
* Cisco Application Extension Platform version 1.5.x

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco Application Extension Platform (AXP) allows third-party applications to be hosted on Cisco Integrated Services Routers (ISR).

A privilege escalation vulnerability exists in the command-line interface of the tech support diagnostic shell that may allow an authenticated user to obtain complete administrative access to a vulnerable Cisco AXP module. The tech support shell is accessed using the techsupport support shell command.

Authenticated Cisco AXP users can use an application programming interface (API) to execute commands on the Cisco ISR that is hosting the AXP module. It may be possible for an AXP user to obtain sensitive configuration information that allows the user to gain access to the ISR device. Cisco AXP version 1.5 requires that a user be configured in the ISR configuration before the AXP user can execute commands using the API.

This vulnerability is documented in Cisco Bug ID CSCtb65413 and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2010-1572.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtb65413 - AXP techsupport shell privilege escalation vulnerabilities

  CVSS Base Score - 9
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

  CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may allow an authenticated user to obtain complete administrative access to a vulnerable Cisco Application Extension Platform module.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

There is no workaround for this vulnerability.

Obtaining Fixed Software
+-----------------------

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance
[c-nsp] Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability

Advisory ID: cisco-sa-20100707-snmp
Revision 1.0
For Public Release 2010 July 07 1600 UTC (GMT)

Summary
=======

Cisco Industrial Ethernet 3000 (IE 3000) Series switches running Cisco IOS Software releases 12.2(52)SE or 12.2(52)SE1 contain a vulnerability where well-known SNMP community names are hard-coded for both read and write access. The hard-coded community names are public and private.

Cisco recommends that all administrators deploy the mitigation measures outlined in the Workarounds section or perform a Cisco IOS Software upgrade.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100707-snmp.shtml

Affected Products
=================

The following product is affected by this vulnerability:

* Cisco Industrial Ethernet 3000 Series Switches

Vulnerable Products
+------------------

The Cisco Industrial Ethernet 3000 Series switches are vulnerable when running any of the following Cisco IOS Software releases:

* Cisco IOS Software release 12.2(52)SE or 12.2(52)SE1

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability. Other hardware models of Cisco switching products that are running the vulnerable Cisco IOS Software versions are not affected by this vulnerability. Cisco Industrial Ethernet 3000 Series switches that are not running the Cisco IOS Software releases listed above are not vulnerable.

Details
=======

Cisco Industrial Ethernet 3000 Series switches that are running affected versions of Cisco IOS Software contain hard-coded SNMP read-write community names. The Cisco Industrial Ethernet 3000 Series is a family of switches that provide a rugged, easy-to-use, secure infrastructure for harsh environments.

SNMP is used for managing and monitoring the device, and community names are the equivalent of a password. The hard-coded SNMP community names are:

    snmp-server community public RO
    snmp-server community private RW

The SNMP community names can be removed; however, the hard-coded community names are reapplied to the running configuration when the device reloads. Cisco has provided a workaround that ensures the community names are removed when the device reloads.

Note: Configuring an access list or a restricted mib view:

    snmp-server community public RO 99
    snmp-server community private RW 99
    snmp-server community public view mib RO 99
    snmp-server community private view mib RO 99
    access-list 99 deny any

The preceding configuration works as a workaround only until the device is reloaded. Once the device is reloaded, the original configuration is inserted without the access lists or mib views assigned to the community names. Consult the Workarounds section of this advisory.

This vulnerability was introduced as part of a new feature integrated into the affected releases called PROFINET. At the time of the publication of this advisory, PROFINET was only supported on Cisco Industrial Ethernet 3000 Series switches.

This vulnerability is documented in the Cisco Bug ID CSCtf25589. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-1574.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
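As an added example (not part of the advisory or of Cisco's own tooling), the following Python audit reads captured `show running-config` text and flags SNMP communities that use a well-known name, have no access list bound, or are bound to an undefined or permit-any access list; a community bound to a `deny any` ACL is treated as neutralised in the sense of the interim workaround quoted above. Because the hard-coded names return at reload, the audit has to be re-run against the post-reload configuration; the sample configurations and the `n3tops-ro` community are constructed.

```python
"""Audit IOS running-config text for exploitable SNMP community strings.
Added example, not Cisco code; input is assumed to be `show running-config` text."""
import re

# IOS syntax: snmp-server community <name> [view <view>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r" (?P<mode>RO|RW)(?: (?P<acl>\S+))?$"
)
# Numbered standard ACL entries: access-list <n> permit|deny <source>
ACL_RE = re.compile(r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<src>.+)$")

# The two community strings the advisory names as hard-coded.
WELL_KNOWN = {"public", "private"}

# Constructed sample: what CSCtf25589 leaves in the running config after a
# reload, plus one legitimately configured community bound to a host ACL.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tops-ro view restricted RO 10
access-list 10 permit 192.0.2.10
"""

# Constructed sample matching the interim workaround quoted in the advisory.
WORKAROUND_CONFIG = """\
snmp-server community public RO 99
snmp-server community private RW 99
snmp-server community public view mib RO 99
snmp-server community private view mib RO 99
access-list 99 deny any
"""


def parse_acls(config):
    """Map ACL number -> ordered list of (action, source) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["num"], []).append((m["action"], m["src"].strip()))
    return acls


def denies_everything(entries):
    """True when the first entry is 'deny any', so no SNMP source can ever match."""
    return bool(entries) and entries[0] == ("deny", "any")


def audit_snmp_communities(config):
    """Return findings for community strings that remain usable by an attacker."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, mode, acl = m["name"], m["mode"], m["acl"]
        issues = []
        if acl is None:
            issues.append("no access list bound")
        elif acl not in acls:
            # A referenced but undefined numbered ACL is treated by IOS as
            # permitting all sources, so this is no better than no ACL.
            issues.append(f"access list {acl} is not defined")
        elif any(a == "permit" and s == "any" for a, s in acls[acl]):
            issues.append(f"access list {acl} permits any source")
        # Only a deny-all ACL makes a well-known community harmless.
        neutralised = acl is not None and denies_everything(acls.get(acl, []))
        if name.lower() in WELL_KNOWN and not neutralised:
            issues.append(f"well-known community name ({mode})")
        if issues:
            findings.append({"community": name, "mode": mode, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{f['community']} ({f['mode']}): {'; '.join(f['issues'])}")
    print("workaround config findings:", audit_snmp_communities(WORKAROUND_CONFIG))
```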
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtf25589 - Hard-coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact- Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact == Successful exploitation of the vulnerability could
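The Details section above describes the two hard-coded communities and the interim ACL workaround. The following is an added example, not Cisco code: a static audit of IOS running-config text that reports, for every snmp-server community line, whether any source address can still use it (no ACL, an undefined ACL, or an ACL with a permit entry) and notes the well-known names and write access. The three sample configurations are constructed for illustration; a text check like this cannot see that the affected releases reapply the default lines on reload, which is what the advisory's Workarounds section addresses.

```python
"""Audit an IOS running-config for the hard-coded SNMP communities described in
cisco-sa-20100707-snmp.  Added example, not Cisco code; sample configs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?$"
)
ACL_RE = re.compile(r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<rest>.+)$")

# The two community names the advisory says are hard-coded.
WELL_KNOWN = {"public", "private"}


@dataclass
class Finding:
    community: str
    mode: str
    acl: Optional[str]
    exposed: bool                     # some source address can still use this community
    notes: list = field(default_factory=list)


def parse_acls(config):
    """Collect numbered-ACL entries: {acl_number: [(action, rest), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["num"], []).append((m["action"], m["rest"]))
    return acls


def acl_permits_anything(acl, acls):
    """A community stays reachable unless its ACL exists and has no permit entry.
    An ACL that is referenced but never defined permits every source in IOS."""
    if acl is None or acl not in acls:
        return True
    return any(action == "permit" for action, _ in acls[acl])


def audit(config):
    """Return one Finding per snmp-server community line in the given config text."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, mode, acl = m["name"], m["mode"] or "RO", m["acl"]
        f = Finding(name, mode, acl, acl_permits_anything(acl, acls))
        if name.lower() in WELL_KNOWN:
            f.notes.append("well-known community name")
        if mode == "RW":
            f.notes.append("write access")
        if acl is None:
            f.notes.append("no access-list bound")
        elif acl not in acls:
            f.notes.append(f"access-list {acl} is not defined")
        findings.append(f)
    return findings


# Constructed sample: the lines the advisory says the affected releases reapply on reload.
DEFAULT_CONFIG = """\
hostname ie3000
snmp-server community public RO
snmp-server community private RW
"""

# Constructed sample: the advisory's interim workaround, an ACL that denies every source.
WORKAROUND_CONFIG = """\
hostname ie3000
snmp-server community public RO 99
snmp-server community private RW 99
access-list 99 deny any
"""

# Constructed sample: renamed RW community whose ACL still permits one subnet.
PARTIAL_CONFIG = """\
snmp-server community s3cr3t-rw RW 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_CONFIG), ("workaround", WORKAROUND_CONFIG),
                       ("partial", PARTIAL_CONFIG)]:
        for f in audit(cfg):
            state = "EXPOSED" if f.exposed else "blocked"
            print(f"{label:10} {f.community:12} {f.mode} {state:8} {'; '.join(f.notes)}")
```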
[c-nsp] Cisco Security Advisory: CDS Internet Streamer: Web Server Directory Traversal Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: CDS Internet Streamer: Web Server Directory Traversal Vulnerability

Advisory ID: cisco-sa-20100721-spcdn

http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml

Revision 1.0

For Public Release 2010 July 21 1600 UTC (GMT)

Summary
=======

The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. By exploiting this vulnerability, an attacker may be able to read arbitrary files on the device, outside of the web server document directory, by using a specially crafted URL. An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch subsequent attacks.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml.

Affected Products
=================

All versions of system software on the Cisco Internet Streamer application are vulnerable prior to the first fixed release.

Vulnerable Products
+------------------

To determine the software version running on a Cisco Content Delivery Engine, log in to the device and issue the show version command line interface (CLI) command to display the system banner. Cisco CDS Internet Streamer software will identify itself as Content Delivery System Software Release. On the same line of output, the version number will be provided.

This example identifies a Cisco Content Delivery Engine that is running Cisco Content Delivery System software release 2.5.3:

    cdn-cde#show version
    Content Delivery System Software (CDS)
    Copyright (c) 1999-2010 by Cisco Systems, Inc.
    Content Delivery System Software Release 2.5.3 (build b8 Jan 21 2010)
    Version: cde200-2.5.3.8

    Compiled 16:07:11 Jan 21 2010 by ipvbuild
    Compile Time Options: KQ SS

    System was restarted on Thu Jun 3 04:09:25 2010.
    The system has been up for 2 hours, 11 minutes, 27 seconds.
    cdn-cde#

Alternatively, the Content Delivery System Manager home page gives a brief summary of the software versions in use on all the devices in the content delivery system network. To view the software version running on a particular device, choose Devices Devices. The Devices Table page displays the software version for each device listed.

For further information on finding the software version, refer to Maintaining the Internet Streamer CDS at the following link: http://www.cisco.com/en/US/docs/video/cds/cda/is/2_5/configuration_guide/maint.html#wp1198510.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Content Delivery Engines running TV streaming content delivery applications and the Video Navigator Application are not affected.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco Internet Streamer application provides edge caching, content streaming, and downloads to subscriber IP devices such as PCs.

The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. It is possible to read arbitrary files on the Cisco Content Delivery Engine running the Internet Streamer application outside the web server's document directory using a specially crafted URL. This includes the password files used to hold admin account details and system logs. An unauthenticated attacker may be able to exploit this issue to access sensitive information that could be leveraged to launch subsequent attacks.

This vulnerability can be exploited over all open HTTP ports: TCP ports 80 (default HTTP port), 443 (default HTTPS port) and 8090 (alternate HTTP and HTTPS port), as well as those that are configured as part of the HTTP proxy. In Cisco Content Delivery System software 2.5.3 and earlier, it is possible to configure Enable Incoming Proxy, which, when enabled, accepts incoming requests on configured ports in addition to TCP port 80. The additional ports that the device will listen on for HTTP requests are defined in the List of Incoming HTTP Ports field, within Devices Devices Application Control Web HTTP HTTP Connections of the Content Delivery System Manager menu.

For further information on HTTP settings, refer to the Cisco Internet Streamer CDS 2.5 Software Configuration Guide - Configuring Devices at the following link: http://www.cisco.com/en/US/docs/video/cds/cda/is/2_5/configuration_guide/configdevice.html.

This vulnerability is documented in the Cisco Bug ID CSCtd68063 and has been assigned Common
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Advisory ID: cisco-sa-20100804-asa

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Revision 1.0

For Public Release 2010 August 04 1600 UTC (GMT)

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

  * Three SunRPC Inspection Denial of Service Vulnerabilities
  * Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
  * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
  * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Note: The Cisco Firewall Services Module (FWSM) is affected by the SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and Fixes section of this advisory.

SunRPC Inspection Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three denial of service (DoS) vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected.

SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the show service-policy | include sunrpc command and confirm that output, such as what is displayed in the following example, is returned.

    ciscoasa# show service-policy | include sunrpc
          Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable SunRPC inspection in the Cisco ASA.

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect sunrpc
      ...
    !
    service-policy global_policy global

Transport Layer Security (TLS) Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three DoS vulnerabilities exist in the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. A successful attack may result in a sustained DoS condition. Versions 7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of these vulnerabilities.

A Cisco ASA device configured for any of the following features is affected:

  * Secure Socket Layer Virtual Private Network (SSL VPN)
  * When the affected device is configured to accept Cisco Adaptive Security Device Manager (ASDM) connections
  * TLS Proxy for Encrypted Voice Inspection
  * Cut-Through Proxy for Network Access when using HTTPS

SSL VPN (or WebVPN) is enabled with the enable interface name command in webvpn configuration mode. SSL VPN is disabled by default. The following configuration snippet provides an example of an SSL VPN configuration.

    webvpn
     enable outside
     ...

ASDM access is affected by three of these vulnerabilities. To use ASDM, the HTTPS server must be enabled to allow HTTPS connections to the Cisco ASA. The server can be enabled using the http server enable [port] command. The default port is 443. To specify hosts that can access the HTTP server internal to the security appliance, use the http command in global configuration mode.

The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature was introduced in Cisco ASA version 8.0(2) and is disabled by default. To determine if the TLS Proxy for Encrypted Voice Inspection feature is enabled on the device, use the show tls-proxy command, as shown in the following example:

    ciscoasa# show tls-proxy
    Maximum number of sessions: 1200

    TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3
      Server proxy:
        Trust-point: local_ccm
      Client proxy:
        Local dynamic certificate issuer: LOCAL-CA-SERVER
        Local dynamic certificate key-pair: phone_common
        Cipher suite: aes128-sha1 aes256-sha1
      Run-time proxies:
        Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

Advisory ID: cisco-sa-20100804-fwsm

Revision 1.0

For Public Release 2010 August 04 1600 UTC (GMT)

Summary
=======

Multiple vulnerabilities exist in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing crafted SunRPC or certain TCP packets. Repeated exploitation could result in a sustained DoS condition.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for the vulnerabilities disclosed in this advisory.

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml

Note: The Cisco ASA 5500 Series Adaptive Security Appliances are affected by the SunRPC inspection vulnerabilities described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability.

SunRPC Inspection Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cisco FWSM Software versions 3.x and 4.x are affected by these vulnerabilities only if SunRPC inspection is enabled. SunRPC inspection is enabled by default.

To check if SunRPC inspection is enabled, use the show service-policy | include sunrpc command and confirm that the command returns output, as shown in the following example:

    fwsm#show service-policy | include sunrpc
          Inspect: sunrpc , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SunRPC inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect sunrpc
      ...
    !
    service-policy global_policy global

Note: The Cisco ASA 5500 Series Adaptive Security Appliances are affected by the SunRPC inspection vulnerabilities described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

TCP Denial of Service Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cisco FWSM Software versions 3.x and 4.x are affected by this vulnerability when configured in multi-mode (with virtual firewalls) and with any of the following features:

  * ASDM Administrative Access
  * Telnet
  * SSH

To verify if the FWSM is running in multiple mode, use the show mode command, as shown in the following example:

    FWSM(config)#show mode
    Security context mode: multiple
    The flash mode is the SAME as the running mode.

The following commands are used to enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0/24 network to create ASDM, SSH or Telnet connections:

    asa(config)# http server enable
    asa(config)# http 192.168.1.0 255.255.255.0 inside
    asa(config)# telnet 192.168.1.0 255.255.255.0 inside
    asa(config)# ssh 192.168.1.0 255.255.255.0 inside

Determining Software Versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To determine the version of Cisco FWSM Software that is running, issue the show module command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed on the system.

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch>show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

Advisory ID: cisco-sa-20100811-ace

Revision 1.0

For Public Release 2010 August 11 1600 UTC (GMT)

Summary
=======

The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain the following DoS vulnerabilities:

  * Real-Time Streaming Protocol (RTSP) inspection DoS vulnerability
  * HTTP, RTSP, and Session Initiation Protocol (SIP) inspection DoS vulnerability
  * Secure Socket Layer (SSL) DoS vulnerability
  * SIP inspection DoS vulnerability

Cisco has released free software updates for affected customers. Workarounds that mitigate some of the vulnerabilities are available.

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100811-ace.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine are affected by multiple vulnerabilities. Affected versions vary depending on the specific vulnerability. For specific version information, refer to the Software Versions and Fixes section of this advisory.

RTSP Inspection DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine appliances configured with RTSP inspection are affected. RTSP inspection is disabled by default.

HTTP, RTSP, and SIP Inspection DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cisco ACE 4710 Application Control Engine appliances configured with HTTP, RTSP, or SIP inspection are affected. HTTP, RTSP, and SIP inspection are disabled by default. The Cisco ACE Application Control Engine Module is not affected by this vulnerability.

Note: This vulnerability is independent from the other RTSP and SIP inspection vulnerabilities described in this advisory.

SSL DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~

Cisco ACE Application Control Engine Modules processing SSL transactions are affected by this vulnerability. The Cisco ACE 4710 Application Control Engine appliance is not affected by this vulnerability.

SIP Inspection DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine appliances configured for SIP inspection are affected. SIP inspection is disabled by default.

Determining Software Versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To display the version of system software that is currently running on a Cisco ACE Application Control Engine, use the show version command.

This example displays the output of the show version command on Cisco ACE Application Control Engine software version A3(1.0):

    ACE-4710/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.

    Software
      loader:    Version 0.95
      system:    Version A3(1.0) [build 3.0(0)A3(0.0.148)]
      system image file: (nd)/192.168.65.31/scimitar.bin
      Device Manager version 1.1 (0) 20080805:0415

    ... output truncated

This example displays the output of the show version command on a Cisco ACE Application Control Engine Module software version A2(3.0):

    ACEmod/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.

    Software
      loader:    Version 12.2[121]
      system:    Version A2(3.0) [build 3.0(0)A2(2.99.80)]
      system image file: [LCP] disk0:c6ace-t1k9-mzg.A2_2_99_80.bin
      licensed features: no feature license is installed

    ... output truncated

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected by any of the vulnerabilities that are described in this advisory.

No
[c-nsp] Cisco Security Advisory: SQL Injection Vulnerability in Cisco Wireless Control System
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: SQL Injection Vulnerability in Cisco Wireless Control System

Advisory ID: cisco-sa-20100811-wcs

Revision 1.0

For Public Release 2010 August 11 1600 UTC (GMT)

Summary
=======

Cisco Wireless Control System (WCS) contains a SQL injection vulnerability that could allow an authenticated attacker full access to the vulnerable device, including modifying the system configuration; creating, modifying, and deleting users; or modifying the configuration of wireless devices managed by WCS.

Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100811-wcs.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco WCS devices running software 6.0.x are affected by this vulnerability.

Note: Cisco WCS software release 7.0 is not affected by this vulnerability. Cisco WCS version 7.0.164.0 (which is the first 7.0 version) already contains the fix for this vulnerability. Cisco WCS software releases prior to 6.0 are not affected by this vulnerability.

The version of WCS software installed on a particular device can be found via the Cisco WCS HTTP management interface. Choose Help About the Software to obtain the software version.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Wireless LAN Controllers (WLC) are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco WCS enables an administrator to configure and monitor one or more WLCs and associated access points.

A SQL injection vulnerability exists in Cisco WCS. Exploitation could allow an authenticated attacker to modify the system configuration; create, modify, and delete users; or modify the configuration of wireless devices managed by WCS.

This vulnerability is documented in Cisco bug ID CSCtf37019 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2826.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtf37019 - SQL injection in order by clause of Client List screens

CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability could allow an authenticated attacker to modify the system configuration; create, modify, and delete users; or modify the configuration of wireless devices managed by WCS.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This vulnerability is fixed in Cisco WCS version 6.0.196.0. Cisco WCS software can be downloaded from this location: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=279705270

Workarounds
===========

There are no workarounds for this vulnerability.

Mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100811-wcs.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying
[c-nsp] Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

Advisory ID: cisco-sa-20100812-tcp

http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml

Revision 1.0

For Public Release 2010 August 12 2130 UTC (GMT)

Summary
=======

Cisco IOS Software Release 15.1(2)T is affected by a denial of service (DoS) vulnerability during the TCP establishment phase. The vulnerability could cause embryonic TCP connections to remain in a SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these states could consume system resources and prevent an affected device from accepting or initiating new TCP connections, including any TCP-based remote management access to the device.

No authentication is required to exploit this vulnerability. An attacker does not need to complete a three-way handshake to trigger this vulnerability; therefore, this vulnerability can be exploited using spoofed packets. This vulnerability may be triggered by normal network traffic.

Cisco has released Cisco IOS Software Release 15.1(2)T0a to address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml.

Affected Products
=================

This vulnerability affects only Cisco IOS Software Release 15.1(2)T. No other Cisco IOS Software Releases are affected. Cisco IOS XE Software, Cisco IOS XR Software, and Cisco NX-OS Software are not affected by this vulnerability.

Vulnerable Products
+------------------

A Cisco device is vulnerable when it is running Cisco IOS Software Release 15.1(2)T.

To determine the Cisco IOS Software Release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software Release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.1(2)T with an installed image name of C2800NM-ENTSERVICES-M:

    Router#show version
    Cisco IOS Software, 2800 Software (C2800NM-ENTSERVICES-M), Version 15.1(2)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Mon 19-Jul-10 16:38 by prod_rel_team

    output truncated

Additional information about Cisco IOS Software Release naming conventions is available in the White Paper: Cisco IOS Reference Guide.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco IOS Software versions are affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

TCP provides reliable data transmission services in packet-switched network environments. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing.

When TCP connections are terminated in Cisco IOS Software, they are allocated a transmission control block (TCB). All allocated TCBs, associated TCP port numbers, and the TCP state are displayed in the output of the show tcp brief all command-line interface (CLI) command.

Cisco IOS Software version 15.1(2)T contains a vulnerability that could cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT state without a further TCP state transition. Examining the output of the show tcp brief all command multiple times will indicate if TCP sessions remain in one of these states.

This vulnerability is triggered only by TCP traffic that is terminated by or originated from the device. Transit traffic will not trigger this vulnerability. Both connections to and from the router could trigger this vulnerability. For example, an administrator may still be able to ping the device but fail to establish a Telnet or SSH connection to the device. Administrators who attempt a Telnet or an SSH connection to a remote device from the CLI prompt will encounter a hung session and the Trying ip address|hostname ... prompt.

The connection that is initiated or terminated by the router can be removed from the socket table by clearing the associated TCB with the clear tcp tcb 0xaddress command.

Devices could be vulnerable if examining the output of the CLI command debug ip tcp transactions displays the error messages connection
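The Details section says to examine show tcp brief all repeatedly and look for sessions that stay in SYNRCVD or SYNSENT, and to clear a hung TCB with clear tcp tcb 0xaddress. The following is an added example, not Cisco code, that automates that comparison: it parses two snapshots of the command output taken some time apart, reports the embryonic TCBs that never changed state, and prints the corresponding clear commands. The two snapshots are constructed (RFC 5737 documentation addresses); the column layout follows the command's IPv4 table.

```python
"""Spot embryonic TCP connections that never leave SYNRCVD/SYNSENT by diffing
successive 'show tcp brief all' snapshots, the check suggested in
cisco-sa-20100812-tcp.  Added example, not Cisco code; snapshots are constructed."""
import re
from dataclasses import dataclass

EMBRYONIC = {"SYNRCVD", "SYNSENT"}
HEX_TCB = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class Tcb:
    tcb: str          # transmission control block address, hex as printed
    local: str        # local address.port
    foreign: str      # foreign address.port (or *.* for a listener)
    state: str


def parse_tcp_brief(text):
    """Parse the table printed by 'show tcp brief all' into {tcb: Tcb}.
    Data rows have four whitespace-separated columns and a hex TCB in the
    first one; the prompt line and the column header do not and are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not HEX_TCB.match(parts[0]):
            continue
        tcb, local, foreign, state = parts
        entries[tcb] = Tcb(tcb, local, foreign, state)
    return entries


def stuck_embryonic(snapshots):
    """Return TCBs that were in SYNRCVD or SYNSENT in the first snapshot and are
    still in that same state in every later snapshot.  A handshake in progress
    is gone or ESTAB by the next snapshot; a TCB that never transitions is the
    symptom the advisory describes.  Order follows the first snapshot."""
    if len(snapshots) < 2:
        raise ValueError("need at least two snapshots taken some time apart")
    parsed = [parse_tcp_brief(s) for s in snapshots]
    return [
        first for tcb, first in parsed[0].items()
        if first.state in EMBRYONIC
        and all(tcb in later and later[tcb].state == first.state for later in parsed[1:])
    ]


def clear_commands(stuck):
    """The advisory's remediation for a hung connection: clear tcp tcb 0x<address>."""
    return [f"clear tcp tcb 0x{t.tcb}" for t in stuck]


# Constructed snapshot 1: two embryonic connections plus a third that is mid-handshake.
SNAPSHOT_1 = """\
Router#show tcp brief all
TCB       Local Address               Foreign Address             (state)
65A8B3C4  192.0.2.1.23                198.51.100.7.40231          ESTAB
65A8C9D0  192.0.2.1.23                198.51.100.9.51002          SYNRCVD
65A8D120  192.0.2.1.31200             203.0.113.5.22              SYNSENT
65A8E440  192.0.2.1.23                198.51.100.12.60010         SYNRCVD
65A8E004  0.0.0.0.23                  *.*                         LISTEN
"""

# Constructed snapshot 2, minutes later: 65A8E440 completed its handshake, a new
# SYNRCVD appeared (not yet suspicious), and the two hung TCBs have not moved.
SNAPSHOT_2 = """\
Router#show tcp brief all
TCB       Local Address               Foreign Address             (state)
65A8B3C4  192.0.2.1.23                198.51.100.7.40231          ESTAB
65A8C9D0  192.0.2.1.23                198.51.100.9.51002          SYNRCVD
65A8D120  192.0.2.1.31200             203.0.113.5.22              SYNSENT
65A8E440  192.0.2.1.23                198.51.100.12.60010         ESTAB
65A8F018  192.0.2.1.23                198.51.100.3.44120          SYNRCVD
65A8E004  0.0.0.0.23                  *.*                         LISTEN
"""

if __name__ == "__main__":
    stuck = stuck_embryonic([SNAPSHOT_1, SNAPSHOT_2])
    for t in stuck:
        print(f"{t.tcb} {t.local} -> {t.foreign} stuck in {t.state}")
    print("\n".join(clear_commands(stuck)))
```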
[c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities Advisory ID: cisco-sa-20100825-cucm Revision 1.0 For Public Release 2010 August 25 1600 UTC (GMT) +- Summary === Cisco Unified Communications Manager contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of voice services. Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100825-cucm.shtml Affected Products = Vulnerable Products +-- The following products are affected by vulnerabilities that are described in this advisory: * Cisco Unified Communications Manager 6.x * Cisco Unified Communications Manager 7.x * Cisco Unified Communications Manager 8.x Products Confirmed Not Vulnerable + Cisco Unified Communications Manager version 4.x is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details === Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected. The first SIP DoS vulnerability is documented in Cisco bug ID CSCtd17310 and has been assigned the CVE identifier CVE-2010-2837. 
This vulnerability is fixed in Cisco Unified Communications Manager versions 6.1(5)SU1, 7.0(2a)SU3, 7.1(3b)SU2, 7.1(5) and 8.0(1). Cisco Unified Communications Manager version 4.x is not affected. The second SIP DoS vulnerability is documented in Cisco bug ID CSCtf66305 and has been assigned the CVE identifier CVE-2010-2838. The second vulnerability is fixed in Cisco Unified Communications Manager versions 7.0(2a)SU3, 7.1(5) and 8.0(3). Cisco Unified Communications Manager versions 4.x and 6.x are not affected. Vulnerability Scoring Details = Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd17310 - potential core dump issue in SIPStationInit code

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

CSCtf66305 - CCM Coredump From SendCombinedStatusInfo on Fuzzed REGISTER Message

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Cisco Unified Communications Manager will restart the affected processes, but repeated attacks may result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be
[c-nsp] Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities
Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20100825-cup
Revision 1.0
For Public Release 2010 August 25 1600 UTC (GMT)

Summary
=======

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of presence services.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100825-cup.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected:

* Cisco Unified Presence 6.0 versions prior to 6.0(7)
* Cisco Unified Presence 7.0 versions prior to 7.0(8)

Note: Cisco Unified Presence version 8.0(1) shipped with software fixes for all the vulnerabilities described in this advisory.

Administrators of systems running Cisco Unified Presence can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can also be determined by running the command "show version active" from the command line interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Presence contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of presence services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected.

The first SIP DoS vulnerability is documented in Cisco bug ID CSCtd14474 and has been assigned the CVE identifier CVE-2010-2839. This vulnerability is fixed in Cisco Unified Presence versions 6.0(7) and 7.0(8).
The second SIP DoS vulnerability is documented in Cisco bug ID CSCtd39629 and has been assigned the CVE identifier CVE-2010-2840. This vulnerability is fixed in Cisco Unified Presence versions 6.0(7) and 7.0(8).

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd14474 - SIPD Coredumps due to Possible Stack Corruption During Fuzzing

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

CSCtd39629 - PE Coredump On Subscribe Message with Contact Field Error

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of any of the vulnerabilities may result in the interruption of presence services.
Cisco Unified Presence will restart the affected processes, but repeated attacks may result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
[c-nsp] Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability
Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability

Advisory ID: cisco-sa-20100827-bgp
Revision 1.0
For Public Release 2010 August 27 2200 UTC (GMT)

Summary
=======

Cisco IOS XR Software contains a vulnerability in the Border Gateway Protocol (BGP) feature. The vulnerability manifests itself when a BGP peer announces a prefix with a specific, valid but unrecognized transitive attribute. On receipt of this prefix, the Cisco IOS XR device will corrupt the attribute before sending it to the neighboring devices. Neighboring devices that receive this corrupted update may reset the BGP peering session.

Affected devices running Cisco IOS XR Software corrupt the unrecognized attribute before sending it to neighboring devices; those neighbors may be running operating systems other than Cisco IOS XR Software and may still reset the BGP peering session after receiving the corrupted update. This behavior is per the standards defining the operation of BGP.

Cisco has developed a fix that addresses this vulnerability and will be releasing free software maintenance upgrades (SMU) progressively starting 28 August 2010. This advisory will be updated accordingly as fixes become available.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100827-bgp.shtml

Affected Products
=================

This vulnerability affects all Cisco IOS XR Software devices configured with BGP routing.

Vulnerable Products
+------------------

To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software".
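The summary above relies on the RFC 4271 rules for path attributes: an unrecognized optional transitive attribute must be passed on unchanged with the Partial bit set, while an attribute whose length does not fit the UPDATE is an UPDATE Message Error that causes the receiving peer to send a NOTIFICATION and reset the session. As an added example that is not part of the advisory, this Python parser applies those rules to a constructed Path Attributes field (type code 250 and the sample bytes are made up):

```python
# Added example (not code from the Cisco advisory): a minimal parser for the
# Path Attributes field of a BGP UPDATE that applies the RFC 4271 rules the
# advisory's summary relies on. Type codes, flags and sample bytes are constructed.
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10
WELL_KNOWN_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP"}  # recognized here

class UpdateMessageError(Exception):
    """UPDATE Message Error: the receiver sends a NOTIFICATION and closes the session."""

def parse_path_attributes(data):
    """Split the Path Attributes field into (flags, type_code, value) tuples."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise UpdateMessageError("attribute header truncated")
        flags, type_code = data[pos], data[pos + 1]
        pos += 2
        len_size = 2 if flags & EXT_LEN else 1   # Extended Length bit
        if pos + len_size > len(data):
            raise UpdateMessageError("attribute length field truncated")
        length = int.from_bytes(data[pos:pos + len_size], "big")
        pos += len_size
        if pos + length > len(data):
            # RFC 4271 section 6.3: Attribute Length Error, the session is reset
            raise UpdateMessageError("attribute length exceeds field")
        attrs.append((flags, type_code, bytes(data[pos:pos + length])))
        pos += length
    return attrs

def attributes_to_forward(attrs):
    """RFC 4271 section 5: decide which attributes a router propagates to peers."""
    out = []
    for flags, type_code, value in attrs:
        if type_code in WELL_KNOWN_TYPES:
            out.append((flags, type_code, value))
        elif not flags & OPTIONAL:
            raise UpdateMessageError("unrecognized well-known attribute")
        elif flags & TRANSITIVE:
            # Unrecognized optional transitive: keep the value unchanged and set
            # the Partial bit. Corrupting the value here is the bug the advisory describes.
            out.append((flags | PARTIAL, type_code, value))
        # unrecognized optional non-transitive attributes are silently dropped
    return out

# Constructed path attributes: ORIGIN=IGP, empty AS_PATH, and an unrecognized
# optional transitive attribute (type 250) carrying two bytes of value.
SAMPLE = bytes([0x40, 1, 1, 0, 0x40, 2, 0, 0xC0, 250, 2, 0xAB, 0xCD])
```

Running `attributes_to_forward(parse_path_attributes(SAMPLE))` keeps all three attributes, with the type 250 flags changed from 0xC0 to 0xE0; dropping the final byte of SAMPLE raises UpdateMessageError, which is the session reset the neighbors in the advisory perform.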
The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:

    RP/0/RP0/CPU0:CRS#show version
    Tue Aug 18 14:25:17.407 AEST

    Cisco IOS XR Software, Version 3.6.2[00]
    Copyright (c) 2008 by Cisco Systems, Inc.

    ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],

    CRS uptime is 4 weeks, 4 days, 1 minute
    System image file is disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm

    cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
    7457 processor at 1197Mhz, Revision 1.2

    17 Packet over SONET/SDH network interface(s)
    1 DWDM controller(s)
    17 SONET/SDH Port controller(s)
    8 TenGigabitEthernet/IEEE 802.3 interface(s)
    2 Ethernet/IEEE 802.3 interface(s)
    1019k bytes of non-volatile configuration memory.
    38079M bytes of hard disk.
    981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).

    Configuration register on node 0/0/CPU0 is 0x102
    Boot device on node 0/0/CPU0 is mem:

    !--- output truncated

The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:

    RP/0/0/CPU0:GSR#show version

    Cisco IOS XR Software, Version 3.7.1[00]
    Copyright (c) 2008 by Cisco Systems, Inc.

    ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
    Copyright (c) 1994-2005 by cisco Systems, Inc.

    GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
    System image file is disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm

    cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
    7457 processor at 1266Mhz, Revision 1.2

    1 Cisco 12000 Series Performance Route Processor
    1 Cisco 12000 Series - Multi-Service Blade Controller
    1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
    1 Cisco 12000 Series SPA Interface Processor-601/501/401
    3 Ethernet/IEEE 802.3 interface(s)
    1 SONET/SDH Port controller(s)
    1 Packet over SONET/SDH network interface(s)
    4 PLIM QoS controller(s)
    8 FastEthernet/IEEE 802.3 interface(s)
    1016k bytes of non-volatile configuration memory.
    1000496k bytes of disk0: (Sector size 512 bytes).
    65536k bytes of Flash internal SIMM (Sector size 256k).

    Configuration register on node 0/0/CPU0 is 0x2102
    Boot device on node 0/0/CPU0 is disk0:

    !--- output truncated

Additional information about Cisco IOS XR Software release naming conventions is available in the White Paper: Cisco IOS Reference Guide at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html#9

Additional information about the Cisco IOS XR Software time-based release model is available in the White Paper: Guidelines for Cisco IOS XR Software at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html

BGP is configured in Cisco IOS XR Software with the configuration command router bgp [AS