Mar 1, 2011

February 2011: nine Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published nine important vulnerability advisories:

  • Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch
  • Multiple Vulnerabilities in Cisco TelePresence Manager
  • Multiple Vulnerabilities in Cisco TelePresence Recording Server
  • Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices
  • Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
  • Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
  • Management Center for Cisco Security Agent Remote Code Execution Vulnerability
  • Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints
  • Multiple Cisco WebEx Player Vulnerabilities

Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch
Multiple vulnerabilities exist within the Cisco TelePresence Multipoint Switch. This security advisory outlines details of the following vulnerabilities:

  • Unauthenticated Java Servlet Access
  • Unauthenticated Arbitrary File Upload
  • Cisco Discovery Protocol Remote Code Execution
  • Unauthorized Servlet Access
  • Java RMI Denial of Service
  • Real-Time Transport Control Protocol Denial of Service
  • XML-Remote Procedure Call (RPC) Denial of Service

Vulnerable Products
All releases of Cisco TelePresence System Software prior to 1.7.1 are affected by one or more of the vulnerabilities listed in this advisory. Cisco TelePresence Multipoint Switch devices running an affected version of software are affected. To determine the current version of software running on the Cisco TelePresence Multipoint Switch, establish an SSH connection to the device and issue the show version active and the show version inactive commands.

Details
The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. This security advisory describes multiple, distinct vulnerabilities in the Cisco TelePresence Multipoint Switch.

Impact

  • Successful exploitation of the Unauthenticated Java Servlet (CSCtf42008, CSCtf01253) vulnerabilities could allow an unauthenticated, remote attacker to take complete control of the affected device.
  • Successful exploitation of the Unauthenticated Arbitrary File Upload (CSCth61065) vulnerability could allow an unauthenticated, remote attacker to place or overwrite arbitrary files on the affected system. This may allow the attacker to gain full control of the affected device.
  • Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75766) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system.
  • Successful exploitation of the Unauthorized Servlet Access (CSCtf97164) vulnerability could allow a remote, authenticated attacker to perform certain actions on the system that should be restricted by the attacker’s privilege level.
  • Successful exploitation of the Java RMI Denial of Service (CSCtg35825) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible.
  • Successful exploitation of the Real-Time Transport Control Protocol Denial of Service (CSCth60993) vulnerability could allow an unauthenticated, remote attacker to terminate all active calls on the affected device.
  • Successful exploitation of the XML-RPC Denial of Service (CSCtj44534) vulnerability could allow an unauthenticated, remote attacker to terminate all current calls and potentially cause the device to become unusable for future calls.

Link: http://www.cisco.com/…/advisory09186a0080b6e14e.shtml

Multiple Vulnerabilities in Cisco TelePresence Manager
Multiple vulnerabilities exist in the Cisco TelePresence Manager. This security advisory outlines the details of the following vulnerabilities:

  • Simple Object Access Protocol (SOAP) Authentication Bypass
  • Java Remote Method Invocation (RMI) Command Injection
  • Cisco Discovery Protocol Remote Code Execution

Vulnerable Products
Releases of Cisco TelePresence Manager software prior to 1.7.0 may be affected by one or more of the vulnerabilities listed in this advisory. To determine the current version of software that is running on the Cisco TelePresence Manager, establish an SSH connection to the device and issue the show version active and the show version inactive commands.

Details

  • SOAP Authentication Bypass: An authentication bypass vulnerability exists that could allow a remote, unauthenticated attacker to invoke arbitrary methods that are available via the SOAP interface on the Cisco TelePresence Manager. The attacker would need the ability to submit a malformed SOAP request that is designed to trigger the vulnerability to the affected device on TCP port 8080 or 8443.
  • Java RMI Command Injection: A command injection vulnerability exists in the Java RMI interface that is exposed on the Cisco TelePresence Manager. The vulnerability could allow an unauthenticated, remote attacker to perform a number of actions on the device with elevated privileges. The attacker would need to be able to submit a crafted request to the affected device on TCP port 1100 or 32000.
  • Cisco Discovery Protocol Remote Code Execution: A remote code execution vulnerability exists in Cisco TelePresence Manager devices. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. The attacker would need the ability to submit a malicious Cisco Discovery Protocol packet to the affected system to exploit this vulnerability.

Impact

  • Successful exploitation of the SOAP Authentication Bypass vulnerability (CSCtc59562) could allow an unauthenticated, remote attacker to issue SOAP requests to the affected system. This could allow the attacker to perform multiple actions that should be restricted to authenticated users.
  • Successful exploitation of the Java RMI Command Injection Vulnerability (CSCtf97085) could allow an unauthenticated, remote attacker to take complete control of the affected device.
  • Successful exploitation of the Cisco Discovery Protocol Remote Code Execution vulnerability (CSCtd75761) could allow an unauthenticated, adjacent attacker to take complete control of the affected system.

Link: http://www.cisco.com/…/advisory09186a0080b6e14f.shtml

Multiple Vulnerabilities in Cisco TelePresence Recording Server
Multiple vulnerabilities exist within the Cisco TelePresence Recording Server. This security advisory outlines details of the following vulnerabilities:

  • Unauthenticated Java Servlet Access
  • Common Gateway Interface (CGI) Command Injection
  • Unauthenticated Arbitrary File Upload
  • XML-Remote Procedure Call (RPC) Arbitrary File Overwrite
  • Cisco Discovery Protocol Remote Code Execution
  • Ad Hoc Recording Denial of Service
  • Java Remote Method Invocation (RMI) Denial of Service
  • Unauthenticated XML-RPC Interface

Vulnerable Products
All releases of Cisco TelePresence software prior to 1.7.1 are affected by one or more of the vulnerabilities listed in this advisory. To determine the current version of software that is running on the Cisco TelePresence Recording Server, access the device via SSH and issue the show version active and the show version inactive commands.

Details

  • Unauthenticated Java Servlet Access: A number of sensitive Java Servlets delivered via a Java Servlet framework within the Cisco TelePresence Recording Server could allow a remote, unauthenticated attacker to perform actions that should be restricted to administrative users. To successfully exploit this vulnerability, the attacker would need the ability to submit a crafted request to an affected device on TCP port 80, TCP port 443, or TCP port 8080.
  • CGI Command Injection: A CGI command injection vulnerability exists within the Cisco TelePresence Recording Server that could allow a remote, unauthenticated attacker to execute arbitrary commands with elevated privileges. To successfully exploit this vulnerability the attacker would need the ability to submit a malformed request to an affected device via TCP port 443.
  • Unauthenticated Arbitrary File Upload: An arbitrary file upload vulnerability exists within the administrative web interface of the Cisco TelePresence Recording Server. An unauthenticated, remote attacker could place content to arbitrary locations on the device by submitting crafted requests to the affected device. To successfully exploit this vulnerability the attacker would need the ability to submit a crafted request to an affected device on TCP port 80 or 443.
  • XML-RPC Arbitrary File Overwrite: An arbitrary file overwrite vulnerability exists within Cisco TelePresence Recording Server devices that could allow an unauthenticated, remote attacker to overwrite arbitrary files with logging data. This vulnerability could be leveraged to obtain full control of the affected device. To successfully exploit this vulnerability the attacker would need the ability to submit a malformed request to an affected device via TCP port 12102 or 12104.
  • Cisco Discovery Protocol Remote Code Execution: A remote code execution vulnerability exists within Cisco TelePresence Recording Server devices. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. To exploit this vulnerability, the attacker must submit a malicious Cisco Discovery Protocol packet to the affected system.
  • Ad Hoc Recording Denial of Service: A denial of service vulnerability exists within Cisco TelePresence Recording Server devices. The vulnerability could allow an unauthenticated, remote attacker to cause all recording and playback threads on the device to be consumed. A restart of the affected device may be required to regain functionality. To successfully exploit this vulnerability the attacker would need the ability to submit a malformed request to an affected device via TCP port 80.
  • Java RMI Denial of Service: A denial of service vulnerability exists within Cisco TelePresence Recording Server devices due to a failure to properly restrict access to the RMI interface of the Java Servlet framework. An unauthenticated, remote attacker could trigger an out-of-memory condition on the Servlet host by issuing a series of crafted requests. To successfully exploit this vulnerability the attacker would need the ability to communicate to an affected device on TCP port 8999.
  • Unauthenticated XML-RPC Interface: An unauthenticated XML-RPC interface exists within Cisco TelePresence Recording Server devices. This vulnerability could allow an unauthenticated, remote attacker to perform a limited number of actions on the system that should be restricted to authorized users. To successfully exploit this vulnerability the attacker would need the ability to communicate to an affected device on TCP port 8080.

Impact

  • Successful exploitation of the Unauthenticated Java Servlet Access (CSCtf42005) vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device or system.
  • Successful exploitation of the CGI Command Injection (CSCtf97221) vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device or system.
  • Successful exploitation of the Unauthenticated Arbitrary File Upload (CSCth85786) vulnerability could allow an unauthenticated, remote attacker to place or overwrite arbitrary files on the affected system. This may allow the attacker to gain full control of the affected device.
  • Successful exploitation of the XML-RPC Arbitrary File Overwrite (CSCti50739) vulnerability could allow an unauthenticated, remote attacker to create a denial of service condition. In some instances this issue could be leveraged to gain complete control of the affected system.
  • Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75769) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system.
  • Successful exploitation of the Ad Hoc Recording Denial of Service (CSCtf97205) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected device.
  • Successful exploitation of the Java RMI Denial of Service (CSCtg35830) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible.
  • Successful exploitation of the Unauthenticated XML-RPC Interface (CSCtg35833) vulnerability could allow an unauthenticated, remote attacker to perform a number of actions that should be restricted to authenticated users.

Link: http://www.cisco.com/…/advisory09186a0080b6e11d.shtml

Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices
Multiple vulnerabilities exist in the Cisco TelePresence solution; each component of the solution is addressed independently in its own advisory. This advisory addresses Cisco TelePresence endpoint devices and details the following vulnerabilities:

  • Unauthenticated Common Gateway Interface (CGI) Access
  • CGI Command Injection
  • TFTP Information Disclosure
  • Malicious IP Address Injection
  • XML-Remote Procedure Call (RPC) Command Injection
  • Cisco Discovery Protocol Remote Code Execution

Vulnerable Products
One or more of these vulnerabilities affect all Cisco TelePresence endpoint systems that are running a release of Cisco TelePresence software prior to 1.7.1. The following Cisco TelePresence endpoint systems that are running an affected version of software are vulnerable: Cisco TelePresence System 500 Series, 1300 Series, 3000 Series, and 3200 Series and Cisco TelePresence System 1000 and 1100. To determine the current version of software that is running on the endpoint, access the device via SSH and issue the show version command.

Details

  • Unauthenticated CGI Access: Multiple CGI command injection vulnerabilities exist in Cisco TelePresence endpoint devices that could allow a remote, authenticated attacker to execute arbitrary commands with elevated privileges. To exploit these vulnerabilities, an attacker must submit a malformed request to an affected device via TCP port 8082.
  • CGI Command Injection: Multiple CGI command injection vulnerabilities exist in Cisco TelePresence endpoint devices that could allow a remote, authenticated attacker to execute arbitrary commands with elevated privileges. To exploit these vulnerabilities, an attacker must submit a malformed request to an affected device via TCP port 443.
  • TFTP Information Disclosure: An information disclosure vulnerability exists within Cisco TelePresence endpoint devices that could allow an unauthenticated, remote attacker to retrieve sensitive authentication and configuration information. The attacker would need to have the ability to submit a TFTP GET request via UDP port 69 to the affected device.
  • Malicious IP Address Injection: A denial of service vulnerability exists within Cisco TelePresence endpoint devices that could allow a remote, unauthenticated attacker to cause a denial of service condition. An attacker with the ability to impersonate a Cisco TelePresence Manager system could remotely inject an invalid IP address into a configuration file that could cause a critical service on the device to crash. An endpoint affected by this issue will remain unusable until it has been manually restored to a known good state. Restoration of service may require an administrator to reload software on the affected device. The attacker would need the ability to submit a malformed SOAP request to an affected device via TCP port 8081 or TCP port 9501.
  • XML-RPC Command Injection: An XML-RPC command injection vulnerability exists in Cisco TelePresence endpoint devices. This issue could allow an unauthenticated attacker with access to the broadcast domain of the affected device to execute arbitrary commands with elevated privileges. The attacker would need the ability to submit a request to an affected system via TCP port 61441 or TCP port 61445.
  • Cisco Discovery Protocol Remote Code Execution: A remote code execution vulnerability exists in Cisco TelePresence endpoint devices. This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. To exploit this vulnerability, the attacker must submit a malicious Cisco Discovery Protocol packet to an affected system.

Impact

  • Successful exploitation of the Unauthenticated CGI Access (CSCtb31640) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected device or system.
  • Successful exploitation of the CGI Command Injection (CSCtb31659, CSCtb31685, and CSCth24672) vulnerabilities could allow an authenticated, remote attacker to take complete control of an affected device or system.
  • Successful exploitation of the TFTP Information Disclosure (CSCte43876) vulnerability could allow an unauthenticated, remote attacker to take complete control of an affected system.
  • Successful exploitation of the Malicious IP Address Injection (CSCth03605) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected system.
  • Successful exploitation of the XML-RPC Command Injection (CSCtb52587) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system.
  • Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75754) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of an affected system.

Link: http://www.cisco.com/…/advisory09186a0080b6e152.shtml
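
An exposure check built from the service ports named in the TelePresence Manager, Recording Server and endpoint Details sections above. It is an added example, not code from the Cisco advisories. It flags logged flows that reach one of those ports from outside a management network. The CSV flow format, the host inventory, the trusted subnet and all addresses are assumptions constructed for the illustration.

```python
import ipaddress

# (product, issue, protocol, ports) exactly as named in the Details sections above.
# The Cisco Discovery Protocol issues are layer 2 and never show up in IP flow logs.
ADVISORY_PORTS = [
    ("manager", "SOAP Authentication Bypass", "tcp", (8080, 8443)),
    ("manager", "Java RMI Command Injection", "tcp", (1100, 32000)),
    ("recording-server", "Unauthenticated Java Servlet Access", "tcp", (80, 443, 8080)),
    ("recording-server", "CGI Command Injection", "tcp", (443,)),
    ("recording-server", "Unauthenticated Arbitrary File Upload", "tcp", (80, 443)),
    ("recording-server", "XML-RPC Arbitrary File Overwrite", "tcp", (12102, 12104)),
    ("recording-server", "Ad Hoc Recording Denial of Service", "tcp", (80,)),
    ("recording-server", "Java RMI Denial of Service", "tcp", (8999,)),
    ("recording-server", "Unauthenticated XML-RPC Interface", "tcp", (8080,)),
    ("endpoint", "Unauthenticated CGI Access", "tcp", (8082,)),
    ("endpoint", "CGI Command Injection", "tcp", (443,)),
    ("endpoint", "TFTP Information Disclosure", "udp", (69,)),
    ("endpoint", "Malicious IP Address Injection", "tcp", (8081, 9501)),
    ("endpoint", "XML-RPC Command Injection", "tcp", (61441, 61445)),
]


def build_index(rows=ADVISORY_PORTS):
    """Map (product, protocol, port) to every issue reachable on that port."""
    index = {}
    for product, issue, proto, ports in rows:
        for port in ports:
            index.setdefault((product, proto, port), []).append(issue)
    return index


def parse_flow(line):
    """Parse an assumed 'src,dst,proto,dport' record; return None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    try:
        src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        port = int(parts[3])
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return src, dst, parts[2].lower(), port


def audit(lines, inventory, trusted_nets):
    """Return (findings, skipped): flows from untrusted sources to advisory ports."""
    index = build_index()
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings, skipped = [], 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            skipped += 1
            continue
        src, dst, proto, port = flow
        product = inventory.get(str(dst))  # hosts not in the inventory are ignored
        issues = index.get((product, proto, port))
        if issues and not any(src in net for net in trusted):
            findings.append((str(src), str(dst), product, f"{proto}/{port}", issues))
    return findings, skipped


# Constructed sample data (RFC 5737 / RFC 1918 addresses), not real traffic.
INVENTORY = {"192.0.2.10": "manager", "192.0.2.20": "recording-server",
             "192.0.2.30": "endpoint"}
TRUSTED = ["10.10.0.0/24"]  # assumed management subnet
FLOWS = [
    "10.10.0.5,192.0.2.10,tcp,8443",     # management host: allowed
    "198.51.100.7,192.0.2.10,tcp,32000",
    "198.51.100.7,192.0.2.20,tcp,8080",  # one port, two listed issues
    "203.0.113.9,192.0.2.30,udp,69",
    "203.0.113.9,192.0.2.30,tcp,69",     # TFTP issue is UDP only
    "203.0.113.9,192.0.2.99,tcp,8080",   # destination not inventoried
    "truncated record",
]

if __name__ == "__main__":
    findings, skipped = audit(FLOWS, INVENTORY, TRUSTED)
    for src, dst, product, service, issues in findings:
        print(f"{src} -> {dst} ({product}) {service}: {'; '.join(issues)}")
    print(f"{skipped} malformed record(s) skipped")
```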

Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. Devices are affected when SCCP inspection is enabled.

Vulnerable Products
Versions 3.1.x, 3.2.x, 4.0.x, and 4.1.x of Cisco FWSM software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default. To determine whether SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output.

Details
The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection. The Cisco FWSM is affected by a vulnerability that may cause the device to reload during the processing of a malformed SCCP message when SCCP inspection is enabled. This vulnerability is triggered only by transit traffic; traffic that is destined to the device does not trigger this vulnerability.

Impact
Successful exploitation of this vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/advisory09186a0080b6e148.shtml

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

  • Transparent Firewall Packet Buffer Exhaustion Vulnerability
  • Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
  • Routing Information Protocol (RIP) Denial of Service Vulnerability
  • Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Vulnerable Products
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability.
For specific version information, refer to the Software Versions and Fixes section of this advisory.

Details
The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention system (IPS), anti-X, and virtual private network (VPN) services. Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

  • Transparent Firewall Packet Buffer Exhaustion Vulnerability
  • SCCP Inspection Denial of Service Vulnerability
  • RIP Denial of Service Vulnerability
  • Unauthorized File System Access Vulnerability

Impact

  • Transparent Firewall Packet Buffer Exhaustion Vulnerability: Successful exploitation of this vulnerability could cause a decrease in the number of available packet buffers. Repeated exploitation could eventually deplete all available packet buffers, which may cause an appliance to stop forwarding traffic.
  • SCCP Inspection Denial of Service Vulnerability: Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition.
  • RIP Denial of Service Vulnerability: Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated exploitation may result in a sustained denial of service condition.
  • Unauthorized File System Access Vulnerability: Successful exploitation of this vulnerability could allow unauthorized, unauthenticated users to retrieve files that are stored in an affected appliance’s file system, which may contain sensitive information.

Link: http://www.cisco.com/…/advisory09186a0080b6e14d.shtml

Management Center for Cisco Security Agent Remote Code Execution Vulnerability
The Management Center for Cisco Security Agent is affected by a vulnerability that may allow an unauthenticated attacker to perform remote code execution on the affected device.

Vulnerable Products
Cisco Security Agent software releases 5.1, 5.2, and 6.0 are affected by this vulnerability.

Details
Cisco Security Agent provides threat protection for server and desktop computing systems. Cisco Security Agent can function in a standalone manner or can be managed by the Management Center for Cisco Security Agent. The Management Center for Cisco Security Agent is affected by a vulnerability that could allow an unauthenticated attacker to perform remote code execution on the affected device. A successful exploit could allow the attacker to modify agent policies and system configuration and perform other administrative tasks.

Impact
Successful exploitation of the vulnerability could allow an unauthenticated attacker to perform remote code execution on the affected device and to perform agent policy modification, system configuration, and other administrative tasks.

Link: http://www.cisco.com/…/advisory09186a0080b6cee6.shtml

Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints
Tandberg C Series Endpoints and E/EX Personal Video units that are running software versions prior to TC4.0.0 ship with a root administrator account that is enabled by default with no password. An attacker could use this account in order to modify the application configuration or operating system settings.

Vulnerable Products
This vulnerability affects Tandberg C Series Endpoints and E/EX Personal Video units, including software that is running on the C20, C40, C60, C90, E20, EX60, and EX90 codecs. The software version of the Tandberg unit can be determined by logging into the web-based user interface (UI) or using the “xStatus SystemUnit” command. Users can determine the Tandberg software version by entering the IP address of the codec in a web browser, authenticating (if the device is configured for authentication), and then selecting the “system info” menu option. The version number is displayed after the “Software Version” label in the System Info box.

Details
Tandberg devices are part of the Cisco TelePresence Systems that provide Cisco TelePresence endpoints for immersive environments, conference rooms, individual desktops and home offices. The C Series Endpoints are typically deployed as Multipurpose Room Systems and the E/EX Personal Video units are desktop devices. These devices contain a root user that is enabled for advanced debugging that is unnecessary during normal operations. The root account is not the same as the admin and user accounts. The root user is enabled by default in software versions prior to TC 4.0.0. The default configuration prior to TC 4.0.0 does not set a password for the root user.

Impact
Successful exploitation of the vulnerability may allow an unauthorized user to modify the application configuration and the operating system settings or gain complete administrative control of the device.

Link: http://www.cisco.com/…/advisory09186a0080b69541.shtml

Multiple Cisco WebEx Player Vulnerabilities
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3.

Details
The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode).

Impact
Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx ARF Player or WRF Player application and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the recording player application.

Link: http://www.cisco.com/…/advisory09186a0080b6913f.shtml