Dec 13, 2012

November 2012: two Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published two important vulnerability advisories:

  • Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities
  • Cisco Secure Access Control System TACACS+ Authentication Bypass Vulnerability

Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities
Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web Security Appliances (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial-of-service (DoS) condition. An attacker could exploit these vulnerabilities by sending malformed files to an appliance that is running Sophos Anti-Virus. The malformed files could cause the Sophos antivirus engine to behave unexpectedly.

Vulnerable Products
The following Cisco IronPort appliances, when configured to use Sophos software, are affected by these vulnerabilities:

Cisco IronPort Email Security Appliances (C-Series and X-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.
Cisco IronPort Web Security Appliances (S-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.

Details
The following vulnerabilities affect the Sophos engine that is currently installed on Cisco IronPort ESA and WSA products:

  • Integer overflow parsing Visual Basic 6 controls
  • Internet Explorer protected mode is effectively disabled by Sophos
  • Memory corruption vulnerability in Microsoft CAB parsers
  • RAR virtual machine standard filters memory corruption
  • Stack buffer overflow decrypting PDF files

The following vulnerabilities do not affect the Sophos engine that is currently installed on Cisco IronPort ESA and WSA products:

  • sophos_detoured_x64.dll ASLR bypass
  • Universal XSS
  • Privilege escalation through network update service

Sophos engine version 3.2.07.363_4.83 was qualified and provisioned to the Cisco IronPort ESA and WSA update servers on Tuesday, November 13th, 2012 and fixes the vulnerabilities described in this document.

Impact
Successful exploitation of these vulnerabilities may cause the Sophos Anti-Virus engine to crash. A remote, unauthenticated attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition.

Link: http://tools.cisco.com/…/cisco-sa-20121108-sophos

Cisco Secure Access Control System TACACS+ Authentication Bypass Vulnerability
Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass the TACACS+-based authentication service offered by the affected product. The vulnerability is due to improper validation of the user-supplied password when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store.

Vulnerable Products
The following Cisco Secure ACS versions are affected by this vulnerability: 5.0, 5.1, 5.2, 5.3, 5.4.

Details
Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass the TACACS+-based authentication service offered by the affected product.

The vulnerability is due to improper validation of the user-supplied password when TACACS+ is the authentication protocol and Cisco Secure ACS is configured with a Lightweight Directory Access Protocol (LDAP) external identity store. An attacker could exploit this vulnerability by sending a special sequence of characters when prompted for the user password. The attacker would need to know a valid username stored in the LDAP external identity store in order to exploit this vulnerability, and the exploitation is limited to impersonating that one user. An exploit could allow the attacker to successfully authenticate to any system that uses TACACS+ in combination with an affected Cisco Secure ACS.

Impact
Successful exploitation of this vulnerability could allow a remote attacker to impersonate a user and bypass authentication to any system that uses TACACS+ and relies on the authentication service provided by an affected Cisco Secure ACS.

Link: http://tools.cisco.com/…/cisco-sa-20121107-acs
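As an added defender-side inventory check covering both advisories above (this is not Cisco's code and not part of the original post), the following Python flags appliances still running an affected Sophos engine build and ACS hosts on an affected release, using only the version numbers quoted in the two summaries. The inventory format, field names and hostnames are assumptions, and the advisory lists ACS releases only as major.minor, so patch levels such as "5.4.x" are treated as affected.

```python
import re
from typing import List, Tuple

# Values taken from the advisories above.
SOPHOS_LAST_AFFECTED = "3.2.07.352_4.80"   # "and earlier" is affected
SOPHOS_FIXED = "3.2.07.363_4.83"           # build provisioned 13 Nov 2012
ACS_AFFECTED = {"5.0", "5.1", "5.2", "5.3", "5.4"}


def parse_sophos_version(version: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split an '<engine>_<virus data>' string such as '3.2.07.352_4.80' into
    two integer tuples so that components compare numerically ('07' == 7,
    and 1000 > 352, which a plain string comparison would get wrong)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)_(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos engine version: {version!r}")
    engine, data = m.groups()
    return (tuple(int(p) for p in engine.split(".")),
            tuple(int(p) for p in data.split(".")))


def sophos_engine_affected(version: str) -> bool:
    """True when the running engine is at or below the last affected build."""
    return parse_sophos_version(version) <= parse_sophos_version(SOPHOS_LAST_AFFECTED)


def acs_affected(version: str) -> bool:
    """True for ACS 5.0 through 5.4; compared on major.minor only (assumption)."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ACS version: {version!r}")
    return f"{m.group(1)}.{m.group(2)}" in ACS_AFFECTED


# Constructed sample inventory (hostnames and the "5.5" release are hypothetical).
SAMPLE_INVENTORY = [
    {"host": "esa1.example.net", "product": "ironport-esa", "sophos_engine": "3.2.07.352_4.80"},
    {"host": "wsa1.example.net", "product": "ironport-wsa", "sophos_engine": "3.2.07.363_4.83"},
    {"host": "esa2.example.net", "product": "ironport-esa", "sophos_engine": None},  # not using Sophos
    {"host": "acs1.example.net", "product": "acs", "version": "5.3"},
    {"host": "acs2.example.net", "product": "acs", "version": "5.5"},
]


def find_exposed(inventory: List[dict]) -> List[str]:
    """Return hostnames that still need the November 2012 fixes applied."""
    exposed = []
    for rec in inventory:
        if rec["product"] in ("ironport-esa", "ironport-wsa"):
            # Only appliances configured to use Sophos are in scope for the advisory.
            if rec.get("sophos_engine") and sophos_engine_affected(rec["sophos_engine"]):
                exposed.append(rec["host"])
        elif rec["product"] == "acs" and acs_affected(rec["version"]):
            exposed.append(rec["host"])
    return exposed


if __name__ == "__main__":
    print(find_exposed(SAMPLE_INVENTORY))  # ['esa1.example.net', 'acs1.example.net']
```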