Jan
15
2009

3 new Cisco critical vulnerabilities

Yesterday Cisco has published 3 different vulnerabilities, which can be exploited by malicious people to conduct a DOS attack or a Remote control attack.

1) Cisco ONS Platform Crafted Packet Vulnerability
The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching Platform contains a vulnerability when processing TCP traffic streams that may result in a reload of the device control card.

Cisco has released free software updates that address this vulnerability.

There are no workarounds that mitigate this vulnerability. Several mitigations exist that can limit the exposure of this vulnerability.

Vulnerable Products

  • Cisco ONS 15310-CL and 15310-MA
  • Cisco ONS 15327
  • Cisco ONS 15454 and 15454 SDH
  • Cisco ONS 15600

Details
The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 hardware is managed through the CTX, CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control cards respectively. These control cards are usually connected to a Data Communications Network (DCN). In this context the term DCN is used to denote the network that transports management information between a management station and the network entity (NE). This definition of DCN is sometimes referred to as Management Communication Network (MCN). The DCN is usually physically or logically separated from the optical data network and isolated from the Internet. This limits the exposure to the exploitation of this vulnerability from the Internet.

A crafted stream of TCP traffic to the control cards on a node will result in a reset of the corresponding control cards on this node. A complete 3-way handshake is required on any open TCP port to be able to exploit this vulnerability.

The timing for the data channels traversing the switch is provided by the control cards.

When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS 15327, ONS 15454 or ONS 15454 SDH control card reloads at the same time, the synchronous data channels traversing the switch drop traffic until the card comes back online. Asynchronous data channels traversing the switch are not impacted. Manageability functions provided by the network element using the CTX, CTX2500, XTC or TCC/TCC+/TCC2/TCC2P control cards are not available until the control card comes back online.

On the Cisco ONS 15600 hardware, whenever both the active and standby control cards are rebooting at the same time, there is no impact to the data channels traversing the switch because the TSC performs a software reset which does not impact the timing being provided by the TSC for the data channels.

Manageability functions provided by the network element through the TSC control cards are not available until the control card comes back online.

This vulnerability is documented in Cisco bug ID CSCsr41128 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3818.

Impact
Successful exploitation of this vulnerability will result in a reset of the node’s control card. Repeated attempts to exploit this vulnerability could result in a sustained DoS condition, dropping the synchronous data channels traversing the switch (Cisco ONS 15310-MA, ONS 15310-CL, ONS 15327, ONS 15454, ONS 15454 SDH) and preventing manageability functions provided by the network element control cards (all ONS switches) until the control card comes back online.

Link: http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

 

2) IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities
IronPort PXE Encryption is an e-mail encryption solution that is designed to secure e-mail communications without the need for a Public Key Infrastructure (PKI) or special agents on receiving systems. When an e-mail message is targeted for encryption, the PXE encryption engine on an IronPort e-mail gateway encrypts the original e-mail message as an HTML file and attaches it to a notification e-mail message that is sent to the recipient. The per-message key used to decrypt the HTML file attachment is stored on a local IronPort Encryption Appliance, PostX software installation or the Cisco Registered Envelope Service, which is a Cisco-managed software service.

PXE Encryption Privacy Vulnerabilities: The IronPort PXE Encryption solution is affected by two vulnerabilities that could allow unauthorized individuals to view the contents of secure e-mail messages. To exploit the vulnerabilities, attackers must first intercept secure e-mail messages on the network or via a compromised e-mail account.

IronPort Encryption Appliance Administration Interface Vulnerabilities: IronPort Encryption Appliance devices contain two vulnerabilities that could allow unauthorized users to gain access to the IronPort Encryption Appliance administration interface and modify other users’ settings. These vulnerabilities do not affect Cisco Registered Envelope Service users.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for the vulnerabilities that are described in this advisory.

Vulnerable Products

  • All PostX 6.2.1 versions prior to 6.2.1.1
  • All PostX 6.2.2 versions prior to 6.2.2.3
  • All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
  • All IronPort Encryption Appliance/PostX 6.2.5 versions
  • All IronPort Encryption Appliance/PostX 6.2.6 versions
  • All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
  • All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
  • All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2

Details
PXE Encryption Privacy Vulnerabilities: Individual PXE Encryption users are vulnerable to two message privacy vulnerabilities that could allow an attacker to gain access to sensitive information. All the vulnerabilities require an attacker to first intercept a secure e-mail message as a condition for successful exploitation. Attackers can obtain secure e-mail messages by monitoring a network or a compromised user e-mail account. The IronPort Encryption Appliance contains a logic error that could allow an attacker to obtain the unique, per-message decryption key that is used to protect the content of an intercepted secure e-mail message without user interaction. Using the decryption key, an attacker could decrypt the contents of the secure e-mail message. This vulnerability is documented in IronPort bug 8062 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0053. By modifying the contents of intercepted secure e-mail messages or by forging a close copy of the e-mail message, it may be possible for an attacker to convince a user to view a modified secure e-mail message and then cause the exposure of the user’s credentials and message content. Please see the Workarounds section for more information on mitigations available to reduce exposure to these phishing-style attacks. This vulnerability is documented in IronPort bug 8149 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0054.

IronPort Encryption Appliance Administration Interface Vulnerabilities: The administration interface of IronPort Encryption Appliance devices contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to modify a user’s IronPort Encryption Appliance preferences, including their user name and personal security pass phrase, if the user is logged into the IronPort Encryption Appliance administration interface. Exploitation of the vulnerability will not allow an attacker to change a user’s password. This vulnerability is documented in IronPort bug 5806 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055. The administration interface of IronPort Encryption Appliance devices also contains a cross-site request forgery (CSRF) vulnerability that could allow an attacker to execute a command and modify a user’s IronPort Encryption Appliance preferences, including their user name and personal security pass phrase, under certain circumstances when a user logs out of the IronPort Encryption Appliance administration interface. Exploitation of the vulnerability will not allow an attacker to change a user’s password. This vulnerability is documented in IronPort bug 6403 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.

Impact
PXE Encryption Privacy Vulnerabilities: Successful exploitation of these vulnerabilities could allow an attacker to obtain user credentials and view the contents of intercepted secure e-mail messages, which could result in the disclosure of sensitive information.

IronPort Encryption Appliance Administration Interface Vulnerabilities: Successful exploitation of these vulnerabilities could allow an attacker to access user accounts on an IronPort Encryption Appliance device, which could result in the modification of user preferences.

Link: http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

 

3) Cisco IOS HTTP Server Two Cross-Site Scripting Vulnerabilities
Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed as a parameter to the “ping” command within the Cisco IOS HTTP server is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

2) Input passed to an unspecified parameter within the Cisco IOS HTTP server is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

Successful exploitation of these vulnerabilities requires that the HTTP server or secure server is enabled.

These vulnerabilities are reported in certain 12.0, 12.1, 12.2, 12.3, and 12.4-based IOS releases.

Link: http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml