May 2, 2013

April 2013: ten Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories:

  • Multiple Vulnerabilities in Cisco NX-OS-Based Products
  • Cisco Device Manager Command Execution Vulnerability
  • Multiple Vulnerabilities in Cisco Unified Computing System
  • Cisco Network Admission Control Manager SQL Injection Vulnerability
  • Cisco TelePresence Infrastructure Denial of Service Vulnerability
  • Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
  • Multiple Vulnerabilities in Cisco Firewall Services Module Software
  • Multiple Vulnerabilities in Cisco ASA Software
  • Cisco Prime Network Control Systems Database Default Credentials Vulnerability
  • Multiple Vulnerabilities in Cisco Unified MeetingPlace Solution


Multiple Vulnerabilities in Cisco NX-OS-Based Products
Cisco Nexus, Cisco Unified Computing System (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system. These products are affected by one or more of the following vulnerabilities:

  • Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products
  • Cisco NX-OS Software SNMP and License Manager Buffer Overflow Vulnerability
  • Cisco NX-OS Software SNMP Buffer Overflow Vulnerability
  • Cisco NX-OS Software Jumbo Packet Denial of Service Vulnerability

Vulnerable Products
The following products are vulnerable:

  • Cisco UCS 6100 = Cisco Unified Computing Server Fabric Interconnect 6100 Series devices
  • Cisco UCS 6200 = Cisco Unified Computing Server Fabric Interconnect 6200 Series devices
  • Cisco Nexus 7000 = Cisco Nexus 7000 Series devices
  • Cisco Nexus 5000 = Cisco Nexus 5010 and Cisco Nexus 5020 devices
  • Cisco Nexus 5500 = Cisco Nexus 5500 Series devices
  • Cisco Nexus 4000 = Cisco Nexus 4000 Series blade devices
  • Cisco Nexus 3000 = Cisco Nexus 3000 Series devices
  • Cisco Nexus 1000v = Cisco Nexus 1000v virtual switches and 1010 Virtual Service Appliances
  • Cisco MDS 9000 = Cisco MDS 9000 Multilayer Switch/Director Family devices
  • Cisco CGR 1000 = Cisco Connected Grid Router 1000 Series devices

Details

  • Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products: Cisco NX-OS based devices contain multiple buffer overflow vulnerabilities in the Cisco Discovery Protocol (CDP) subsystem. The vulnerabilities are due to a failure to properly handle malformed CDP packets; an attacker could exploit them by sending malformed CDP packets to an affected device. Because CDP is a link-layer protocol, the attacker must be adjacent (on the same Layer 2 segment as the device) but needs no authentication. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges.
  • Cisco NX-OS Software SNMP and License Manager Buffer Overflow Vulnerability: Cisco NX-OS Software-based devices contain a buffer overflow vulnerability in the SNMP subsystem. An authenticated, remote attacker can exploit the vulnerability by submitting a malicious SNMP query via UDP port 161 to trigger a buffer overflow condition in the SNMP and License Manager components of the device. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges.
  • Cisco NX-OS Software SNMP Buffer Overflow Vulnerability: Cisco NX-OS based devices contain a buffer overflow vulnerability in the SNMP subsystem. An authenticated, remote attacker who can submit a malicious SNMP query via UDP port 161 could exploit the vulnerability to trigger a buffer overflow condition in the SNMP component of the device. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges.
  • Cisco NX-OS Software Jumbo Packet Denial of Service Vulnerability: Cisco NX-OS based devices contain a denial of service (DoS) vulnerability. An unauthenticated, remote attacker who can send a jumbo frame packet to the management interface of an affected device could cause the device to crash and reload.

Impact
Successful exploitation of any of the Cisco Discovery Protocol vulnerabilities detailed in this document could allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges.

Successful exploitation of either of the SNMP vulnerabilities could allow an attacker to execute arbitrary code with elevated privileges, which could lead to a complete compromise of an affected device.

Successful exploitation of the jumbo packet vulnerability could allow an attacker to cause a device to restart. A sustained attack could result in an extended DoS condition.

Link: http://tools.cisco.com…/cisco-sa-20130424-nxosmulti

 

Cisco Device Manager Command Execution Vulnerability
Cisco Device Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on a client host with the privileges of the user. This vulnerability affects Cisco Device Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when it is installed or launched via the Java Network Launch Protocol (JNLP) on a host running Microsoft Windows.

Vulnerable Products
This vulnerability affects the following versions of Cisco Device Manager for the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches: Cisco Device Manager versions 5.x and earlier.

Details
A vulnerability in the Java Archive (JAR) executable files that are downloaded via JNLP from the Cisco MDS 9000 Series or Cisco Nexus 5000 Series Switches could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host that is executing the JNLP file. Command execution would occur with the privileges of the user.

The vulnerability is due to insufficient validation of certain parameters passed by the element-manager.jnlp file and executed by the affected JAR files. An attacker may exploit this vulnerability by redirecting the user to download a crafted version of the element-manager.jnlp file and execute the file.

Impact
Successful exploitation may allow an attacker to execute arbitrary commands on a host with the privileges of the user.

Link: http://tools.cisco.com/…/cisco-sa-20130424-fmdm

 

Multiple Vulnerabilities in Cisco Unified Computing System
Managed and standalone Cisco Unified Computing System (UCS) deployments contain one or more of the following vulnerabilities:

  • Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
  • Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
  • Cisco Unified Computing Management API Denial of Service Vulnerability
  • Cisco Unified Computing System Information Disclosure Vulnerability
  • Cisco Unified Computing System KVM Authentication Bypass Vulnerability

Vulnerable Products
The following products are affected by one or more of the vulnerabilities detailed in this advisory:

  • Cisco Unified Computing System 6100 Series Fabric Interconnect
  • Cisco Unified Computing System 6200 Series Fabric Interconnect
  • Cisco Unified Computing System Cisco Integrated Management Controllers

Details

  • Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability: Cisco UCS Manager contains an LDAP authentication bypass vulnerability. This vulnerability could allow an unauthenticated, remote attacker who can access the Cisco UCS Manager Web Console to authenticate as a specific user without providing valid authentication credentials. To exploit the vulnerability the attacker would need to submit a malformed request to a Cisco UCS Manager login page designed to leverage this vulnerability.
  • Cisco Unified Computing System IPMI Buffer Overflow Vulnerability: Cisco UCS Manager contains a buffer overflow vulnerability in the Intelligent Platform Management Interface (IPMI) implementation that is hosted on the Cisco UCS Fabric Interconnect. An unauthenticated, remote attacker who can submit a properly malformed request to the IPMI service via UDP port 623 could trigger a buffer overflow. This could allow the attacker to execute arbitrary code with elevated privileges.
  • Cisco Unified Computing Management API Denial of Service Vulnerability: Cisco UCS Manager contains a denial of service vulnerability in the management API. An unauthenticated, remote attacker who can submit a properly malformed request to the XML API management service of the Cisco UCS Manager could cause the service to stop responding. As a result, administrators could not make configuration changes or perform management actions on the Fabric Interconnect and computing resources managed by the device. A restart of the Fabric Interconnect is required to restore functionality.
  • Cisco Unified Computing System Information Disclosure Vulnerability: Cisco UCS Manager contains an information disclosure vulnerability. An unauthenticated, remote attacker could access technical support or local backup files that were created by a device administrator. The attacker would need to access the web interface of the Cisco UCS Manager to exploit this vulnerability.
  • Cisco Unified Computing System KVM Authentication Bypass Vulnerability: Cisco UCS platforms contain an IP keyboard, video, mouse (KVM) authentication bypass vulnerability. An unauthenticated, remote attacker who can send a malicious KVM authentication request to the Cisco IMC of a managed computing resource could bypass authentication and gain access to the IP KVM console of the physical or virtual device. This vulnerability could also allow an unauthenticated, remote attacker to join an existing, active IP KVM session if the active owner confirms the request or fails to respond to the request within 60 seconds.

Impact
Successful exploitation of the vulnerabilities detailed in this advisory could allow an attacker to take complete control of the affected device or cause a persistent denial of service condition.

Successful exploitation of the IP KVM vulnerability will allow an attacker to access the console of a virtual or physical computing resource. The extended impact of that access will depend on the state of the device and the installed operating system.

Link: http://tools.cisco.com/…/cisco-sa-20130424-ucsmulti

 

Cisco Network Admission Control Manager SQL Injection Vulnerability
Cisco Network Admission Control (NAC) Manager contains a vulnerability that could allow an unauthenticated remote attacker to execute arbitrary code and take full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify any information in the NAC Manager database.

Vulnerable Products
Cisco NAC Manager versions prior to the following are affected by this vulnerability:

  • 4.9.2
  • 4.8.3.1

Details
Cisco NAC Manager contains a vulnerability that could allow an unauthenticated remote attacker to execute arbitrary code and take full control of the vulnerable system. This vulnerability is due to improper validation of user-supplied requests by the Cisco NAC Manager. An attacker could exploit this vulnerability by injecting Structured Query Language (SQL) commands. An exploit could allow the attacker to execute arbitrary queries and take full control of the affected system.
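The advisory does not describe the vulnerable request, so the following is an added illustration (written for this page, not Cisco's code) of the general defect it names: a query assembled from user input, beside the same lookup with a bound parameter. The `users` table, its columns, the rows and the hash values are constructed for the example and have nothing to do with NAC Manager's schema.

```python
import sqlite3

# Constructed sample table standing in for an application user store; names,
# columns and hash values are assumptions for this example, not NAC Manager data.
SAMPLE_USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99", "Admin"),
    ("helpdesk", "e99a18c428cb38d5f260853678922e03", "Helpdesk"),
]


def make_db():
    """Fresh in-memory database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Query text built by string formatting: the caller's input is parsed as SQL."""
    sql = "SELECT username, pw_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: one widens the WHERE clause to every row, the other
# appends a second query and comments out the closing quote the application adds.
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT role, pw_hash FROM users --"


def demo():
    """Run both payloads against both lookups; returns {payload: (vulnerable_rows, hardened_rows)}."""
    conn = make_db()
    return {p: (lookup_vulnerable(conn, p), lookup_hardened(conn, p)) for p in (TAUTOLOGY, UNION)}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print("payload %-45r  vulnerable: %d rows  hardened: %d rows" % (payload, len(vuln), len(safe)))
```

Both payloads pull every stored password hash out of the string-built query and return nothing from the parameterised one; the point is that binding parameters removes the whole class rather than filtering individual characters.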

Impact
Successful exploitation of the vulnerability could allow the attacker to execute arbitrary queries on the Cisco NAC Manager and take full control of the affected system.

A successful attack could allow an unauthenticated attacker to access, create or modify information such as usernames and password hashes in the NAC Manager database. A successful attack also has the potential to create, modify, or delete arbitrary and system files and to copy sensitive information from the vulnerable device.

Link: http://tools.cisco.com/…/cisco-sa-20130417-nac

 

Cisco TelePresence Infrastructure Denial of Service Vulnerability
Cisco TelePresence multipoint control unit (MCU) and Cisco TelePresence Server contain a vulnerability that could allow an unauthenticated, remote attacker to trigger the reload of an affected system.

Vulnerable Products
The following Cisco TelePresence Infrastructure products are affected by this vulnerability:

  • Cisco TelePresence MCU 4501 Series, MCU 4500 Series and Cisco TelePresence MCU MSE 8510 versions 4.3(2.18) and earlier
  • Cisco TelePresence Server versions 2.2(1.54) and earlier
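The "prior to" and "and earlier" phrasing in this and the preceding NAC Manager advisory is easy to misread when an inventory spans several release trains (NAC Manager has a separate fixed release for the 4.8 and 4.9 trains, and the TelePresence versions use Cisco's `4.3(2.18)` notation). The following added Python helper, not from Cisco, applies both advisories' rules to version strings; the tuple-based ordering of `4.3(2.18)`-style versions and the sample inventory are assumptions, and Cisco's own advisory text remains the authority for any release it does not name.

```python
import re

# Release data copied from the two advisories summarised on this page.
NAC_FIXED_RELEASES = ["4.9.2", "4.8.3.1"]          # "versions prior to" these are affected
TELEPRESENCE_LAST_AFFECTED = {                      # "... and earlier" is affected
    "TelePresence MCU": "4.3(2.18)",
    "TelePresence Server": "2.2(1.54)",
}


def parse_version(text):
    """Turn a Cisco-style version such as '4.3(2.18)' or '4.8.3.1' into a tuple of ints.
    Every run of digits is one component, so '4.3(2.18)' -> (4, 3, 2, 18); tuple
    comparison then orders releases the way the advisories do (assumption)."""
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    if not parts:
        raise ValueError("no numeric components in %r" % text)
    return parts


def nac_status(version):
    """'affected' / 'fixed' / 'not listed' for Cisco NAC Manager, honouring the per-train fixes."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in NAC_FIXED_RELEASES]
    same_train = [f for f in fixed if f[:2] == v[:2]]   # e.g. 4.8.x is judged against 4.8.3.1
    if same_train:
        return "affected" if v < max(same_train) else "fixed"
    if v < min(fixed):
        return "affected"        # older than every fixed train the advisory names
    return "not listed"          # a newer train the advisory does not mention: check the source


def telepresence_status(product, version):
    """'affected' if the release is at or below the last affected release for that product."""
    last = parse_version(TELEPRESENCE_LAST_AFFECTED[product])
    return "affected" if parse_version(version) <= last else "not affected"


# Constructed inventory entries (product, version) for a quick run; not a real estate.
SAMPLE_INVENTORY = [
    ("NAC Manager", "4.8.3"),
    ("NAC Manager", "4.9.2"),
    ("TelePresence MCU", "4.3(2.18)"),
    ("TelePresence Server", "2.3(1.2)"),
]


def check_inventory(items):
    """Return [(product, version, status)] for each inventory entry."""
    out = []
    for product, version in items:
        status = nac_status(version) if product == "NAC Manager" else telepresence_status(product, version)
        out.append((product, version, status))
    return out


if __name__ == "__main__":
    for product, version, status in check_inventory(SAMPLE_INVENTORY):
        print("%-20s %-12s %s" % (product, version, status))
```

Note the two edge cases the helper is written around: `4.8.3` is affected even though it is numerically close to the fix, because `4.8.3.1` is the first fixed release in that train, and a train the advisory does not mention is reported as `not listed` rather than silently marked fixed.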

Details
A vulnerability in the digital signal processor (DSP) card could allow an unauthenticated, remote attacker to cause a crash of the DSP card which will trigger a reload of the affected system.

The vulnerability is due to insufficient validation of a malformed H.264 bit stream that is transported in a Real-Time Transport Protocol (RTP) packet payload. An attacker could exploit this vulnerability by injecting RTP packets with a malformed H.264 bit stream into an established Session Initiation Protocol (SIP) or H.323 session. An exploit could allow the attacker to cause the reload of the affected system.

Impact
Successful exploitation of the vulnerability may cause the reload of the affected system.

Link: http://tools.cisco.com/…/cisco-sa-20130417-tpi

 

 

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:

  • Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
  • Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
  • Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
  • Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
  • Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

Vulnerable Products

  • Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability and Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability: These vulnerabilities are triggered when a fragmented multicast IP version 6 (IPv6) or a fragmented IPv6 Multicast VPN (MVPNv6) packet is received by an affected Cisco ASR device. The fragmented multicast packet processed by Cisco Multicast Leaf Recycle Elimination (MLRE) may cause a Cisco ESP card on the Cisco ASR device to reload. Multiple features configured on the Cisco ASR 1000 may trigger this kind of processing that will lead to a crash.
  • Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload when processing a large number of specific Layer 2 Tunneling Protocol (L2TP) packets while L2TP Network Server (LNS) termination or L2TPv3 Ethernet Pseudowire (xconnect) is enabled. L2TP LNS termination and xconnect are not enabled by default.
  • Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload during the processing of packets when the bridge domain interface (BDI) feature is configured.
  • Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that may cause an affected device to reload while processing Session Initiation Protocol (SIP) packets that undergo Network Address Translation (NAT) within a Virtual Routing and Forwarding (VRF) instance and SIP Application Layer Gateway (ALG) inspection. An attacker could exploit this vulnerability by sending a large number of SIP packets traversing a device configured for NAT.

Details

  • Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.
  • Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.
  • Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a DoS condition.
  • Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition.
  • Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability: Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition.

Impact
Successful exploitation of any of the vulnerabilities listed above may allow a remote, unauthenticated attacker to reload the Embedded Services Processor (ESP) card, causing interruption of services.

Link: http://tools.cisco.com/…/cisco-sa-20130410-asr1000

 

Multiple Vulnerabilities in Cisco Firewall Services Module Software
Cisco Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities:

  • FWSM HTTP Proxy Traceback Vulnerability
  • IKE Version 1 Denial of Service Vulnerability

Vulnerable Products

  • FWSM HTTP Proxy Traceback Vulnerability: A Cisco FWSM is affected by this vulnerability when running an affected version of Cisco FWSM Software with the auth-proxy feature configured. The auth-proxy feature is not enabled by default. See the “Details” section for information on determining whether a device has a vulnerable configuration.
  • IKE Version 1 Denial of Service Vulnerability: A Cisco FWSM is affected by this vulnerability if IKE version 1 is enabled. IKE is not enabled by default. See the “Details” section for information on determining whether a device has a vulnerable configuration.

Details

  • FWSM HTTP Proxy Traceback Vulnerability: The auth-proxy feature in Cisco Firewall Services Module (FWSM) Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of an affected device.
  • IKE Version 1 Denial of Service Vulnerability: A Cisco FWSM is affected by this vulnerability if IKE version 1 is enabled. IKE version 1 is enabled if the command isakmp enable <interface name> is configured.

Impact
Successful exploitation of either of these vulnerabilities may result in a reload of an affected device, leading to a DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20130410-fwsm

 

Multiple Vulnerabilities in Cisco ASA Software
Cisco ASA Software is affected by the following vulnerabilities:

  • IKE Version 1 Denial of Service Vulnerability
  • Crafted URL Denial of Service Vulnerability
  • Denial of Service During Validation of Crafted Certificates
  • DNS Inspection Denial of Service Vulnerability

Vulnerable Products

  • IKE Version 1 Denial of Service Vulnerability: A device running Cisco ASA Software is affected by this vulnerability if IKE version 1 is enabled.
  • Crafted URL Denial of Service Vulnerability: A device running Cisco ASA Software is affected by this vulnerability if the device is using authentication, authorization, and accounting (AAA) for network access control and HTTP(S) listening ports to authenticate network users are enabled. HTTP(S) listening ports to authenticate network users are enabled if the command aaa authentication listener is configured.
  • Denial of Service During Validation of Crafted Certificates: To be vulnerable, Cisco ASA Software must have at least one authenticated trustpoint enrolled with a third-party certificate authority or enrolled with the Cisco ASA local certificate authority.
  • DNS Inspection Denial of Service Vulnerability: Cisco ASA Software is affected by this vulnerability if DNS inspection is enabled.
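Every item in this advisory, and the IKEv1 item in the FWSM advisory above, is conditional on configuration rather than on software version alone, so the practical first step is to grep running-configs for the triggering commands. The following added Python script (written for this page, not a Cisco tool) does that for the four ASA conditions. The sample configuration is constructed and not from any real device; the `crypto ikev1 enable` spelling accepted alongside the advisory's `isakmp enable` is the form newer ASA releases use; and treating a stored certificate under `crypto ca certificate chain` as the sign of an authenticated, enrolled trustpoint is an assumption of this example.

```python
import re

# Constructed running-config excerpt, not taken from any real device. It turns on every
# feature the advisory names so that each check below has something to match against.
SAMPLE_CONFIG = """\
hostname asa-edge
crypto isakmp enable outside
aaa authentication listener http inside port 8080 redirect
crypto ca trustpoint CORP-CA
 enrollment terminal
 crl configure
crypto ca certificate chain CORP-CA
 certificate ca 01
    308201a4 30820...
  quit
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# Single-line indicators. The IKEv1 pattern accepts the "isakmp enable" form the
# advisory quotes and the "crypto ikev1 enable" form of newer ASA releases.
LINE_CHECKS = {
    "IKE Version 1 Denial of Service": re.compile(r"^(?:crypto )?(?:isakmp|ikev1) enable \S+", re.M),
    "Crafted URL Denial of Service": re.compile(r"^aaa authentication listener ", re.M),
    "DNS Inspection Denial of Service": re.compile(r"^[ \t]+inspect dns\b", re.M),
}


def enrolled_trustpoints(config):
    """Names of trustpoints whose 'crypto ca certificate chain' block stores a certificate.
    Assumption for this example: a stored certificate entry is what an authenticated
    (enrolled) trustpoint looks like in the running-config; a bare 'crypto ca trustpoint'
    definition that was never authenticated has no chain block and is not counted."""
    found, current = set(), None
    for line in config.splitlines():
        m = re.match(r"crypto ca certificate chain (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None            # back at top level: the chain block has ended
        elif current and re.match(r"\s+certificate\b", line):
            found.add(current)
    return sorted(found)


def audit(config):
    """Map each advisory item to True if the config exposes the feature it needs."""
    hits = {name: bool(rx.search(config)) for name, rx in LINE_CHECKS.items()}
    hits["Crafted Certificate Validation Denial of Service"] = bool(enrolled_trustpoints(config))
    return hits


def exposed(config):
    """Just the names of the advisory items this config is exposed to, sorted."""
    return sorted(name for name, hit in audit(config).items() if hit)


if __name__ == "__main__":
    for name, hit in audit(SAMPLE_CONFIG).items():
        print("%-50s %s" % (name, "EXPOSED" if hit else "not exposed"))
```

Two caveats when running this over a real estate: `inspect dns` is part of the ASA's default global service policy, so the DNS check will fire on most devices and the fix is the software upgrade rather than a configuration change; and the FWSM advisory's auth-proxy condition is not checked here because the page gives no command for it, so consult the advisory for that one.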

Details

  • IKE Version 1 Denial of Service Vulnerability: The vulnerability is due to the incorrect processing of an incoming IKE version 1 message. An attacker could exploit this vulnerability by sending a crafted IKE message. An exploit could allow the attacker to cause a reload of an affected device.
  • Crafted URL Denial of Service Vulnerability: A vulnerability in the URL processing code of the authentication proxy feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of an affected device.
  • Denial of Service During Validation of Crafted Certificates: A vulnerability in the implementation of the function used to validate digital certificates for authentication could allow an unauthenticated, remote attacker to cause a reload of an affected device.
  • DNS Inspection Denial of Service Vulnerability: Cisco ASA Software DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning.

Impact
Successful exploitation of any of the vulnerabilities described in this security advisory may cause a reload of an affected device. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20130410-asa

 

Cisco Prime Network Control Systems Database Default Credentials Vulnerability
Cisco Prime Network Control System (NCS) appliances that are running software versions prior to 1.1.1.24 contain a database user account that is created with default credentials. An attacker could use this account to modify the configuration of the application or disrupt services.

Vulnerable Products
Cisco Prime Network Control System versions prior to 1.1.1.24

Details
Cisco Prime NCS contains default credentials for the database user. A remote attacker could use the default credentials to modify the configuration settings of a device or disrupt services.

Impact
Successful exploitation of the vulnerability could allow an unauthorized, remote user to use the default credentials to modify the configuration settings of a device or to disrupt services.

Link: http://tools.cisco.com/…/cisco-sa-20130410-ncs

 

Multiple Vulnerabilities in Cisco Unified MeetingPlace Solution
Cisco Unified MeetingPlace Application Server contains an authentication bypass vulnerability and Cisco Unified MeetingPlace Web Conferencing Server contains an arbitrary login vulnerability. For both vulnerabilities, successful exploitation could allow an unauthenticated, remote attacker to impersonate a legitimate user and send arbitrary commands to the affected system with the privileges of that user.

Vulnerable Products
The following versions of Cisco Unified MeetingPlace Application Server software are affected by the Cisco Unified MeetingPlace Application Server Authentication Bypass Vulnerability: 7.0, 7.1, 8.0, 8.5.

The following versions of Cisco Unified MeetingPlace Web Conferencing Server software are affected by the Cisco Unified MeetingPlace Web Conferencing Server Arbitrary Login Vulnerability: 7.0, 7.1, 8.0, 8.5.

Details

  • Cisco Unified MeetingPlace Application Server Authentication Bypass Vulnerability: A vulnerability in the authentication code of the webserver component of Cisco Unified MeetingPlace Application Server could allow an unauthenticated, remote attacker to take over a user session after the user has logged out from the affected system. The vulnerability is due to the affected system not invalidating a user's session when the user logs out. An attacker could exploit this vulnerability by crafting an HTTP GET or POST request and sending it to the affected system. To succeed, the attacker must know the session cookie value of a user that has previously logged out. The Cisco Unified MeetingPlace Application Server will automatically invalidate the session cookie after 30 minutes; therefore the attacker has 30 minutes to perform the attack. An exploit could allow the attacker to impersonate a legitimate user and compromise the confidentiality, integrity and availability of the affected system with the privileges of that user.
  • Cisco Unified MeetingPlace Web Conferencing Server Arbitrary Login Vulnerability: A vulnerability in the authentication code of the Cisco Unified MeetingPlace Web Conferencing Server could allow an unauthenticated, remote attacker to impersonate a legitimate user and issue arbitrary commands to the affected system. The vulnerability is due to insufficient verification of the user cookies when the Remember Me option is configured on the affected system. An attacker could exploit this vulnerability by crafting a login request and sending it to the affected system. The attacker must know a valid user name to execute the attack. An exploit could allow the attacker to impersonate a legitimate user and compromise the confidentiality, integrity and availability of the affected system with the privileges of that user.
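Both defects are general web-session mistakes, so here is an added Python model of them (written for this page, not Cisco's code) with the usual fixes beside them: a session store that honours only the 30-minute expiry and ignores logout, next to one that discards the session when logout is processed; and a Remember Me cookie that carries nothing but the user name, next to one bound to a server-side key with an expiry. `SESSION_TTL`, the store classes, the `user=...;exp=...;mac=...` cookie layout and the user names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60   # the 30-minute automatic expiry the advisory describes


class VulnerableSessionStore:
    """Sessions die on a timer only; logout changes nothing on the server.
    `clock` is injectable so the scenario below can move time forward deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}          # cookie value -> (username, created_at)

    def login(self, username):
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (username, self._clock())
        return cookie

    def user_for(self, cookie):
        """Resolve a presented cookie; None if unknown or older than SESSION_TTL."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        username, created = entry
        if self._clock() - created > SESSION_TTL:
            self._sessions.pop(cookie, None)
            return None
        return username

    def logout(self, cookie):
        """The defect: nothing is removed server-side, so the cookie keeps working."""
        return True


class FixedSessionStore(VulnerableSessionStore):
    def logout(self, cookie):
        """Server-side invalidation: the old cookie value is dead once logout is processed."""
        return self._sessions.pop(cookie, None) is not None


def replay_after_logout(fixed, elapsed_seconds):
    """Log in, log out, advance the clock, then present the old cookie as an attacker
    who learned it would. Returns True if the server still maps it to the user."""
    now = [1_000_000.0]
    store = (FixedSessionStore if fixed else VulnerableSessionStore)(clock=lambda: now[0])
    cookie = store.login("alice")
    store.logout(cookie)
    now[0] += elapsed_seconds
    return store.user_for(cookie) == "alice"


def remember_me_cookie_weak(username):
    """Models insufficient verification: the cookie is just the user name, so anyone
    who knows a valid user name can mint one."""
    return "user=%s" % username


def remember_me_cookie_signed(username, key, expires_at):
    """Bind user name and expiry to a server-side key with HMAC-SHA256."""
    payload = "user=%s;exp=%d" % (username, expires_at)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + ";mac=" + mac


def verify_remember_me(cookie, key, now):
    """Return the user name only if the MAC verifies and the cookie has not expired."""
    payload, _, mac = cookie.rpartition(";mac=")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    fields = dict(part.split("=", 1) for part in payload.split(";"))
    if now > int(fields["exp"]):
        return None
    return fields["user"]


if __name__ == "__main__":
    print("vulnerable store, replay 1 min after logout:", replay_after_logout(False, 60))
    print("vulnerable store, replay after the TTL     :", replay_after_logout(False, SESSION_TTL + 1))
    print("fixed store, replay right after logout     :", replay_after_logout(True, 0))
    key = secrets.token_bytes(32)
    print("signed cookie accepted:", verify_remember_me(remember_me_cookie_signed("bob", key, 2_000_000), key, 1_000_000))
    print("weak cookie accepted  :", verify_remember_me(remember_me_cookie_weak("bob"), key, 1_000_000))
```

The 30-minute window in the first advisory is exactly the gap between `VulnerableSessionStore.logout` and the TTL check in `user_for`. For Remember Me, the signed cookie is the minimum that defeats an attacker who knows only a user name; a random token stored server-side is the stronger design because it can also be revoked per user.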

Impact
Successful exploitation of these vulnerabilities may allow the attacker to impersonate a legitimate user and send arbitrary commands to the affected system with the privileges of that user.

Link: http://tools.cisco.com/…/cisco-sa-20130410-mp
