January 2013: five Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories:

  • Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
  • Multiple Vulnerabilities in Cisco Wireless LAN Controllers
  • Cisco ASA 1000V Cloud Firewall H.323 Inspection Denial of Service Vulnerability
  • Cisco Prime LAN Management Solution Command Execution Vulnerability
  • Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability


Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
The Portable Software Developer Kit (SDK) for Universal Plug and Play (UPnP) Devices, better known as the libupnp library and originally released as the Intel SDK for UPnP Devices, is vulnerable to multiple stack-based buffer overflows when handling malicious Simple Service Discovery Protocol (SSDP) requests. The library is embedded in network devices from many vendors as well as in media streaming and file sharing applications.

Details
The Portable SDK for UPnP Devices is affected by at least three remotely exploitable buffer overflows, reachable while processing incoming SSDP requests on UDP port 1900. The following CVE IDs document these vulnerabilities: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, and CVE-2012-5965.

Impact
A remote, unauthenticated attacker could send a malicious SSDP request to an affected device and trigger a buffer overflow. Because the request is a single UDP datagram with no prior exchange, no authentication or session is needed. Successful exploitation could allow arbitrary code execution or a disruption of service on the affected device.

Link: http://tools.cisco.com/…/cisco-sa-20130129-upnp
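
As an added example (not part of Cisco's advisory or the libupnp project), the following Python script sends a single SSDP M-SEARCH on the local segment and reads the SERVER header of each response, flagging builds that advertise a Portable (or Intel) SDK for UPnP Devices version below 1.6.18, the upstream libupnp release that corrected these overflows. The sample response is constructed; the version threshold and the pattern matched against vendor-formatted SERVER strings are assumptions about how devices identify themselves, not something the advisory states.

```python
"""Added example: discover UPnP responders and flag old libupnp builds.

Not Cisco's or libupnp's code; written for this page. Assumes devices
advertise the SDK in their SSDP SERVER header and that 1.6.18 is the
first fixed upstream release.
"""
import re
import socket
from typing import Optional, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)   # standard SSDP multicast group/port
FIXED_LIBUPNP = (1, 6, 18)              # assumed upstream fix version

# A plain discovery request: it exercises the same SSDP parser that the
# overflows live in, but carries nothing malformed.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode()

# Matches "Portable SDK for UPnP devices/1.6.6" or "Intel SDK for UPnP devices /1.2".
SDK_RE = re.compile(
    r"(?:Portable|Intel) SDK for UPnP devices\s*/\s*(\d+)\.(\d+)(?:\.(\d+))?", re.I
)

# Constructed sample of what an affected device answers with.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"SERVER: Linux/2.6.30, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"LOCATION: http://192.0.2.10:49152/description.xml\r\n"
    b"\r\n"
)


def parse_ssdp_headers(payload: bytes) -> dict:
    """Parse an HTTP-style SSDP response into a lower-cased header dict."""
    headers = {}
    for line in payload.decode("latin-1").split("\r\n")[1:]:   # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def libupnp_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return the SDK version advertised in a SERVER header, or None."""
    m = SDK_RE.search(server_header)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(payload: bytes) -> dict:
    """Classify one SSDP response by its advertised libupnp version."""
    server = parse_ssdp_headers(payload).get("server", "")
    version = libupnp_version(server)
    return {
        "server": server,
        "libupnp": version,
        "likely_vulnerable": version is not None and version < FIXED_LIBUPNP,
    }


def discover(timeout: float = 3.0):
    """Send one M-SEARCH and collect (source_ip, assessment) for each reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(M_SEARCH, SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65535)
            results.append((addr[0], assess(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    for host, info in discover():
        flag = "CHECK" if info["likely_vulnerable"] else "ok"
        print(f"{host:15} {flag:5} {info['server']}")
```

The SERVER header is self-reported: a vendor may backport the fix without changing the version string, or rename the SDK string entirely, so a CHECK result is a lead for firmware verification rather than a confirmed vulnerability, and a missing string does not clear a device. The script only sends the ordinary discovery request; it never sends the malformed requests that trigger the overflows.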

Multiple Vulnerabilities in Cisco Wireless LAN Controllers
The Cisco Wireless LAN Controller (Cisco WLC) product family is affected by the following four vulnerabilities:

  • Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability
  • Cisco Wireless LAN Controllers Session Initiation Protocol Denial of Service Vulnerability
  • Cisco Wireless LAN Controllers HTTP Profiling Remote Code Execution Vulnerability
  • Cisco Wireless LAN Controllers SNMP Unauthorized Access Vulnerability

Vulnerable Products
Each of the following products is affected by at least one of the vulnerabilities covered in this security advisory:

  • Cisco 2000 Series WLC
  • Cisco 2100 Series WLC
  • Cisco 2500 Series WLC
  • Cisco 4100 Series WLC
  • Cisco 4400 Series WLC
  • Cisco 5500 Series WLC
  • Cisco 7500 Series WLC
  • Cisco 8500 Series WLC
  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco Wireless Services Module (Cisco WiSM)
  • Cisco Wireless Services Module version 2 (Cisco WiSM version 2)
  • Cisco NME-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Module for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLCs
  • Cisco Flex 7500 Series Cloud Controller
  • Cisco Virtual Wireless Controller
  • Cisco Wireless Controller Software for Integrated Services Module 300 and Cisco Services-Ready Engine 700, 710, 900, and 910

Details

  • Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability: The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability that could allow an unauthenticated, remote attacker to cause the device to reload by sending crafted IP packets to the affected device. This vulnerability affects Cisco WLCs that are configured with Wireless Intrusion Prevention System (wIPS). This vulnerability can be exploited from both wired and wireless segments.
  • Cisco Wireless LAN Controllers Session Initiation Protocol Denial of Service Vulnerability: A denial of service (DoS) vulnerability exists on Cisco wireless access points (APs) managed by Cisco Wireless LAN Controllers (WLC) that could allow an unauthenticated, remote attacker to cause the AP to reload by sending crafted Session Initiation Protocol (SIP) packets to the affected device. This vulnerability can be exploited from both wired and wireless segments. It can be triggered by transit traffic, even if SIP features are disabled on the device.
  • Cisco Wireless LAN Controllers HTTP Profiling Remote Code Execution Vulnerability: The HTTP Profiling feature of Cisco WLC devices is affected by a remote code execution vulnerability that may allow an authenticated, remote attacker to execute arbitrary code on an affected device by sending a crafted HTTP User-Agent header. This vulnerability can be exploited from both wired and wireless segments. Only Cisco WLC Software version 7.3.101.0 is affected, and a device is vulnerable only if the HTTP Profiling feature is enabled.
  • Cisco Wireless LAN Controllers SNMP Unauthorized Access Vulnerability: The Cisco Wireless LAN Controller (WLC) product family is affected by an unauthorized access vulnerability in which an authenticated attacker (one holding valid SNMP credentials) could view and modify the configuration of an affected Cisco WLC via SNMP even if the “management over wireless” feature is disabled.

Impact

  • Successful exploitation of the DoS vulnerabilities could allow an unauthenticated attacker to cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.
  • Successful exploitation of the HTTP Profiling Remote Code Execution Vulnerability could allow an authenticated, remote attacker to execute arbitrary code on the affected device.
  • Successful exploitation of the unauthorized access vulnerability could allow an authenticated attacker to view or modify the device configuration even if the “management over wireless” feature is disabled.

Link: http://tools.cisco.com/…/cisco-sa-20130123-wlc

Cisco ASA 1000V Cloud Firewall H.323 Inspection Denial of Service Vulnerability
A vulnerability in Cisco Adaptive Security Appliance (ASA) Software for the Cisco ASA 1000V Cloud Firewall may cause the Cisco ASA 1000V to reload after processing a malformed H.323 message. Cisco ASA 1000V Cloud Firewall is affected when H.323 inspection is enabled.

Vulnerable Products
Versions 8.7.1 and 8.7.1.1 of Cisco ASA Software for the Cisco ASA 1000V Cloud Firewall are affected by this vulnerability if H.323 inspection is enabled. H.323 Inspection for both H.225 and Registration, Admission and Status (RAS) messages is enabled by default. The vulnerability exists only if H.323 inspection for H.225 messages is enabled. H.323 inspection for RAS messages has no effect on this vulnerability.

Details
Cisco ASA Software for the ASA 1000V Cloud Firewall versions 8.7.1 and 8.7.1.1 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of the Cisco ASA 1000V. The vulnerability is due to incorrect handling of malformed H.323 packets. An attacker could exploit it by sending a crafted H.323 packet through the affected device; the packet need not be addressed to the firewall itself, only inspected by it. A successful exploit reloads the Cisco ASA 1000V Cloud Firewall, resulting in a denial of service (DoS) condition.

Impact
Successful exploitation of this vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20130116-asa1000v
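
Since exposure depends on whether H.225 inspection is active under an applied service policy, the following is an added example (not Cisco code) of a small Python audit over a saved ASA running-config: it parses the policy maps, finds which ones are actually applied, and reports every class where "inspect h323 h225" is on. The configuration excerpt is constructed to mirror the factory default policy the advisory describes, with both the H.225 and RAS inspectors enabled.

```python
"""Added example: audit ASA config text for active H.225 inspection.

Not Cisco code. The config excerpt is constructed for this page and mirrors
the default global_policy, where both H.323 inspectors are enabled.
"""
import re

SAMPLE_CONFIG = """\
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
!
service-policy global_policy global
"""


def parse_policy_maps(config: str) -> dict:
    """Return {policy_map: {class_name: [inspect lines]}} from ASA config text.

    Only plain 'policy-map NAME' blocks are collected; 'policy-map type inspect'
    blocks (per-protocol parameter maps) are skipped.
    """
    policy_maps = {}
    current_pm = None
    current_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue
        m = re.match(r"policy-map (\S+)$", line)
        if m:
            current_pm = m.group(1)
            current_class = None
            policy_maps.setdefault(current_pm, {})
            continue
        if current_pm is None:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                       # any unindented line ends the block
            current_pm = None
            continue
        m = re.match(r"class (\S+)$", stripped)
        if m and indent == 1:
            current_class = m.group(1)
            policy_maps[current_pm].setdefault(current_class, [])
            continue
        if current_class and stripped.startswith("inspect "):
            policy_maps[current_pm][current_class].append(stripped)
    return policy_maps


def applied_policies(config: str) -> dict:
    """Map 'global' or 'interface NAME' to the policy-map applied there."""
    applied = {}
    for m in re.finditer(r"^service-policy (\S+) (global|interface \S+)$", config, re.M):
        applied[m.group(2)] = m.group(1)
    return applied


def h225_inspection_exposures(config: str) -> list:
    """List (scope, policy-map, class) tuples where 'inspect h323 h225' is active."""
    pms = parse_policy_maps(config)
    findings = []
    for scope, pm in applied_policies(config).items():
        for cls, inspects in pms.get(pm, {}).items():
            if "inspect h323 h225" in inspects:
                findings.append((scope, pm, cls))
    return findings


if __name__ == "__main__":
    for scope, pm, cls in h225_inspection_exposures(SAMPLE_CONFIG):
        print(f"H.225 inspection active: policy-map {pm}, class {cls}, applied {scope}")
```

On an affected 8.7.1 or 8.7.1.1 ASA 1000V, the interim mitigation before upgrading is to enter the class under the applied policy map and remove only the H.225 inspector with `no inspect h323 h225`, leaving `inspect h323 ras` in place since RAS inspection has no bearing on the bug; then confirm with `show running-config policy-map` that no policy map applied to an interface still carries it. Without H.225 inspection the firewall no longer opens the dynamic media ports that H.323 calls negotiate, so check for voice traffic that depends on it first.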

Cisco Prime LAN Management Solution Command Execution Vulnerability
Cisco Prime LAN Management Solution (LMS) Virtual Appliance contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands with the privileges of the root user. The vulnerability is due to improper validation of authentication and authorization commands sent to certain TCP ports. An attacker could exploit this vulnerability by connecting to the affected system and sending arbitrary commands.

Vulnerable Products
  Cisco Prime LMS Virtual Appliance version   Affected
  4.1                                         Yes
  4.2                                         Yes
  4.2.1                                       Yes
  4.2.2                                       Yes
  4.2.3                                       No

Details
The Linux-based Cisco Prime LAN Management Solution (LMS) Virtual Appliance contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands with the privileges of the root user. The vulnerability is due to improper validation of authentication and authorization commands by the remote shell server (rshd) running on the affected system. An attacker could exploit this vulnerability by connecting to the remote shell (rsh) service of the affected system (conventionally TCP port 514) and sending arbitrary commands.

Impact
Successful exploitation of the vulnerability may allow remote execution of arbitrary commands on the affected system with the privileges of the root user.

Link: http://tools.cisco.com/…/cisco-sa-20130109-lms
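
For the detection side of this advisory, here is an added example (not Cisco code): the classic BSD rsh service listens on TCP port 514, and a client request is four NUL-terminated fields (stderr port, client username, server username, command). The Python below decodes such frames from captured payloads and raises an alert for any rsh request aimed at a management host, which should never see rsh traffic at all. The port number and frame layout are standard rsh conventions rather than details the advisory gives, and the flows are constructed.

```python
"""Added example: decode rsh request frames and alert on rsh to management hosts.

Not Cisco code. Assumes the BSD rsh wire format (four NUL-terminated fields)
on TCP 514; the sample flows are constructed for this page.
"""
from typing import Optional

RSH_PORT = 514

# Constructed: bytes a client sends right after connecting to rshd.
#   "<stderr port>\0<client user>\0<server user>\0<command>\0"
SAMPLE_REQUEST = b"0\x00operator\x00root\x00id\x00"

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, client payload)
SAMPLE_FLOWS = [
    ("192.0.2.77", 1022, "192.0.2.10", 514, SAMPLE_REQUEST),
    ("192.0.2.78", 40000, "192.0.2.10", 514, b"0\x00guest\x00root\x00uname -a\x00"),
    ("192.0.2.79", 1021, "192.0.2.10", 514, b"GET / HTTP/1.0\r\n\r\n"),
    ("192.0.2.79", 1021, "192.0.2.20", 514, SAMPLE_REQUEST),
]


def parse_rsh_request(payload: bytes) -> Optional[dict]:
    """Return the four rsh fields, or None if the bytes do not look like rsh."""
    parts = payload.split(b"\x00")
    if len(parts) < 5:            # four fields plus the empty tail after the last NUL
        return None
    port, local_user, remote_user, command = parts[:4]
    if not port.isdigit() or not 0 <= int(port) <= 65535:
        return None
    if not local_user or not remote_user or not command:
        return None
    return {
        "stderr_port": int(port),
        "client_user": local_user.decode("ascii", "replace"),
        "server_user": remote_user.decode("ascii", "replace"),
        "command": command.decode("latin-1"),
    }


def rsh_alerts(flows, management_hosts):
    """Yield one alert dict per rsh request sent to any of management_hosts."""
    for src, sport, dst, dport, payload in flows:
        if dport != RSH_PORT or dst not in management_hosts:
            continue
        req = parse_rsh_request(payload)
        if req is None:
            continue
        # rshd only honours clients connecting from a privileged source port
        # (512-1023); a high source port means a non-standard client or scanner.
        yield {
            "src": src,
            "dst": dst,
            "privileged_src_port": 512 <= sport <= 1023,
            **req,
        }


if __name__ == "__main__":
    for alert in rsh_alerts(SAMPLE_FLOWS, {"192.0.2.10"}):
        print(f"rsh {alert['src']} -> {alert['dst']} as {alert['server_user']}: "
              f"{alert['command']!r} (privileged port: {alert['privileged_src_port']})")
```

The frame carries nothing but usernames, so an appliance that exposes rshd on a routable interface reduces to "anyone who can reach TCP 514 runs commands as root"; the practical checks are to block 514 at the network edge, upgrade to a version the advisory marks as not affected (4.2.3), and confirm the service is no longer listening.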

Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability
Cisco Unified IP Phones 7900 Series versions 9.3(1)SR1 and prior contain an arbitrary code execution vulnerability that could allow a local attacker to execute code or modify arbitrary memory with elevated privileges. This vulnerability is due to a failure to properly validate input passed to kernel system calls from applications running in userspace. An attacker could exploit this issue by gaining local access to the device using physical access or authenticated access using SSH and executing an attacker-controlled binary that is designed to exploit the issue. Such an attack would originate from an unprivileged context.

Vulnerable Products
The following Cisco Unified IP Phones 7900 Series devices are affected by the vulnerability documented in this advisory:

  • Cisco Unified IP Phone 7906
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7975G

Details
Several models in the Cisco Unified IP Phones 7900 Series contain an input validation vulnerability that could allow a local, authenticated attacker to manipulate arbitrary areas of memory within the device. This is due to a failure to properly validate user-supplied parameters that are passed to kernel system calls. Two local access vectors have been identified: physical access to the device via the AUX port on the back of the phone, or remote access by first authenticating to the device via SSH. Once the Cisco Unified Communications Manager (CallManager) has provisioned the device, the SSH access method is disabled by default.

Impact
Successful exploitation of the vulnerability may allow a local attacker to manipulate arbitrary regions of system memory, which includes kernel space. If successful, the attacker could modify the operation of existing code or execute attacker-controlled code with elevated privileges.

Link: http://tools.cisco.com/…/cisco-sa-20130109-uipphone
