July & August 2010: ten Cisco vulnerabilities

The The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories:

• Cisco IOS XR Software Border Gateway Protocol Vulnerability
• Cisco Unified Communications Manager Denial of Service Vulnerabilities
• Cisco Unified Presence Denial of Service Vulnerabilities
• Cisco IOS Software TCP Denial of Service Vulnerability
• Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
• SQL Injection Vulnerability in Cisco Wireless Control System
• Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
• Multiple Vulnerabilities in Cisco Firewall Services Module
• CDS Internet Streamer: Web Server Directory Traversal Vulnerability
• Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability

Cisco IOS XR Software Border Gateway Protocol Vulnerability
Cisco IOS XR Software contains a vulnerability in the Border Gateway Protocol (BGP) feature. The vulnerability manifests itself when a BGP peer announces a prefix with a specific, valid but unrecognized transitive attribute. On receipt of this prefix, the Cisco IOS XR device will corrupt the attribute before sending it to the neighboring devices. Neighboring devices that receive this corrupted update may reset the BGP peering session.

Affected devices running Cisco IOS XR Software corrupt the unrecognized attribute before sending to neighboring devices, but neighboring devices may be running operating systems other than Cisco IOS XR Software and may still reset the BGP peering session after receiving the corrupted update. This is per standards defining the operation of BGP.

Cisco developed a fix that addresses this vulnerability and will be releasing free software maintenance upgrades (SMU) progressively starting 28 August 2010. This advisory will be updated accordingly as fixes become available

Vulnerable Products
To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to “Cisco IOS XR Software”. The software version is displayed after the text “Cisco IOS XR Software”.

Details
This vulnerability affects Cisco IOS XR devices running affected software versions and configured with the BGP routing feature. The vulnerability manifests itself when a BGP peer announces a prefix with a specific, valid but unrecognized transitive attribute. On receipt of this prefix, the Cisco IOS XR device will corrupt the attribute before sending it to the neighboring devices. Neighboring devices that receive this corrupted update may reset the BGP peering session.

Impact
Successful exploitation of these vulnerabilities may result in the continuous resetting of BGP peering sessions. This may lead to routing inconsistencies and a denial of service for those affected networks.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4411f.shtml

Cisco Unified Communications Manager Denial of Service Vulnerabilities
Cisco Unified Communications Manager contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of voice services.

Vulnerable Products
The following products are affected by vulnerabilities that are described in this advisory:

• Cisco Unified Communications Manager 6.x
• Cisco Unified Communications Manager 7.x
• Cisco Unified Communications Manager 8.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Cisco Unified Communications Manager will restart the affected processes, but repeated attacks may result in a sustained DoS Condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b43908.shtml

Cisco Unified Presence Denial of Service Vulnerabilities
Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of presence services.

Vulnerable Products
The following products are affected:

• Cisco Unified Presence 6.0 versions prior to 6.0(7)
• Cisco Unified Presence 7.0 versions prior to 7.0(8)

Note: Cisco Unified Presence version 8.0(1) shipped with software fixes for all the vulnerabilities described in this advisory.

Details
Cisco Unified Presence contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of presence services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected.

Impact
Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Cisco Unified Presence will restart the affected processes, but repeated attacks may result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b43909.shtml

Cisco IOS Software TCP Denial of Service Vulnerability
Cisco IOS® Software Release, 15.1(2)T is affected by a denial of service (DoS) vulnerability during the TCP establishment phase. The vulnerability could cause embryonic TCP connections to remain in a SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these states could consume system resources and prevent an affected device from accepting or initiating new TCP connections, including any TCP-based remote management access to the device.

No authentication is required to exploit this vulnerability. An attacker does not need to complete a three-way handshake to trigger this vulnerability; therefore, this vulnerability can be exploited using spoofed packets. This vulnerability may be triggered by normal network traffic.

Vulnerable Products
A Cisco device is vulnerable when it is running Cisco IOS Software Release 15.1(2)T. To determine the Cisco IOS Software Release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name displays in parentheses, followed by “Version” and the Cisco IOS Software Release name. Other Cisco devices do not have the show version command or may provide different output.

Details
Cisco IOS Software version 15.1(2)T contains a vulnerability that could cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT state without a further TCP state transition. Examining the output of the show tcp brief all command multiple times will indicate if TCP sessions remain in one of these states. This vulnerability is triggered only by TCP traffic that is terminated by or originated from the device. Transit traffic will not trigger this vulnerability.

Impact
Successful exploitation of this vulnerability may prevent some TCP applications on Cisco IOS Software from accepting any new connections. Exploitation could also prevent remote access to the affected system via the vtys. Remote access to the affected device via out-of-band connectivity to the console port should still be available.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4095e.shtml

Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain the following DoS vulnerabilities:

• Real-Time Streaming Protocol (RTSP) inspection DoS vulnerability
• HTTP, RTSP, and Session Initiation Protocol (SIP) inspection DoS vulnerability
• Secure Socket Layer (SSL) DoS vulnerability
• SIP inspection DoS vulnerability

Vulnerable Products
The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine are affected by multiple vulnerabilities. Affected versions vary depending on the specific vulnerability. For specific version information, refer to the Software Versions and Fixes section of this advisory.

Details
The Cisco ACE 4710 Application Control Engine appliance and the Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are a load-balancing and application-delivery solution for data centers. Multiple vulnerabilities exist in both products. These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Impact
Successful exploitation of any of the vulnerabilities described in this security advisory may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4091d.shtml

SQL Injection Vulnerability in Cisco Wireless Control System
Cisco Wireless Control System (WCS) contains a SQL injection vulnerability that could allow an authenticated attacker full access to the vulnerable device, including modification of system configuration; create, modify and delete users; or modify the configuration of wireless devices managed by WCS.

Vulnerable Products
Cisco WCS devices running software 6.0.x are affected by this vulnerability.

Details
Cisco WCS enables an administrator to configure and monitor one or more WLCs and associated access points. A SQL injection vulnerability exists in Cisco WCS. Exploitation could allow an authenticated attacker to modify system configuration; create, modify and delete users; or modify the configuration of wireless devices managed by WCS.

Impact
Successful exploitation of this vulnerability could allow an authenticated attacker to modify system configuration; create, modify and delete users; or modify the configuration of wireless devices managed by WCS.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b4091e.shtml

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities as follows:

• Three SunRPC Inspection Denial of Service Vulnerabilities
• Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
• Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
• Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

Vulnerable Products
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability.

Details
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

• SunRPC Inspection Denial of Service Vulnerabilities
• Transport Layer Security (TLS) Denial of Service Vulnerabilities
• Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
• Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

Impact
Successful exploitation of any of the vulnerabilities described in this security advisory may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b3f12f.shtml

Multiple Vulnerabilities in Cisco Firewall Services Module
Multiple vulnerabilities exist in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing crafted SunRPC or certain TCP packets. Repeated exploitation could result in a sustained DoS condition.

Vulnerable Products
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability.

Details
The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.

Impact
Successful exploitation of all the vulnerabilities described in this security advisory may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b3f130.shtml

CDS Internet Streamer: Web Server Directory Traversal Vulnerability
The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. By exploiting this vulnerability, an attacker may be able to read arbitrary files on the device, outside of the web server document directory, by using a specially crafted URL. An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch subsequent attacks.

Vulnerable Products
All versions of system software on the Cisco Internet Streamer application are vulnerable prior to the first fixed release.

Details
The Cisco Internet Streamer application provides edge caching, content streaming, and downloads to subscriber IP devices such as PCs. An unauthenticated attacker may be able to exploit this issue to access sensitive information that could be leveraged to launch subsequent attacks. On the Service Engine and the Cisco Content Delivery System Manager this vulnerability can be exploited over all open HTTP ports; TCP ports 80 (Default HTTP port), 443 (Default HTTPS port) and 8090 (Alternate HTTP and HTTPS port), as well as those that are configured as part of the HTTP proxy. On the Service Router this issue is seen on port TCP port 8090 (Alternate HTTP and HTTPS port).

Impact
An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch subsequent attacks.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b3bd1c.shtml

Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability
Cisco Industrial Ethernet 3000 (IE 3000) Series switches running Cisco IOS® Software releases 12.2(52)SE or 12.2(52)SE1, contain a vulnerability where well known SNMP community names are hard-coded for both read and write access. The hard-coded community names are “public” and “private.”

Vulnerable Products
The Cisco Industrial Ethernet 3000 Series switches are vulnerable when running any of the following Cisco IOS Software releases:

• Cisco IOS Software release 12.2(52)SE or 12.2(52)SE1

Details
This vulnerability was introduced as part of a new feature integrated into the affected releases called PROFINET. At the time of the publication of this advisory, PROFINET was only supported on Cisco Industrial Ethernet 3000 Series switches.

Impact
Successful exploitation of the vulnerability could result in an attacker obtaining full control of the device.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b3891f.shtml