Jul 11, 2013

June 2013: five Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories:

  • Multiple Vulnerabilities in Cisco Web Security Appliance
  • Multiple Vulnerabilities in Cisco Email Security Appliance
  • Multiple Vulnerabilities in Cisco Content Security Management Appliance
  • Cisco ASA Next-Generation Firewall Fragmented Traffic Denial of Service Vulnerability
  • Multiple Vulnerabilities in Cisco TelePresence TC and TE Software

Multiple Vulnerabilities in Cisco Web Security Appliance
Cisco IronPort AsyncOS Software for Cisco Web Security Appliance is affected by the following vulnerabilities:

  • Two authenticated command injection vulnerabilities
  • Management GUI Denial of Service Vulnerability

Vulnerable Products
All models of Cisco Web Security Appliance running a vulnerable version of Cisco IronPort AsyncOS Software are affected by one or more of the vulnerabilities described in this advisory.

Details

  • Authenticated Command Injection Vulnerabilities: Two vulnerabilities in the web framework code could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. The vulnerabilities are due to the failure to properly sanitize user-supplied input that is used to perform actions that leverage the underlying command-line interface of the device.
    An authenticated, unprivileged attacker could exploit this vulnerability by sending a crafted URL to the affected system or by convincing a valid user to click on a malicious URL. A successful exploit could allow the attacker to take complete control of the affected device. These vulnerabilities can only be triggered by IPv4 traffic directed to the management IP addresses of the affected system. These vulnerabilities can be exploited over the default management ports, TCP port 8080 or TCP port 8443.
  • Management GUI Denial of Service Vulnerability: A vulnerability in the Graphical User Interface (GUI) function in the web framework code could allow an unauthenticated, remote attacker to cause multiple processes to become unresponsive, resulting in a denial of service condition. The vulnerability is due to improper handling, processing and termination of HTTP and HTTPS connections. An attacker could exploit this vulnerability by sending multiple HTTP or HTTPS requests to any management-enabled interface of the affected system.
    A full TCP three-way handshake is required to exploit this vulnerability. An exploit could allow the attacker to prevent management access via the GUI and cause other critical processes to become unresponsive, resulting in a denial of service condition. A hard reboot of the affected system is needed to restore full functionality. This vulnerability can only be triggered by IPv4 traffic directed to the management IP addresses of the affected system. This vulnerability can be exploited over the default management ports, TCP port 8080 or TCP port 8443.

Impact
Successful exploitation of either of the two command injection vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.

Successful exploitation of the Management GUI Denial of Service Vulnerability could cause several critical processes to become unresponsive and make the affected system unstable.

Link: http://tools.cisco.com/…/cisco-sa-20130626-wsa

Multiple Vulnerabilities in Cisco Email Security Appliance

Cisco IronPort AsyncOS Software for Cisco Email Security Appliance is affected by the following vulnerabilities:

  • Web Framework Authenticated Command Injection Vulnerability
  • IronPort Spam Quarantine Denial of Service Vulnerability
  • Management GUI Denial of Service Vulnerability

Successful exploitation of the Web Framework Authenticated Command Injection Vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. Successful exploitation of either of the two denial of service vulnerabilities may cause several critical processes to become unresponsive and make the affected system unstable.

Vulnerable Products
All models of Cisco Email Security Appliance running a vulnerable version of Cisco IronPort AsyncOS Software are affected by one or more of the vulnerabilities described in this advisory.

Details

  • Web Framework Authenticated Command Injection Vulnerability: A vulnerability in the web framework code could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. This vulnerability can be triggered by IPv4 and IPv6 traffic directed to the management IP addresses of the affected system.
    This vulnerability can be exploited over the default management ports, TCP port 80 or TCP port 443.
  • IronPort Spam Quarantine Denial of Service Vulnerability: A vulnerability in the IronPort Spam Quarantine (ISQ) function in the web framework code could allow an unauthenticated, remote attacker to cause multiple critical processes to become unresponsive, resulting in a denial of service condition. This vulnerability can be triggered by IPv4 and IPv6 traffic directed to ISQ enabled interfaces of the affected system.
    This vulnerability can be exploited over the default ISQ ports, TCP port 82 or TCP port 83.
  • Management GUI Denial of Service Vulnerability: A vulnerability in the Graphical User Interface (GUI) function in the web framework code could allow an unauthenticated, remote attacker to cause multiple processes to become unresponsive, resulting in a denial of service condition. This vulnerability can be triggered by IPv4 and IPv6 traffic directed to the management IP addresses of the affected system.
    This vulnerability can be exploited over the default management ports, TCP port 80 or TCP port 443.

Impact
Successful exploitation of the Web Framework Authenticated Command Injection Vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.

Successful exploitation of either of the two DoS vulnerabilities could cause several critical processes to become unresponsive and make the affected system unstable.

Link: http://tools.cisco.com…/cisco-sa-20130626-esa

Multiple Vulnerabilities in Cisco Content Security Management Appliance

Cisco IronPort AsyncOS Software for Cisco Content Security Management Appliance is affected by the following vulnerabilities:

  • Web Framework Authenticated Command Injection Vulnerability
  • IronPort Spam Quarantine Denial of Service Vulnerability
  • Management GUI Denial of Service Vulnerability

Vulnerable Products
All models of Cisco Content Security Management Appliance running a vulnerable version of Cisco IronPort AsyncOS Software are affected by one or more of the vulnerabilities described in this advisory.

Details

  • Web Framework Authenticated Command Injection Vulnerability: A vulnerability in the web framework code could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. This vulnerability can only be triggered by IPv4 traffic directed to the management IP addresses of the affected system.
    This vulnerability can be exploited over the default management ports, TCP port 80 or TCP port 443.
  • IronPort Spam Quarantine Denial of Service Vulnerability: A vulnerability in the IronPort Spam Quarantine (ISQ) function in the web framework code could allow an unauthenticated, remote attacker to cause multiple critical processes to become unresponsive, resulting in a denial of service condition. This vulnerability can only be triggered by IPv4 traffic directed to ISQ-enabled interfaces of the affected system.
    This vulnerability can be exploited over the default ISQ ports, TCP port 82 or TCP port 83.
  • Management GUI Denial of Service Vulnerability: A vulnerability in the Graphical User Interface (GUI) function in the web framework code could allow an unauthenticated, remote attacker to cause multiple processes to become unresponsive, resulting in a denial of service condition. This vulnerability can only be triggered by IPv4 traffic directed to the management IP addresses of the affected system.
    This vulnerability can be exploited over the default management ports, TCP port 80 or TCP port 443.

Impact
Successful exploitation of the Web Framework Authenticated Command Injection Vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges.

Successful exploitation of either of the two denial of service vulnerabilities could cause several critical processes to become unresponsive and make the affected system unstable.

Link: http://tools.cisco.com/…/cisco-sa-20130626-sma
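
The WSA, ESA and SMA advisories above differ in which TCP ports and IP versions reach the vulnerable web framework. The following is an added example, not part of the Cisco advisories, that encodes those differences and flags flows reaching a listed port from outside the administrator networks; the admin networks and the flow records are constructed assumptions.

```python
import ipaddress

# product -> surface -> (TCP ports, IP versions that can trigger it),
# taken from the three advisories summarized above
SURFACE = {
    "WSA": {"management": ({8080, 8443}, {4})},
    "ESA": {"management": ({80, 443}, {4, 6}), "ISQ": ({82, 83}, {4, 6})},
    "SMA": {"management": ({80, 443}, {4}), "ISQ": ({82, 83}, {4})},
}

# Assumption: the only networks administrators should connect from.
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:20::/64")]

# Constructed flow records: (source address, appliance type, destination TCP port)
SAMPLE_FLOWS = [
    ("10.20.0.15", "WSA", 8443),    # admin workstation: expected
    ("192.0.2.44", "WSA", 8080),    # outside the admin networks
    ("2001:db8::7", "SMA", 443),    # IPv6: not a trigger path for SMA
    ("2001:db8::7", "ESA", 443),    # IPv6: is a trigger path for ESA
    ("198.51.100.9", "ESA", 83),    # ISQ port from outside
    ("198.51.100.9", "ESA", 25),    # not a port named in the advisories
]

def exposed_flows(flows, admin_nets=ADMIN_NETS):
    """Return (src, product, surface, port) for flows that reach an
    advisory-listed port, over a triggering IP version, from a non-admin source."""
    findings = []
    for src, product, port in flows:
        addr = ipaddress.ip_address(src)
        # Compare versions first so IPv4 and IPv6 objects are never mixed.
        if any(addr.version == net.version and addr in net for net in admin_nets):
            continue
        for surface, (ports, versions) in SURFACE.get(product, {}).items():
            if port in ports and addr.version in versions:
                findings.append((src, product, surface, port))
    return findings

if __name__ == "__main__":
    for finding in exposed_flows(SAMPLE_FLOWS):
        print(finding)
```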

Cisco ASA Next-Generation Firewall Fragmented Traffic Denial of Service Vulnerability
Cisco ASA Next-Generation Firewall (NGFW) Services contains a Fragmented Traffic Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability on the Cisco ASA NGFW could cause the device to reload or stop processing user traffic that has been redirected by the parent Cisco ASA to the ASA NGFW module for further inspection.

Vulnerable Products
The following versions of Cisco ASA NGFW are affected by the vulnerability in this advisory:

  • 9.1.1 versions of Cisco ASA NGFW prior to 9.1.1.9
  • 9.1.2 versions of Cisco NGFW prior to 9.1.2.12
  • All 9.0 versions of Cisco NGFW
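
As an added example (not from the Cisco advisory), the three version rules above can be turned into a check for an inventory script. It compares version components numerically, so 9.1.1.10 is not mistaken for a release older than 9.1.1.9; the function names are hypothetical and the version strings used to exercise it are constructed.

```python
import re

# train prefix -> first fixed release in that train (None = whole train affected),
# as listed under "Vulnerable Products" above
AFFECTED_TRAINS = {
    (9, 0): None,               # all 9.0 versions
    (9, 1, 1): (9, 1, 1, 9),    # 9.1.1 versions prior to 9.1.1.9
    (9, 1, 2): (9, 1, 2, 12),   # 9.1.2 versions prior to 9.1.2.12
}

def parse_version(text):
    """Turn a version string such as '9.1.2.11' into a tuple of ints.
    Any non-digit characters are treated as separators."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(p) for p in parts)

def ngfw_affected(text):
    """Return True or False per the list above, or None when the
    release train is not mentioned on this page (no verdict)."""
    version = parse_version(text)
    # Try the most specific train first.
    for train in sorted(AFFECTED_TRAINS, key=len, reverse=True):
        if version[:len(train)] != train:
            continue
        fixed = AFFECTED_TRAINS[train]
        if fixed is None:
            return True
        # Pad a short version so that '9.1.1' compares as 9.1.1.0.
        padded = version + (0,) * (len(fixed) - len(version))
        return padded < fixed
    return None

if __name__ == "__main__":
    # Constructed sample versions
    for v in ("9.0.2", "9.1.1.8", "9.1.1.10", "9.1.2.11", "9.1.2.12", "9.1.3.1"):
        print(v, ngfw_affected(v))
```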

Details
A vulnerability in fragmented traffic processing on Cisco ASA NGFW could allow an unauthenticated, remote attacker to cause a reload of the affected device. The vulnerability is due to invalid parsing of reassembled packet data. An attacker could exploit this vulnerability by sending fragmented traffic to be processed by one of the ASA NGFW deny policies.

Impact
Successful exploitation of the vulnerability on the Cisco ASA NGFW appliance may cause the device to reload or stop processing user traffic.

Additionally, if the Cisco ASA with a Cisco ASA NGFW module running an affected version of software is configured in High-Availability mode (HA), a failover event may be triggered when the Cisco ASA NGFW reloads or stops forwarding traffic. Repeated exploitation could result in a sustained failover condition of the parent Cisco ASA, and eventually lead to a sustained DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20130626-ngfw

Multiple Vulnerabilities in Cisco TelePresence TC and TE Software
Cisco TelePresence TC and TE Software contain two vulnerabilities in the implementation of the Session Initiation Protocol (SIP) that could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition.

Additionally, Cisco TelePresence TC Software contains an adjacent root access vulnerability that could allow an attacker on the same physical or logical Layer-2 network as the affected system to gain an unauthenticated root shell.

Vulnerable Products
The following products running a vulnerable version of Cisco TelePresence TC and TE Software are affected by the SIP DoS vulnerabilities:

  • Cisco TelePresence MX Series
  • Cisco TelePresence System EX Series
  • Cisco TelePresence Integrator C Series
  • Cisco TelePresence Profiles Series running
  • Cisco TelePresence Quick Set Series
  • Cisco IP Video Phone E20

The following products running Cisco TelePresence TC Software are affected by the Cisco TelePresence TC Software Adjacent root Access Vulnerability:

  • Cisco TelePresence MX Series
  • Cisco TelePresence System EX Series
  • Cisco TelePresence Integrator C Series
  • Cisco TelePresence Profiles Series
  • Cisco TelePresence Quick Set Series

Note: Cisco TelePresence TE Software is not affected by the Cisco TelePresence TC Software Adjacent root Access Vulnerability.

Details

  • Cisco TelePresence TC and TE Software SIP Denial of Service Vulnerabilities: Successful exploitation of this vulnerability may cause the affected system to become unresponsive for a certain amount of time. Repeated exploitation may lead to a denial of service condition.
  • Cisco TelePresence TC Software Adjacent root Access Vulnerability: A vulnerability in the implementation of firewall rules could allow an unauthenticated, adjacent attacker to gain root shell access to an affected system.

Impact
Successful exploitation of the Cisco TelePresence TC and TE Software SIP DoS vulnerabilities may cause the affected system to become unresponsive or reload.

Successful exploitation of the Cisco TelePresence TC Software Adjacent root Access Vulnerability could allow an attacker on the same physical or logical Layer-2 network as the affected system to gain an unauthenticated root shell.

Link: http://tools.cisco.com/…/cisco-sa-20130619-tpc
