Dec 2, 2011

October 2011: ten Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories:

  • Buffer Overflow Vulnerabilities in the Cisco WebEx Player
  • Cisco Unified Contact Center Express Directory Traversal Vulnerability
  • Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
  • Cisco Security Agent Remote Code Execution Vulnerabilities
  • Cisco Unified Communications Manager Directory Traversal Vulnerability
  • CiscoWorks Common Services Arbitrary Command Execution Vulnerability
  • Cisco Show and Share Security Vulnerabilities
  • Directory Traversal Vulnerability in Cisco Network Admission Control Manager
  • Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
  • Multiple Vulnerabilities in Cisco Firewall Services Module


Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as “Client build: 27.25.4.11889.” This indicates the server is running software version T27 SP25 EP4.

Details
The Cisco WebEx Recording Format (WRF) Player is affected by the following vulnerabilities:

  • Cisco WebEx Player WRF Parsing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-3319
  • Cisco WebEx Player ATAS32 Processing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-4004

The vulnerabilities may cause the player application to crash or, in some cases, remote code execution could occur.

Impact
Successful exploitation of the vulnerabilities described in this document could cause the Cisco WRF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF player application.
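As an added example (not part of the original post or of Cisco's advisory), the Python below maps the end-user "Client build" string to the administrator-visible T/SP/EP notation described under Vulnerable Products and compares it with the first fixed builds, T26 SP49 EP40 and T27 SP28. Treating T27 SP28 as EP 0 and reporting other trains as "unknown" (to be checked against the advisory's release table) are assumptions.

```python
import re
from typing import Optional, Tuple

# First fixed client builds from the advisory, keyed by train (T):
# T26 -> SP49 EP40, T27 -> SP28.  EP 0 for T27 is an assumption; the
# advisory names no EP for that train.
FIRST_FIXED = {26: (49, 40), 27: (28, 0)}

BUILD_RE = re.compile(r"Client build:\s*(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_client_build(banner: str) -> Tuple[int, int, int]:
    """Map 'Client build: 27.25.4.11889' to (27, 25, 4), i.e. T27 SP25 EP4,
    as the advisory describes.  The fourth component is the build number and
    is not part of the comparison."""
    m = BUILD_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised client build string: {banner!r}")
    train, sp, ep, _build = (int(x) for x in m.groups())
    return train, sp, ep

def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the build precedes the first fixed build of its train, False if
    it is at or past it, None if the train is not covered by FIRST_FIXED
    (assumption: those builds are checked manually against the release table)."""
    train, sp, ep = parse_client_build(banner)
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return None
    return (sp, ep) < fixed

def triage(banners):
    """Verdict per banner for an inventory of player banners collected from endpoints."""
    return {b: is_vulnerable(b) for b in banners}

if __name__ == "__main__":
    # Constructed inventory; only 27.25.4.11889 is the page's own example.
    SAMPLE = [
        "Client build: 27.25.4.11889",
        "Client build: 27.28.0.12000",
        "Client build: 26.49.39.9000",
        "Client build: 26.49.40.9100",
        "Client build: 25.10.2.8000",
    ]
    for banner, verdict in triage(SAMPLE).items():
        t, sp, ep = parse_client_build(banner)
        label = "VULNERABLE" if verdict else ("fixed" if verdict is False else "unknown train")
        print(f"{banner:30} -> T{t} SP{sp} EP{ep}: {label}")
```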

Link: http://tools.cisco.com/…/cisco-sa-20111026-webex

Cisco Unified Contact Center Express Directory Traversal Vulnerability
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.

Vulnerable Products
The following Cisco UCCX versions are vulnerable:

  • Cisco UCCX version 6.0(x)
  • Cisco UCCX version 7.0(x)
  • Cisco UCCX version 8.0(x)
  • Cisco UCCX version 8.5(x)

The following Cisco Unified IP Interactive Voice Response versions are vulnerable:

  • Cisco Unified IP Interactive Voice Response version 6.0(x)
  • Cisco Unified IP Interactive Voice Response version 7.0(x)
  • Cisco Unified IP Interactive Voice Response version 8.0(x)
  • Cisco Unified IP Interactive Voice Response version 8.5(x)

Details
The Cisco Unified Contact Center Express is a single- or two-node server, an integrated “contact center in a box” for deployments with up to 300 agents through software version 8.0(x) and up to 400 agents from version 8.5(x). The vulnerability is due to improper input validation and could allow the attacker to traverse the filesystem directory. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. In Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response the vulnerability could be exploited over TCP port 8080 in the 6.0(x) and 7.0(x) versions, and over TCP port 9080 from version 8.0(x) onward.

Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the Cisco Unified Contact Center Express or Cisco Unified IP Interactive Voice Response filesystem.

Link: http://tools.cisco.com/…/cisco-sa-20111026-uccx

Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 2421, 2500 series and 2600 series of devices. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted RTSP TCP packets to an affected device. Successful exploitation prevents cameras from sending video streams, subsequently causing a reboot. The camera reboot is done automatically and does not require action from an operator.

Vulnerable Products
Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series are affected by this vulnerability. For Cisco Video Surveillance 2421 and 2500 series IP Cameras, all 1.1.x software releases and releases prior to 2.4.0 are affected. For the Cisco Video Surveillance 2600 IP Camera, all software releases before 4.2.0-13 are affected.

Details
The Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series of devices are affected by a denial of service vulnerability triggered by crafted RTSP TCP packets, which may allow an unauthenticated attacker to cause the device to reload by sending a series of crafted packets. This vulnerability can be exploited from both wired and wireless segments.

Impact
Successful exploitation of the vulnerability may result in a DoS condition. Repeated exploitation may result in a sustained DoS condition, as the cameras will continue to reload.

Link: http://tools.cisco.com/…/cisco-sa-20111026-camera

Cisco Security Agent Remote Code Execution Vulnerabilities
Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC.

Vulnerable Products
These vulnerabilities only affect 6.x versions of Cisco Security Agent running on Windows platforms.

Details
Version 6.x of Cisco Security Agent running on Windows platforms is affected by the following vulnerabilities:

  • Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect availability, related to the File ID SDK: This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0794
  • Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect availability via vectors related to Outside In Filters: This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0808

Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to perform remote code execution on the affected device that will execute with Administrator privileges.

Link: http://tools.cisco.com/…/cisco-sa-20111026-csa

Cisco Unified Communications Manager Directory Traversal Vulnerability
Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.

Vulnerable Products
The following products are affected by this vulnerability:

  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x
  • Cisco Unified Communications Manager 8.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.

Link: http://tools.cisco.com/…/cisco-sa-20111026-cucm

CiscoWorks Common Services Arbitrary Command Execution Vulnerability
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.

Vulnerable Products
This vulnerability affects all versions of CiscoWorks Common Services-based products running on Microsoft Windows. Common Services version 4.1 and later are not affected by this vulnerability.

Details
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator. The vulnerability is due to improper input validation in the CiscoWorks Home Page component. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. An exploit could allow the attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
This vulnerability affects CiscoWorks Common Services running only on Microsoft Windows.
This vulnerability could be exploited over the default management ports, TCP port 1741 or 443.

Impact
Successful exploitation of this vulnerability may allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.

Link: http://tools.cisco.com/…/cisco-sa-20111019-cs

Cisco Show and Share Security Vulnerabilities
The Cisco Show and Share webcasting and video sharing application contains two vulnerabilities.

  • The first vulnerability allows an unauthenticated user to access several administrative web pages.
  • The second vulnerability permits an authenticated user to execute arbitrary code on the device under the privileges of the web server user account.

Vulnerable Products
These vulnerabilities affect all versions of Cisco Show and Share prior to the first fixed releases as indicated in the Software Version and Fixes section of this Cisco Security Advisory.

Details
Cisco Show and Share contains the following vulnerabilities:

  • Anonymous users can access some administration pages: Several administrative web pages of Cisco Show and Share can be accessed without prior user authentication. These include pages for accessing Encoders and Pull Configurations, Push Configurations, Video Encoding Formats, and Transcoding. This vulnerability is documented in Cisco Bug ID CSCto73758 (registered customers only) and has been assigned CVE identifier CVE-2011-2584.
  • Cisco Show and Share arbitrary code execution vulnerability: An authenticated user with privileges to upload videos could upload code that could then be executed under the privileges of the web server.

Impact
These vulnerabilities have the following impact on Cisco Show and Share:
CSCto73758: Anonymous users can access some administration pages. Several administrative web pages of Cisco Show and Share can be accessed without prior user authentication. The administrative pages that can be reached this way include:

  • Encoders Configurations
  • Push Configurations
  • Video Encoding Formats
  • Transcoding

CSCto69857: Cisco Show and Share arbitrary code execution vulnerability. An authenticated user may upload arbitrary code that can be executed on the appliance with the same privileges as the web server.

Link: http://tools.cisco.com/…/cisco-sa-20111019-sns

Directory Traversal Vulnerability in Cisco Network Admission Control Manager
Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information.

Vulnerable Products
Only Cisco NAC Manager software versions 4.8.X are affected by this vulnerability. Cisco NAC Manager software versions 4.7.X and earlier are not affected.

Details
Cisco NAC Manager contains a directory traversal vulnerability. The management interface uses TCP port 443. An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.

Impact
An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.
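The three directory traversal advisories above (UCCX/IP-IVR, Unified Communications Manager, NAC Manager) share one defensive check: look for traversal sequences in requests to the management ports the advisories name. The Python below, an added example and not code from the original post or from Cisco, runs that check over constructed access-log lines; the log format, the sample paths and the decision to decode repeatedly before matching are assumptions, and CUCM is omitted because the page gives no port for it.

```python
import re
from urllib.parse import unquote

# Ports named in the advisories above: UCCX/IP-IVR 6.0(x)-7.0(x) on TCP 8080,
# 8.0(x) and later on TCP 9080, NAC Manager management interface on TCP 443.
WATCHED_PORTS = {8080: "UCCX/IP-IVR 6.0-7.0", 9080: "UCCX/IP-IVR 8.0+", 443: "NAC Manager"}

# Constructed log line format (assumption): "<client-ip> <dst-port> <METHOD> <path>"
LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")

# Constructed sample log; none of these paths comes from the advisories.
SAMPLE_LOG = [
    "10.0.0.5 8080 GET /uccx/%2e%2e/%2e%2e/conf/server.xml",  # percent-encoded, UCCX 6/7
    "10.0.0.5 9080 GET /ivr/..%5c..%5cconf%5cserver.xml",      # backslash variant, UCCX 8.0+
    "10.0.0.9 443 GET /admin/%252e%252e/%252e%252e/logs/",     # double-encoded, NAC Manager
    "10.0.0.7 443 GET /admin/index.jsp?ver=1..2",              # '..' inside a segment: benign
    "10.0.0.8 8443 GET /x/../../etc",                         # traversal, but not a watched port
    "10.0.0.2 8080 GET /uccx/status",                         # ordinary request
]

def normalise(path: str, rounds: int = 3) -> str:
    """Percent-decode until the path stops changing (catches %2e%2e%2f and
    double encoding), then fold backslashes to slashes so '..\\' is not missed."""
    prev = None
    for _ in range(rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")

def has_traversal(path: str) -> bool:
    """Alert only on a whole '..' segment, so 'ver=1..2' or 'a..b.txt' stays quiet."""
    return any(seg == ".." for seg in normalise(path).split("/"))

def scan(lines):
    """Return (client, port, service, normalised_path) for traversal requests to watched ports."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, port, _method, path = m.groups()
        port = int(port)
        if port in WATCHED_PORTS and has_traversal(path):
            hits.append((client, port, WATCHED_PORTS[port], normalise(path)))
    return hits

if __name__ == "__main__":
    for client, port, service, path in scan(SAMPLE_LOG):
        print(f"ALERT {service} (tcp/{port}) from {client}: {path}")
```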

Link: http://tools.cisco.com/…/cisco-sa-20111005-nac

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

  • MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
  • TACACS+ Authentication Bypass vulnerability
  • Four SunRPC Inspection Denial of Service vulnerabilities
  • Internet Locator Service (ILS) Inspection Denial of Service vulnerability

Vulnerable Products

  • MSN IM Inspection Denial of Service Vulnerability: The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances is affected by a DoS vulnerability.
  • TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability affects the TACACS+ implementation of Cisco ASA 5500 Series Adaptive Security Appliances.
  • SunRPC Inspection Denial of Service Vulnerabilities: Four DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.
  • ILS Inspection Denial of Service Vulnerability: A DoS vulnerability affects the ILS inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.

Impact
Successful exploitation of all the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall and/or administrative sessions.

Link: http://tools.cisco.com/…/cisco-sa-20111005-asa

Multiple Vulnerabilities in Cisco Firewall Services Module
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

  • Syslog Message Memory Corruption Denial of Service Vulnerability
  • Authentication Proxy Denial of Service Vulnerability
  • TACACS+ Authentication Bypass Vulnerability
  • Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
  • Internet Locator Server (ILS) Inspection Denial of Service Vulnerability

Vulnerable Products
The Cisco FWSM for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. Refer to the “Software Version and Fixes” section for specific information on vulnerable versions.

Details

  • Syslog Message Memory Corruption Denial of Service Vulnerability: A denial of service vulnerability exists in the implementation of one specific system log message (message ID 302015, “Built outbound UDP connection session-id for src-intf:IP/Port to dst-intf:IP/Port ARP-Incomplete”) that can cause memory corruption and lead to a lockup or crash of the Cisco FWSM when this system log message needs to be generated for IPv6 traffic that has flowed through the device. The Cisco FWSM may not recover on its own, and a manual reboot may be necessary to recover.
  • Authentication Proxy Denial of Service Vulnerability: A denial of service vulnerability exists in some versions of Cisco FWSM Software that affects devices configured to use authentication to grant users access to the network, also known as cut-through or authentication proxy. Vulnerable configurations are those that contain the aaa authentication match or aaa authentication include commands. The vulnerability may be triggered when there is a high number of network access authentication requests.
  • TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability exists in the TACACS+ implementation in the Cisco FWSM. Successful exploitation could allow a remote attacker to bypass TACACS+ authentication of VPN users (the Cisco FWSM only allows VPN sessions for management), firewall sessions, or administrative access to the device.
  • SunRPC Inspection Denial of Service Vulnerabilities: The Cisco FWSM is affected by four vulnerabilities that may cause the device to reload during the processing of different crafted SunRPC messages when SunRPC inspection is enabled. These vulnerabilities are triggered only by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities.
  • ILS Inspection Denial of Service Vulnerability: The ILS inspection engine provides Network Address Translation (NAT) support for Microsoft NetMeeting, SiteServer, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an ILS server.

Impact
Successful exploitation of any of the denial of service vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained denial of service condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall, and/or administrative sessions.

Link: http://tools.cisco.com/…/cisco-sa-20111005-fwsm
