Nov 12, 2012

October 2012: five Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories:

  • Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
  • Multiple Vulnerabilities in Cisco Firewall Services Module
  • Multiple Vulnerabilities in the Cisco WebEx Recording Format Player
  • Multiple Vulnerabilities in Cisco Unified MeetingPlace Web Conferencing
  • Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) may be affected by the following vulnerabilities:

  • DHCP Memory Allocation Denial of Service Vulnerability
  • SSL VPN Authentication Denial of Service Vulnerability
  • SIP Inspection Media Update Denial of Service Vulnerability
  • DCERPC Inspection Buffer Overflow Vulnerability
  • Two DCERPC Inspection Denial Of Service Vulnerabilities

Details
The following section provides additional information about each vulnerability.

  • DHCP Memory Allocation Denial of Service Vulnerability: A vulnerability exists in the implementation of the Dynamic Host Configuration Protocol (DHCP) Server functionality that would allow an unauthenticated, remote attacker to trigger a reload of the affected device. This vulnerability is due to a failure in allocating memory for an internal DHCP data structure upon receiving crafted DHCP packets. An attacker could exploit this vulnerability by sending a sequence of crafted DHCP packets to the affected system.
  • SSL VPN Authentication Denial of Service Vulnerability: A vulnerability exists in the implementation of the authentication, authorization and accounting (AAA) code for the remote SSL VPN (Clientless and AnyConnect) feature that could allow an unauthenticated, remote attacker to trigger a reload of the affected system. This vulnerability is due to insufficient validation of a crafted authentication response when a AAA challenge-response is required to complete the authentication process. An attacker could exploit this vulnerability by trying to authenticate on an ASA configured for SSL VPN with a crafted authentication challenge response.
  • SIP Inspection Media Update Denial of Service Vulnerability: A vulnerability exists in the SIP inspection engine code of the Cisco ASA Software that may allow an unauthenticated, remote attacker to trigger a reload of the affected device. This vulnerability is due to improper processing of SIP media update packets. An attacker could exploit this vulnerability by sending a crafted SIP packet through the affected system. The packets that trigger this vulnerability must be part of an established SIP inspection session that needs to be inspected by the affected system.
  • DCERPC Inspection Buffer Overflow Vulnerability: A vulnerability exists in the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system or to overflow the stack and possibly execute arbitrary commands. The vulnerability is due to insufficient validation of DCERPC packets within a valid DCERPC session. An attacker could exploit this vulnerability by sending a crafted DCERPC packet that needs to be inspected by the affected system.
  • DCERPC Inspection Denial Of Service Vulnerabilities: Two vulnerabilities exist in the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerabilities are due to insufficient validation of DCERPC packets within a valid DCERPC session. An attacker could exploit these vulnerabilities by sending a crafted DCERPC packet that needs to be inspected by the affected system.

Impact
Successful exploitation of all the vulnerabilities described in this security advisory may cause a reload of the affected device. Successful exploitation of the DCERPC Inspection Buffer Overflow Vulnerability may additionally cause a stack overflow and possibly the execution of arbitrary commands.

Link: http://tools.cisco.com/…/cisco-sa-20121010-asa

Multiple Vulnerabilities in Cisco Firewall Services Module
The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities:

  • DCERPC Inspection Buffer Overflow Vulnerability
  • DCERPC Inspection Denial Of Service Vulnerabilities

Vulnerable Products
Consult the “Software Versions and Fixes” section of this security advisory for more information about the affected versions.

  • DCERPC Inspection Buffer Overflow Vulnerability: The Cisco FWSM is vulnerable when DCERPC inspection is enabled. DCERPC inspection is not enabled by default.
  • DCERPC Inspection Denial Of Service Vulnerabilities: The Cisco FWSM is vulnerable when DCERPC inspection is enabled. DCERPC inspection is not enabled by default.
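
Because exposure depends on DCERPC inspection being enabled, a saved configuration can be audited offline. The following is an added example, not part of the Cisco advisory or the original post: it assumes the standard ASA/FWSM Modular Policy Framework commands (`policy-map`, `class`, `inspect dcerpc`, `service-policy`), which are not quoted on this page, and runs against a constructed sample configuration. It also generalizes to other inspection engines named above, such as SIP.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dcerpc
policy-map lab_policy
 class inspection_default
  inspect dcerpc
  inspect sip
service-policy global_policy global
"""

def audit_inspection(config, engine="dcerpc"):
    """Find policy-maps that enable `inspect <engine>`.

    Returns a list of (policy_map, class_name, applied_to). applied_to holds
    the service-policy attachments ("global" or "interface <name>") and is
    empty when the policy-map is defined but never attached, in which case
    the inspection is configured but not acting on traffic.
    """
    enabled = []          # (policy_map, class) pairs containing the inspect line
    attachments = {}      # policy_map name -> list of attachment points
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # any top-level command closes the current block
            policy = cls = None
        # Skip "policy-map type inspect ..." maps: they hold parameters only.
        if m := re.match(r"policy-map (?!type )(\S+)$", line):
            policy = m.group(1)
        elif policy and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif policy and cls and re.match(rf"inspect {re.escape(engine)}\b", line):
            enabled.append((policy, cls))
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            attachments.setdefault(m.group(1), []).append(m.group(2))
    return [(p, c, attachments.get(p, [])) for p, c in enabled]
```

A finding with a non-empty `applied_to` list is the case the advisory describes as vulnerable; an empty list marks a policy-map that would become exposed as soon as it is attached.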

Details

  • DCERPC Inspection Buffer Overflow Vulnerability: A vulnerability exists in the code of the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system or to overflow the stack and possibly execute arbitrary commands. The vulnerability is due to insufficient validation of DCERPC packets within a valid DCERPC session. An attacker could exploit this vulnerability by sending a crafted DCERPC packet that will be inspected by the affected system.
  • DCERPC Inspection Denial Of Service Vulnerabilities: Two vulnerabilities exist in the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system. The vulnerabilities are due to insufficient validation of DCERPC packets within a valid DCERPC session. An attacker could exploit these vulnerabilities by sending a crafted DCERPC packet that will be inspected by the affected system.

Impact
Successful exploitation of either of the vulnerabilities could cause an affected device to reload. Repeated exploitation may result in a DoS condition. Successful exploitation of the DCERPC Inspection Buffer Overflow Vulnerability may cause a stack overflow and permit the execution of arbitrary commands.

Link: http://tools.cisco.com/…/cisco-sa-20121010-fwsm

Multiple Vulnerabilities in the Cisco WebEx Recording Format Player
The Cisco WebEx Recording Format (WRF) player contains six buffer overflow vulnerabilities. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. The following client builds of Cisco WebEx Business Suite (WBS 27 and WBS 28) are affected by at least one of the vulnerabilities that are described in this advisory:

  • T28 client builds prior to T28.4 (28.4)
  • T27 client builds prior to T27LDSP32EP10 (27.32.10)

Impact
Successful exploitation of the vulnerabilities that are described in this document could cause the Cisco WebEx WRF Player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the Cisco WebEx WRF Player application.

Link: http://tools.cisco.com/…/cisco-sa-20121010-webex

Multiple Vulnerabilities in Cisco Unified MeetingPlace Web Conferencing
Cisco Unified MeetingPlace Web Conferencing is affected by two vulnerabilities:

  • Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability
  • Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability

Vulnerable Products
The following versions of Cisco Unified MeetingPlace Web Conferencing are vulnerable to both Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability and Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability:

Versions affected: prior to 7.0, 7.0, 7.1, 8.0, 8.5

Details

  • Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability: The vulnerability is due to insufficient validation of some of the parameters passed through the HTTP POST method. An attacker could exploit this vulnerability by inserting malicious SQL commands in the HTTP POST request directed to the affected system. An exploit could allow the attacker to modify or delete data from the Web Conferencing database.
  • Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability: The vulnerability is due to insufficient validation of some parameter values of an HTTP POST request. An attacker may be able to exploit this vulnerability by crafting the value of the vulnerable parameters in an HTTP POST request directed to the affected system. An exploit could allow the attacker to cause the Web Conferencing server to become unresponsive.

Impact
Successful exploitation of the Cisco Unified MeetingPlace Web Conferencing SQL Injection Vulnerability may result in a variety of conditions, including denial of service or alteration of data.

Successful exploitation of the Cisco Unified MeetingPlace Web Conferencing Buffer Overrun Vulnerability may result in a buffer overrun condition that may cause the Web Conferencing server to become unresponsive.

Link: http://tools.cisco.com/…/cisco-sa-20121031-mp

Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability
Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application.

Vulnerable Products
All Cisco Prime Data Center Network Manager releases prior to release 6.1(1), for both the Microsoft Windows and Linux platforms, are affected by this vulnerability.
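
To triage an inventory against the thresholds stated here and in the WebEx WRF Player section (T27 builds prior to 27.32.10, T28 builds prior to 28.4, DCNM releases prior to 6.1(1)), the following added example parses the release strings and compares them. It is not code from Cisco or from the original post; the product keys `webex-wrf` and `dcnm`, the host names and the sample inventory are constructed for illustration.

```python
import re

# First fixed builds/releases, as stated in the advisories summarized on this page.
WEBEX_FIXED = {27: (27, 32, 10), 28: (28, 4)}   # keyed by WBS train
DCNM_FIXED = (6, 1, 1)                          # release 6.1(1)

# Constructed inventory: (host, product key, installed release).
SAMPLE_INVENTORY = [
    ("desk-01", "webex-wrf", "27.25.10"),
    ("desk-02", "webex-wrf", "28.4"),
    ("nms-01", "dcnm", "5.2(2a)"),
    ("nms-02", "dcnm", "6.1(1)"),
]

def parse_release(text):
    """Parse '27.32.10', '28.4' or Cisco-style '6.1(1)' / '5.2(2a)' into a tuple of ints.

    A maintenance letter such as the 'a' in '5.2(2a)' is ignored. That is a
    simplification, acceptable here because no threshold above carries one.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:\((\d+)[a-z]?\))?\s*", text)
    if not m:
        raise ValueError(f"unrecognized release string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2) is not None:
        parts.append(int(m.group(2)))
    return tuple(parts)

def is_affected(product, release):
    """True or False when the page states a threshold, None when it does not."""
    ver = parse_release(release)
    if product == "dcnm":
        fixed = DCNM_FIXED
    elif product == "webex-wrf":
        fixed = WEBEX_FIXED.get(ver[0])   # only the WBS 27 and WBS 28 trains are listed
    else:
        fixed = None
    return None if fixed is None else ver < fixed

def triage(inventory):
    """Return the hosts whose installed release is below the first fixed one."""
    return [host for host, product, rel in inventory if is_affected(product, rel)]
```

A `None` result means this page gives no fixed release for that product or train, so the host needs a manual check against the full advisory rather than being treated as unaffected.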

Details
The vulnerability exists because JBoss Application Server Remote Method Invocation (RMI) services, specifically the jboss.system:service=MainDeployer functionality, are exposed to unauthorized users. An unauthenticated, remote attacker could exploit this vulnerability by sending arbitrary commands via RMI services. An exploit could allow the attacker to execute arbitrary commands on the device.

Impact
Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system that hosts the Cisco Prime DCNM application in the context of the System user (for Cisco Prime DCNM running on Microsoft Windows) or the root user (for Cisco Prime DCNM running on Linux).

Link: http://tools.cisco.com/…/cisco-sa-20121031-dcnm
