• Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
• Cisco Digital Media Manager Vulerabilities
• Cisco Unified Communications Manager Denial of Service Vulnerabilities

Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
A vulnerability exists in the Cisco Digital Media Player that could allow an unauthenticated attacker to inject video or data content into a remote display.

Vulnerable Products
Cisco Digital Media Player versions earlier than 5.2 are affected by this vulnerability.

Details
Cisco Digital Media Players are IP-based endpoints that can play high-definition live and on-demand video, motion graphics, web pages, and dynamic content on digital displays. The Cisco Digital Media Player contains a vulnerability that could allow an unauthenticated attacker to inject video or data content into a remote display.

Impact
Successful exploitation of the vulnerability could allow an unauthenticated attacker to inject video or data content into a remote display.

Link: http://www.cisco.com/…/security_advisory09186a0080b1b925.shtml

Multiple Vulnerabilities in Cisco Digital Media Manager
Multiple vulnerabilities exist in the Cisco Digital Media Manager (DMM). This security advisory outlines details of the following vulnerabilities:

• Default credentials
• Privilege escalation vulnerability
• Information leakage vulnerability

These vulnerabilities are independent of each other.

Vulnerable Products
The following products are affected by vulnerabilities that are described in this advisory:

• Cisco Unified Communications Manager 4.x
• Cisco Unified Communications Manager 5.x
• Cisco Unified Communications Manager 6.x
• Cisco Unified Communications Manager 7.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. An affected Cisco Unified Communications Manager services may require a manual restart to restore voice services.

Link: http://www.cisco.com/…/security_advisory09186a0080b1b923.shtml

Cisco Unified Communications Manager Denial of Service Vulnerabilities
Cisco Unified Communications Manager (formerly Cisco CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption of voice services. The Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) and Computer Telephony Integration (CTI) Manager services are affected by these vulnerabilities.

Vulnerable Products
The following products are affected by vulnerabilities that are described in this advisory:

* Cisco Unified Communications Manager 4.x
* Cisco Unified Communications Manager 5.x
* Cisco Unified Communications Manager 6.x
* Cisco Unified Communications Manager 7.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. An affected Cisco Unified Communications Manager services may require a manual restart to restore voice services.

Link: http://www.cisco.com/…/security_advisory09186a0080b1b924.shtml

© Fabio Semperboni for CiscoZine, 2010. | Permalink | No comment
Post tags: DOS, Inject data, Privilege escalation

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

• TCP Connection Exhaustion Denial of Service Vulnerability
• Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
• Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
• WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
• Crafted TCP Segment Denial of Service Vulnerability
• Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
• NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. There are workarounds for some of the vulnerabilities disclosed in this advisory.

Vulnerable Products
Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. For specific version information, refer to the Software Versions and Fixes section of this advisory.

Details
The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

• TCP Connection Exhaustion Denial of Service Vulnerability
• SIP Inspection Denial of Service Vulnerabilities
• SCCP Inspection Denial of Service Vulnerability
• WebVPN DTLS Denial of Service Vulnerability
• Crafted TCP Segment Denial of Service Vulnerability
• Crafted IKE Message Denial of Service Vulnerability
• NTLMv1 Authentication Bypass Vulnerability

Impact

• TCP Connection Exhaustion Denial of Service Vulnerability: Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance.
• SIP Inspection Denial of Service Vulnerabilities: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• SCCP Inspection Denial of Service Vulnerability: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• WebVPN DTLS Denial of Service Vulnerability: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• Crafted TCP Segment Denial of Service Vulnerability: Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition.
• Crafted IKE Message Denial of Service Vulnerability: Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels.
• NTLMv1 Authentication Bypass Vulnerability: Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance.

Link: http://www.cisco.com/…/security_advisory09186a0080b1910c.shtml

Multiple Vulnerabilities in Cisco Security Agent
The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration.

Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other.

Vulnerable Products
Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. Only Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability. Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability. Only Cisco Security Agent release 5.2 for Linux, either managed or standalone, are affected by the DoS vulnerability (the Windows version is not affected).

Details
The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center.

Impact
Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. Successful exploitation of the Cisco Security Agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b1910d.shtml

Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Vulnerable Products
All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output.

Details
The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection. The Cisco FWSM is affected by a vulnerability that may cause the device to reload during the processing of a malformed SCCP message when SCCP inspection is enabled. This vulnerability is only triggered by transit traffic; traffic that is destined to the device does not trigger this vulnerability.

Impact
Successful exploitation of this vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b1910e.shtml

Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities.

Vulnerable Products
The following Cisco IronPort Encryption Appliance versions are affected by these vulnerabilities:

• Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
• Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
• Cisco IronPort PostX MAP versions prior to 6.2.9.1

The version of software that is running on a Cisco IronPort Encryption Appliance is located on the About page of the Cisco IronPort Encryption Appliance administration interface.

Details
The Cisco IronPort Encryption Appliance contains two information disclosure vulnerabilities that allow remote, unauthenticated access to arbitrary files on vulnerable devices via the embedded HTTPS server. The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143. The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.

The Cisco IronPort Encryption Appliance contains a remote code execution vulnerability that allows an unauthenticated attacker to run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.

Impact
Successful exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to access arbitrary files or execute arbitrary code with elevated privileges.

Link: http://www.cisco.com/…/security_advisory09186a0080b17903.shtml

© Fabio Semperboni for CiscoZine, 2010. | Permalink | No comment
Post tags: DOS, Privilege escalation, Remote Control

Multiple Vulnerabilities in Cisco Unified MeetingPlace
Multiple vulnerabilities exist in Cisco Unified MeetingPlace. This security advisory outlines the details of these vulnerabilities:

• Insufficient validation of SQL commands
• Unauthorized account creation
• User and password enumeration in Cisco MeetingTime
• Privilege escalation in Cisco MeetingTime

Vulnerable Products
Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document.

Details
This Security Advisory describes multiple distinct vulnerabilities in the MeetingPlace and MeetingTime products. These vulnerabilities are independent of each other.

• Insufficient Validation of SQL Commands
  An unauthenticated user may be able to send SQL commands to manipulate the database that MeetingPlace uses to store information about server configuration, meetings, and users. These commands could be used to create, delete, or alter any of the information contained in the Cisco Unified MeetingPlace database.
• Unauthorized Account Creation
  An unauthenticated user may be able to send a crafted URL to the internal interface of the Cisco Unified MeetingPlace web server to create a MeetingPlace user or administrator account.
• User and Password Enumeration in Cisco MeetingTime
  The MeetingTime authentication sequence consists of a series of packets that are transmitted between the client and the Cisco Meeting Place Audio Server over TCP port 5001. An attacker may be able to alter the authentication sequence to access sensitive information in the user database including usernames and passwords.
• Privilege Escalation in Cisco MeetingTime
  An attacker may be able to alter the packets in the MeetingTime authentication sequence to elevate the privileges of a normal user to an administrative user.

Impact
Successful exploitation of these vulnerabilities may result in a variety of conditions including: information disclosure, denial of service, privilege escalation, account creation, or alteration of configuration data.

Link: http://www.cisco.com/../advisory09186a0080b1490b.shtml

Cisco IOS XR Software SSH Denial of Service Vulnerability
The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition. An attacker could trigger this vulnerability by sending a crafted SSH version 2 packet that may cause a new SSH connection handler process to crash. Repeated exploitation may cause each new SSH connection handler process to crash and lead to a significant amount of memory being consumed, which could introduce instability that may adversely impact other system functionality. During this event, the parent SSH daemon process will continue to function normally.

Vulnerable Products
This vulnerability affects Cisco IOS XR systems that are running an affected version of Cisco IOS XR Software and have the SSH server feature enabled.

Details
Cisco IOS XR Software is a member of the Cisco IOS Software family that uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS-1 Carrier Routing System, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers.

The SSH server implementation in Cisco IOS XR Software contains a vulnerability that an unauthenticated, remote user could exploit to cause a denial of service condition.

The vulnerability is triggered when a new SSH handler process handles a crafted SSH version 2 packet, which may cause the process to crash. During this event, a significant amount of memory may be consumed. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Although exploitation of this vulnerability does not require user authentication, the TCP three-way handshake must be completed, and some SSH protocol negotiation must occur.

Impact
Successful exploitation of the vulnerability described in this advisory could result in a crash of the SSH connection handler process. Repeated exploitation may impact other system functionality, depending upon the size of the available memory and the duration of attack.

Link: http://www.cisco.com/../advisory09186a0080b13512.shtml

CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability
CiscoWorks Internetwork Performance Monitor (IPM) versions 2.6 and earlier for Microsoft Windows operating systems contain a buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code. There are no workarounds for this vulnerability.

Vulnerable Products
CiscoWorks IPM versions 2.6 and earlier for Windows operating systems are affected.

Details
CiscoWorks IPM is a troubleshooting application that gauges network response time and availability. CiscoWorks IPM is available as a component within the CiscoWorks LAN Management Solution (LMS) bundle. CiscoWorks IPM versions 2.6 and earlier for Windows contain a buffer overflow vulnerability when processing Common Object Request Broker Architecture (CORBA) GIOP requests. By sending a crafted CORBA GIOP request, a remote, unauthenticated attacker may be able to trigger the buffer overflow condition and execute arbitrary code with SYSTEM privileges on affected Windows systems. This vulnerability is documented in Cisco Bug ID CSCsv62350 and has been assigned the Common Vulnerabilities and Exposures (CVE) CVE-2010-0138.

Impact
Successful exploitation of the vulnerability may result in the ability to execute arbitrary code with SYSTEM privileges on affected Windows systems.

Link: http://www.cisco.com/../advisory09186a0080b1351d.shtml

© Fabio Semperboni for CiscoZine, 2010. | Permalink | No comment
Post tags: DOS, Privilege escalation, Remote Control

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.

The Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server. The WRF Player can also be manually installed for offline playback after downloading the application from www.webex.com.

If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from http://www.webex.com/.

Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are affected. Affected versions of the WRF Player are those prior to the “first fixed” versions, which are shown in the section “Software Versions and Fixes” of this advisory.

To check if a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support -> Downloads section. The version of the WebEx client build will be displayed on the right-hand side of the page under “About Support Center”, for example “Client build: 27.11.0.3328.”

Details
The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. The WebEx Recording Format (WRF) is a file format that is used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player is an application that is used to play back and edit WRF files (files with .wrf extensions). The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server (stream playback mode). The WRF Player can also be manually installed after downloading the application from http://www.webex.com/  to play back WRF files locally (offline playback mode).

Multiple buffer overflow vulnerabilities exist in the WRF Player. The vulnerabilities may lead to a crash of the WRF Player application, or in some cases, lead to remote code execution.

To exploit a vulnerability, a malicious WRF file would need to be opened by the WRF Player application. An attacker may be able to accomplish this by providing the malicious WRF file directly to users (for example, via e-mail), or by convincing users to visit a malicious website. The vulnerability cannot be triggered by users attending a WebEx meeting.

Impact
Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx WRF Player application, and in some cases, allow a remote attacker to execute arbitrary code on the targeted system with the privileges of the user running the WRF Player application.

Link: http://www.cisco.com/…/products_security_advisory09186a0080b0a577.shtml

© Fabio Semperboni for CiscoZine, 2010. | Permalink | No comment
Post tags: DOS, Remote Control, WebEx

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause an interruption to presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.

Vulnerable Products
The following products are affected:

• Cisco Unified Presence 1.x versions
• Cisco Unified Presence 6.x versions prior to 6.0(6)
• Cisco Unified Presence 7.x versions prior to 7.0(4)

Administrators of systems running Cisco Unified Presence can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command show version active via the Command Line Interface (CLI).

Details

• Network Flooding Vulnerability: Cisco Unified Presence contains a denial of service (DoS) vulnerability that may cause the TimesTenD process to fail when TCP ports 16200 or 22794 are flooded with connections. TCP 3-way handshakes must be completed for the attack to be successful. The TimesTenD process will be automatically restarted upon failure. This vulnerability is documented in Cisco Bug ID CSCsy17662 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2874.
• Network Connection Tracking Vulnerability: Cisco Unified Presence contains a DoS vulnerability that involves the tracking of network connections by the embedded firewall. An attacker can overwhelm the table that is used to track network connections and prevent new connections from being established to system services by establishing many TCP connections with a vulnerable system. Any service that listens to a TCP port on a vulnerable system could be affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsw52371 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2052.

Impact
Successful exploitation of any of the vulnerabilities may result in the interruption of presence services.

Link: http://www.cisco.com/…/products_security_advisory09186a0080afc930.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS

Cisco Unified Communications Manager Express Vulnerability
Cisco IOS® devices that are configured for Cisco Unified Communications Manager Express (CME) and the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Vulnerable Products
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name is displayed in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

Details
A vulnerability in the login section of the Extension Mobility feature may allow an unauthenticated attacker to execute arbitrary code or cause a Denial of Service (DoS) condition. Such packets can only come from registered phone IP addresses in the form of HTTP requests. If the auto-registration feature is enabled, an attacker can register its IP address and subsequently send a crafted payload to exploit this vulnerability. The auto-registration feature is enabled by default.

Impact
Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Link: http://www.cisco.com/…/advisory09186a0080af8116.shtml

Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability
Cisco IOS® devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.

Vulnerable Products
Cisco IOS devices that are configured for IKE and certificate based authentication are affected.

Details
A vulnerability exists in the IKE implementation of Cisco IOS Software, if the certificate based authentication method is used. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs, which may prevent new IPSec sessions from being established.

Impact
Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs, which may prevent new IPsec sessions from being established.

Link: http://www.cisco.com/…/advisory09186a0080af8117.shtml

Cisco IOS Software Tunnels Vulnerability
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Vulnerable Products
Cisco devices are vulnerable when running an affected version of Cisco IOS Software and configured for Generic Routing Encapsulation (GRE), IPinIP, Generic Packet Tunneling in IPv6 or IPv6 over IP tunnels with Cisco Express Forwarding enabled. The Cisco IOS Point to Point Tunneling Protocol (PPTP) feature creates GRE tunnels that are transparent to the user. Therefore systems configured for PPTP are also vulnerable. The Cisco multicast Virtual Private Network (MVPN) feature also creates GRE tunnels that are transparent to the user, however MVPN configurations are not vulnerable, unless there are other tunnels that are configured explicitly.

Details
A tunnel protocol encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between internetworking devices over an IP network. Cisco Express Forwarding is a Layer 3 IP switching technology. It improves network performance and scalability for networks with high and dynamic traffic patterns.

Impact
Successful exploitation of the vulnerability may result in the reload of an affected system, causing a DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af8115.shtml

Cisco IOS Software Object-group Access Control List Bypass Vulnerability
A vulnerability exists in Cisco IOS® software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature.

Vulnerable Products
Any Cisco device configured with ACLs using the object group feature and running an affected Cisco IOS software version is affected by this vulnerability.

Details
In Cisco IOS Software an object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets). In an ACL that is based on an object group, administrators can create a single access control entry (ACE) that uses an object group name instead of creating many ACEs, which each would require a different IP address. A similar object group, such as a protocol port group, can be extended to limit access to a set of applications for a user group to a server group.

Impact
Successful exploitation of the vulnerability may allow an attacker to access resources that should be protected by the Cisco IOS device.

Link: http://www.cisco.com/…/advisory09186a0080af8119.shtml

Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability
Cisco Unified Communications Manager, which was formerly Cisco Unified CallManager, contains a denial of service (DoS) vulnerability in the Session Initiation Protocol (SIP) service. An exploit of this vulnerability may cause an interruption in voice services.

Vulnerable Products
The following Cisco Unified Communications Manager versions are affected:

• Cisco Unified Communications Manager 5.x versions prior to 5.1(3g)
• Cisco Unified Communications Manager 6.x versions prior to 6.1(4)
• Cisco Unified Communications Manager 7.0.x versions prior to 7.0(2a)su1
• Cisco Unified Communications Manager 7.1.x versions prior to 7.1(2)

Details
A DoS vulnerability exists in the SIP implementation of the Cisco Unified Communications Manager. This vulnerability could be triggered when Cisco Unified Communications Manager processes crafted SIP messages. An exploit could lead to a reload of the main Cisco Unified Communications Manager process.

Impact
Successful exploitation of the vulnerability that is described in this advisory could result in a reload of the Cisco Unified Communications Manager process, which may result in the interruption of voice services.

Link: http://www.cisco.com/…/advisory09186a0080af8118.shtml

Cisco IOS Software H.323 Denial of Service Vulnerability
The H.323 implementation in Cisco IOS® Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload.

Vulnerable Products
Cisco devices that are running affected Cisco IOS Software versions that are configured to process H.323 messages are affected by this vulnerability. H.323 is not enabled by default. To determine the Cisco IOS Software device is running H.323 services use the show process cpu | include 323 command

Details
The H.323 implementation in Cisco IOS Software contains a vulnerability. An attacker can exploit this vulnerability remotely by sending an H.323 crafted packet to the affected device that is running Cisco IOS Software. A TCP three-way handshake is needed to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability described in this document may cause the affected device to reload. The issue could be exploited repeatedly to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811a.shtml

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled.

Vulnerable Products
This vulnerability only affects devices running Cisco IOS Software with SIP voice services enabled.

Details
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port 5061) as the underlying transport protocol. A DoS vulnerability exists in the SIP implementation in Cisco IOS Software when devices are running a Cisco IOS image that contains the Cisco Unified Border Element feature. This vulnerability is triggered by processing a series of crafted SIP messages.

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811b.shtml

Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability
Cisco IOS® Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet.

Vulnerable Products
Devices running affected versions of Cisco IOS Software are susceptible if configured with any of the following features:

• Secure Socket Layer (SSL) Virtual Private Network (VPN)
• Secure Shell (SSH)
• Internet Key Exchange (IKE) Encrypted Nonces

Details
A Cisco IOS device that is configured for SSLVPN or SSH may reload when it receives a specially crafted TCP packet on TCP port 443 (SSLVPN) or TCP port 22 (SSH). Completion of the three-way handshake to the associated TCP port number of these features is required for the vulnerability to be successfully exploited; however, authentication is not required. A Cisco IOS device that is configured for IKE encrypted nonces may reload when it receives a specially crafted UDP packet on port 500 or 4500 (if configured for NAT Traversal (NAT-T)).

Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the device. The issue could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af811c.shtml

Cisco IOS Software Authentication Proxy Vulnerability
Cisco IOS® Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

Vulnerable Products
Devices running affected versions of Cisco IOS Software and configured with Authentication Proxy for HTTP(S) or Web Authentication or the consent feature are vulnerable.

Details
This vulnerability allows a session to be permitted without first being authenticated by the authentication proxy, or to be permitted without first acknowledging the consent webpage. At least one successfully authenticated session or accepted consent session must exist for the vulnerability to be exposed. When this occurs, the RADIUS or TACACS+ server will show subsequent users as authenticated, all with the same username as the initial connection if performing authentication, regardless of the authentication information provided by the user and whether it was defined on the AAA server, and regardless of whether the password was correct.

Impact
Successful exploitation of the vulnerability may result in an unauthenticated and unauthorized user bypassing the authentication proxy services offered in Cisco IOS Authentication Proxy for HTTP(S) and/or bypassing the consent accept webpage.

Link: http://www.cisco.com/…/advisory09186a0080af8132.shtml

Cisco IOS Software Zone-Based Policy Firewall Vulnerability
Cisco IOS® devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Vulnerable Products
Only devices that are configured with Cisco IOS Zone-Based Policy Firewall SIP inspection (UDP port 5060, TCP ports 5060, and 5061) are vulnerable. Cisco IOS devices that are configured with legacy Cisco IOS Firewall Support for SIP (context-based access control (CBAC)) are not vulnerable.

Details
Firewalls are networking devices that control access to the network assets of an organization. Firewalls are often positioned at the entrance points into networks. Cisco IOS software provides a set of security features that enable you to configure a simple or elaborate firewall policy, according to your particular requirements. Cisco IOS Software that is configured with Cisco IOS Zone-Based Policy Firewall SIP inspection are vulnerable to a DoS attack when processing a specific SIP transit packet. Exploitation of this vulnerability will result in a reload of the affected device.

Impact
Successful exploitation of the vulnerability may result in a reload of the affected device. Repeated exploit attempts may result in a sustained DoS attack.

Link: http://www.cisco.com/…/advisory09186a0080af8130.shtml

Cisco IOS Software Network Time Protocol Packet Vulnerability
Cisco IOS® Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Vulnerable Products
Cisco IOS Software devices are vulnerable if they support NTPv4 and are configured for NTP operations. NTP is not enabled in Cisco IOS Software by default.

Details
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP. NTPv3 is documented in RFC1305 . NTPv4 is a significant revision of the NTP standard, and is the current development version, but has not been formalized into an RFC at the time of publication of this advisory. NTPv4 is currently documented in draft-ietf-ntp-ntpv4-proto-11.

Impact
Successful exploitation of the vulnerability may result in a reload of the device. The vulnerability could be repeatedly exploited to cause an extended DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080af8131.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS, Remote Control

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Details
Multiple Cisco products are affected by DoS vulnerabilities in the TCP protocol. By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases. With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system. A system reboot may be required to restore full system functionality. A full TCP three-way handshake is required to exploit these vulnerabilities.

Network devices are not directly impacted by TCP state manipulation DoS attacks transiting a device; however, network devices that maintain the state of TCP connections may be impacted. If the attacker can establish enough TCP connections through a transit device that maintains TCP state, device resources may be exhausted and prevent the device from processing new TCP connections, resulting in a DoS condition. If an affected device that forwards traffic (that is, routes) in a network is the target of a TCP state manipulation attack, the attacker could cause a network-impacting DoS condition.

Impact
Successful exploitation of the TCP state manipulation vulnerabilities may result in a DoS condition where new TCP connections are not accepted on an affected system. Repeated exploitation may result in a sustained DoS condition. A reboot may be required to recover affected systems. In addition, Cisco Nexus 5000 systems may crash upon receiving a specific sequence of TCP packets.

Link: http://www.cisco.com/…/products_security_advisory09186a0080af511d.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS

1) Cisco IOS XR Software Border Gateway Protocol Vulnerabilities
Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include:

• Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update.
  The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update. This vulnerability was disclosed in revision 1.0 of this advisory.
• Cisco IOS XR BGP process will crash when sending a long length BGP update message
  When Cisco IOS XR sends a long length BGP update message, the BGP process may crash. The number of AS numbers required to exceed the total/maximum length of update message and cause the crash are well above normal limits seen within production environments.
• Cisco IOS XR BGP process will crash when constructing a BGP update with a large number of AS prepends
  If the Cisco IOS XR BGP process is configured to prepend a very large number of Autonomous System (AS) Numbers to the AS path, the BGP process will crash. The number of AS numbers required to be prepended and cause the crash are well above normal limits seen within production environments.

Vulnerable Products
To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to “Cisco IOS XR Software”. The software version is displayed after the text “Cisco IOS XR Software”.

Details
These vulnerabilities affect Cisco IOS XR devices running affected software versions and configured with the BGP routing feature.

Impact
Successful exploitation of these vulnerabilities may result in the continuous resetting of BGP peering sessions, or the continuous resetting of the BGP process itself. This may lead to routing inconsistencies and a denial of service for those affected networks.

Link: http://www.cisco.com/…/security_advisory09186a0080af150f.shtml

2) Cisco Unified Communications Manager Denial of Service Vulnerabilities
Cisco Unified Communications Manager (formerly CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption to voice services. The Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are affected by these vulnerabilities. Cisco has released free software updates for select Cisco Unified Communications Manager versions that address these vulnerabilities. There are no workarounds for these vulnerabilities.

Vulnerable Products
The following products are affected by vulnerabilities described in this advisory:

• Cisco Unified Communications Manager 4.x
• Cisco Unified Communications Manager 5.x
• Cisco Unified Communications Manager 6.x
• Cisco Unified Communications Manager 7.x

Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Impact
Successful exploitation of the vulnerabilities described in this advisory could result in the interruption of voice services. To restore voice services, affected Cisco Unified Communications Manager services may require a manual restart.

Link: http://www.cisco.com/…/security_advisory09186a0080af2d11.shtml

3) Firewall Services Module Crafted ICMP Message Vulnerability
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages. There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally. Cisco has released free software updates that address this vulnerability.

Vulnerable Products
All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are affected by this vulnerability. To determine the version of the FWSM software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed in the system.

Details
A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic) after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection (inspect icmp command under Class configuration mode) is enabled.

Impact
Successful exploitation of the vulnerability may cause the FWSM to stop forwarding traffic between interfaces (transit traffic), and stop processing traffic directed at the FWSM (management traffic). If the FWSM is configured for failover operation, the active FWSM may not fail over to the standby FWSM.

Link: http://www.cisco.com/…/security_advisory09186a0080af0d1d.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS

1) Active Template Library (ATL) Vulnerability
Certain Cisco products that use Microsoft Active Template Libraries (ATL) and headers may be vulnerable to remote code execution. In some instances, the vulnerability may be exploited against Microsoft Internet Explorer to perform kill bit bypass. In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site.

Vulnerable Products
The following products are affected by this vulnerability:Cisco Unity 4.x, 5x., and 7.x

Details
Microsoft has identified vulnerabilities in the Active Template Library (ATL) headers that are shipped with the Software Development Kit (SDK) for Microsoft Windows systems and used in Cisco products. In general, this vulnerability, if exposed by an ActiveX control, could lead to remote code execution on a client’s system.

Impact
Successful exploitation of the vulnerability may result in remote code execution.

Link: http://www.cisco.com/…/advisory09186a0080ae9e43.shtml

2) Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities
Recent versions of Cisco IOS Software support RFC4893 (“BGP Support for Four-octet AS Number Space”) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates. These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (here after referred to as 4-byte AS number) and BGP routing configured.

• The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.

• The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Vulnerable Products
These vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (here after both referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP routing.

Details

• The first vulnerability could cause an affected device to reload when processing a BGP update that contains AS path segments made up of more than one thousand autonomous systems. If an affected 4-byte AS number BGP speaker receives a BGP update from a 2-byte AS number BGP speaker that contains AS path segments made up of more than one thousand autonomous systems, the device may crash with memory corruption, and the error “%%Software-forced reload” will be displayed.

• The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Impact
Successful exploitation of the vulnerabilities described in this document may result in a reload of the device. The issue could result in repeated exploitation to cause an extended DoS condition.

Link: http://www.cisco.com/…/dvisory09186a0080aea4c9.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS, Remote Control

• Malformed HTTP or HTTPS authentication response denial of service vulnerability
• SSH connections denial of service vulnerability
• Crafted HTTP or HTTPS request denial of service vulnerability
• Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability

Vulnerable Products
Cisco 1500 Series, 2000 Series, 2100 Series, 4400 Series, 4100 Series, 4200 Series, Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Cisco Catalyst 3750G Integrated Wireless LAN Controllers are affected by one or more of the following vulnerabilities:

• The malformed HTTP or HTTPS authentication response denial of service vulnerability affects software versions 4.2 and later.
• The SSH connections denial of service vulnerability affects software versions 4.1 and later.
• The crafted HTTP or HTTPS request denial of service vulnerability affects software versions 4.1 and later.
• The crafted HTTP or HTTPS request unauthorized configuration modification vulnerability affects software versions 4.1 and later.

Details
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. These devices communicate with controller-based access points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP).

Impact
Successful exploitation of the denial of service (DoS) vulnerabilities may cause the affected device to reload. Repeated exploitation could result in a sustained DoS condition. An unauthenticated, remote attacker may be able to use the unauthorized configuration modification vulnerability to gain full control over the Wireless LAN Controller if the attacker is able to submit a crafted request directly to an administrative interface of the affected device.

Link: http://www.cisco.com/…/products_security_advisory.shtml

© Fabio Semperboni for CiscoZine, 2009. | Permalink | No comment
Post tags: DOS