August 2013: six Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published six important vulnerability advisories:

  • Cisco Secure Access Control Server Remote Command Execution Vulnerability
  • Multiple Vulnerabilities in Cisco Unified Communications Manager
  • Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities
  • Cisco Unified Communications Manager IM and Presence Service Denial of Service Vulnerability
  • Cisco TelePresence System Default Credentials Vulnerability
  • OSPF LSA Manipulation Vulnerability in Multiple Cisco Products

Cisco Secure Access Control Server Remote Command Execution Vulnerability
The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server.

Vulnerable Products
Cisco Secure ACS for Windows versions 4.0 through 4.2.1.15 are affected by this vulnerability when configured as a RADIUS server with EAP-FAST authentication. Cisco Secure ACS, when configured as a TACACS+ server only, does not support the EAP-FAST authentication method and is not vulnerable.

Details
A vulnerability in the EAP-FAST authentication module of Cisco Secure Access Control Server (ACS) versions 4.0 through 4.2.1.15 could allow an unauthenticated, remote attacker to execute arbitrary commands on the Cisco Secure ACS server. This vulnerability is only present when Cisco Secure ACS is configured as a RADIUS server.

Commands are executed in the context of the System user for Cisco Secure ACS authentication service running on Microsoft Windows. Cisco Secure ACS uses the standard RADIUS UDP port 1812 or 1645 for EAP-FAST authentication.

Impact
Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to execute arbitrary commands and take full control of the underlying operating system that hosts the Cisco Secure ACS application in the context of the System user for Cisco Secure ACS running on Microsoft Windows.

Link: http://tools.cisco.com/…/cisco-sa-20130828-acs

Multiple Vulnerabilities in Cisco Unified Communications Manager
Cisco Unified Communications Manager (Unified CM) contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to modify data, execute arbitrary commands, or cause a denial of service (DoS) condition.

Vulnerable Products
The following products are affected by the vulnerabilities that are described in this advisory:

  • Cisco Unified Communications Manager 7.1(x)
  • Cisco Unified Communications Manager 8.5(x)
  • Cisco Unified Communications Manager 8.6(x)
  • Cisco Unified Communications Manager 9.0(x)
  • Cisco Unified Communications Manager 9.1(x)

Details
Cisco Unified Communications Manager 8.5(x), 8.6(x), and 9.0(x) contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. The vulnerability is due to insufficient limiting of traffic on certain UDP ports. An attacker could exploit this vulnerability by sending UDP packets at a high rate to certain ports on an affected device, resulting in a DoS condition on the affected device.

Cisco Unified Communications Manager versions 8.5(x), 8.6(x) and 9.0(1) contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. The vulnerability is due to insufficient rate limiting of traffic on the Session Initiation Protocol (SIP) port. An attacker could exploit this vulnerability by sending UDP packets at a high rate to port 5060 on an affected device. A sustained attack could allow the attacker to cause a DoS condition on the affected device.

Impact
Successful exploitation of these vulnerabilities may result in disruption of services, modification of system data, or execution of arbitrary files. Continued exploitation may result in a DoS condition.

Link: http://tools.cisco.com/…/cisco-sa-20130821-cucm

Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities
Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploitation of these vulnerabilities could interrupt the monitoring of voice services and exhaust system resources.

Vulnerable Products
The following products are affected by the vulnerabilities that are described in this advisory:

  • Cisco Prime Central for HCS Assurance 8.6
  • Cisco Prime Central for HCS Assurance 9.0
  • Cisco Prime Central for HCS Assurance 9.1

Details
Memory Leak Vulnerability: Cisco Prime Central for HCS Assurance contains a memory leak vulnerability that could allow an unauthenticated, remote attacker to execute a sustained flood against vulnerable TCP ports to cause a DoS condition on the affected system.

Memory Exhaustion Vulnerabilities: Cisco Prime Central for HCS Assurance contains two memory exhaustion vulnerabilities that could allow an unauthenticated, remote attacker to execute a sustained TCP connection flood against an affected system. A sustained TCP connection flood against the affected ports will result in memory exhaustion, preventing access to the web GUI and causing out-of-memory exceptions when executing basic commands.

Disk Exhaustion Vulnerability: Cisco Prime Central for HCS Assurance contains a disk exhaustion vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition on an affected system.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could allow a remote attacker to trigger a memory leak or DoS condition that could interrupt services.

Link: http://tools.cisco.com/…/cisco-sa-20130821-hcm

Cisco Unified Communications Manager IM and Presence Service Denial of Service Vulnerability
Cisco Unified Communications Manager IM and Presence Service contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploitation of this vulnerability could cause an interruption of presence services.

Vulnerable Products
All versions of Cisco Unified Communications Manager IM and Presence Service prior to 9.1(2) are affected by the vulnerability described in this advisory.

Details
The vulnerability is due to a memory leak. An attacker could exploit this vulnerability by generating a large number of TCP connections to ports 5060 or 5061. An exploit could allow the attacker to cause a DoS condition on the affected device. The server must be restarted to clear the condition.

Impact
Successful exploitation of the vulnerability could allow a remote attacker to trigger a memory leak or a DoS condition resulting in the interruption of presence services.

Link: http://tools.cisco.com/…/cisco-sa-20130821-cup
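
Added example (not from the Cisco advisories or the original post): a sliding-window detector for the two SIP-port flood conditions described above, high-rate UDP to port 5060 against Unified CM and large numbers of TCP connections to ports 5060 or 5061 against IM and Presence. The event tuple format, window, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Ports come from the advisories above; window and limits are assumptions to tune.
UDP_SIP_PORTS = {5060}          # Unified CM: high-rate UDP to the SIP port
TCP_SIP_PORTS = {5060, 5061}    # IM and Presence: many TCP connections
WINDOW_S = 10
LIMITS = {"udp": 500, "tcp": 100}   # events per source per window (hypothetical)

def detect_sip_floods(events, window=WINDOW_S, limits=LIMITS):
    """events: time-ordered (ts_seconds, proto, src_ip, dst_ip, dst_port) tuples.
    For tcp, one event per new connection; for udp, one event per packet.
    Returns one (alert_ts, proto, src_ip, dst_ip, dst_port) per offending flow."""
    recent = defaultdict(deque)   # flow key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, proto, src, dst, dport in events:
        ports = UDP_SIP_PORTS if proto == "udp" else TCP_SIP_PORTS if proto == "tcp" else ()
        if dport not in ports:
            continue
        key = (proto, src, dst, dport)
        q = recent[key]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop events older than the window
            q.popleft()
        if len(q) > limits[proto] and key not in alerted:
            alerted.add(key)               # report each flow once
            alerts.append((ts, proto, src, dst, dport))
    return alerts

def sample_events():
    """Constructed sample traffic using documentation addresses, not a real capture."""
    ev = []
    # Normal phone: one UDP SIP packet every 2 s for 60 s.
    ev += [(t, "udp", "192.0.2.10", "198.51.100.5", 5060) for t in range(0, 60, 2)]
    # Flooding source: 200 UDP packets per second for 5 s.
    ev += [(20 + i / 200, "udp", "203.0.113.7", "198.51.100.5", 5060) for i in range(1000)]
    # Connection flood: 30 new TCP connections per second to 5061 for 5 s.
    ev += [(30 + i / 30, "tcp", "203.0.113.9", "198.51.100.6", 5061) for i in range(150)]
    # High-rate UDP to an unrelated port is ignored by this detector.
    ev += [(40 + i / 200, "udp", "203.0.113.7", "198.51.100.5", 53) for i in range(1000)]
    return sorted(ev)

if __name__ == "__main__":
    for alert in detect_sip_floods(sample_events()):
        print(alert)
```

Feed it from flow or firewall logs sorted by time; the per-source limits should sit well above the busiest legitimate SIP peer in the environment.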

Cisco TelePresence System Default Credentials Vulnerability
The vulnerability is due to a default user account being created at installation time. An attacker could exploit this vulnerability by remotely accessing the web server and using the default account credentials. An exploit could allow the attacker to log in with the default credentials, which gives them full administrative rights to the system.

Vulnerable Products
Cisco TelePresence System Series 500-37, 1300, 1X00, 3X00, and 30X0 running Cisco TelePresence System Software Releases 1.8.1 through 1.10.1 are affected by this vulnerability. Cisco TelePresence Series TX 1310, TX 9X00, and CTS 500-32 running Cisco TelePresence System Software Releases 6.0.3 and prior are affected by this vulnerability.

Details
Cisco TelePresence System Software includes a password recovery administrator account that is enabled by default. A remote attacker could use these default credentials over an HTTPS session to modify the system configuration and settings and take full control of the affected system.

Impact
Successful exploitation of this vulnerability could allow a remote attacker to use the default credentials for the password recovery account to modify the system configuration and settings and take full control of the affected system.

Link: http://tools.cisco.com/…/cisco-sa-20130807-tp

OSPF LSA Manipulation Vulnerability in Multiple Cisco Products
Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

Vulnerable Products

The following Cisco Products have an OSPF implementation that is affected by this vulnerability.

Cisco IOS Software: Cisco devices that are running Cisco IOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

Cisco IOS-XE Software: Cisco devices that are running Cisco IOS XE Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. The version of Cisco IOS-XE Software that is running on a Cisco device can be determined using the show version command from the Command Line Interface (CLI).

Cisco Adaptive Security Appliance (ASA), Cisco ASA Service Module (ASA-SM) and Cisco PIX Firewall: Cisco devices that are running Cisco ASA or Cisco PIX Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. The version of software that is running on a Cisco ASA, Cisco ASA-SM or Cisco PIX security appliance can be determined using the show version command from the CLI.

Cisco Firewall Services Module (FWSM): Cisco devices that are running Cisco FWSM Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. The version of software that is running on a Cisco FWSM can be determined using the show version command from the CLI.

Cisco NX-OS Software: Cisco devices that are running Cisco NX-OS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. The version of Cisco NX-OS Software that is running on Cisco Nexus 3000, 5000, 6000 and 7000 series devices can be determined using the show version command from the CLI. Exploiting the vulnerability on a Cisco Nexus device will not affect the local routing table of that device. However, Cisco Nexus devices will install the crafted LSA and propagate it to other devices in the OSPF area. A crafted LSA propagated to other routers that are part of the same OSPF AS may affect the routing tables across the OSPF AS.

Cisco ASR 5000: Cisco devices that are running Cisco StarOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of software that is running on a Cisco ASR 5000 can be determined using the show version command from the CLI.

Impact
Successful exploitation could allow an unauthenticated attacker to take full control of the OSPF AS domain routing table, blackhole traffic, and intercept such traffic. Repeated exploitation could result in a sustained DoS condition.

In order to recover affected systems, administrators can delete the OSPF configuration from the affected device and enable it again. Alternatively, a reload is required to recover affected systems.

Note: Clearing the OSPF process or routing table by issuing commands such as "clear ip ospf process" or "clear ip route" has no effect and cannot be used to recover affected systems.

Link: http://tools.cisco.com/…/cisco-sa-20130801-lsaospf
