May 2011: five Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories:

  • Cisco Content Delivery System Internet Streamer: Web Server Vulnerability
  • Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities
  • Cisco IOS XR Software IP Packet Vulnerability
  • Cisco XR 12000 Series Shared Port Adapters Interface Processor Vulnerability
  • Cisco IOS XR Software SSHv1 Denial of Service Vulnerability

Cisco Content Delivery System Internet Streamer: Web Server Vulnerability
The Cisco Internet Streamer application, part of the Cisco Content Delivery System (Cisco CDS), contains a vulnerability in its web server component that could cause the web server engine to crash when processing specially crafted URLs.

Vulnerable Products
To determine the software version that is running on a Cisco Content Delivery Engine, log in to the device and issue the show version command-line interface (CLI) command to display the system banner. Cisco CDS Internet Streamer software will identify itself as “Content Delivery System Software Release”. On the same line of output, the version number will also be provided.

Details
The Cisco Internet Streamer application provides edge caching, content streaming, and downloads to subscriber IP devices such as PCs. The Cisco Internet Streamer application, part of the Cisco CDS, contains a vulnerability on its web server component that could cause the web server engine to crash when processing specially crafted URLs.
An unauthenticated attacker may be able to exploit this vulnerability to cause a denial of service condition on the web server that is running on the Service Engine. The device will remain operational, and the Web Engine will restart if the attack stops.

Impact
Successful exploitation of the vulnerability may cause the Web Engine of the Cisco Internet Streamer application to crash.
The device will remain operational, and the Web Engine will restart if the attack stops. A sustained attack will prevent the distribution of HTML content to end users.

Link: http://www.cisco.com/../advisory09186a0080b7f18b.shtml

Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities
Cisco RVS4000 4-port Gigabit Security Routers and Cisco WRVS4400N Wireless-N Gigabit Security Routers have several web interface vulnerabilities that can be exploited by a remote, unauthenticated user.

Vulnerable Products
These vulnerabilities affect the following devices running firmware prior to the first fixed release documented in the Software Versions and Fixes section of this advisory:

  • Cisco RVS4000 Gigabit Security Router (v1 and v2)
  • Cisco WRVS4400N Wireless-N Gigabit Security Router (V1.0, V1.1, and V2)

Details
The Cisco RVS4000 and WRVS4400N Gigabit Security Routers deliver high-speed network access and IPsec VPN capabilities for small businesses. They also provides firewall and intrusion prevention capabilities.

The Cisco RVS4000 and WRVS4400N Gigabit Security Routers contain three web management interface vulnerabilities:

  • Retrieval of the configuration file: If an administrator of the device has previously created a backup of the configuration, using Administration –> Backup & Restore –> Backup, it is possible for a remote unauthenticated user to access the backup configuration file. This file contains all configuration parameters of the device, including the HTTP authentication password and VPN pre-shared-keys (PSKs).
  • Root operating system arbitrary command injection by an authenticated attacker: A user who is authenticated to the device can inject arbitrary commands into the underlying operating system with root privileges, via the ping test and traceroute test parameters.
  • Retrieval of admin SSL certificate private key: The admin SSL certificate private and public keys can be retrieved (used for Quick VPN) by a remote unauthenticated user.

Impact
Successful exploitation of the vulnerabilities may result in execution of arbitrary commands on the device by an authenticated user or retrieval of configuration files and private keys by an unauthenticated user. The configuration files contain sensitive information in text, such as the HTTP passwords and PSKs. The retrieval of the certificates may aid in further attacks.

Link: http://www.cisco.com/…/advisory09186a0080b7f190.shtml

Cisco IOS XR Software IP Packet Vulnerability
Cisco IOS XR Software Releases 3.8.3, 3.8.4, and 3.9.1 are affected by a vulnerability that an unauthenticated, remote user can trigger by sending specific IP version 4 (IPv4) packets to or through an affected device.

Vulnerable Products
Cisco IOS XR Software Releases 3.8.3, 3.8.4, and 3.9.1 are affected when they are running on the following Cisco hardware platforms:

  • Cisco ASR 9000 Series Aggregation Services Routers
  • Cisco Carrier Routing System
  • Cisco XR 12000 Series Routers

Details
This vulnerability affects any device that is running affected releases of Cisco IOS XR Software and has an IPv4 address configured on one of the interfaces of a Cisco Line Card or Cisco CRS MSC.

When a Cisco Line Card or Cisco CRS MSC sends a specific IPv4 packet, the NetIO process will restart. If the NetIO process is restarted several times, the Cisco Line Card or Cisco CRS MSC will reload, which could cause a denial of service (DoS) condition for traffic that is transiting the affected line cards.

Although a crash is caused by a packet that originates from the Cisco Line Card or Cisco CRS MSC, an unauthenticated, remote user can trigger the vulnerability by sending specific IP packets to or through the device. In the latter scenario, the Cisco Line Card or Cisco CRS MSC will create the specific IPv4 packet response that triggers the vulnerability

Impact
Successful exploitation of the vulnerability may result in a reload of the Cisco CRS MSC on a Cisco CRS or the line cards on a Cisco 12000 Series Router or Cisco ASR 9000 Series Aggregation Services Router. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/advisory09186a0080b7f18e.shtml

Cisco XR 12000 Series Shared Port Adapters Interface Processor Vulnerability
Cisco IOS XR Software Releases 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.0.1, 4.0.2, and 4.1.0 are affected by a vulnerability that an unauthenticated, remote user could use to trigger a reload of the Shared Port Adapters (SPA) Interface Processor by sending specific IP version 4 (IPv4) packets to an affected device.

Vulnerable Products
This vulnerability affects all Engine 5 Line Cards on the Cisco XR 12000 Series Routers. The engine 5 line cards are the SIP-600, SIP-601, SIP-501, and SIP-401.

Details
This vulnerability affects any device that is running affected releases of Cisco IOS XR Software and has an IPv4 address configured on any of the SPA interface processor interfaces. When the SPA interface processor receives specific IPv4 packets destined for either a network or a network broadcast address of a configured interface, it will reload and produce an error message that is similar to what is shown in the example that follows. Transit traffic through the device does not trigger this vulnerability.

Impact
Successful exploitation of the vulnerability may result in a reloading of the SPA interface processor. Repeated exploitation could result in a sustained denial of service (DoS) condition.

Link: http://www.cisco.com/…/advisory09186a0080b7f191.shtml

Cisco IOS XR Software SSHv1 Denial of Service Vulnerability
Cisco IOS XR Software contains a vulnerability in the SSH application that may result in a denial of service condition when the SSH version 1 (SSHv1) protocol is used. The vulnerability is a result of unremoved sshd_lock files consuming all available space in the /tmp filesystem.

Vulnerable Products
SSHv1 is configured in Cisco IOS XR Software with the configuration command ssh server enable. The device is vulnerable if it is running an affected Cisco IOS XR Software release and has SSHv1 enabled.

The following example shows a device that is running Cisco IOS XR Software that is configured with SSHv1:

(Router)# show running-config | inc ssh
ssh server vrf default

If the command returns “ssh server v2”, then the SSH server is not configured to accept SSHv1 connections and the device is not vulnerable.

Details
This vulnerability affects Cisco IOS XR devices that are running affected software releases and are configured to accept SSHv1 connections. When an SSHv1 connection is made to the SSH server that is running on a Cisco IOS XR device, a file is created in the /tmp directory. This file begins with the text “sshd_lock” and may not be properly removed when the session ends. Multiple connections may consume all available space in the /tmp filesystem and cause the system to crash, leading to a denial of service condition.

Impact
Successful exploitation of this vulnerability may cause the Cisco IOS XR device to crash, resulting in a denial of service condition.

Link: http://www.cisco.com/…/advisory09186a0080b7f18f.shtml

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.