ID

VAR-201011-0225


CVE

CVE-2010-3040


TITLE

Cisco ICM of Setup Manager of agent.exe Vulnerable to stack-based buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2010-003014

DESCRIPTION

Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164. The problem is Bug ID CSCti45698 , CSCti45715 , CSCti45726 ,and CSCti46164 It is a problem.By a third party (1) HandleUpgradeAll , (2) AgentUpgrade , (3) HandleQueryNodeInfoReq , (4) HandleUpgradeTrace TCP Arbitrary code could be executed via overly long parameters in the packet. Authentication is not required to exploit this vulnerability. The flaw exists within the Agent.exe component which listens by default on TCP port 40078. When processing the HandleUpgradeAll packet type an unchecked copy of user supplied data is performed into a stack-based buffer of a controlled size. Successful exploitation of this vulnerability leads to remote code execution under the context of the SYSTEM user. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. ZDI-10-232: Cisco ICM Setup Manager Agent.exe HandleUpgradeAll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-232 November 7, 2010 -- CVE ID: CVE-2010-3040 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Cisco -- Affected Products: Cisco Unified Intelligent Contact Management -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9915. -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-11-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * sb -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Trust: 4.86

sources: NVD: CVE-2010-3040 // JVNDB: JVNDB-2010-003014 // ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // BID: 44699 // VULHUB: VHN-45645 // PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601

AFFECTED PRODUCTS

vendor:ciscomodel:unified intelligent contact managementscope: - version: -

Trust: 2.8

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr1

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr4

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr7

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr9

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr3

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr6

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr10

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr8

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr5

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)_sr2

Trust: 1.6

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr2

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:lteversion:6.0\(0\)a\(1\)

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr5

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)a

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr11

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr12

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)a

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr7

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr13

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr8

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr3

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:6.0\(0\)

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr9

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr10

Trust: 1.0

vendor:ciscomodel:intelligent contact managerscope:eqversion:5.0\(0\)_sr4

Trust: 1.0

vendor:ciscomodel:intelligent contact managementscope:ltversion:7.0

Trust: 0.8

vendor:ciscomodel:unified intelligent contact management enterprisescope:eqversion:6.0

Trust: 0.3

vendor:ciscomodel:unified intelligent contact management enterprisescope:eqversion:5.0

Trust: 0.3

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // BID: 44699 // JVNDB: JVNDB-2010-003014 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2010-3040
value: HIGH

Trust: 2.8

nvd@nist.gov: CVE-2010-3040
value: HIGH

Trust: 1.0

NVD: CVE-2010-3040
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201011-105
value: CRITICAL

Trust: 0.6

VULHUB: VHN-45645
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2010-3040
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 4.6

VULHUB: VHN-45645
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // VULHUB: VHN-45645 // JVNDB: JVNDB-2010-003014 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-45645 // JVNDB: JVNDB-2010-003014 // NVD: CVE-2010-3040

THREAT TYPE

remote

Trust: 1.0

sources: PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601 // CNNVD: CNNVD-201011-105

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201011-105

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-003014

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-45645

PATCH

title:21726url:http://tools.cisco.com/security/center/viewAlert.x?alertId=21726

Trust: 3.6

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // JVNDB: JVNDB-2010-003014

EXTERNAL IDS

db:NVDid:CVE-2010-3040

Trust: 6.0

db:ZDIid:ZDI-10-232

Trust: 2.8

db:ZDIid:ZDI-10-235

Trust: 2.8

db:ZDIid:ZDI-10-234

Trust: 2.8

db:ZDIid:ZDI-10-233

Trust: 2.8

db:BIDid:44699

Trust: 2.0

db:VUPENid:ADV-2010-2914

Trust: 1.7

db:SECUNIAid:42146

Trust: 1.7

db:SECTRACKid:1024693

Trust: 1.7

db:JVNDBid:JVNDB-2010-003014

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-796

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-795

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-794

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-793

Trust: 0.7

db:CNNVDid:CNNVD-201011-105

Trust: 0.7

db:PACKETSTORMid:95601

Trust: 0.2

db:PACKETSTORMid:95603

Trust: 0.2

db:PACKETSTORMid:95608

Trust: 0.2

db:PACKETSTORMid:95602

Trust: 0.2

db:VULHUBid:VHN-45645

Trust: 0.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // VULHUB: VHN-45645 // BID: 44699 // JVNDB: JVNDB-2010-003014 // PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

REFERENCES

url:http://tools.cisco.com/security/center/viewalert.x?alertid=21726

Trust: 5.2

url:http://www.zerodayinitiative.com/advisories/zdi-10-232/

Trust: 2.0

url:http://www.zerodayinitiative.com/advisories/zdi-10-233/

Trust: 2.0

url:http://www.zerodayinitiative.com/advisories/zdi-10-234/

Trust: 2.0

url:http://www.zerodayinitiative.com/advisories/zdi-10-235/

Trust: 2.0

url:http://www.securityfocus.com/bid/44699

Trust: 1.7

url:http://securitytracker.com/id?1024693

Trust: 1.7

url:http://secunia.com/advisories/42146

Trust: 1.7

url:http://www.vupen.com/english/advisories/2010/2914

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3040

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3040

Trust: 0.8

url:http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 0.4

url:http://twitter.com/thezdi

Trust: 0.4

url:http://www.tippingpoint.com

Trust: 0.4

url:http://www.zerodayinitiative.com

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2010-3040

Trust: 0.4

url:http://www.cisco.com/en/us/products/sw/custcosw/ps1001/tsd_products_support_series_home.html

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-10-234

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-10-233

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-10-235

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-10-232

Trust: 0.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // VULHUB: VHN-45645 // BID: 44699 // JVNDB: JVNDB-2010-003014 // PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

CREDITS

sb

Trust: 3.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // BID: 44699

SOURCES

db:ZDIid:ZDI-10-232
db:ZDIid:ZDI-10-235
db:ZDIid:ZDI-10-234
db:ZDIid:ZDI-10-233
db:VULHUBid:VHN-45645
db:BIDid:44699
db:JVNDBid:JVNDB-2010-003014
db:PACKETSTORMid:95603
db:PACKETSTORMid:95602
db:PACKETSTORMid:95608
db:PACKETSTORMid:95601
db:CNNVDid:CNNVD-201011-105
db:NVDid:CVE-2010-3040

LAST UPDATE DATE

2024-11-07T22:38:14.669000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-10-232date:2010-11-07T00:00:00
db:ZDIid:ZDI-10-235date:2010-11-07T00:00:00
db:ZDIid:ZDI-10-234date:2010-11-07T00:00:00
db:ZDIid:ZDI-10-233date:2010-11-07T00:00:00
db:VULHUBid:VHN-45645date:2010-11-10T00:00:00
db:BIDid:44699date:2010-11-07T00:00:00
db:JVNDBid:JVNDB-2010-003014date:2012-03-27T00:00:00
db:CNNVDid:CNNVD-201011-105date:2010-11-11T00:00:00
db:NVDid:CVE-2010-3040date:2010-11-10T15:26:10.980

SOURCES RELEASE DATE

db:ZDIid:ZDI-10-232date:2010-11-07T00:00:00
db:ZDIid:ZDI-10-235date:2010-11-07T00:00:00
db:ZDIid:ZDI-10-234date:2010-11-07T00:00:00
db:ZDIid:ZDI-10-233date:2010-11-07T00:00:00
db:VULHUBid:VHN-45645date:2010-11-09T00:00:00
db:BIDid:44699date:2010-11-07T00:00:00
db:JVNDBid:JVNDB-2010-003014date:2012-03-27T00:00:00
db:PACKETSTORMid:95603date:2010-11-08T23:35:44
db:PACKETSTORMid:95602date:2010-11-08T23:35:31
db:PACKETSTORMid:95608date:2010-11-08T23:45:11
db:PACKETSTORMid:95601date:2010-11-08T23:34:24
db:CNNVDid:CNNVD-201011-105date:2010-11-11T00:00:00
db:NVDid:CVE-2010-3040date:2010-11-09T21:00:03.693