Details of VAR-201011-0225

ID

VAR-201011-0225

CVE

CVE-2010-3040

TITLE

Cisco ICM of Setup Manager of agent.exe Vulnerable to stack-based buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2010-003014

DESCRIPTION

Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164. The problem is Bug ID CSCti45698 , CSCti45715 , CSCti45726 ,and CSCti46164 It is a problem.By a third party (1) HandleUpgradeAll , (2) AgentUpgrade , (3) HandleQueryNodeInfoReq , (4) HandleUpgradeTrace TCP Arbitrary code could be executed via overly long parameters in the packet. Authentication is not required to exploit this vulnerability. The flaw exists within the Agent.exe component which listens by default on TCP port 40078. When processing the HandleUpgradeAll packet type an unchecked copy of user supplied data is performed into a stack-based buffer of a controlled size. Successful exploitation of this vulnerability leads to remote code execution under the context of the SYSTEM user. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. ZDI-10-232: Cisco ICM Setup Manager Agent.exe HandleUpgradeAll Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-232 November 7, 2010 -- CVE ID: CVE-2010-3040 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Cisco -- Affected Products: Cisco Unified Intelligent Contact Management -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9915. -- Vendor Response: Cisco has issued an update to correct this vulnerability. More details can be found at: http://tools.cisco.com/security/center/viewAlert.x?alertId=21726 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-11-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * sb -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Trust: 4.86

sources: NVD: CVE-2010-3040 // JVNDB: JVNDB-2010-003014 // ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // BID: 44699 // VULHUB: VHN-45645 // PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601

AFFECTED PRODUCTS

vendor:	cisco	model:	unified intelligent contact management	scope:	-	version:	-	Trust: 2.8
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr1	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr4	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr7	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr9	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr3	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr6	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr10	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr8	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr5	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)_sr2	Trust: 1.6
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr2	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	lte	version:	6.0\(0\)a\(1\)	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr5	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)a	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr11	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr12	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)a	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr7	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr13	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr8	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr3	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	6.0\(0\)	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr9	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr10	Trust: 1.0
vendor:	cisco	model:	intelligent contact manager	scope:	eq	version:	5.0\(0\)_sr4	Trust: 1.0
vendor:	cisco	model:	intelligent contact management	scope:	lt	version:	7.0	Trust: 0.8
vendor:	cisco	model:	unified intelligent contact management enterprise	scope:	eq	version:	6.0	Trust: 0.3
vendor:	cisco	model:	unified intelligent contact management enterprise	scope:	eq	version:	5.0	Trust: 0.3

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // BID: 44699 // JVNDB: JVNDB-2010-003014 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2010-3040
value:	HIGH
Trust: 2.8
nvd@nist.gov:	CVE-2010-3040
value:	HIGH
Trust: 1.0
NVD:	CVE-2010-3040
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201011-105
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-45645
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2010-3040
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 4.6
VULHUB:	VHN-45645
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // VULHUB: VHN-45645 // JVNDB: JVNDB-2010-003014 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-45645 // JVNDB: JVNDB-2010-003014 // NVD: CVE-2010-3040

THREAT TYPE

remote

Trust: 1.0

sources: PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601 // CNNVD: CNNVD-201011-105

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201011-105

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-003014

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-45645

PATCH

title:

21726

url:

http://tools.cisco.com/security/center/viewAlert.x?alertId=21726

Trust: 3.6

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // JVNDB: JVNDB-2010-003014

EXTERNAL IDS

db:	NVD	id:	CVE-2010-3040	Trust: 6.0
db:	ZDI	id:	ZDI-10-232	Trust: 2.8
db:	ZDI	id:	ZDI-10-235	Trust: 2.8
db:	ZDI	id:	ZDI-10-234	Trust: 2.8
db:	ZDI	id:	ZDI-10-233	Trust: 2.8
db:	BID	id:	44699	Trust: 2.0
db:	VUPEN	id:	ADV-2010-2914	Trust: 1.7
db:	SECUNIA	id:	42146	Trust: 1.7
db:	SECTRACK	id:	1024693	Trust: 1.7
db:	JVNDB	id:	JVNDB-2010-003014	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-796	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-795	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-794	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-793	Trust: 0.7
db:	CNNVD	id:	CNNVD-201011-105	Trust: 0.7
db:	PACKETSTORM	id:	95601	Trust: 0.2
db:	PACKETSTORM	id:	95603	Trust: 0.2
db:	PACKETSTORM	id:	95608	Trust: 0.2
db:	PACKETSTORM	id:	95602	Trust: 0.2
db:	VULHUB	id:	VHN-45645	Trust: 0.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // VULHUB: VHN-45645 // BID: 44699 // JVNDB: JVNDB-2010-003014 // PACKETSTORM: 95603 // PACKETSTORM: 95602 // PACKETSTORM: 95608 // PACKETSTORM: 95601 // CNNVD: CNNVD-201011-105 // NVD: CVE-2010-3040

REFERENCES

url:	http://tools.cisco.com/security/center/viewalert.x?alertid=21726	Trust: 5.2
url:	http://www.zerodayinitiative.com/advisories/zdi-10-232/	Trust: 2.0
url:	http://www.zerodayinitiative.com/advisories/zdi-10-233/	Trust: 2.0
url:	http://www.zerodayinitiative.com/advisories/zdi-10-234/	Trust: 2.0
url:	http://www.zerodayinitiative.com/advisories/zdi-10-235/	Trust: 2.0
url:	http://www.securityfocus.com/bid/44699	Trust: 1.7
url:	http://securitytracker.com/id?1024693	Trust: 1.7
url:	http://secunia.com/advisories/42146	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2010/2914	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3040	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3040	Trust: 0.8
url:	http://www.zerodayinitiative.com/advisories/disclosure_policy/	Trust: 0.4
url:	http://twitter.com/thezdi	Trust: 0.4
url:	http://www.tippingpoint.com	Trust: 0.4
url:	http://www.zerodayinitiative.com	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2010-3040	Trust: 0.4
url:	http://www.cisco.com/en/us/products/sw/custcosw/ps1001/tsd_products_support_series_home.html	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-10-234	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-233	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-235	Trust: 0.1
url:	http://www.zerodayinitiative.com/advisories/zdi-10-232	Trust: 0.1

CREDITS

Trust: 3.1

sources: ZDI: ZDI-10-232 // ZDI: ZDI-10-235 // ZDI: ZDI-10-234 // ZDI: ZDI-10-233 // BID: 44699

SOURCES

db:	ZDI	id:	ZDI-10-232
db:	ZDI	id:	ZDI-10-235
db:	ZDI	id:	ZDI-10-234
db:	ZDI	id:	ZDI-10-233
db:	VULHUB	id:	VHN-45645
db:	BID	id:	44699
db:	JVNDB	id:	JVNDB-2010-003014
db:	PACKETSTORM	id:	95603
db:	PACKETSTORM	id:	95602
db:	PACKETSTORM	id:	95608
db:	PACKETSTORM	id:	95601
db:	CNNVD	id:	CNNVD-201011-105
db:	NVD	id:	CVE-2010-3040

LAST UPDATE DATE

2024-09-15T23:12:47.488000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-10-232	date:	2010-11-07T00:00:00
db:	ZDI	id:	ZDI-10-235	date:	2010-11-07T00:00:00
db:	ZDI	id:	ZDI-10-234	date:	2010-11-07T00:00:00
db:	ZDI	id:	ZDI-10-233	date:	2010-11-07T00:00:00
db:	VULHUB	id:	VHN-45645	date:	2010-11-10T00:00:00
db:	BID	id:	44699	date:	2010-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2010-003014	date:	2012-03-27T00:00:00
db:	CNNVD	id:	CNNVD-201011-105	date:	2010-11-11T00:00:00
db:	NVD	id:	CVE-2010-3040	date:	2010-11-10T15:26:10.980

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-10-232	date:	2010-11-07T00:00:00
db:	ZDI	id:	ZDI-10-235	date:	2010-11-07T00:00:00
db:	ZDI	id:	ZDI-10-234	date:	2010-11-07T00:00:00
db:	ZDI	id:	ZDI-10-233	date:	2010-11-07T00:00:00
db:	VULHUB	id:	VHN-45645	date:	2010-11-09T00:00:00
db:	BID	id:	44699	date:	2010-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2010-003014	date:	2012-03-27T00:00:00
db:	PACKETSTORM	id:	95603	date:	2010-11-08T23:35:44
db:	PACKETSTORM	id:	95602	date:	2010-11-08T23:35:31
db:	PACKETSTORM	id:	95608	date:	2010-11-08T23:45:11
db:	PACKETSTORM	id:	95601	date:	2010-11-08T23:34:24
db:	CNNVD	id:	CNNVD-201011-105	date:	2010-11-11T00:00:00
db:	NVD	id:	CVE-2010-3040	date:	2010-11-09T21:00:03.693