VARIoT IoT vulnerabilities database

The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 has a default administrative password (aka SAPassword) of W2402, which makes it easier for remote attackers to obtain privileged access. The Cisco DPC2100 is a small cable modem

Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. The problem is Bug ID : CSCtb83495 It is a problem.Access rights may be obtained by a third party. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are affected by all vulnerabilities listed in this security advisory. This table provides information about affected software releases: +---------------------------------------+ | Cisco Bug | Affects Software | | ID | Releases | |-------------+-------------------------| | CSCtb83495 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83607 | 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83618 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83631 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83505 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83512 | 1.5.1, 2.2, 3.0.8 | +---------------------------------------+ Vulnerable Products +------------------ Users can determine the version of the Mediator Framework running on a device by logging into the device. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE-----

Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The problem is Bug ID : CSCtb83495 It is a problem.Access rights may be obtained by a third party. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. Remote attackers can easily gain access. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are affected by all vulnerabilities listed in this security advisory. This table provides information about affected software releases: +---------------------------------------+ | Cisco Bug | Affects Software | | ID | Releases | |-------------+-------------------------| | CSCtb83495 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83607 | 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83618 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83631 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83505 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83512 | 1.5.1, 2.2, 3.0.8 | +---------------------------------------+ Vulnerable Products +------------------ Users can determine the version of the Mediator Framework running on a device by logging into the device. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Cisco Network Building Mediator Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39904 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39904/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 RELEASE DATE: 2010-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/39904/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39904/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Network Building Mediator, which can be exploited by malicious users to gain escalated privileges and by malicious people to gain knowledge of sensitive information. 2) Certain sensitive information (e.g. credentials) is passed via HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a third party. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Mediator Framework 2.2 before 2.2.1.dev.1 and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges, via a (1) HTTP or (2) HTTPS request, aka Bug ID CSCtb83607. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. This issue is tracked by Cisco Bug ID CSCtb83607. An authenticated attacker can exploit this issue to read and modify configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected computer or aid in further attacks. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. Additionally, this vulnerability can be exploited to reload the affected device. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Cisco Network Building Mediator Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39904 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39904/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 RELEASE DATE: 2010-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/39904/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39904/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Network Building Mediator, which can be exploited by malicious users to gain escalated privileges and by malicious people to gain knowledge of sensitive information. 2) Certain sensitive information (e.g. credentials) is passed via HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a third party. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges or cause a denial of service (device reload), via a (1) XML RPC or (2) XML RPC over HTTPS request, aka Bug ID CSCtb83618. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. This issue is tracked by Cisco Bug ID CSCtb83618. An authenticated attacker can exploit this issue to read and modify configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected device. In addition, attackers can leverage this issue to cause the device to reload; successive attacks will result in a prolonged denial-of-service. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Cisco Network Building Mediator Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39904 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39904/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 RELEASE DATE: 2010-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/39904/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39904/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Network Building Mediator, which can be exploited by malicious users to gain escalated privileges and by malicious people to gain knowledge of sensitive information. 2) Certain sensitive information (e.g. credentials) is passed via HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a third party. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt XML RPC sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83505. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The problem is Bug ID : CSCtb83505 It is a problem.Intercepted by a third party Administrator Authentication information may be overlooked. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. An attacker can exploit this issue to obtain sensitive information that may lead to further attacks and possibly a full compromise of the affected device. This issue is tracked by Cisco Bug ID CSCtb83618. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. Additionally, this vulnerability can be exploited to reload the affected device. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Cisco Network Building Mediator Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39904 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39904/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 RELEASE DATE: 2010-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/39904/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39904/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Network Building Mediator, which can be exploited by malicious users to gain escalated privileges and by malicious people to gain knowledge of sensitive information. 2) Certain sensitive information (e.g. credentials) is passed via HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a third party. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt HTTP sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83631. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The problem is Bug ID : CSCtb83631 Problem.Network intercepted by a third party Administrator May be able to find your credentials. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Attackers can perform attacks and read configuration files via XML RPC or XML RCP over the HTTPS protocol. An attacker can exploit this issue to obtain sensitive information that may lead to further attacks and possibly a full compromise of the affected device. This issue is tracked by Cisco Bug ID CSCtb83631. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. Additionally, this vulnerability can be exploited to reload the affected device. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Cisco Network Building Mediator Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39904 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39904/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 RELEASE DATE: 2010-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/39904/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39904/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Network Building Mediator, which can be exploited by malicious users to gain escalated privileges and by malicious people to gain knowledge of sensitive information. 2) Certain sensitive information (e.g. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not properly restrict network access to an unspecified configuration file, which allows remote attackers to read passwords and unspecified other account details via a (1) XML RPC or (2) XML RPC over HTTPS session, aka Bug ID CSCtb83512. Cisco Network Building Mediator (NBM) products are affected by multiple vulnerabilities that could allow an attacker to gain control of a vulnerable device or to cause a denial of service. The Cisco Network Building Mediator is a smart, interconnected building solution that intelligently interconnects and operates heating, ventilation and cooling systems (HVAC), lighting, power, security, and renewable energy systems over IP networks. There are several security vulnerabilities in Cisco Network Building Mediator, as follows: - Default Authentication Credentials (CVE-2010-0595): Multiple predefined users on the device, including administrator user accounts using default authentication information, any network access device Users can log in to the control system as an administrator.-Privilege Escalation (CVE-2010-0596, CVE-2010-0597): Vulnerability allows unauthorized users to read and modify device configurations, malicious users must be able to successfully authenticate, but do not require administrator privileges Or modify the device configuration if you know the administrator to verify the credentials. Both vulnerabilities need to be attacked via HTTP or HTTPS transport protocol. In addition, Cisco bug ID CSCtb83618 (CVE-2010-0597) vulnerability can be used for heavy-duty devices, continuous exploitation of vulnerabilities Can lead to denial of service attacks. - Unauthorized information interception (CVE-2010-0598, CVE-2010-0599): Operator workstation Cisco Network Building Mediator did not protect unauthorized interception of sessions, malicious users could intercept sessions, obtain arbitrary authentication information, and use this information to control devices. CVE-2010-0598 related vulnerabilities allow malicious users to intercept HTTP session access The administrator verifies the credentials. CVE-2010-0599 related vulnerabilities allow malicious users to intercept XML RPC session access administrator authentication credentials. - Unauthorized Information Access (CVE-2010-0600): Malicious users can read system configuration files, configuration files Contains user account information, including passwords. Information obtained will allow attackers to gain administrative access to the affected device. This issue is being tracked by Cisco Bugid CSCtb83512. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities: * Default credentials * Privilege escalation * Unauthorized information interception * Unauthorized information access Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are available. All Mediator Framework software releases prior to 3.1.1 are affected by all vulnerabilities listed in this security advisory. This table provides information about affected software releases: +---------------------------------------+ | Cisco Bug | Affects Software | | ID | Releases | |-------------+-------------------------| | CSCtb83495 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83607 | 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83618 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83631 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83505 | 1.5.1, 2.2, 3.0.8 | |-------------+-------------------------| | CSCtb83512 | 1.5.1, 2.2, 3.0.8 | +---------------------------------------+ Vulnerable Products +------------------ Users can determine the version of the Mediator Framework running on a device by logging into the device. After a successful login, the device will display the version of Mediator Framework running on the device. This ability enables the Cisco Network Building Mediator to perform any-to-any protocol translation and to provide information to the end user in a uniform presentation. These vulnerabilities are independent of each other. Default credentials +------------------ Default credentials are assigned for several predefined user accounts on the device including the administrative user account. * CSCtb83495 ( registered customers only) has been assigned the CVE identifier CVE-2010-0595. * CSCtb83607 ( registered customers only) (registered customers only) has been assigned the CVE identifier CVE-2010-0596. This vulnerability could enable any user to read and modify device configuration. * CSCtb83618 ( registered customers only) has been assigned the CVE identifier CVE-2010-0597. Additionally, this vulnerability can be exploited to reload the affected device. A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device. * CSCtb83631 ( registered customers only) has been assigned CVE identifier CVE-2010-0598. * CSCtb83505 ( registered customers only) has been assigned CVE identifier CVE-2010-0599. * CSCtb83512 ( registered customers only) has been assigned CVE identifier CVE-2010-0600. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCtb83495 - Default credentials present on the system CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83607 - Privilege escalation possible over HTTP protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83618 - Privilege escalation possible over XML RPC protocol CVSS Base Score - 9 Access Vector Network Access Complexity Low Authentication Single Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.4 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83631 - Possible intercept of unencrypted HTTP sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83505 - Possible intercept of unencrypted XML RPC sessions CVSS Base Score - 9.3 Access Vector Network Access Complexity Medium Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 7.7 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed CSCtb83512 - Access to sensitive information over XML RPC CVSS Base Score - 10 Access Vector Network Access Complexity Low Authentication None Confidentiality Impact Complete Integrity Impact Complete Availability Impact Complete CVSS Temporal Score - 8.3 Exploitability Functional Remediation Level Official Fix Report Confidence Confirmed Impact ====== Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table below names a Mediator Framework software release. If a given software release is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. Cisco recommends upgrading to the latest available release where possible. All vulnerabilities are fixed in Mediator Framework release 3.1.1 and above. Mediator Framework release 3.1.1 is the recommended migration path for all Mediator Framework releases. Vulnerabilities do not affect Mediator Operating Environment. To obtain fixed 1.5.1 and 2.2 Mediator Framework software and configTOOL version 3.1.0b1 contact Cisco TAC. Privilege escalation +------------------- There are no workarounds for these vulnerabilities. Unauthorized information interception +------------------------------------ The following workaround is applicable only to the vulnerability related to HTTP protocol. There is no workaround for the vulnerability that affects XML RPC service. The HTTPS service is enabled and running by default and no further actions are needed to enable it. The HTTP service can be disabled with configTOOL. Inside the Node tree pane, expand theservices tab, and then expand tab the network tab. Click the http_server tab, and then click the Enabled to uncheck it. Unauthorized information access +------------------------------ There is no workaround for this vulnerability. In the following examples it is assumed that the operator console has IP address 192.0.2.1. The 192.0.2.1 address must be changed to match the IP address used by the designated operator console. The following code must be entered on the console. Please refer to section 2.4 in the user guide at http://www.cisco.com/en/US/docs/security/physical_security/cnbm/User/guide/CNBM__UG.pdf for information on how to connect to the serial port using hyper-terminal. # The following rule establishes a default policy for INPUT rule chain. # The default policy is to drop all packets unless they are explicitly # permitted by a rule in the INPUT chain iptables -P INPUT DROP # This rule will allow all traffic from operator console with # IP address of 192.0.2.1 to the Cisco NBM # # Change 192.0.2.1 to match IP address used by your operators console. iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT # Repeat the previous command if you have more than one operator console. # Increment the number after the "INPUT" keyword for each console you # are adding. # # This command will allow second operator console with IP address # of 192.0.2.2 to access the Cisco NBM iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT When applying rules form the above example care must be taken to allow access to ports or protocols that are used by sensors and other devices deployed in the system that are monitored and controlled by the Cisco Network Building Mediator. Failure to do so will break connectivity to these sensors and devices. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100526-mediator.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-May-26 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (Darwin) iEYEARECAAYFAkv9S00ACgkQ86n/Gc8U/uDJRQCcCCww9H/6P7BHqAZ9k29Tq4hj EWQAn3eEfS/iAcbfn5ERow7JQO4QmnPg =bCsA -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Cisco Network Building Mediator Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA39904 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39904/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 RELEASE DATE: 2010-05-27 DISCUSS ADVISORY: http://secunia.com/advisories/39904/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39904/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39904 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been reported in Cisco Network Building Mediator, which can be exploited by malicious users to gain escalated privileges and by malicious people to gain knowledge of sensitive information. 2) Certain sensitive information (e.g. credentials) is passed via HTTP and XML-RPC over HTTP and may, therefore, be intercepted by a third party. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100526-mediator.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

U.S.Robotics USR5463 is a popular router device in foreign countries. The application device does not properly perform any legal verification of the request, allowing the user to perform partial management operations through HTTP requests. If you build malicious parameters passed to the /cgi-bin/setup_ddns.exe script and entice the user to click, you can change the device configuration and more. U.S.Robotics USR5463 firmware is prone to a cross-site request-forgery vulnerability. Successful exploits may allow attackers to perform unauthorized actions on the affected device in the context of a logged-in user. This may allow attackers to gain access to or modify sensitive information and perform HTML-injection attacks. U.S.Robotics USR5463 firmware versions 0.01 through 0.06 are vulnerable. ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: USR5463 802.11g Wireless Router Cross-Site Request Forgery SECUNIA ADVISORY ID: SA39889 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39889/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39889 RELEASE DATE: 2010-05-25 DISCUSS ADVISORY: http://secunia.com/advisories/39889/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39889/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39889 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: David K. has reported a vulnerability in the USR5463 802.11g Wireless Router, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited to e.g. conduct script insertion attacks via specially crafted parameters passed to the /cgi-bin/setup_ddns.exe script. SOLUTION: Do not browse untrusted websites or follow untrusted links while logged-in to the device. PROVIDED AND/OR DISCOVERED BY: David K. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web interface in McAfee Email Gateway (formerly IronMail) 6.7.1 allows remote authenticated users, with only Read privileges, to gain Write privileges to modify configuration via the save action in a direct request to admin/systemWebAdminConfig.do. Secure Mail is prone to a remote security vulnerability. ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: McAfee Email Gateway Web Access Security Bypass Vulnerability SECUNIA ADVISORY ID: SA39881 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39881/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39881 RELEASE DATE: 2010-05-24 DISCUSS ADVISORY: http://secunia.com/advisories/39881/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39881/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39881 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Nahuel Grisol\xeda has reported a vulnerability in McAfee Email Gateway, which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to the Web Access interface performing insufficient checks for requests received from unprivileged users. This can be exploited by a user without write privileges to make configuration changes and e.g. add an administrative user. The vulnerability is reported in version 6.7.1. Other versions may also be affected. SOLUTION: Restrict access to the Web Access console to trusted users only. PROVIDED AND/OR DISCOVERED BY: Nahuel Grisol\xeda, Cybsec ORIGINAL ADVISORY: Cybsec: http://www.cybsec.com/vuln/cybsec_advisory_2010_0501_Ironmail_Advisory_Web_Access_Broken.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl. The Cisco DPC2100R2 is a cable TV CABLE MODEM. - Cross-site request forgery attacks. Multiple functions provided by the WEB interface cannot establish a session correctly and restrict access by authorized users. - The Cisco DPC2100R2 device has access control mechanisms of 0-2 (some devices are 0-3). Due to the lack of proper checking for some operations that require authorization, the attacker submits a specially constructed POST request without any verification reset. Equipment and installation of new software. Other attacks are also possible. Firmware versions prior to 2.0.2.r1256-100324as are vulnerable. \xa0Testing was performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303. 1. \xa0An attacker may create a malicious website that, when visited by a victim, updates these settings on the victim's modem on the victim's behalf without their authorization or need for any additional user interaction. \xa0This issue has been assigned CVE-2010-2025. 2. Insufficient authentication. The modem's access control scheme, which has levels numbered from 0-2 (or 0-3 on some other models), is not properly checked before performing operations that should require authentication, including resetting the modem and installing new firmware. The modem requires the proper access level to access web interface pages containing forms that allow a user to perform these actions, but does not properly authenticate the pages that actually carry out these actions. By sending a POST request directly to these pages, these actions may be performed without any authentication. Attacks may be performed by an attacker on the local network or by leveraging the CSRF vulnerability. This issue has been assigned CVE-2010-2026. ==Identifying Vulnerable Installations== Most home installations of this modem will feature a web interface that is accessible at "http://192.168.100.1". \xa0The following proof-of-concept code may be used to test for vulnerability. \xa0It leverages the CSRF vulnerability to change the access level of your modem to the most restrictive settings (a harmless action). \xa0If your modem is vulnerable, then you will be presented with a message stating that your settings have been successfully updated. \xa0If you are greeted with a page stating there was a "Password confirmation error", then your modem password has been changed from the default but you are still vulnerable. \xa0If you are greeted with an HTTP authentication form or other message, then your model is not vulnerable. <html> <head> <title>Test for CSRF vulnerability in WebSTAR modems</title> </head> <body> <form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl"> <input type="hidden" name="SAAccessLevel" value="0"> <input type="hidden" name="SAPassword" value="W2402"> </form> <script>document.csrf.submit()</script> </body> </html> ==Solution== In most cases, home users will be unable to update vulnerable firmware without assistance from their cable providers. \xa0For the DPC2100R2 modems, the latest version string is dpc2100R2-v202r1256-100324as. To prevent exploitation of CSRF vulnerabilities, users are always encouraged to practice safe browsing habits and avoid visiting unknown or untrusted websites. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com). Thanks to Matthew Bergin for suggesting I should look at cable modems. ==Timeline== 1/26/10 - Vulnerability reported to Cisco 1/26/10 - Response, issue assigned internal tracking number 2/26/10 - Status update requested 2/26/10 - Response 5/15/10 - Status update requested 5/17/10 - Response, confirmation that newest firmware resolves issues 5/17/10 - Disclosure date set 5/24/10 - Disclosure ==References== CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these issues

The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allows remote attackers to bypass authentication, and reset the modem or replace the firmware, via a direct request to an unspecified page. The Cisco DPC2100R2 is a cable TV CABLE MODEM. - Cross-site request forgery attacks. Multiple functions provided by the WEB interface cannot establish a session correctly and restrict access by authorized users. The attacker builds a malicious WEB site, entice the user to click, and can be authorized to change the administrator password, reset the device, install new firmware, and so on. - The Cisco DPC2100R2 device has access control mechanisms of 0-2 (some devices are 0-3). Due to the lack of proper checking for some operations that require authorization, the attacker submits a specially constructed POST request without any verification reset. Equipment and installation of new software. Cisco DPC2100 (formerly Scientific Atlanta DPC2100) is prone to multiple security-bypass and cross-site request-forgery vulnerabilities. Other attacks are also possible. Firmware versions prior to 2.0.2.r1256-100324as are vulnerable. \xa0Testing was performed on a DPC2100R2 modem, with firmware v2.0.2r1256-060303. 1. \xa0An attacker may create a malicious website that, when visited by a victim, updates these settings on the victim's modem on the victim's behalf without their authorization or need for any additional user interaction. \xa0This issue has been assigned CVE-2010-2025. 2. Insufficient authentication. The modem's access control scheme, which has levels numbered from 0-2 (or 0-3 on some other models), is not properly checked before performing operations that should require authentication, including resetting the modem and installing new firmware. The modem requires the proper access level to access web interface pages containing forms that allow a user to perform these actions, but does not properly authenticate the pages that actually carry out these actions. By sending a POST request directly to these pages, these actions may be performed without any authentication. Attacks may be performed by an attacker on the local network or by leveraging the CSRF vulnerability. This issue has been assigned CVE-2010-2026. ==Identifying Vulnerable Installations== Most home installations of this modem will feature a web interface that is accessible at "http://192.168.100.1". \xa0The following proof-of-concept code may be used to test for vulnerability. \xa0It leverages the CSRF vulnerability to change the access level of your modem to the most restrictive settings (a harmless action). \xa0If your modem is vulnerable, then you will be presented with a message stating that your settings have been successfully updated. \xa0If you are greeted with a page stating there was a "Password confirmation error", then your modem password has been changed from the default but you are still vulnerable. \xa0If you are greeted with an HTTP authentication form or other message, then your model is not vulnerable. <html> <head> <title>Test for CSRF vulnerability in WebSTAR modems</title> </head> <body> <form name="csrf" method="post" action="http://192.168.100.1/goform/_aslvl"> <input type="hidden" name="SAAccessLevel" value="0"> <input type="hidden" name="SAPassword" value="W2402"> </form> <script>document.csrf.submit()</script> </body> </html> ==Solution== In most cases, home users will be unable to update vulnerable firmware without assistance from their cable providers. \xa0For the DPC2100R2 modems, the latest version string is dpc2100R2-v202r1256-100324as. To prevent exploitation of CSRF vulnerabilities, users are always encouraged to practice safe browsing habits and avoid visiting unknown or untrusted websites. ==Credits== These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg@gmail.com). Thanks to Matthew Bergin for suggesting I should look at cable modems. ==Timeline== 1/26/10 - Vulnerability reported to Cisco 1/26/10 - Response, issue assigned internal tracking number 2/26/10 - Status update requested 2/26/10 - Response 5/15/10 - Status update requested 5/17/10 - Response, confirmation that newest firmware resolves issues 5/17/10 - Disclosure date set 5/24/10 - Disclosure ==References== CVE identifiers CVE-2010-2025 and CVE-2010-2026 have been assigned to these issues

Multiple integer overflows in src/image.c in Ziproxy before 3.0.1 allow remote attackers to execute arbitrary code via (1) a large JPG image, related to the jpg2bitmap function or (2) a large PNG image, related to the png2bitmap function, leading to heap-based buffer overflows. Ziproxy is a forwarded, non-cached, compressed HTTP proxy server. Ziproxy can compress images into low quality JPEG files or JPEG 2000 and compress (gzip or) HTML and other text-like data. Ziproxy has an integer overflow, and a remote attacker can exploit the vulnerability to execute arbitrary instructions with application privileges. Ziproxy is prone to multiple integer-overflow vulnerabilities because it fails to properly validate user-supplied data. Failed exploit attempts will likely result in denial-of-service conditions. Ziproxy 3.0 is vulnerable; other versions may also be affected. ====================================================================== Secunia Research 24/05/2010 - Ziproxy Two Integer Overflow Vulnerabilities - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * Ziproxy 3.0.0 NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: Remote ====================================================================== 3) Vendor's Description of Software "Ziproxy is forwarding, non-caching, compressing HTTP proxy server. Product Link: http://ziproxy.sourceforge.net/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered two vulnerabilities in Ziproxy, which can be exploited by malicious people to compromise a vulnerable system. ====================================================================== 5) Solution Update to version 3.0.1. ====================================================================== 6) Time Table 19/05/2010 - Vendor notified. 19/05/2010 - Vendor response. 20/05/2010 - Vendor issues fixed version. 24/05/2010 - Public disclosure. ====================================================================== 7) Credits Discovered by Stefan Cornelius, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-1513 for the vulnerabilities. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2010-75/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Stay Compliant Alerts, Technical Descriptions, PoC, Links to patches, CVSS, CVE, Changelogs, Alternative Remediation Strategies, and much more provided in the Secunia Vulnerability Intelligence solutions Free Trial http://secunia.com/products/corporate/evm/trial/ ---------------------------------------------------------------------- TITLE: Ziproxy Two Integer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA39941 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/39941/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=39941 RELEASE DATE: 2010-05-25 DISCUSS ADVISORY: http://secunia.com/advisories/39941/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/39941/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=39941 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Secunia Research has discovered some vulnerabilities in Ziproxy, which can be exploited by malicious people to compromise a vulnerable system. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-75/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Rumba FTP client ActiveX control is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Successful exploits may allow an attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions. The issue affects Rumba FTP client version 4.2.0.0.

Vulnerability Introduction: IIS is a webserver launched by Microsoft. It is widely used. It supports ASP/asp.net and supports other languages such as PHP. However, 80sec found that there is a serious security problem in the higher version of IIS. According to the default configuration provided on the network, the server may leak the server-side script source code, or it may mistakenly use any type of file in PHP mode. Parsing, so that a malicious attacker may compromise the IIS server that supports PHP, especially the virtual host user may be affected. Vulnerability Analysis: IIS supports running PHP in CGI mode, but in this mode, IIS processing requests may cause some of the same problems as the nginx security vulnerabilities mentioned in 80sec. Any user can remotely use any type of file as PHP. The way to parse, you can see the way PHP supports in Phpinfo, which may be the problem if it is CGI/FAST-CGI.

U.S.Robotics USR5463 is a popular router device in foreign countries. The 'setup_ddns.exe' script included in USRobotics USR5463 firmware does not handle user input correctly. Remote attackers can exploit vulnerabilities for cross-site scripting attacks. After enticing the target users to view, they can obtain sensitive information such as COOKIE and hijack the target user session. U.S.Robotics USR5463 firmware is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. U.S.Robotics firmware USR5463 0.06 is vulnerable

Nginx is a high-performance web server that is widely used. It is not only often used as a reverse proxy, but also very well supported for PHP. 80sec found that there is a more serious security problem. By default, any type of file may be parsed in PHP by server error. The attacker can execute arbitrary PHP code with WEB permission. Nginx supports php running by default in cgi mode, such as location ~ \\.php$ {root html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;include fastcgi_params; The } method supports the parsing of php. When the location selects the request, it uses the URI environment variable to select. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by the $fastcgi_script_name generated by nginx, and the analysis can be seen by $fastcgi_script_name It is directly controlled by the URI environment variable, here is the point where the problem occurs. In order to better support the extraction of PATH_INFO, the cgi.fix_pathinfo option exists in the PHP configuration options, the purpose is to extract the real script name from SCRIPT_FILENAME. So suppose there is a http://www.80sec.com/80sec.jpg, you can visit http://www.80sec.com/80sec.jpg/80sec.php in the following way. nginx is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. The issue affects nginx 0.6.36 and prior

The D-Link DI-724P+ is a wireless router device. In the device management WEB interface, under the \"wireless\" tab, the script can be injected from the GET string. By injecting arbitrary HTML and malicious script code, it can be executed on the target user's browser. The affected URL is: http://192.168.0.1/wlap.htm. D-Link DI-724P+ router is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting this issue may allow an attacker to execute HTML and script code in the context of the device, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible

IncrediMail is an email mail client. The ImShExtU.dll ActiveX control included with IncrediMail does not properly filter the input parameters submitted to the DoWebMenuAction() method. Submitting a long string can trigger a stack-based buffer overflow. An attacker could build a malicious web page to entice a user to access the vulnerability.

Hitachi Web Server is prone to a denial-of-service vulnerability when it is configured to use Secure Sockets Layer (SSL). Attackers can exploit this issue to cause denial-of-service conditions by sending malformed packets to an affected server. ---------------------------------------------------------------------- Secunia CSI integrated with Microsoft WSUS and Microsoft SCCM for 3rd party Patch Management Free webinars http://secunia.com/vulnerability_scanning/corporate/webinars/ ---------------------------------------------------------------------- TITLE: Hitachi Web Server SSL Denial of Service Vulnerability SECUNIA ADVISORY ID: SA40066 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40066/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40066 RELEASE DATE: 2010-06-04 DISCUSS ADVISORY: http://secunia.com/advisories/40066/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40066/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40066 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged a vulnerability in Hitachi Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error within the SSL function when receiving an invalid packet. Further information is currently not available. SOLUTION: Please see the vendor's advisory for fix information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HS10-008: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-008/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------