VARIoT IoT vulnerabilities database


VAR-190001-0980 No CVE vtiger CRM 'class.phpmailer.php' Remote Code Execution Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
vtiger CRM is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
VAR-190001-0390 No CVE Hitachi JP1 / IT Resource Management Unidentified Security Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
An unspecified vulnerability exists in Hitachi JP1/IT Resource Management. The vulnerability is related to authentication information, and no further details are currently provided. The impact of this issue is currently unknown. We will update this BID when more information emerges.

TITLE: Hitachi JP1/IT Resource Management Authentication Information Vulnerability
SECUNIA ADVISORY ID: SA45469
VERIFY ADVISORY: http://secunia.com/advisories/45469/
RELEASE DATE: 2011-07-29
DESCRIPTION: A vulnerability with an unknown impact has been reported in Hitachi JP1/IT Resource Management. No further information is currently available. The vulnerability is reported in versions 09-10 through 09-10-03 and 09-11 through 09-11-02.
SOLUTION: Update to version 09-50 2011.07.29
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: Hitachi (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-016/index.html
VAR-190001-0871 No CVE Sagem F@st Router Verification Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Sagem F@st is a line of router products. The Sagem F@st routers (3304-V1 / 3304-V2 / 3464 / 3504) have a pre-configured root password that the ISP does not change by default; the ISP instead creates another administrative account. Due to a problem with the algorithm, an attacker can exploit the vulnerability to obtain a user password and access the device. Multiple Sagem F@st routers are prone to a remote authentication-bypass vulnerability. This will completely compromise an affected device. The following routers are affected: Sagem F@st 3304, Sagem F@st 3464, Sagem F@st 3504
VAR-190001-0426 No CVE Multiple Vendors IPv6 Router Advertisement Guard Evasion Security Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Products from multiple vendors have a security-bypass vulnerability that allows an attacker to bypass the security mechanisms built into the affected device. This may aid further attacks.
VAR-190001-0671 No CVE D-Link DSL-2650U Remote Denial of Service Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
The D-Link DSL-2650U is a routing device. The D-Link DSL-2650U does not properly handle HTTP requests submitted by users. A remote attacker can exploit the vulnerability to perform a denial of service attack on the device. Attackers may leverage this issue to crash the Web server on the affected device, denying service to legitimate users. D-Link DSL-2650U 1.20 is affected; other versions may also be vulnerable
VAR-201110-0246 CVE-2011-3271 Cisco IOS Smart Install Remote Code Execution Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201109-0607
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Smart Install functionality in Cisco IOS 12.2 and 15.1 allows remote attackers to execute arbitrary code or cause a denial of service (device crash) via crafted TCP packets to port 4786, aka Bug ID CSCto10165. Cisco IOS is prone to a remote code-execution service vulnerability. An attacker can exploit this issue to execute arbitrary code with elevated privileges on affected devices. Successful exploits will completely compromise an affected device. This issue is tracked by Cisco Bug ID CSCto10165. Cisco's Internet Operating System (IOS) is a complex operating system optimized for Internet interconnection.

Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml.

Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication. Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html

Affected Products
=================

This vulnerability only affects Cisco Catalyst Switches and Cisco Integrated Services Routers with the Smart Install feature enabled.

Vulnerable Products
+------------------

Devices configured as a Smart Install client or director are affected by this vulnerability. To display Smart Install information, use the "show vstack config" privileged EXEC command on the Smart Install director or client. The outputs of the show commands are different when entered on the director or on the client.

The following is the output of the "show vstack config" in a device configured as a Smart Install client:

    switch#show vstack config
     Role: Client
     Vstack Director IP address: 10.1.1.163

The following is the output of the "show vstack config" in a Cisco Catalyst Switch configured as a Smart Install director:

    Director# show vstack config
     Role: Director
     Vstack Director IP address: 10.1.1.163
     Vstack Mode: Basic
     Vstack default management vlan: 1
     Vstack management Vlans: none
     Vstack Config file: tftp://10.1.1.100/default-config.txt
     Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122-
     Join Window Details:
       Window: Open (default)
       Operation Mode: auto (default)
     Vstack Backup Details:
       Mode: On (default)
       Repository: flash:/vstack (default)

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in the white paper Cisco IOS and NX-OS Software Reference Guide available at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Details
=======

Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches and Cisco Integrated Services Routers. This means that a customer can ship a device to a location, place it in the network and power it on with no configuration required on the device.

Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCto10165 ("Smart Install Crashes with certain IP Packets")

    CVSS Base Score - 10.0
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - Complete
      Integrity Impact - Complete
      Availability Impact - Complete

    CVSS Temporal Score - 8.3
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

Impact
======

Successful exploitation could allow an unauthenticated, remote attacker to perform remote code execution on the affected device.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Additionally, the Cisco IOS Software Checker is available on the Cisco Security Intelligence Operations (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x. It provides several features for checking which Security Advisories affect specified versions of Cisco IOS Software.

If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column.
The First Fixed Release for All Advisories in the September 2011 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

+------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
+------------------------------------------------------------+
| Affected 12.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
| There are no affected 12.0 based releases |
+------------------------------------------------------------+
| Affected 12.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
| There are no affected 12.1 based releases |
+------------------------------------------------------------+
| Affected 12.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
+------------------------------------------------------------+
| 12.2    | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2B   | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2BC  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2BW  | Not vulnerable | Not vulnerable |
| 12.2BX  | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2BY  | Not vulnerable | Not vulnerable |
| 12.2BZ  | Not vulnerable | Not vulnerable |
| 12.2CX  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2CY  | Not vulnerable | Not vulnerable |
| 12.2CZ  | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2DA  | Not vulnerable | Not vulnerable |
| 12.2DD  | Not vulnerable | Not vulnerable |
| 12.2DX  | Not vulnerable | Not vulnerable |
| 12.2EU  | Not vulnerable | Not vulnerable |
| 12.2EW  | Not vulnerable | Releases up to and including 12.2(20)EW4 are not vulnerable. |
| 12.2EWA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2EX  | 12.2(55)EX3 | 12.2(55)EX3 |
| 12.2EY  | 12.2(58)EY | 12.2(58)EY |
| 12.2EZ  | Vulnerable; migrate to any release in 15.0SE. Releases up to and including 12.2(53)EZ are not vulnerable. | Vulnerable; migrate to any release in 15.0SE |
| 12.2FX  | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2FY  | Not vulnerable | Vulnerable; First fixed in Release 12.2EX |
| 12.2FZ  | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2IRA | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRB | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRC | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRD | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IRE | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IRF | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRG | Not vulnerable | Not vulnerable |
| 12.2IXA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXB | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXD | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXE | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXF | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXG | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXH | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2JA  | Not vulnerable | Not vulnerable |
| 12.2JK  | Not vulnerable | Not vulnerable |
| 12.2MB  | Not vulnerable | Not vulnerable |
| 12.2MC  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2MRA | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2MRB | Not vulnerable | 12.2(33)MRB5 |
| 12.2S   | Not vulnerable | Releases prior to 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.2SB |
| 12.2SB  | Not vulnerable | 12.2(31)SB20; 12.2(33)SB10 |
| 12.2SBC | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2SCA | Not vulnerable | Vulnerable; First fixed in Release 12.2SCC |
| 12.2SCB | Not vulnerable | Vulnerable; First fixed in Release 12.2SCC |
| 12.2SCC | Not vulnerable | 12.2(33)SCC7 |
| 12.2SCD | Not vulnerable | 12.2(33)SCD6 |
| 12.2SCE | Not vulnerable | 12.2(33)SCE1; 12.2(33)SCE2 |
| 12.2SCF | Not vulnerable | Not vulnerable |
| 12.2SE  | Releases up to and including 12.2(54)SE are not vulnerable | 12.2(55)SE3; 12.2(58)SE |
| 12.2SEA | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEB | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEC | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SED | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEE | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEF | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEG | Not vulnerable | Releases prior to 12.2(25)SEG4 are vulnerable; Releases 12.2(25)SEG4 and later are not vulnerable. First fixed in Release 12.2EX |
| 12.2SG  | Not vulnerable | Releases prior to 12.2(53)SG4 are vulnerable; Releases 12.2(53)SG4 and later are not vulnerable. |
| 12.2SGA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SL  | Not vulnerable | Not vulnerable |
| 12.2SM  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SO  | Not vulnerable | Not vulnerable |
| 12.2SQ  | Not vulnerable | 12.2(50)SQ3 |
| 12.2SRA | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2SRB | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2SRC | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2SRD | Not vulnerable | 12.2(33)SRD6 |
| 12.2SRE | Not vulnerable | 12.2(33)SRE4 |
| 12.2STE | Not vulnerable | Not vulnerable |
| 12.2SU  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2SV  | Not vulnerable | Releases prior to 12.2(29a)SV are vulnerable; Releases 12.2(29a)SV and later are not vulnerable. Migrate to any release in 12.2SVD |
| 12.2SVA | Not vulnerable | Not vulnerable |
| 12.2SVC | Not vulnerable | Not vulnerable |
| 12.2SVD | Not vulnerable | Not vulnerable |
| 12.2SVE | Not vulnerable | Not vulnerable |
| 12.2SW  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SX  | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXA | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXB | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXD | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXE | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXF | Not vulnerable | 12.2(18)SXF17b |
| 12.2SXH | Not vulnerable | 12.2(33)SXH8a |
| 12.2SXI | Not vulnerable | 12.2(33)SXI6 |
| 12.2SXJ | Not vulnerable | Not vulnerable |
| 12.2SY  | Not vulnerable | 12.2(50)SY |
| 12.2SZ  | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2T   | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2TPC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2XA  | Not vulnerable | Not vulnerable |
| 12.2XB  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2XC  | Not vulnerable | Not vulnerable |
| 12.2XD  | Not vulnerable | Not vulnerable |
| 12.2XE  | Not vulnerable | Not vulnerable |
| 12.2XF  | Not vulnerable | Not vulnerable |
| 12.2XG  | Not vulnerable | Not vulnerable |
| 12.2XH  | Not vulnerable | Not vulnerable |
| 12.2XI  | Not vulnerable | Not vulnerable |
| 12.2XJ  | Not vulnerable | Not vulnerable |
| 12.2XK  | Not vulnerable | Not vulnerable |
| 12.2XL  | Not vulnerable | Not vulnerable |
| 12.2XM  | Not vulnerable | Not vulnerable |
| 12.2XN  | Not vulnerable | Not vulnerable |
| 12.2XNA | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNB | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNC | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XND | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNE | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNF | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XO  | Not vulnerable | Releases prior to 12.2(54)XO are vulnerable; Releases 12.2(54)XO and later are not vulnerable. |
| 12.2XQ  | Not vulnerable | Not vulnerable |
| 12.2XR  | Not vulnerable | Not vulnerable |
| 12.2XS  | Not vulnerable | Not vulnerable |
| 12.2XT  | Not vulnerable | Not vulnerable |
| 12.2XU  | Not vulnerable | Not vulnerable |
| 12.2XV  | Not vulnerable | Not vulnerable |
| 12.2XW  | Not vulnerable | Not vulnerable |
| 12.2YA  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2YB  | Not vulnerable | Not vulnerable |
| 12.2YC  | Not vulnerable | Not vulnerable |
| 12.2YD  | Not vulnerable | Not vulnerable |
| 12.2YE  | Not vulnerable | Not vulnerable |
| 12.2YF  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YG  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YH  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YJ  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YK  | Not vulnerable | Not vulnerable |
| 12.2YL  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YM  | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2YN  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YO  | Not vulnerable | Not vulnerable |
| 12.2YP  | Not vulnerable | Not vulnerable |
| 12.2YQ  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YR  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YS  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YT  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YU  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YV  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YW  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YX  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YY  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YZ  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| |------------+----------------+------------------------------| | 12.2ZA | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2SXF | |------------+----------------+------------------------------| | | | Vulnerable; contact your | | | | support organization per the | | 12.2ZB | Not vulnerable | instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+----------------+------------------------------| | 12.2ZC | Not vulnerable | Not vulnerable | |------------+----------------+------------------------------| | 12.2ZD | Not vulnerable | Not vulnerable | |------------+----------------+------------------------------| | 12.2ZE | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+----------------+------------------------------| | 12.2ZF | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+----------------+------------------------------| | 12.2ZG | Not vulnerable | Not vulnerable | |------------+----------------+------------------------------| | 12.2ZH | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+----------------+------------------------------| | 12.2ZJ | Not vulnerable | Not vulnerable | |------------+----------------+------------------------------| | | | Vulnerable; contact your | | | | support organization per the | | 12.2ZL | Not vulnerable | instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. 
| |------------+----------------+------------------------------| | 12.2ZP | Not vulnerable | Not vulnerable | |------------+----------------+------------------------------| | 12.2ZU | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2SXH | |------------+----------------+------------------------------| | 12.2ZX | Not vulnerable | Not vulnerable | |------------+----------------+------------------------------| | | | Vulnerable; contact your | | | | support organization per the | | 12.2ZY | Not vulnerable | instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+----------------+------------------------------| | | | Vulnerable; contact your | | | | support organization per the | | 12.2ZYA | Not vulnerable | instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+----------------+------------------------------| | Affected | First Fixed | First Fixed Release for All | | 12.3-Based | Release | Advisories in the September | | Releases | | 2011 Bundled Publication | |------------------------------------------------------------| | There are no affected 12.3 based releases | |------------------------------------------------------------| | Affected | First Fixed | First Fixed Release for All | | 12.4-Based | Release | Advisories in the September | | Releases | | 2011 Bundled Publication | |------------------------------------------------------------| | There are no affected 12.4 based releases | |------------------------------------------------------------| | Affected | First Fixed | First Fixed Release for All | | 15.0-Based | Release | Advisories in the September | | Releases | | 2011 Bundled Publication | |------------------------------------------------------------| | There are no affected 15.0 based releases | |------------------------------------------------------------| | Affected | First Fixed | First Fixed Release for All | | 15.1-Based | Release | Advisories in 
the September | | Releases | | 2011 Bundled Publication | |------------+----------------+------------------------------| | | | Vulnerable; contact your | | | | support organization per the | | 15.1EY | Not vulnerable | instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+----------------+------------------------------| | 15.1GC | Not vulnerable | Vulnerable; First fixed in | | | | Release 15.1T | |------------+----------------+------------------------------| | | 15.1(4)M2; | 15.1(4)M2; Available on | | 15.1M | Available on | 30-SEP-11 | | | 30-SEP-11 | | |------------+----------------+------------------------------| | | | Vulnerable; contact your | | | | support organization per the | | 15.1MR | Not vulnerable | instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+----------------+------------------------------| | | | 15.1(2)S2 | | 15.1S | Not vulnerable | | | | | 15.1(3)S | |------------+----------------+------------------------------| | | | 15.1(2)T4 | | 15.1T | 15.1(3)T2 | | | | | 15.1(1)T4 on 8-Dec-2011 | |------------+----------------+------------------------------| | | Vulnerable; | | | | First fixed in | | | | Release 15.1T | | | | | Vulnerable; First fixed in | | 15.1XB | Releases up to | Release 15.1T | | | and including | | | | 15.1(1)XB are | | | | not | | | | vulnerable. | | |------------+----------------+------------------------------| | Affected | First Fixed | First Fixed Release for All | | 15.2-Based | Release | Advisories in the September | | Releases | | 2011 Bundled Publication | |------------------------------------------------------------| | There are no affected 15.2 based releases | +------------------------------------------------------------+ Cisco IOS XE Software +-------------------- Cisco IOS XE Software is not affected by the vulnerability disclosed in this advisory. 
Cisco IOS XR Software is not affected by the vulnerabilities disclosed in the September 28, 2011, Cisco IOS Software Security Advisory bundled publication.

Workarounds
===========

There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature. The Smart Install Feature is enabled by default in client switches. No configuration is needed in client switches. If Smart Install feature is not required, and the device supports the configuration command "no vstack" as introduced by Cisco Bug ID CSCtj75729, then disabling Smart Install, with the "no vstack" configuration command mitigates this vulnerability.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20110928-smart-install.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels.
For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered and reported to Cisco by Greg Jones of Digital Assurance.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2011-September-28 | Initial public release |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAk6Cp2kACgkQQXnnBKKRMNDdKgD+O6C0i2f0RXM757+tLSehkxsW
NBAYqM590ni6eZvq7PwA/1WW59WEHU0DY2mgou/w2doZmIWczbfihzBwvIUyvHPa
=mkgL
-----END PGP SIGNATURE-----

----------------------------------------------------------------------

TITLE: Cisco IOS Smart Install Unspecified Code Execution Vulnerability

SECUNIA ADVISORY ID: SA46165

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46165/

RELEASE DATE: 2011-09-29

DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to compromise a vulnerable device. Successful exploitation may allow execution of arbitrary code. Please see the vendor's advisory for a list of affected versions.

SOLUTION: Update to a fixed version (please see the vendor's advisory for details).

ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml
VAR-201110-0458 CVE-2011-3302 Cisco Multiple Devices ASA Service Module SunRPC Resource Management Error Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.4), 8.0 before 8.0(5.25), 8.1 and 8.2 before 8.2(5.11), 8.3 before 8.3(2.23), 8.4 before 8.4(2.6), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to cause a denial of service (device reload) via crafted SunRPC traffic, aka Bug IDs CSCto92398 and CSCtq09989. The issue is tracked as Bug IDs CSCto92398 and CSCtq09989. A third party could disrupt service (device reload) through crafted SunRPC traffic. Multiple Cisco products are prone to multiple remote denial-of-service vulnerabilities. These issues are being tracked by Cisco Bug IDs CSCtq09972, CSCtq09978, CSCtq09986, CSCtq09989, CSCtq57802.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

Advisory ID: cisco-sa-20111005-fwsm

Revision 1.0

For Public Release 2011 October 05 1600 UTC (GMT)

+-------------------------------------------------------------------

Summary
=======

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

  * Syslog Message Memory Corruption Denial of Service Vulnerability
  * Authentication Proxy Denial of Service Vulnerability
  * TACACS+ Authentication Bypass Vulnerability
  * Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
  * Internet Locator Server (ILS) Inspection Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities.
Workarounds are available for some of the vulnerabilities disclosed in this advisory.

Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. Refer to the "Software Version and Fixes" section for specific information on vulnerable versions.

Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by this vulnerability if the following conditions are satisfied:

  * The device has interfaces with IPv6 addresses
  * System logging is enabled (command logging enable)
  * The device is configured in any way to generate system log message 302015 (refer to the following examples)

System log message 302015 has a default severity level of 6 (informational) so, assuming that the system administrator has not changed this default severity level, the vulnerability can be triggered if the device is logging to any destination at level 6 or level 7 (debug). As an example, the following configuration is vulnerable:

    logging enable
    !
    logging console informational
    logging buffered informational
    [...]

Using a custom message list (via the logging list command) that includes system log message 302015, either by severity or by explicitly including the message ID, is also a vulnerable configuration. For example, the following configuration is also vulnerable:

    logging enable
    !
    logging list MYLIST level informational
    <and/or>
    logging list MYLIST message 302015
    !
    logging trap MYLIST

Note: The default severity level of system log messages can be changed. If the default severity level of system log message 302015 is changed, and the device is configured to log to any destination at the new severity level, then the device is still vulnerable.

Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by this vulnerability if they are configured to use Authentication, Authorization, and Accounting (AAA) for network access, also known as cut-through or authentication proxy.

The network access authentication feature is enabled if the aaa authentication match or aaa authentication include commands are present in the configuration of an affected device.

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by this vulnerability if they are configured to use the Terminal Access Controller Access-Control System Plus (TACACS+) protocol for AAA. A device is configured for TACACS+ if an AAA server group is defined in a manner similar to the following:

    aaa-server my-tacacs-server protocol tacacs+
    aaa-server my-tacacs-server (inside) host 192.168.1.1
    [...]

Note: In the preceding example, "my-tacacs-server" is the name of the AAA server group.

SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by these vulnerabilities if SunRPC inspection is enabled. SunRPC inspection is enabled by default.

To determine whether SunRPC inspection is enabled, issue the show service-policy | include sunrpc command and confirm that the command returns output.
Example output follows:

    FWSM# show service-policy | include sunrpc
          Inspect: sunrpc, packet 324, drop 5, reset-drop 0

Alternatively, a device with SunRPC inspection enabled has a configuration similar to the following (the inspect sunrpc command is the command that actually enables SunRPC inspection, although the other commands are necessary for the Cisco FWSM to actually inspect traffic):

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect sunrpc
    !
    service-policy global_policy global

Note: The service policy could also be applied to a specific interface. (Global application is shown in the previous example.)

ILS Inspection Denial of Service Vulnerability
+---------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by these vulnerabilities if inspection of the ILS protocol is enabled. ILS inspection is not enabled by default.

Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for information on how to determine if ILS inspection is enabled. Use the configuration keyword "ils" instead of "sunrpc".

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch>show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                      Hw     Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1 0009.11e3.ade8 to 0009.11e3.adf7   5.1    6.3(1)       8.7(0.22)BUB Ok
      2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
      3 0014.a90c.9956 to 0014.a90c.995d   5.0    7.2(1)       7.0(4)E4     Ok
      4 0014.a90c.66e6 to 0014.a90c.66ed   1.7    Unknown      Unknown      PwrDown
      5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(33)SXH8 Ok
    [...]

After locating the correct slot, issue the show module <slot number> command to identify the software version that is running, as shown in the following example:

    switch>show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                      Hw     Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
    [...]

The preceding example shows that the Cisco FWSM is running software version 4.0(16) as indicated by the Sw column.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module <slot number> command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show module <slot number> but will include module information for the modules in each switch in the VSS.

The FWSM offers firewall services with stateful packet filtering and deep packet inspection.

Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------

The Cisco FWSM has a system log (syslog) feature that provides information for monitoring normal operation and troubleshooting network or device issues. System log messages are assigned different severities (debugging, informational, error, critical, etc.) and can be sent to different logging destinations.

A denial of service vulnerability exists in the implementation of one specific system log message (message ID 302015, "Built outbound UDP connection session-id for src-intf:IP/Port to dst-intf:IP/Port ARP-Incomplete") that can cause memory corruption and lead to a lock up or crash of the Cisco FWSM in the event that that system log message needs to be generated for IPv6 traffic that has flowed through the device. The Cisco FWSM may not recover on its own and a manual reboot may be necessary to recover.

System log message 302015 has a default severity level of 6 (informational). Changing the default severity level of this system message will not prevent the issue from occurring if the system is logging to any destinations at the new severity level.

The Cisco FWSM must have interfaces with IPv6 addresses otherwise the problem does not occur.

Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------

The Cisco FWSM authentication proxy feature allows one to use AAA to control access to network resources. Specifically, the Cisco FWSM cut-through proxy challenges a user initially at the application layer and then authenticates against AAA servers.
After the Cisco FWSM authenticates the user, it shifts the session flow, and all traffic flows directly between the user's computer and the network resource being accessed.

A denial of service vulnerability exists in some versions of Cisco FWSM Software that affects devices configured to use authentication to grant users access to the network, also known as cut-through or authentication proxy. Vulnerable configurations are those that contain the aaa authentication match or aaa authentication include commands. The vulnerability may be triggered when there is a high number of network access authentication requests.

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------

AAA enables the Cisco FWSM to determine who the user is (authentication), what the user can do (authorization), and what the user did (accounting). The Cisco FWSM supports TACACS+ authentication for VPN users, firewall sessions, and administrative access to the device.

An authentication bypass vulnerability exists in the TACACS+ implementation in the Cisco FWSM. Successful exploitation could allow a remote attacker to bypass TACACS+ authentication of VPN users (the Cisco FWSM only allows VPN sessions for management), firewall sessions, or administrative access to the device.

SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------

The SunRPC inspection engine enables or disables application inspection for the SunRPC protocol. SunRPC is used by Network File System (NFS) and Network Information Service (NIS). SunRPC services can run on any port. When a client attempts to access a SunRPC service on a server, it must learn the port on which the service is running. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111.

These vulnerabilities are triggered only by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities.

ILS Inspection Denial of Service Vulnerability
+---------------------------------------------

The ILS inspection engine provides Network Address Translation (NAT) support for Microsoft NetMeeting, SiteServer, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an ILS server.

The Cisco FWSM is affected by a vulnerability when ILS inspection is enabled that may cause the device to reload during the processing of a malformed ILS message.

This vulnerability is triggered by transit traffic only; traffic that is destined to the device does not trigger this vulnerability.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtn15697 -- FWSM crash in thread name uauth

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM

CVSS Base Score - 7.9
    Access Vector - Adjacent Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 6.5
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* SunRPC Inspection Denial of Service Vulnerabilities

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtq57802 -- ILS inspection crash on malformed ILS traffic

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of any of the denial of service vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained denial of service condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall, and/or administrative sessions.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco FWSM Software table describes a major Cisco FWSM Software train and the earliest possible release in that train that contains the fix (the "First Fixed Release") and the anticipated date of availability (if not currently available) in the First Fixed Release column. A device that is running a release that is earlier than the release in a specific column (earlier than the First Fixed Release) is known to be vulnerable. A vulnerable release should be upgraded to the indicated release at a minimum, or a later version (later than or equal to the First Fixed Release label). These vulnerabilities and their respective workarounds are independent of each other.

Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------

Completely disabling syslog 302015 with the command no logging message 302015 is an effective workaround for this vulnerability.

Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------

There are no workarounds available for this vulnerability.

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------

There are no workarounds available for this vulnerability other than using a different authentication protocol such as RADIUS and LDAP.

SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------

Administrators can mitigate these vulnerabilities by disabling SunRPC inspection if it is not required. Administrators can disable SunRPC inspection by issuing the no inspect sunrpc command in class configuration sub-mode in the policy map configuration. Disabling SunRPC inspection may cause SunRPC traffic to stop transiting the security appliance.

ILS Inspection Denial of Service Vulnerability
+---------------------------------------------

Administrators can mitigate this vulnerability by disabling ILS inspection if it is not required. Administrators can disable ILS inspection by issuing the no inspect ils command in class configuration sub-mode in the policy map configuration. Disabling ILS inspection may cause ILS traffic to stop through the security appliance.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. 
* +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The Syslog Message Memory Corruption Denial of Service Vulnerability, Authentication Proxy Denial of Service Vulnerability, and TACACS+ Authentication Bypass Vulnerability were discovered during the troubleshooting of customer service requests. The SunRPC Inspection Denial of Service Vulnerabilities and ILS Inspection Denial of Service Vulnerability were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. 

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2011-October-05 | public   |
|          |                 | release. |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
VAR-201201-0116 CVE-2012-0329 Cisco Digital Media Manager Vulnerable to arbitrary code execution CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Cisco Digital Media Manager 5.2.2 and earlier, and 5.2.3, allows remote authenticated users to execute arbitrary code via vectors involving a URL and an administrative resource, aka Bug ID CSCts63878. This issue is tracked by Cisco Bug ID CSCts63878. An authenticated attacker can exploit this issue to modify application configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected computer or aid in further attacks.

TITLE: Cisco Digital Media Manager Administrative Resources Access Security Bypass Vulnerability
SECUNIA ADVISORY ID: SA47651
VERIFY ADVISORY: http://secunia.com/advisories/47651/
RELEASE DATE: 2012-01-19
DESCRIPTION: A vulnerability has been reported in Cisco Digital Media Manager, which can be exploited by malicious users to bypass certain security restrictions. Please see the vendor's advisory for the list of affected versions.
SOLUTION: Update to a fixed version.
PROVIDED AND/OR DISCOVERED BY: The vendor credits Anthony Towry.
ORIGINAL ADVISORY: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm

Cisco Show and Share is not directly affected by this vulnerability. Cisco has released free software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.

This advisory is posted at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm

Affected Products
=================

Vulnerable Products
+------------------

The following table indicates which versions of Cisco Digital Media Manager are affected by this vulnerability:

+-------------------------------------------------------------------+
| Version                               | Affected                  |
|---------------------------------------+---------------------------|
| prior to 5.2                          | YES                       |
|---------------------------------------+---------------------------|
| 5.2.1                                 | YES                       |
|---------------------------------------+---------------------------|
| 5.2.1.1                               | YES                       |
|---------------------------------------+---------------------------|
| 5.2.2                                 | YES                       |
|---------------------------------------+---------------------------|
| 5.2.2.1                               | NO                        |
|---------------------------------------+---------------------------|
| 5.2.3                                 | YES                       |
|---------------------------------------+---------------------------|
| 5.3                                   | NO                        |
+-------------------------------------------------------------------+

Note: Cisco Digital Media Manager versions prior to 5.2 reached end of software maintenance. Customers running versions prior to 5.2 should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Digital Media Manager. The version information is reported under "Digital Media Manager" in the center of the page. Optionally administrators can log in to the Appliance Administration Interface (AAI), and access the main menu.

    BACKUP_AND_RESTORE      Back up and restore.
    APPLIANCE_CONTROL       Configure advance options
    NETWORK_SETTINGS        Configure network parameters.
    DATE_TIME_SETTINGS      Configure date and time
    CERTIFICATE_MANAGEMENT  Manage all certificates in the system

    < OK > <LOG OUT>

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

It allows users to remotely perform management tasks for Cisco Digital Signs, Cisco Cast, and Cisco Show and Share. The vulnerability is due to improper validation of unreferenced URLs, which may allow an unprivileged attacker to access administrative resources and elevate privileges. An authenticated attacker could exploit this vulnerability by sending the unreferenced URL to the affected system. Cisco Show and Share is not directly affected by this vulnerability.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCts63878 - Digital Media Manager Privilege Escalation Vulnerability

CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may allow a remote, authenticated attacker to elevate privileges and obtain full access to the affected system.

Software Versions and Fixes
===========================

Cisco has released free software updates that address this vulnerability. The following table contains the remediation for each affected version of Cisco Digital Media Manager:

+-------------------------------------------------------------------+
| Version           | Remediation                                   |
|-------------------+-----------------------------------------------|
| 5.2.1             | Upgrade to 5.2.2.1                            |
|-------------------+-----------------------------------------------|
| 5.2.1.1           | Upgrade to 5.2.2.1                            |
|-------------------+-----------------------------------------------|
| 5.2.2             | Upgrade to 5.2.2.1                            |
|-------------------+-----------------------------------------------|
| 5.2.3             | DMM523_PATCH-A.iso                            |
+-------------------------------------------------------------------+

When considering software upgrades, also consult:

http://www.cisco.com/go/psirt

and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

There are no workarounds that mitigate this vulnerability. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory:

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120118-dmm

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory.
Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as set forth at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. 
Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html For additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by Anthony Towry. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. 

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------------+
| Revision 1.0 | 2012-January-18 | Initial public release.          |
+-------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
VAR-201201-0310 CVE-2011-4659 Cisco TelePresence Software Vulnerabilities whose settings are changed CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco TelePresence Software before TE 4.1.1 on the Cisco IP Video Phone E20 has a default password for the root account after an upgrade to TE 4.1.0, which makes it easier for remote attackers to modify the configuration via an SSH session, aka Bug ID CSCtw69889, a different vulnerability than CVE-2011-2555. A third party may be able to change the settings through an SSH session. Cisco IP Video Phone E20 is prone to a remote authentication-bypass vulnerability. An attacker can exploit this issue to gain unauthorized root access to the affected device. Successful exploits will result in the complete compromise of the device. The vulnerability is due to an architectural change that was made in the way the system maintains administrative accounts. An attacker who is able to take advantage of this vulnerability could log in to the device as the root user and perform arbitrary actions with elevated privileges. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. The TE 4.1.0 release has been deferred from Cisco.com and Tandberg.com, and is no longer available for download. The deferral notice can be found at the following link: Software Deferral Notice

Administrators can determine the version of software running on their device by logging in to the command-line interface (CLI) as the admin user and issuing the xstatus systemunit command and finding the SystemUnit Software Version field.

Example:

    $: ssh admin@203.0.113.134
    TANDBERG Codec Release TE4.1.0.137456
    SW Release Date: 2011-11-18

    OK

    xstatus systemunit
    *s SystemUnit ProductType: "TANDBERG Codec"
    *s SystemUnit ProductId: "TANDBERG E20"
    *s SystemUnit Uptime: 91273
    *s SystemUnit Software Version: "TE4.1.0.137456"
    *s SystemUnit Software Name: "s52100"
    *s SystemUnit Software ReleaseDate: "2011-11-18"
    *s SystemUnit Hardware Module SerialNumber: "M1AD18B023025"
    *s SystemUnit Hardware Module MainBoard: "101390-6"
    *s SystemUnit Hardware Module BootSoftware: "U-Boot 2010.06-36"
    *s SystemUnit State System: Initialized
    *s SystemUnit State Subsystem Application: Initialized
    *s SystemUnit State Cradle: On
    *s SystemUnit State CameraLid: Off
    *s SystemUnit ContactInfo: "demo.user@example.com"
    *s SystemUnit Bluetooth Devices 1 Name: "9xxPlantronics"
    *s SystemUnit Bluetooth Devices 1 Address: "L023:8F:425M3D"
    *s SystemUnit Bluetooth Devices 1 Type: 2360324
    *s SystemUnit Bluetooth Devices 1 Status: bonded
    *s SystemUnit Bluetooth Devices 1 LastSeen: "2011-12-20 11:49:36"
    ** end

    OK

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

This single super account utilized the same password for both the admin and root authentication and was always enabled. With the introduction of TE 4.1.0, an architectural change was made to help harden the devices by allowing administrators to disable the root account. The intended result of this change is to separate the super account into two accounts, root and admin, while subsequently disabling the root account by default. It was found that in many cases, customers upgrading from a previous release of TE software to TE 4.1.0 are likely to experience an error condition in which the root account is not properly disabled. This creates a situation in which the root account is accessible via SSH with a default password.
It was subsequently discovered that the command implemented to allow an administrator to enable or disable the root account does not function correctly. Workarounds are available in the Workarounds section of this document. These workarounds involve changing the root and admin passwords to administrator-defined values.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtw69889 - Cisco TelePresence TE Software Default Root Account Vulnerability

CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
CVSS Temporal Score - 8.7
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability could allow an unauthenticated, remote attacker to gain root access to the affected device. This could allow the attacker to take arbitrary actions on the device with elevated privileges.
Software Versions and Fixes =========================== When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt And review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco TelePresence Software version TE 4.1.1 is available on Cisco.com and replaces TE 4.1.0. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as set forth at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. 
For most customers, upgrades should be obtained through the Software Center on Cisco.com at: http://www.cisco.com Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html For additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. 
Exploitation and Public Announcements ===================================== The Cisco Product Security Incidence Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. This vulnerability was discovered internally. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-te Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. 
Revision History ================ | Revision 1.0 | 2012-January-18 | Initial Public Release | Cisco Security Procedures ========================= Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +--------------------------------------------------------------------
VAR-201204-0222 CVE-2012-1239 TOSHIBA TEC e-Studio series vulnerable to authentication bypass

Related entries in the VARIoT exploits database: VAR-E-201110-0375
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The TopAccess web-based management interface on TOSHIBA TEC e-Studio multi-function peripheral (MFP) devices with firmware 30x through 302, 35x through 354, and 4xx through 421 allows remote attackers to bypass authentication and obtain administrative privileges via unspecified vectors. Multiple e-Studio series products provided by TOSHIBA TEC CORPORATION contain an authentication bypass vulnerability. e-Studio is a multi-function peripheral (MFP). Multiple e-Studio series products contain a vulnerability in the web-based management utility, which may result in an authentication bypass. An attacker that can access the product may log in with administrative privileges. As a result, settings may be changed and credential information may be viewed. Multiple Toshiba e-Studio devices are prone to a security-bypass vulnerability. Successful exploits will allow attackers to bypass certain security restrictions and gain access in the context of the device. A remote attacker can exploit this vulnerability to bypass authentication with an unknown vector and obtain administrator-level privileges.
VAR-201105-0190 CVE-2011-1645 Cisco RVS4000/WRVS4400N Web Management Interface Information Disclosure Vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the backup configuration file, and consequently execute arbitrary code, via unspecified vectors, aka Bug ID CSCtn23871. A third party may read the backup configuration file and, as a result, execute arbitrary code. The Cisco RVS4000/WRVS4400N is a Cisco Gigabit Security Router. If the administrator of the device previously created a configuration backup using Administration --> Backup & Restore --> Backup, a remote unauthenticated user can access the backup configuration file, which includes all device configuration parameters, including the HTTP authentication password and VPN shared keys (PSKs). Cisco RVS4000 and WRVS4400N routers are prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain potentially sensitive information. This may aid in further attacks. This issue is being tracked by Cisco bug ID CSCtn23871.
TITLE: Cisco RVS4000 / WRVS4400N Gigabit Security Routers Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44724 VERIFY ADVISORY: http://secunia.com/advisories/44724/ RELEASE DATE: 2011-05-26 DESCRIPTION: Some vulnerabilities have been reported in Cisco RVS4000 and WRVS4400N Gigabit Security Routers, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information. 1) The web management interface does not properly restrict access to the backup configuration file, which can be exploited to download the file and disclose sensitive information. 2) Input passed via the "ping" or "traceroute" parameters to the web management interface is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands. 3) An unspecified error in the web management interface can be exploited to retrieve the administrator's private and public keys for SSL certificates.
Please see the vendor's advisory for the list of affected products. SOLUTION: Apply updates when available (Scheduled for June 19, 2011). PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Sajdak, Securitum. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110525-rvs4000.shtml
VAR-201105-0191 CVE-2011-1646 Cisco RVS4000 Gigabit Security Router Software and WRVS4400N Gigabit Security Router Software vulnerabilities CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote authenticated users to execute arbitrary commands via the (1) ping test parameter or (2) traceroute test parameter, aka Bug ID CSCtn23871. The Cisco RVS4000/WRVS4400N is a Cisco Gigabit Security Router. The Cisco RVS4000/WRVS4400N has an arbitrary command injection vulnerability with root privileges. This issue is being tracked by Cisco bug ID CSCtn23871.
TITLE: Cisco RVS4000 / WRVS4400N Gigabit Security Routers Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44724 VERIFY ADVISORY: http://secunia.com/advisories/44724/ RELEASE DATE: 2011-05-26 DESCRIPTION: Some vulnerabilities have been reported in Cisco RVS4000 and WRVS4400N Gigabit Security Routers, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information. 1) The web management interface does not properly restrict access to the backup configuration file, which can be exploited to download the file and disclose sensitive information. 2) Input passed via the "ping" or "traceroute" parameters to the web management interface is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands. 3) An unspecified error in the web management interface can be exploited to retrieve the administrator's private and public keys for SSL certificates.
Please see the vendor's advisory for the list of affected products. SOLUTION: Apply updates when available (Scheduled for June 19, 2011). PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Sajdak, Securitum. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110525-rvs4000.shtml
VAR-201105-0045 CVE-2011-0949 Cisco IOS XR SSHv1 '/tmp/ssh_lock' Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR 3.6.x, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 does not properly remove sshd_lock files from /tmp/, which allows remote attackers to cause a denial of service (disk consumption) by making many SSHv1 connections, aka Bug ID CSCtd64417. A third party may cause a service disruption (disk consumption) by making a large number of SSHv1 connections. Available disk space in the '/tmp' filesystem may be consumed. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCtd64417.
TITLE: Cisco IOS XR Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44725 VERIFY ADVISORY: http://secunia.com/advisories/44725/ RELEASE DATE: 2011-05-26 DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists when processing IPv4 packets originating from the Cisco Line Card or Cisco CRS MSC and can be exploited to crash the NetIO process. Successful exploitation of this vulnerability requires that an IPv4 address is configured on one of the interfaces of a Cisco Line Card or Cisco CRS MSC. 3) An unspecified error when processing IPv4 packets can be exploited to reload the SPA (Shared Port Adapters) Interface Processor. Successful exploitation of this vulnerability requires that an IPv4 address is configured on any of the SPA interface processor interfaces. SOLUTION: Apply updates. Please see the vendor's advisory for more information.
PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) The vendor credits a customer. 3) Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml
Cisco Security Advisory: Cisco IOS XR Software SSHv1 Denial of Service Vulnerability Advisory ID: cisco-sa-20110525-iosxr-ssh Revision 1.0 For Public Release 2011 May 25 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco IOS XR Software contains a vulnerability in the SSH application that may result in a denial of service condition when the SSH version 1 (SSHv1) protocol is used. Cisco has released free software updates that address this vulnerability. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml Affected Products ================= This vulnerability affects all unfixed versions of Cisco IOS XR Software devices configured to accept SSHv1 connections. Details on the affected versions can be found in the Software Versions and Fixes section of this advisory. Vulnerable Products +------------------ To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software". The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2: RP/0/RP0/CPU0:CRS#show version Tue Aug 18 14:25:17.407 AEST Cisco IOS XR Software, Version 3.6.2[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON], CRS uptime is 4 weeks, 4 days, 1 minute System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm" cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2 17 Packet over SONET/SDH network interface(s) 1 DWDM controller(s) 17 SONET/SDH Port controller(s) 8 TenGigabitEthernet/IEEE 802.3 interface(s) 2 Ethernet/IEEE 802.3 interface(s) 1019k bytes of non-volatile configuration memory. 38079M bytes of hard disk. 981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes). Configuration register on node 0/0/CPU0 is 0x102 Boot device on node 0/0/CPU0 is mem: !--- output truncated The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1: RP/0/0/CPU0:GSR#show version Cisco IOS XR Software, Version 3.7.1[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE Copyright (c) 1994-2005 by cisco Systems, Inc. GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm" cisco 12404/PRP (7457) processor with 2097152K bytes of memory. 7457 processor at 1266Mhz, Revision 1.2 1 Cisco 12000 Series Performance Route Processor 1 Cisco 12000 Series - Multi-Service Blade Controller 1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS) 1 Cisco 12000 Series SPA Interface Processor-601/501/401 3 Ethernet/IEEE 802.3 interface(s) 1 SONET/SDH Port controller(s) 1 Packet over SONET/SDH network interface(s) 4 PLIM QoS controller(s) 8 FastEthernet/IEEE 802.3 interface(s) 1016k bytes of non-volatile configuration memory. 1000496k bytes of disk0: (Sector size 512 bytes). 65536k bytes of Flash internal SIMM (Sector size 256k). 
Configuration register on node 0/0/CPU0 is 0x2102 Boot device on node 0/0/CPU0 is disk0: !--- output truncated Additional information about Cisco IOS XR Software release naming conventions is available in "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/web/about/security/intelligence/ios-ref.html#9 Additional information about Cisco IOS XR Software time-based release model is available in "White Paper: Guidelines for Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html SSHv1 is configured in Cisco IOS XR Software with the configuration command ssh server enable. The device is vulnerable if it is running an affected Cisco IOS XR Software release and has SSHv1 enabled. The following example shows a device that is running Cisco IOS XR Software that is configured with SSHv1: (Router)# show running-config | inc ssh ssh server vrf default If the command returns "ssh server v2", then the SSH server is not configured to accept SSHv1 connections and the device is not vulnerable. Details ======= This vulnerability affects Cisco IOS XR devices that are running affected software releases and are configured to accept SSHv1 connections. This file begins with the text "sshd_lock" and may not be properly removed when the session ends. Multiple connections may consume all available space in the /tmp filesystem and cause the system to crash, leading to a denial of service condition. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. 
Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * SSHv1 may leave /tmp/sshd_lock files CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may cause the Cisco IOS XR device to crash, resulting in a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. This bug was introduced in Cisco IOS XR Software release 3.6.2 and is fixed with SMU hfr-k9sec-3.6.2.CSCtd74795. The SMU ID for this fix in 3.6.2 is AA03656. This vulnerability has been fixed in 3.8.3, 3.9.1, and 4.0.0 for customers running later software versions. Software version 3.7 is not affected by this vulnerability. Workarounds =========== SSHv1 can be disabled by configuring the SSH server to only accept SSHv2 connections. 
In order to configure a device to only accept SSHv2 connections, administrators can issue the command ssh server v2 Administrators should manually remove lock files after disabling SSHv1 or after the server is upgraded to a non-vulnerable version. The command run rm /tmp/sshd_lock* will delete any sshd_lock files on the system. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. 
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Customers encountering device crashes during normal network operations reported this vulnerability to Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110323-iosxr-ssh.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-May-25 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. 
All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +--------------------------------------------------------------------
VAR-201105-0194 CVE-2011-1651 Cisco IOS XR SPA Interface Processor Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR 3.9.x and 4.0.x before 4.0.3 and 4.1.x before 4.1.1, when an SPA interface processor is installed, allows remote attackers to cause a denial of service (device reload) via a crafted IPv4 packet, aka Bug ID CSCto45095. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCto45095. ---------------------------------------------------------------------- TITLE: Cisco IOS XR Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44725 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44725/ RELEASE DATE: 2011-05-26
DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) An unspecified error exists when processing IPv4 packets originating from the Cisco Line Card or Cisco CRS MSC and can be exploited to crash the NetIO process. 2) An error in the SSH server when handling an SSHv1 connection does not delete sshd_lock files in the /tmp directory. This can be exploited to consume all available disk space in the /tmp filesystem and cause a crash. Please see the vendor's advisory for the list of affected products and versions. SOLUTION: Apply updates. Please see the vendor's advisory for more information. PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) The vendor credits a customer. 3) Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml
---------------------------------------------------------------------- Cisco has released free Software Maintenance Units (SMU) that address this vulnerability. Workarounds that mitigate this vulnerability are not available. Vulnerable Products +------------------ This vulnerability affects all Engine 5 Line Cards on the Cisco XR 12000 Series Routers. The engine 5 line cards are the SIP-600, SIP-601, SIP-501, and SIP-401. To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command-line interface (CLI) command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text that is similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software". The following example identifies a Cisco XR 12000 Series Router that is running Cisco IOS XR Software Release 3.9.1: RP/0/0/CPU0:example#show version Wed Dec 15 10:16:47.117 singa Cisco IOS XR Software, Version 3.9.1[00] Copyright (c) 2010 by Cisco Systems, Inc. ROM: System Bootstrap, Version 12.0(20090302:133850) [rtauro-sw30346-33S 1.23dev(0.36)] DEVELOPMENT SOFTWARE Copyright (c) 1994-2009 by cisco Systems, Inc. example uptime is 26 minutes System image file is "disk0:c12k-os-mbi-3.9.1/mbiprp-rp.vm" cisco 12404/PRP (7457) processor with 3145728K bytes of memory.
7457 processor at 1266Mhz, Revision 1.2 1 Cisco 12000 Series Performance Route Processor 1 Cisco 12000 Series SPA Interface Processor-601/501/401 1 Cisco 12000 4 Port Gigabit Ethernet Controller (4 GigabitEthernet) 3 Management Ethernet 5 PLIM_QOS 8 FastEthernet 4 GigabitEthernet/IEEE 802.3 interface(s) 1019k bytes of non-volatile configuration memory. 982304k bytes of disk0: (Sector size 512 bytes). 62420k bytes of disk1: (Sector size 512 bytes). 65536k bytes of Flash internal SIMM (Sector size 256k). !--- output truncated To determine if a SPA interface processor is installed in the device, administrators can log in to the device and issue the show platform command to display the system line cards. The following products are not affected by this vulnerability: * Cisco 12000 Series SPA interface processors running Cisco IOS Software * Cisco XR 12000 Series Engine 3 Line Cards * Cisco ASR 9000 Series Aggregation Services Routers * Cisco Carrier Routing System Series Routers No other Cisco products are currently known to be affected by this vulnerability Details ======= Cisco IOS XR Software, which is part of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers. When the SPA interface processor receives specific IPv4 packets destined for either a network or a network broadcast address of a configured interface, it will reload and produce an error message that is similar to what is shown in the example that follows. Transit traffic through the device does not trigger this vulnerability. RP/0/4/CPU0:Example#LC/0/1/CPU0:Apr 26 17:16:31.745 : tx_xbma[85]: %L2-E5EGRESSQ-4-INTERRUPT : WIM error: reg 0x200000 This vulnerability is documented in Cisco bug ID CSCto45095 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-1651. 
Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Cisco XR 12000 Series SPA Interface Processor Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may result in a reloading of the SPA interface processor. Repeated exploitation could result in a sustained denial of service (DoS) condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. 
If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Availability of Repaired Releases

Major Release | SMU ID  | SMU Name                                            | First Fixed Release
--------------+---------+-----------------------------------------------------+----------------------------------------------------------
Affected 3.2.X through 3.8.X Based Releases
There are no affected 3.2.X through 3.8.X based releases
--------------+---------+-----------------------------------------------------+----------------------------------------------------------
Affected 3.9.X Based Releases
3.9.0         | None    | No SMU available; Contact your Support Organization | No first fixed release; Migrate to 4.0.3, 4.1.1 or later.
3.9.1         | AA04896 | c12k-os-mbi-3.9.1.CSCto45095                        | No first fixed release; Migrate to 4.0.3, 4.1.1 or later.
3.9.2         | AA04907 | c12k-os-mbi-3.9.2.CSCto45095                        | No first fixed release; Migrate to 4.0.3, 4.1.1 or later.
--------------+---------+-----------------------------------------------------+----------------------------------------------------------
Affected 4.0.x Based Releases
4.0.0         | None    | No SMU available; Contact your Support Organization | 4.0.3
4.0.1         | AA04884 | c12k-4.0.1.CSCto45095                               | 4.0.3
4.0.3         | Not Affected
--------------+---------+-----------------------------------------------------+----------------------------------------------------------
Affected 4.1.x Based Releases
4.1.0         | None    | No SMU available; Contact your Support Organization | 4.1.1
4.1.1         | Not Affected

Workarounds
There are no workarounds for this vulnerability. Using Infrastructure Access Control Lists (iACLs) may help limit the attack surface of this vulnerability. Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. As a network security best practice, iACLs should be considered a long-term addition to good network security. Because some of the packets used in this vulnerability could utilize UDP as a transport, it could be possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.
For more information on iACLs, consult the document "Limit Network Access with Access Control Lists" at the following location: http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html#19 Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. 
Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered when handling customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. 
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-May-25 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. 
VAR-201105-0054 CVE-2011-0943 Cisco IOS XR NetIO Process Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR 3.8.3, 3.8.4, and 3.9.1 allows remote attackers to cause a denial of service (NetIO process restart or device reload) via a crafted IPv4 packet, aka Bug ID CSCth44147. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCth44147. A remote attacker could exploit this vulnerability to crash the application and deny service to legitimate users. ---------------------------------------------------------------------- TITLE: Cisco IOS XR Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44725 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44725/ RELEASE DATE: 2011-05-26
DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service). 2) An error in the SSH server when handling an SSHv1 connection does not delete sshd_lock files in the /tmp directory. This can be exploited to consume all available disk space in the /tmp filesystem and cause a crash. 3) An unspecified error when processing IPv4 packets can be exploited to reload the SPA (Shared Port Adapters) Interface Processor. Successful exploitation of this vulnerability requires that an IPv4 address is configured on any of the SPA interface processor interfaces. Please see the vendor's advisory for the list of affected products and versions. SOLUTION: Apply updates. Please see the vendor's advisory for more information. PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) The vendor credits a customer. 3) Reported by the vendor.
ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml ---------------------------------------------------------------------- Successful exploitation could cause the NetIO process to restart. Under a sustained attack, the Cisco CRS Modular Services Card (MSC) on a Cisco Carrier Routing System (CRS) or a Line Card on a Cisco 12000 Series Router or Cisco ASR 9000 Series Aggregation Services Router will reload.
Cisco has released free Software Maintenance Units (SMU) that address this vulnerability. There are no workarounds for this vulnerability. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml Affected Products ================= This vulnerability affects any device that is running Cisco IOS XR Software Releases 3.8.3, 3.8.4, or 3.9.1 and has an IPv4 address configured on one of the interfaces of a Cisco Line Card or Cisco CRS MSC. Vulnerable Products +------------------ Cisco IOS XR Software Releases 3.8.3, 3.8.4, and 3.9.1 are affected when they are running on the following Cisco hardware platforms: * Cisco ASR 9000 Series Aggregation Services Routers * Cisco Carrier Routing System * Cisco XR 12000 Series Routers To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The software version is displayed after the text "Cisco IOS XR Software". The following example identifies a Cisco XR 12000 Series Router that is running Cisco IOS XR Software Release 3.9.1: RP/0/0/CPU0:example#show version Wed Dec 15 10:16:47.117 singa Cisco IOS XR Software, Version 3.9.1[00] Copyright (c) 2010 by Cisco Systems, Inc. ROM: System Bootstrap, Version 12.0(20090302:133850) [rtauro-sw30346-33S 1.23dev(0.36)] DEVELOPMENT SOFTWARE Copyright (c) 1994-2009 by cisco Systems, Inc. example uptime is 26 minutes System image file is "disk0:c12k-os-mbi-3.9.1/mbiprp-rp.vm" cisco 12404/PRP (7457) processor with 3145728K bytes of memory. 7457 processor at 1266Mhz, Revision 1.2 1 Cisco 12000 Series Performance Route Processor 1 Cisco 12000 Series SPA Interface Processor-601/501/401 1 Cisco 12000 4 Port Gigabit Ethernet Controller (4 GigabitEthernet) 3 Management Ethernet 5 PLIM_QOS 8 FastEthernet 4 GigabitEthernet/IEEE 802.3 interface(s) 1019k bytes of non-volatile configuration memory. 
982304k bytes of disk0: (Sector size 512 bytes). 62420k bytes of disk1: (Sector size 512 bytes). 65536k bytes of Flash internal SIMM (Sector size 256k). The following products are not affected by this vulnerability: * Cisco IOS Software * Cisco IOS XE Software for Cisco ASR 1000 Series Routers * Cisco NX-OS Software No other Cisco products are currently known to be affected by this vulnerability. Details ======= Cisco IOS XR Software, which is part of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers. When a Cisco Line Card or Cisco CRS MSC sends a specific IPv4 packet, the NetIO process will restart. Although a crash is caused by a packet that originates from the Cisco Line Card or Cisco CRS MSC, an unauthenticated, remote user can trigger the vulnerability by sending specific IP packets to or through the device. In the latter scenario, the Cisco Line Card or Cisco CRS MSC will create the specific IPv4 packet response that triggers the vulnerability This vulnerability is documented in Cisco bug ID CSCth44147 ( registered customers only) and has been assigned CVE ID CVE-2011-0943. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

* CSCth44147: NetIO Process crashes when generating specific IP packet

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in a reload of the Cisco CRS MSC on a Cisco CRS or the line cards on a Cisco 12000 Series Router or Cisco ASR 9000 Series Aggregation Services Router. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Availability of Repaired Releases, by Major Release

Affected 3.2.X through 3.7.X-Based Releases:
There are no affected 3.2.X through 3.7.X-based releases.

Affected 3.8.X-Based Releases:

| Release | SMU ID            | SMU NAME                    | First Fixed Release                                        |
|---------+-------------------+-----------------------------+------------------------------------------------------------|
| 3.8.0   | Not Vulnerable.   |                             |                                                            |
| 3.8.1   | Not Vulnerable.   |                             |                                                            |
| 3.8.2   | Not Vulnerable.   |                             |                                                            |
| 3.8.3   | CRS: AA04566      | hfr-base-3.8.3.CSCth44147   | No first fixed release; migrate to 3.9.X, 4.0.X, or later. |
|         | ASR9K             | Not Applicable              |                                                            |
|         | XR12000           | Not Applicable              |                                                            |
| 3.8.4   | CRS: AA04565      | hfr-base-3.8.4.CSCth44147   | No first fixed release; migrate to 3.9.2, 4.X.0, or later. |
|         | ASR9K             | Not Applicable              |                                                            |
|         | XR12000: AA04567  | c12k-base-3.8.4.CSCth44147  |                                                            |

Affected 3.9.X-Based Releases:

| Release | SMU ID            | SMU NAME                    | First Fixed Release |
|---------+-------------------+-----------------------------+---------------------|
| 3.9.0   | Not Vulnerable.   |                             |                     |
| 3.9.1   | CRS: AA04564      | hfr-base-3.9.1.CSCth44147   | 3.9.2               |
|         | ASR9K: AA04563    | asr9k-base-3.9.1.CSCth44147 |                     |
|         | XR12000: AA04530  | c12k-base-3.9.1.CSCth44147  |                     |
| 3.9.2   | Not Vulnerable.   |                             |                     |

Affected 4.0.X-Based Releases:
There are no affected 4.0.X-based releases.

Affected 4.1.X-Based Releases:
There are no affected 4.1.X based releases.

Workarounds
===========

There are no workarounds for this vulnerability. Using Infrastructure Access Control Lists (iACLs) may help limit the attack surface of this vulnerability. Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. iACLs are a network security best practice and should be considered as a long-term addition to good network security. Because some packets that may be used to exploit this vulnerability could utilize UDP as a transport, an attacker could spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
To provide a better mitigation solution, administrators should consider using Unicast Reverse Path Forwarding (Unicast RPF) in conjunction with iACLs. For more information on iACLs, consult the document "Limit Network Access with Access Control Lists" at the following link: http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html#19 Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. 
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during the handling of customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-May-25 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. 
All Cisco security advisories are available at http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +--------------------------------------------------------------------
VAR-201108-0097 CVE-2011-2555 Cisco TelePresence Recording Server Vulnerabilities whose settings are changed CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco TelePresence Recording Server 1.7.2.x before 1.7.2.1 has a default password for the root administrator account, which makes it easier for remote attackers to modify the configuration via an SSH session, aka Bug ID CSCtr76182. The problem is tracked as Bug ID CSCtr76182. A third party may change the settings through an SSH session. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. This issue is being tracked by Cisco bug ID CSCtr76182. A workaround exists to mitigate this vulnerability. Cisco has released free software updates that address this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco TelePresence solution allows an immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners, even when they are located in opposite hemispheres.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtr76182 - Root account enabled with default password

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.7
    Exploitability - High
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability could allow a remote attacker to use these default credentials to modify the system configuration and settings.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

A workaround exists to mitigate and fix this vulnerability. The workaround requires manual intervention on the affected system. Please contact the Cisco Technical Assistance Center (TAC) for instructions on how to implement this workaround.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110729-tp.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts ================================ Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts =================================== Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. 
* +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== Potential exploitation was reported directly to Cisco by a single customer. The PSIRT is not aware of any widespread exploitation or public announcements of this vulnerability. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110729-tp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. 
* cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-July-29 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +--------------------------------------------------------------------
VAR-201110-0250 CVE-2011-3282 Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-201109-0355
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15.0, and 15.1, and IOS XE 2.1.x through 3.3.x, when an MPLS domain is configured, allows remote attackers to cause a denial of service (device reload) via an ICMPv6 packet, related to an expired MPLS TTL, aka Bug ID CSCtj30155. The problem is tracked as Bug ID CSCtj30155. A third party may cause a service disruption (device reload) via ICMPv6 packets. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to cause an affected device to reload, denying service to legitimate users. These issues are being tracked by Cisco Bug IDs CSCto07919 and CSCtj30155.

TITLE: Cisco IOS MPLS IPv6 and ICMPv6 Packet Processing Two Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA46145
VERIFY ADVISORY: http://secunia.com/advisories/46145/
RELEASE DATE: 2011-10-31
DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Please see the vendor's advisory for a list of affected versions.
SOLUTION: Update to a fixed version (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml

For more information: SA46145 The vulnerabilities are reported in versions 2.1.x through 2.6.x and 3.2.xS.
These vulnerabilities are:

* Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
* ICMPv6 Packet May Cause MPLS-Configured Device to Reload

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml.

Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication. Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco IOS Software or Cisco IOS XE Software devices (hereafter both referenced as Cisco IOS Software in this document) that are running vulnerable versions of Cisco IOS Software and configured for MPLS are affected by two vulnerabilities related to IPv6 traffic that traverses an MPLS domain. The two vulnerabilities are independent of each other.

Note: IPv6 does not need to be configured on the affected devices themselves. The vulnerabilities do require the MPLS label switched packets to have specific IPv6 payloads to be exploited.

To determine whether a device is configured for MPLS, log in to the device and issue the command-line interface (CLI) command "show mpls interface". If the IP state is "Yes", the device is vulnerable. The following example shows a device that has MPLS configured on interface Ethernet0/0:

    Router#show mpls interface
    Interface              IP            Tunnel   BGP Static Operational
    Ethernet0/0            Yes (ldp)     No       No  No     Yes
    Router#

The following two examples show responses from a device with MPLS forwarding disabled. The first example shows a return of no interfaces:

    router#show mpls interface
    Interface              IP            Tunnel   BGP Static Operational
    routers#

In the second example, the device provides a message indicating that MPLS forwarding is not configured:

    router#show mpls interface
    no MPLS apps enabled or MPLS not enabled on any interfaces
    router#

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team
    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in the white paper Cisco IOS and NX-OS Software Reference Guide at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+--------------------------------

Devices that are not configured for MPLS are not vulnerable.
Details ======= The packet handling nodes in an MPLS network are called provider routers (P routers) and provider edge routers (PE routers) and are configured with MPLS. Both P and PE routers are vulnerable to both the vulnerabilities disclosed in this advisory. In networks that have MPLS enabled and could carry MPLS label switched packets with IPv6 payloads, the device may crash when processing MPLS label switched packets with specific IPv6 payloads. Typical deployment scenarios that would be affected by either vulnerability would be Cisco IPv6 Provider Edge Router (6PE) or IPv6 VPN Provider Edge Router (6VPE). The crafted packet used to exploit this vulnerability would be silently discarded in Cisco IOS Software if received on an interface where the packet did not have an MPLS label. This vulnerability is documented in Cisco bug ID CSCto07919 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3274. The packet used to exploit this vulnerability would not affect Cisco IOS Software if received on an interface where the packet did not have an MPLS label. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCto07919 ("Crafted IPv6 packet may cause MPLS configured device to reload")

CVSS Base Score - 6.1
    Access Vector - Adjacent Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 5.0
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtj30155 ("ICMPv6 packet may cause MPLS configured device to reload")

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may cause the device to reload. Repeated exploitation could result in a sustained denial of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Additionally, the Cisco IOS Software Checker is available on the Cisco Security Intelligence Operations (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x. It provides several features for checking which Security Advisories affect specified versions of Cisco IOS Software.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column. The First Fixed Release for All Advisories in the September 2011 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

| Major Release | Availability of Repaired Releases |
|------------+-----------------------------------------------|
| Affected 12.0-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| There are no affected 12.0-based releases |
|------------+-----------------------+-----------------------|
| Affected 12.1-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| 12.1E | Not vulnerable | 12.2(18)SXF17b |
|------------+-----------------------+-----------------------|
| Affected 12.2-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| 12.2 | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2B | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2BC | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2BW | Not vulnerable | Not vulnerable |
| 12.2BX | Not vulnerable | Vulnerable; first fixed in Release 12.2SB |
| 12.2BY | Not vulnerable | Not vulnerable |
| 12.2BZ | Not vulnerable | Not vulnerable |
| 12.2CX | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2CY | Not vulnerable | Not vulnerable |
| 12.2CZ | Not vulnerable | Vulnerable; first fixed in Release 12.2SB |
| 12.2DA | Not vulnerable | Not vulnerable |
| 12.2DD | Not vulnerable | Not vulnerable |
| 12.2DX | Not vulnerable | Not vulnerable |
| 12.2EU | Not vulnerable | Not vulnerable |
| 12.2EW | Not vulnerable | Releases up to and including 12.2(20)EW4 are not vulnerable. |
| 12.2EWA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2EX | Not vulnerable | 12.2(55)EX3 |
| 12.2EY | Not vulnerable | 12.2(58)EY |
| 12.2EZ | Not vulnerable | Vulnerable; migrate to any release in 15.0SE |
| 12.2FX | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2FY | Not vulnerable | Vulnerable; first fixed in Release 12.2EX |
| 12.2FZ | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2IRA | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRB | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRC | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRD | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IRE | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IRF | Not vulnerable | Vulnerable; migrate to any release in 12.2IRG |
| 12.2IRG | Not vulnerable | Not vulnerable |
| 12.2IXA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXB | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXD | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXE | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXF | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXG | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXH | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2JA | Not vulnerable | Not vulnerable |
| 12.2JK | Not vulnerable | Not vulnerable |
| 12.2MB | Not vulnerable | Not vulnerable |
| 12.2MC | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2MRA | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2MRB | Not vulnerable | 12.2(33)MRB5 |
| 12.2S | Not vulnerable | Releases prior to 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.2SB |
| 12.2SB | Not vulnerable | 12.2(31)SB20 / 12.2(33)SB10 |
| 12.2SBC | Not vulnerable | Vulnerable; first fixed in Release 12.2SB |
| 12.2SCA | Not vulnerable | Vulnerable; first fixed in Release 12.2SCC |
| 12.2SCB | Not vulnerable | Vulnerable; first fixed in Release 12.2SCC |
| 12.2SCC | Not vulnerable | 12.2(33)SCC7 |
| 12.2SCD | Not vulnerable | 12.2(33)SCD6 |
| 12.2SCE | Not vulnerable | 12.2(33)SCE1 / 12.2(33)SCE2 |
| 12.2SCF | Not vulnerable | Not vulnerable |
| 12.2SE | Not vulnerable | 12.2(55)SE3 / 12.2(58)SE |
| 12.2SEA | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SEB | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SEC | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SED | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SEE | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SEF | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SEG | Not vulnerable | Releases prior to 12.2(25)SEG4 are vulnerable; Releases 12.2(25)SEG4 and later are not vulnerable. First fixed in Release 12.2EX |
| 12.2SG | Not vulnerable | Releases prior to 12.2(53)SG4 are vulnerable; Releases 12.2(53)SG4 and later are not vulnerable. |
| 12.2SGA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SL | Not vulnerable | Not vulnerable |
| 12.2SM | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SO | Not vulnerable | Not vulnerable |
| 12.2SQ | Not vulnerable | 12.2(50)SQ3 |
| 12.2SRA | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2SRB | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2SRC | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2SRD | Not vulnerable | 12.2(33)SRD6 |
| 12.2SRE | 12.2(33)SRE4 | 12.2(33)SRE4 |
| 12.2STE | Not vulnerable | Not vulnerable |
| 12.2SU | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2SV | Not vulnerable | Releases prior to 12.2(29a)SV are vulnerable; Releases 12.2(29a)SV and later are not vulnerable. Migrate to any release in 12.2SVD |
| 12.2SVA | Not vulnerable | Not vulnerable |
| 12.2SVC | Not vulnerable | Not vulnerable |
| 12.2SVD | Not vulnerable | Not vulnerable |
| 12.2SVE | Not vulnerable | Not vulnerable |
| 12.2SW | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SX | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXA | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXB | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXD | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXE | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXF | Not vulnerable | 12.2(18)SXF17b |
| 12.2SXH | Not vulnerable | 12.2(33)SXH8a |
| 12.2SXI | Not vulnerable | 12.2(33)SXI6 |
| 12.2SXJ | Not vulnerable | Not vulnerable |
| 12.2SY | Not vulnerable | 12.2(50)SY |
| 12.2SZ | Not vulnerable | Vulnerable; first fixed in Release 12.2SB |
| 12.2T | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2TPC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2XA | Not vulnerable | Not vulnerable |
| 12.2XB | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2XC | Not vulnerable | Not vulnerable |
| 12.2XD | Not vulnerable | Not vulnerable |
| 12.2XE | Not vulnerable | Not vulnerable |
| 12.2XF | Not vulnerable | Not vulnerable |
| 12.2XG | Not vulnerable | Not vulnerable |
| 12.2XH | Not vulnerable | Not vulnerable |
| 12.2XI | Not vulnerable | Not vulnerable |
| 12.2XJ | Not vulnerable | Not vulnerable |
| 12.2XK | Not vulnerable | Not vulnerable |
| 12.2XL | Not vulnerable | Not vulnerable |
| 12.2XM | Not vulnerable | Not vulnerable |
| 12.2XN | Not vulnerable | Not vulnerable |
| 12.2XNA | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNB | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNC | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XND | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNE | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNF | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XO | Not vulnerable | Releases prior to 12.2(54)XO are vulnerable; Releases 12.2(54)XO and later are not vulnerable. |
| 12.2XQ | Not vulnerable | Not vulnerable |
| 12.2XR | Not vulnerable | Not vulnerable |
| 12.2XS | Not vulnerable | Not vulnerable |
| 12.2XT | Not vulnerable | Not vulnerable |
| 12.2XU | Not vulnerable | Not vulnerable |
| 12.2XV | Not vulnerable | Not vulnerable |
| 12.2XW | Not vulnerable | Not vulnerable |
| 12.2YA | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2YB | Not vulnerable | Not vulnerable |
| 12.2YC | Not vulnerable | Not vulnerable |
| 12.2YD | Not vulnerable | Not vulnerable |
| 12.2YE | Not vulnerable | Not vulnerable |
| 12.2YF | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YG | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YH | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YJ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YK | Not vulnerable | Not vulnerable |
| 12.2YL | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YM | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2YN | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YO | Not vulnerable | Not vulnerable |
| 12.2YP | Not vulnerable | Not vulnerable |
| 12.2YQ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YS | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YT | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YU | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YV | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YW | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YX | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YZ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZA | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2ZB | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZC | Not vulnerable | Not vulnerable |
| 12.2ZD | Not vulnerable | Not vulnerable |
| 12.2ZE | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2ZF | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2ZG | Not vulnerable | Not vulnerable |
| 12.2ZH | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2ZJ | Not vulnerable | Not vulnerable |
| 12.2ZL | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZP | Not vulnerable | Not vulnerable |
| 12.2ZU | Not vulnerable | Vulnerable; first fixed in Release 12.2SXH |
| 12.2ZX | Not vulnerable | Not vulnerable |
| 12.2ZY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZYA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
|------------+-----------------------+-----------------------|
| Affected 12.3-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| There are no affected 12.3-based releases |
|------------+-----------------------+-----------------------|
| Affected 12.4-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| There are no affected 12.4-based releases |
|------------+-----------------------+-----------------------|
| Affected 15.0-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.0M | 15.0(1)M7 | 15.0(1)M7 |
| 15.0MR | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0S | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 15.0SA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0SE | Not vulnerable | Not vulnerable |
| 15.0SG | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 15.0XA | Vulnerable; first fixed in Release 15.1T | Vulnerable; first fixed in Release 15.1T |
| 15.0XO | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
|------------+-----------------------+-----------------------|
| Affected 15.1-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.1EY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.1GC | Vulnerable; first fixed in Release 15.1T | Vulnerable; first fixed in Release 15.1T |
| 15.1M | 15.1(4)M1 | 15.1(4)M2; Available on 30-SEP-11 |
| 15.1MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.1S | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 15.1T | 15.1(1)T4; Available on 09-DEC-11 / 15.1(2)T4 / 15.1(3)T2 | 15.1(2)T4 / 15.1(1)T4 on 8-Dec-2011 |
| 15.1XB | Vulnerable; first fixed in Release 15.1T | Vulnerable; first fixed in Release 15.1T |
|------------+-----------------------+-----------------------|
| Affected 15.2-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| There are no affected 15.2-based releases |

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is affected by the vulnerability disclosed in this document.

| Cisco IOS XE Release | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|----------+----------------+--------------------------------|
| 2.1.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.2.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.3.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.4.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.5.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.6.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 3.1.xS | 3.1.4S | Vulnerable; migrate to 3.3.2S or later |
| 3.1.xSG | Not vulnerable | Vulnerable; migrate to 3.2.0SG or later |
| 3.2.xS | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 3.2.xSG | Not vulnerable | Not vulnerable |
| 3.3.xS | 3.3.2S | 3.3.2S |
| 3.4.xS | Not vulnerable | Not vulnerable |

For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by the vulnerability disclosed in this document.

Cisco IOS XR Software is not affected by any of the vulnerabilities in the September 2011 bundled publication.

Workarounds
===========

For both vulnerabilities the following workaround applies:

Disabling MPLS TTL Propagation
+-----------------------------

Disabling MPLS TTL propagation will prevent exploitation of these vulnerabilities. MPLS TTL propagation will have to be disabled on all PE routers in the MPLS domain. To disable MPLS TTL propagation, enter the global configuration command "no mpls ip propagate-ttl". If only "no mpls ip propagate-ttl forward" is configured, the vulnerabilities could still be exploited from within the MPLS domain. For more information about the MPLS TTL propagation command, refer to the configuration guide at:

http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_m1.html#wp1013846

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered when handling customer support calls.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2011-September-28 | Initial public release  |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201109-0074 CVE-2011-2543 Buffer overflow vulnerability in the cuil component of Cisco Telepresence System Integrator C

Related entries in the VARIoT exploits database: VAR-E-201108-0204
CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the cuil component in Cisco Telepresence System Integrator C Series 4.x before TC4.2.0 allows remote authenticated users to cause a denial of service (endpoint reboot or process crash) or possibly execute arbitrary code via a long location parameter to the getxml program, aka Bug ID CSCtq46496. Cisco TelePresence Endpoint is prone to memory-corruption and HTML-injection vulnerabilities. An attacker can exploit the HTML-injection issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. An attacker can exploit the memory-corruption issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The Cisco TelePresence solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect.

----------------------------------------------------------------------

TITLE: TANDBERG C Series Endpoints Script Insertion and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA46057
VERIFY ADVISORY: http://secunia.com/advisories/46057/
RELEASE DATE: 2011-09-22

DESCRIPTION: Two vulnerabilities have been reported in TANDBERG C Series Endpoints, which can be exploited by malicious users to conduct script insertion attacks and cause a DoS (Denial of Service).

1) Input passed as the Call ID when calling another endpoint is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed on an affected device when the malicious data is being viewed.

2) An error in the tshell application can be exploited to dereference an invalid memory address via overly long strings passed via the "location" parameter to the getXML script.

The vulnerabilities are reported in version 4.1.2 and prior.

SOLUTION: Update to version 4.2.0, which fixes vulnerability #2. Filter malicious characters and character sequences using a proxy.

ORIGINAL ADVISORY: http://www.senseofsecurity.com.au/advisories/SOS-11-010

----------------------------------------------------------------------

Sense of Security - Security Advisory - SOS-11-010

Release Date. 19-Sep-2011
Last Update. -
Vendor Notification Date. 21-Feb-2011
Product. Cisco
Affected versions. C <= TC4.1.2, MXP <= F9.1
Severity Rating. Low - Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution, denial of service.
Solution Status. Vendor patch
References.
1. CVE-2011-2544 (CSCtq46488)
2. CVE-2011-2543 (CSCtq46496)
3. CVE-2011-2577 (CSCtq46500)

Details.

Cisco TelePresence is an umbrella term for Video Conferencing Hardware and Software, Infrastructure and Endpoints. The C & MXP Series are the Endpoints used on desks or in boardrooms to provide users with a termination point for Video Conferencing.

1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):

Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for managing, configuring and reporting. It is possible to set the Call ID (with H.323 or SIP) to a HTML value. If a call is made to another endpoint and an authenticated user browses to the web interface on the endpoint receiving the call (e.g. to view call statistics), the HTML will render locally within the context of the logged in user. From this point it is possible to make changes to the system as the authenticated user. The flaw is due to the flexibility of the H.323 ID or SIP Display Name fields and failure to correctly validate user input.

Examples (MXP):

Rebooting the system:
<IMG SRC="/reboot&Yes=please">

The attacker may also choose to change passwords in the system, disable encryption or enable telnet:
<IMG SRC=/html_select_status?reload=other.ssi&telnet=On>
<IMG SRC=/html_select_status?reload=security.ssi&/Configuration/
Conference/Encryption/Mode=Off&/Configuration/SystemUnit/Password=test>

2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):

Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for setting and getting configuration. Example syntax is:

http://ip/getxml?location=/Configuration/Video

The request is sent to a locally listening shell (tshell). This is the case for all requests relating to performing an action on the system (e.g. config get or set). The shell then sends the input to the "main" application (/app/main, id=0), and the data is passed as a parameter. It was discovered that the getXML handle does not properly perform length checking on the user supplied input before passing it to the tshell. Furthermore, there is no length checking performed in the tshell and no bounds checking performed in the main application where the parameter is consumed. As such, it is possible to send input that exceeds the size of the receiving buffer, subsequently causing an invalid address to be read. This causes a reboot on the Endpoints. The VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but it will restart the process itself which drops all calls.

Proof of Concept:

GET /wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+"HTTP/1.1\r\n
Host: 192.168.6.99\r\n\r\n"

Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670
Illegal memory access at: 0x5858585c
Registers:
GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037 0f315580
GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896 0000000b
GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005 00000002
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960
NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002

As you can see, the crash string is passed as a parameter in GPR 8.

3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):

Cisco TelePresence Endpoints utilise SIP for the call setup protocol. Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the receive field causes the system to reboot.

Proof of Concept:

MXP:
Exception 0x1100 : Data TLB load miss
Active task FsmMain
FSM process : SipTrnsp(0)
FSM message : SipTrnsp_Send_Msg_Req from SipTrnsp(0)
Data TLB miss (DMISS) : 0x00000000 (illegal addr. accessed)

Solution. Upgrade to TC4.2 for the C series to fix validation issues.

Discovered by. David Klein, Sense of Security Labs.

About us. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the country's largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf
Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

Restrict access to trusted users only.
VAR-201109-0075 CVE-2011-2544 Cross-site scripting vulnerability in the web interface of Cisco TelePresence System MXP

Related entries in the VARIoT exploits database: VAR-E-201108-0204
CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Cross-site scripting (XSS) vulnerability in the web interface in Cisco TelePresence System MXP Series F9.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a crafted Call ID, as demonstrated by resultant cross-site request forgery (CSRF) attacks that change passwords or cause a denial of service, aka Bug ID CSCtq46488. Cisco TelePresence Endpoint is prone to memory-corruption and HTML-injection vulnerabilities. An attacker can exploit the HTML-injection issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. An attacker can exploit the memory-corruption issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The Cisco TelePresence solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect.
VAR-201210-0554 CVE-2012-1308 D-Link DSL-2640B Firmware redpass.cgi Vulnerable to cross-site request forgery

Related entries in the VARIoT exploits database: VAR-E-201202-0295
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in redpass.cgi in D-Link DSL-2640B Firmware EU_4.00 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword parameter. The D-Link DSL-2640B router is prone to a cross-site request-forgery vulnerability. This issue affects D-Link DSL-2640B. Other attacks are also possible. D-Link is Taiwan's first publicly traded online company, with its own D-Link brand marketing computer network products in more than 100 countries around the world. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment.