VARIoT IoT vulnerabilities database
VAR-190001-0207 | No CVE | CiscoKits CCNA TFTP Write Command Remote Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
CertificationKits CiscoKits CCNA TFTP Server is a TFTP server that can be used to help prepare for the Cisco Certificate Exam. CertificationKits CiscoKits CCNA TFTP Server incorrectly verifies WRITE requests containing very long filenames, allowing an attacker to crash the service. CiscoKits CCNA TFTP Server is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.
VAR-190001-0663 | No CVE | CiscoKits CCNA TFTP 'Read' Command Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
CertificationKits CiscoKits CCNA TFTP Server is a TFTP server that can be used to help prepare for the Cisco Certificate Exam. CertificationKits CiscoKits CCNA TFTP Server incorrectly handles read requests containing "../" sequences, allowing an attacker to read arbitrary files through a directory traversal attack. CiscoKits CCNA TFTP Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
VAR-190001-0584 | No CVE | Unknown vulnerabilities in the SAP J2EE engine |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
The SAP J2EE Engine Core is a core component of the SAP NetWeaver application platform. The SAP J2EE engine has security flaws that allow an attacker to compromise an enterprise computer system over the Internet.
The impact of this issue is currently unknown. We will update this BID when more information emerges.
VAR-190001-0047 | No CVE | Vtiger CRM Multiple Local File Inclusion Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Vtiger CRM is a web-based customer relationship management (CRM) system built around sales force automation (SFA). Multiple local file inclusion vulnerabilities exist in Vtiger CRM 5.2.1 and earlier. Because user-supplied input is not properly filtered, an attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
Vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.
VAR-190001-1055 | No CVE | Unknown Cross-Site Scripting Vulnerability in Hitachi Command Suite Products |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi Command Suite is an integrated software suite for efficient management of virtualized storage and server infrastructure. Hitachi Command Suite has a cross-site scripting vulnerability. Because certain unspecified input is not filtered before being returned to the user, an attacker can construct a malicious URI and induce a user to open it, conducting a cross-site scripting attack to obtain sensitive information or hijack user sessions. Multiple Hitachi Command Suite Products, including Device Manager Software and Tiered Storage Manager Software, are prone to an unspecified cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
----------------------------------------------------------------------
TITLE:
Hitachi Command Suite Products Unspecified Cross-Site Scripting
Vulnerability
SECUNIA ADVISORY ID:
SA48084
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48084/
RELEASE DATE:
2012-02-21
DESCRIPTION:
A vulnerability has been reported in Hitachi Command Suite products,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Certain unspecified input is not properly sanitised before being
returned to the user.
SOLUTION:
Update to version 7.2.1-00.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS12-008 (English):
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-008/index.html
HS12-008 (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-008/index.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-201112-0102 | CVE-2011-5012 | Reflection FTP Client Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the Reflection FTP Client (rftpcom.dll 7.2.0.106 and possibly other versions), as used in Attachmate Reflection 2008, Reflection 2011 R1 before 15.3.2.569 and R1 SP1 before, Reflection 2011 R2 before 15.4.1.327, Reflection Windows Client 7.2 SP1 before hotfix 7.2.1186, and Reflection 14.1 SP1 before 14.1.1.206, allows remote FTP servers to execute arbitrary code via a long directory name in a response to a LIST command.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
----------------------------------------------------------------------
TITLE:
Attachmate Reflection FTP Client Response Processing Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA46879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46879/
RELEASE DATE:
2011-11-17
DESCRIPTION:
Protek Research Lab's has discovered a vulnerability in Reflection
for Secure IT, which can be exploited by malicious people to
compromise a user's system.
Successful exploitation allows execution of arbitrary code, but
requires tricking a user into connecting to a malicious server. Other versions may also be affected.
SOLUTION:
Do not connect to untrusted FTP servers.
PROVIDED AND/OR DISCOVERED BY:
Francis Provencher, Protek Research Lab's
ORIGINAL ADVISORY:
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=29&Itemid=29
VAR-190001-0418 | No CVE | Koha OPAC Multiple Cross-Site Scripting Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Koha is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the OPAC (Online Public Access Catalog) interface.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to Koha 3.4.2 are vulnerable.
VAR-201112-0335 | CVE-2011-4674 | ZABBIX 'only_hostid' parameter SQL injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, and possibly other versions before 1.8.9, allows remote attackers to execute arbitrary SQL commands via the only_hostid parameter. ZABBIX is a distributed network monitoring system with a client-server (C/S) architecture. Because the application fails to adequately filter user-provided data before using it in SQL queries, an attacker can exploit this vulnerability to compromise the application, access or modify data, or exploit potential vulnerabilities in the underlying database. ZABBIX is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
ZABBIX versions 1.8.3 and 1.8.4 are vulnerable.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201311-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Zabbix: Multiple vulnerabilities
Date: November 25, 2013
Bugs: #312875, #394497, #428372, #452878, #486696
ID: 201311-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Zabbix, possibly leading to
SQL injection attacks, Denial of Service, or information disclosure.
Background
==========
Zabbix is software for monitoring applications, networks, and servers.
Affected packages
=================
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-analyzer/zabbix       < 2.0.9_rc1-r2          >= 2.0.9_rc1-r2
Description
===========
Multiple vulnerabilities have been discovered in Zabbix. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to execute arbitrary SQL statements,
cause a Denial of Service condition, or obtain sensitive information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Zabbix users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-analyzer/zabbix-2.0.9_rc1-r2"
References
==========
[ 1 ] CVE-2010-1277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1277
[ 2 ] CVE-2011-2904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2904
[ 3 ] CVE-2011-3263
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3263
[ 4 ] CVE-2011-4674
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4674
[ 5 ] CVE-2012-3435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3435
[ 6 ] CVE-2013-1364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1364
[ 7 ] CVE-2013-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5572
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201311-15.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201112-0313 | CVE-2011-3339 | Multiple SafeNet Products Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Admin Control Center in Sentinel HASP Run-time Environment 5.95 and earlier in SafeNet Sentinel HASP (formerly Aladdin HASP SRM) run-time installer before 6.x and SDK before 5.11, as used in 7 Technologies (7T) IGSS 7 and other products, when Firefox 2.0 is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger write access to a configuration file. SafeNet provides software protection and certificate management products. The affected product, Sentinel HASP (previously Aladdin HASP SRM), is a digital certificate management program. 7T IGSS uses the SafeNet Sentinel HASP SDK for managing digital certificates. Special characters allow an attacker to build and inject HTML into a configuration file. Successful exploitation of the vulnerability allows an attacker to change the code in the configuration file. This vulnerability can be reproduced using Mozilla Firefox 2.0; it is not triggered in current versions of Mozilla Firefox, Microsoft Internet Explorer, Opera, or Google Chrome. SafeNet Sentinel HASP and 7T IGSS are prone to an HTML-injection vulnerability because they fail to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
SafeNet Sentinel HASP Admin Control Center Script Insertion Weakness
SECUNIA ADVISORY ID:
SA47349
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47349/
RELEASE DATE:
2011-12-22
DESCRIPTION:
A weakness has been reported in SafeNet Sentinel HASP Run-time
Environment, which can be exploited by malicious users to conduct
script insertion attacks.
Successful exploitation requires a victim to view injected data using
Mozilla Firefox version 2.0.
The weakness is reported in version 5.95 and prior.
SOLUTION:
Apply patch (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Carlos Mario Penagos Hollman, Synapse-labs.
ORIGINAL ADVISORY:
SafeNet:
http://www.safenet-inc.com/support-downloads/sentinel-drivers/CVE-2011-3339/
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-314-01.pdf
VAR-190001-0555 | No CVE | Movicon 'dwmapi.dll' DLL Load arbitrary code execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Movicon is the first fully XML-based SCADA/HMI software developed by the famous Italian automation software provider PROGEA. An arbitrary code execution vulnerability related to the loading of dwmapi.dll exists in Movicon 11.2 Build 1085 and other versions. A remote attacker can exploit it by tricking a legitimate user into using the affected application to open a file on a network share that contains a specially crafted dynamic link library (DLL) file.
VAR-190001-0980 | No CVE | vtiger CRM 'class.phpmailer.php' Remote Code Execution Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
vtiger CRM is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
VAR-190001-0390 | No CVE | Hitachi JP1 / IT Resource Management Unidentified Security Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
There is an unspecified security vulnerability in Hitachi JP1/IT Resource Management. The vulnerability is related to authentication information; no further details are currently available.
The impact of this issue is currently unknown. We will update this BID when more information emerges.
----------------------------------------------------------------------
TITLE:
Hitachi JP1/IT Resource Management Authentication Information
Vulnerability
SECUNIA ADVISORY ID:
SA45469
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45469/
RELEASE DATE:
2011-07-29
DESCRIPTION:
A vulnerability with an unknown impact has been reported in Hitachi
JP1/IT Resource Management. No further information is currently
available.
The vulnerability is reported in versions 09-10 through 09-10-03 and
09-11 through 09-11-02.
SOLUTION:
Update to version 09-50 2011.07.29
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-016/index.html
VAR-190001-0871 | No CVE | Sagem F@st Router Authentication Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Sagem F@st Routers are a family of router products. The Sagem F@st routers (3304-V1 / 3304-V2 / 3464 / 3504) ship with a pre-configured root password that ISPs leave unchanged by default, creating another administrative account instead. Because of a problem with the algorithm, an attacker can exploit the vulnerability to obtain a user password and access the device. Multiple Sagem F@st Routers are prone to a remote authentication-bypass vulnerability. Successful exploitation will completely compromise an affected device.
The following routers are affected:
Sagem F@st 3304
Sagem F@st 3464
Sagem F@st 3504
VAR-190001-0426 | No CVE | Multiple Vendors IPv6 Router Advertisement Guard Evasion Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple vendors' products have a security bypass vulnerability that allows an attacker to bypass the security mechanisms built into the affected device. This may aid further attacks. Multiple vendors' products are prone to a security-bypass vulnerability.
VAR-190001-0671 | No CVE | D-Link DSL-2650U Remote Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The D-Link DSL-2650U is a routing device. The D-Link DSL-2650U does not properly handle HTTP requests submitted by users. A remote attacker can exploit the vulnerability to perform a denial of service attack on the device.
Attackers may leverage this issue to crash the Web server on the affected device, denying service to legitimate users.
D-Link DSL-2650U 1.20 is affected; other versions may also be vulnerable.
VAR-201110-0246 | CVE-2011-3271 | Cisco IOS Smart Install Remote Code Execution Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201109-0607 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Smart Install functionality in Cisco IOS 12.2 and 15.1 allows remote attackers to execute arbitrary code or cause a denial of service (device crash) via crafted TCP packets to port 4786, aka Bug ID CSCto10165. Cisco IOS is prone to a remote code-execution service vulnerability.
An attacker can exploit this issue to execute arbitrary code with elevated privileges on affected devices. Successful exploits will completely compromise an affected device.
This issue is tracked by Cisco Bug ID CSCto10165. Cisco's Internet Operating System (IOS) is a complex operating system optimized for Internet interconnection.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds available to mitigate this vulnerability
other than disabling the Smart Install feature.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml.
Note: The September 28, 2011, Cisco IOS Software Security Advisory
bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that
correct the vulnerability or vulnerabilities detailed in the advisory as
well as the Cisco IOS Software releases that correct all vulnerabilities
in the September 2011 Bundled Publication.
Individual publication links are in "Cisco Event Response: Semiannual
Cisco IOS Software Security Advisory Bundled Publication" at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html
Affected Products
=================
This vulnerability only affects Cisco Catalyst Switches and Cisco
Integrated Services Routers with the Smart Install feature enabled.
Vulnerable Products
+------------------
Devices configured as a Smart Install client or director are affected
by this vulnerability. To display Smart Install information, use the
"show vstack config" privileged EXEC command on the Smart Install
director or client. The outputs of the show commands are different
when entered on the director or on the client. The following is the
output of the "show vstack config" in a device configured as a Smart
Install client:
switch#show vstack config
Role: Client
Vstack Director IP address: 10.1.1.163
The following is the output of the "show vstack config" in a Cisco
Catalyst Switch configured as a Smart Install director:
Director# show vstack config
Role: Director
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack management Vlans: none
Vstack Config file: tftp://10.1.1.100/default-config.txt
Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122-
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository: flash:/vstack (default)
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the "show version" command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release
naming conventions is available in the white paper Cisco
IOS and NX-OS Software Reference Guide available at
http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Details
=======
Smart Install is a plug-and-play configuration and image-management
feature that provides zero-touch deployment for new switches and
Cisco Integrated Services Routers. This means that a customer can
ship a device to a location, place it in the network and power it on
with no configuration required on the device. Smart Install uses TCP port 4786 for
communication. An established TCP connection with a completed TCP
three-way handshake is needed to be able to trigger this
vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCto10165 ("Smart Install Crashes with certain IP Packets")
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation could allow an unauthenticated, remote
attacker to perform remote code execution on the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Additionally, the Cisco IOS Software Checker is available on
the Cisco Security Intelligence Operations (SIO) portal at
http://tools.cisco.com/security/center/selectIOSVersion.x. It provides
several features for checking which Security Advisories affect specified
versions of Cisco IOS Software. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release For This Advisory column. The First Fixed Release for All
Advisories in the September 2011 Bundled Publication column lists the
earliest possible releases that correct all the published
vulnerabilities in the Cisco IOS Software Security Advisory bundled
publication. Cisco recommends upgrading to the latest available
release, where possible.
+------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+-----------------------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 12.0-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.0 based releases |
|------------------------------------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 12.1-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.1 based releases |
|------------------------------------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 12.2-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------+----------------+------------------------------|
| 12.2 | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2B | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2BC | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2BW | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2BX | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SB |
|------------+----------------+------------------------------|
| 12.2BY | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2BZ | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2CX | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2CY | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2CZ | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SB |
|------------+----------------+------------------------------|
| 12.2DA | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2DD | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2DX | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2EU | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Releases up to and including |
| 12.2EW | Not vulnerable | 12.2(20)EW4 are not |
| | | vulnerable. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2EWA | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2EX | 12.2(55)EX3 | 12.2(55)EX3 |
|------------+----------------+------------------------------|
| 12.2EY | 12.2(58)EY | 12.2(58)EY |
|------------+----------------+------------------------------|
| 12.2EZ | Vulnerable; migrate to any release in 15.0SE. Releases up to and including 12.2(53)EZ are not vulnerable. | Vulnerable; migrate to any release in 15.0SE |
|------------+----------------+------------------------------|
| 12.2FX | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2FY | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2EX |
|------------+----------------+------------------------------|
| 12.2FZ | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2IRA | Not vulnerable | Vulnerable; migrate to any |
| | | release in 12.2IRG |
|------------+----------------+------------------------------|
| 12.2IRB | Not vulnerable | Vulnerable; migrate to any |
| | | release in 12.2IRG |
|------------+----------------+------------------------------|
| 12.2IRC | Not vulnerable | Vulnerable; migrate to any |
| | | release in 12.2IRG |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IRD | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IRE | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2IRF | Not vulnerable | Vulnerable; migrate to any |
| | | release in 12.2IRG |
|------------+----------------+------------------------------|
| 12.2IRG | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXA | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXB | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXC | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXD | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXE | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXF | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXG | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2IXH | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2JA | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2JK | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2MB | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2MC | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2MRA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SRD |
|------------+----------------+------------------------------|
| 12.2MRB | Not vulnerable | 12.2(33)MRB5 |
|------------+----------------+------------------------------|
| | | Releases prior to 12.2(30)S |
| | | are vulnerable; Releases |
| 12.2S | Not vulnerable | 12.2(30)S and later are not |
| | | vulnerable. First fixed in |
| | | Release 12.2SB |
|------------+----------------+------------------------------|
| | | 12.2(31)SB20 |
| 12.2SB | Not vulnerable | |
| | | 12.2(33)SB10 |
|------------+----------------+------------------------------|
| 12.2SBC | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SB |
|------------+----------------+------------------------------|
| 12.2SCA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SCC |
|------------+----------------+------------------------------|
| 12.2SCB | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SCC |
|------------+----------------+------------------------------|
| 12.2SCC | Not vulnerable | 12.2(33)SCC7 |
|------------+----------------+------------------------------|
| 12.2SCD | Not vulnerable | 12.2(33)SCD6 |
|------------+----------------+------------------------------|
| | | 12.2(33)SCE1 |
| 12.2SCE | Not vulnerable | |
| | | 12.2(33)SCE2 |
|------------+----------------+------------------------------|
| 12.2SCF | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | Releases up to | 12.2(55)SE3 |
| 12.2SE | and including | |
| | 12.2(54)SE are | 12.2(58)SE |
| | not vulnerable | |
|------------+----------------+------------------------------|
| 12.2SEA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2SEB | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2SEC | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2SED | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2SEE | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| 12.2SEF | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SE |
|------------+----------------+------------------------------|
| | | Releases prior to 12.2(25) |
| | | SEG4 are vulnerable; |
| 12.2SEG | Not vulnerable | Releases 12.2(25)SEG4 and |
| | | later are not vulnerable. |
| | | First fixed in Release |
| | | 12.2EX |
|------------+----------------+------------------------------|
| | | Releases prior to 12.2(53) |
| 12.2SG | Not vulnerable | SG4 are vulnerable; Releases |
| | | 12.2(53)SG4 and later are |
| | | not vulnerable. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2SGA | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2SL | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2SM | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2SO | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2SQ | Not vulnerable | 12.2(50)SQ3 |
|------------+----------------+------------------------------|
| 12.2SRA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SRD |
|------------+----------------+------------------------------|
| 12.2SRB | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SRD |
|------------+----------------+------------------------------|
| 12.2SRC | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SRD |
|------------+----------------+------------------------------|
| 12.2SRD | Not vulnerable | 12.2(33)SRD6 |
|------------+----------------+------------------------------|
| 12.2SRE | Not vulnerable | 12.2(33)SRE4 |
|------------+----------------+------------------------------|
| 12.2STE | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2SU | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| | | Releases prior to 12.2(29a) |
| | | SV are vulnerable; Releases |
| 12.2SV | Not vulnerable | 12.2(29a)SV and later are |
| | | not vulnerable. Migrate to |
| | | any release in 12.2SVD |
|------------+----------------+------------------------------|
| 12.2SVA | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2SVC | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2SVD | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2SVE | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2SW | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2SX | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXF |
|------------+----------------+------------------------------|
| 12.2SXA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXF |
|------------+----------------+------------------------------|
| 12.2SXB | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXF |
|------------+----------------+------------------------------|
| 12.2SXD | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXF |
|------------+----------------+------------------------------|
| 12.2SXE | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXF |
|------------+----------------+------------------------------|
| 12.2SXF | Not vulnerable | 12.2(18)SXF17b |
|------------+----------------+------------------------------|
| 12.2SXH | Not vulnerable | 12.2(33)SXH8a |
|------------+----------------+------------------------------|
| 12.2SXI | Not vulnerable | 12.2(33)SXI6 |
|------------+----------------+------------------------------|
| 12.2SXJ | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2SY | Not vulnerable | 12.2(50)SY |
|------------+----------------+------------------------------|
| 12.2SZ | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SB |
|------------+----------------+------------------------------|
| 12.2T | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2TPC | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2XA | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XB | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2XC | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XD | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XE | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XF | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XG | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XH | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XI | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XJ | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XK | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XL | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XM | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XN | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | Please see | |
| 12.2XNA | Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software | Software Availability |
| | Availability | |
|------------+----------------+------------------------------|
| | Please see | |
| 12.2XNB | Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software | Software Availability |
| | Availability | |
|------------+----------------+------------------------------|
| | Please see | |
| 12.2XNC | Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software | Software Availability |
| | Availability | |
|------------+----------------+------------------------------|
| | Please see | |
| 12.2XND | Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software | Software Availability |
| | Availability | |
|------------+----------------+------------------------------|
| | Please see | |
| 12.2XNE | Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software | Software Availability |
| | Availability | |
|------------+----------------+------------------------------|
| | Please see | |
| 12.2XNF | Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software | Software Availability |
| | Availability | |
|------------+----------------+------------------------------|
| | | Releases prior to 12.2(54)XO |
| 12.2XO | Not vulnerable | are vulnerable; Releases |
| | | 12.2(54)XO and later are not |
| | | vulnerable. |
|------------+----------------+------------------------------|
| 12.2XQ | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XR | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XS | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XT | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XU | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XV | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2XW | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2YA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2YB | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2YC | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2YD | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2YE | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YF | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YG | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YH | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YJ | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2YK | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YL | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2YM | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YN | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2YO | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2YP | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YQ | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YR | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YS | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YT | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YU | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YV | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YW | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YX | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YY | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2YZ | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2ZA | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXF |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2ZB | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2ZC | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2ZD | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2ZE | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2ZF | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2ZG | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2ZH | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.4 |
|------------+----------------+------------------------------|
| 12.2ZJ | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2ZL | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 12.2ZP | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| 12.2ZU | Not vulnerable | Vulnerable; First fixed in |
| | | Release 12.2SXH |
|------------+----------------+------------------------------|
| 12.2ZX | Not vulnerable | Not vulnerable |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2ZY | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 12.2ZYA | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 12.3-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.3 based releases |
|------------------------------------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 12.4-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.4 based releases |
|------------------------------------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 15.0-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 15.0 based releases |
|------------------------------------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 15.1-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 15.1EY | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| 15.1GC | Not vulnerable | Vulnerable; First fixed in |
| | | Release 15.1T |
|------------+----------------+------------------------------|
| | 15.1(4)M2; | 15.1(4)M2; Available on |
| 15.1M | Available on | 30-SEP-11 |
| | 30-SEP-11 | |
|------------+----------------+------------------------------|
| | | Vulnerable; contact your |
| | | support organization per the |
| 15.1MR | Not vulnerable | instructions in the |
| | | Obtaining Fixed Software |
| | | section of this advisory. |
|------------+----------------+------------------------------|
| | | 15.1(2)S2 |
| 15.1S | Not vulnerable | |
| | | 15.1(3)S |
|------------+----------------+------------------------------|
| | | 15.1(2)T4 |
| 15.1T | 15.1(3)T2 | |
| | | 15.1(1)T4 on 8-Dec-2011 |
|------------+----------------+------------------------------|
| 15.1XB | Vulnerable; First fixed in Release 15.1T. Releases up to and including 15.1(1)XB are not vulnerable. | Vulnerable; First fixed in Release 15.1T |
|------------+----------------+------------------------------|
| Affected | First Fixed | First Fixed Release for All |
| 15.2-Based | Release | Advisories in the September |
| Releases | | 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 15.2 based releases |
+------------------------------------------------------------+
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerability disclosed
in this advisory.
Cisco IOS XR Software is not affected by the vulnerabilities
disclosed in the September 28, 2011, Cisco IOS Software Security
Advisory bundled publication.
Workarounds
===========
There are no workarounds available to mitigate this vulnerability
other than disabling the Smart Install feature. The Smart Install
Feature is enabled by default in client switches. No configuration is
needed in client switches.
If Smart Install feature is not required, and the device supports
the configuration command "no vstack" as introduced by Cisco Bug
ID CSCtj75729, then disabling Smart Install, with the "no vstack"
configuration command mitigates this vulnerability.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20110928-smart-install.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered and reported to Cisco by Greg Jones
of Digital Assurance.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-September-28 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
TITLE:
Cisco IOS Smart Install Unspecified Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA46165
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46165/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46165
RELEASE DATE:
2011-09-29
DESCRIPTION:
A vulnerability has been reported in Cisco IOS, which can be
exploited by malicious people to compromise a vulnerable device.
Successful exploitation may allow execution of arbitrary code.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110928-smart-install.shtml
VAR-201110-0458 | CVE-2011-3302 | Cisco Multiple Devices ASA Service Module SunRPC Resource Management Error Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services module in Cisco Catalyst 6500 series devices, with software 7.0 before 7.0(8.13), 7.1 and 7.2 before 7.2(5.4), 8.0 before 8.0(5.25), 8.1 and 8.2 before 8.2(5.11), 8.3 before 8.3(2.23), 8.4 before 8.4(2.6), and 8.5 before 8.5(1.1) and Cisco Firewall Services Module (aka FWSM) 3.1 before 3.1(21), 3.2 before 3.2(22), 4.0 before 4.0(16), and 4.1 before 4.1(7) allow remote attackers to cause a denial of service (device reload) via crafted SunRPC traffic, aka Bug IDs CSCto92398 and CSCtq09989. Multiple Cisco products are prone to multiple remote denial-of-service vulnerabilities.
These issues are being tracked by Cisco Bug IDs CSCtq09972, CSCtq09978, CSCtq09986, CSCtq09989, CSCtq57802.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module
Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)
+-------------------------------------------------------------------
Summary
=======
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series switches and Cisco 7600 Series routers is affected by the
following vulnerabilities:
* Syslog Message Memory Corruption Denial of Service Vulnerability
* Authentication Proxy Denial of Service Vulnerability
* TACACS+ Authentication Bypass Vulnerability
* Sun Remote Procedure Call (SunRPC) Inspection Denial of Service
Vulnerabilities
* Internet Locator Server (ILS) Inspection Denial of Service
Vulnerability
These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of the
vulnerabilities disclosed in this advisory. Affected
versions of Cisco FWSM Software vary depending on the specific
vulnerability. Refer to the "Software Version and Fixes" section for
specific information on vulnerable versions.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
logging enable
!
logging console informational
logging buffered informational
[...]
Using a custom message list (via the logging list command) that
includes system log message 302015, either by severity or by
explicitly including the message ID, is also a vulnerable
configuration. For example, the following configuration is also
vulnerable:
logging enable
!
logging list MYLIST level informational
<and/or>
logging list MYLIST message 302015
!
logging trap MYLIST
Note: The default severity level of system log messages can be
changed. If the default severity level of system log message 302015
is changed, and the device is configured to log to any destination at
the new severity level, then the device is still vulnerable.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use
Authentication, Authorization, and Accounting (AAA) for network
access, also known as cut-through or authentication proxy. The
network access authentication feature is enabled if the aaa
authentication match or aaa authentication include commands are
present in the configuration of an affected device.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if they are configured to use the
Terminal Access Controller Access-Control System Plus (TACACS+)
protocol for AAA. A device is configured for TACACS+ if an AAA server
group is defined in a manner similar to the following:
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
[...]
Note: In the preceding example, "my-tacacs-server" is the name of the
AAA server group.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if SunRPC inspection is enabled.
SunRPC inspection is enabled by default.
To determine whether SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that the command
returns output. Example output follows:
FWSM# show service-policy | include sunrpc
Inspect: sunrpc, packet 324, drop 5, reset-drop 0
Alternatively, a device with SunRPC inspection enabled has a
configuration similar to the following (the inspect sunrpc command is
the command that actually enables SunRPC inspection, although the
other commands are necessary for the Cisco FWSM to actually inspect
traffic):
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sunrpc
!
service-policy global_policy global
Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Devices running vulnerable versions of Cisco FWSM Software are
affected by these vulnerabilities if inspection of the ILS protocol
is enabled. ILS inspection is not enabled by default.
Refer to "SunRPC Inspection Denial of Service Vulnerabilities" for
information on how to determine if ILS inspection is enabled. Use the
configuration keyword "ils" instead of "sunrpc".
The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:
switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 0009.11e3.ade8 to 0009.11e3.adf7   5.1    6.3(1)       8.7(0.22)BUB Ok
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
  3 0014.a90c.9956 to 0014.a90c.995d   5.0    7.2(1)       7.0(4)E4     Ok
  4 0014.a90c.66e6 to 0014.a90c.66ed   1.7    Unknown      Unknown      PwrDown
  5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(33)SXH8 Ok
[...]
After locating the correct slot, issue the show module <slot number>
command to identify the software version that is running, as shown in
the following example:
switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       4.0(16)      Ok
[...]
The preceding example shows that the Cisco FWSM is running software
version 4.0(16) as indicated by the Sw column.
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show module command;
therefore, executing the show module <slot number> command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical
Cisco Catalyst 6500 Series switches to operate as a single logical
virtual switch, the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2.
The output from this command will be similar to the output from show
module <slot number> but will include module information for the
modules in each switch in the VSS.
The FWSM offers firewall services with stateful packet filtering and
deep packet inspection.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
The Cisco FWSM has a system log (syslog) feature that provides
information for monitoring normal operation and troubleshooting
network or device issues. System log messages are assigned different
severities (debugging, informational, error, critical, etc.) and can
be sent to different logging destinations.
A denial of service vulnerability exists in the implementation of one
specific system log message (message ID 302015, "Built outbound UDP
connection session-id for src-intf:IP/Port to dst-intf:IP/Port
ARP-Incomplete") that can cause memory corruption and lead to a lock
up or crash of the Cisco FWSM in the event that that system log
message needs to be generated for IPv6 traffic that has flowed
through the device. The Cisco FWSM may not recover on its own and a
manual reboot may be necessary to recover.
System log message 302015 has a default severity level of 6
(informational). Changing the default severity level of this system
message will not prevent the issue from occurring if the system is
logging to any destinations at the new severity level. The Cisco FWSM
must have interfaces with IPv6 addresses otherwise the problem does
not occur.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
The Cisco FWSM authentication proxy feature allows one to use AAA to
control access to network resources. Specifically, the Cisco FWSM
cut-through proxy challenges a user initially at the application
layer and then authenticates against AAA servers. After the Cisco
FWSM authenticates the user, it shifts the session flow, and all
traffic flows directly between the user's computer and the network
resource being accessed.
A denial of service vulnerability exists in some versions of Cisco
FWSM Software that affects devices configured to use authentication
to grant users access to the network, also known as cut-through or
authentication proxy. Vulnerable configurations are those that
contain the aaa authentication match or aaa authentication include
commands. The vulnerability may be triggered when there is a high
number of network access authentication requests.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
AAA enables the Cisco FWSM to determine who the user is
(authentication), what the user can do (authorization), and what the
user did (accounting). The Cisco FWSM supports TACACS+ authentication
for VPN users, firewall sessions, and administrative access to the
device.
An authentication bypass vulnerability exists in the TACACS+
implementation in the Cisco FWSM. Successful exploitation could allow
a remote attacker to bypass TACACS+ authentication of VPN users (the
Cisco FWSM only allows VPN sessions for management), firewall
sessions, or administrative access to the device.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
The SunRPC inspection engine enables or disables application
inspection for the SunRPC protocol. SunRPC is used by Network File
System (NFS) and Network Information Service (NIS). SunRPC services
can run on any port. When a client attempts to access a SunRPC
service on a server, it must learn the port on which the service is
running. The client does this by querying the port mapper process,
usually rpcbind, on the well-known port of 111. These vulnerabilities are
triggered only by transit traffic; traffic that is destined to the
device does not trigger these vulnerabilities.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
The ILS inspection engine provides Network Address Translation (NAT)
support for Microsoft NetMeeting, SiteServer, and Active Directory
products that use Lightweight Directory Access Protocol (LDAP) to
exchange directory information with an ILS server.
The Cisco FWSM is affected by a vulnerability when ILS inspection is
enabled that may cause the device to reload during the processing of
a malformed ILS message. This vulnerability is triggered by transit
traffic only; traffic that is destined to the device does not trigger
this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti83875 -- Syslog message 302015 may lead to memory corruption and CP lockup
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn15697 -- FWSM crash in thread name uauth
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCto74274 -- Crafted TACACS+ reply considered as successful auth by FWSM
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* SunRPC Inspection Denial of Service Vulnerabilities
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtq57802 -- ILS inspection crash on malformed ILS traffic
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of any of the denial of service
vulnerabilities could cause an affected device to reload. Repeated
exploitation could result in a sustained denial of service condition.
Successful exploitation of the TACACS+ authentication bypass
vulnerability could allow an attacker to bypass authentication of
VPN, firewall, and/or administrative sessions.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco FWSM Software table describes a major
Cisco FWSM Software train and the earliest possible release in that
train that contains the fix (the "First Fixed Release") and the
anticipated date of availability (if not currently available) in the
First Fixed Release column. A device that is running a release that
is earlier than the release in a specific column (earlier than the
First Fixed Release) is known to be vulnerable. A vulnerable release
should be upgraded to the indicated release at a minimum, or a later
version (later than or equal to the First Fixed Release label).
These vulnerabilities and their respective workarounds are
independent of each other.
Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------
Completely disabling syslog 302015 with the command no logging
message 302015 is an effective workaround for this vulnerability.
Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------
There are no workarounds available for this vulnerability.
TACACS+ Authentication Bypass Vulnerability
+------------------------------------------
There are no workarounds available for this vulnerability other than
using a different authentication protocol such as RADIUS and LDAP.
SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------
Administrators can mitigate these vulnerabilities by disabling SunRPC
inspection if it is not required. Administrators can disable SunRPC
inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling
SunRPC inspection may cause SunRPC traffic to stop transiting the
security appliance.
ILS Inspection Denial of Service Vulnerability
+---------------------------------------------
Administrators can mitigate this vulnerability by disabling ILS
inspection if it is not required. Administrators can disable ILS
inspection by issuing the no inspect ils command in class
configuration sub-mode in the policy map configuration. Disabling ILS
inspection may cause ILS traffic to stop transiting the security
appliance.
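As an added example (not part of Cisco's advisory and not Cisco code), the following Python script checks a saved FWSM configuration against the exposure conditions described under each vulnerability heading above and pairs every finding with the workaround this section lists. The function names, finding names and sample configuration are constructed for illustration; the `ipv6 address` interface syntax and the message-ID range form of `logging list` are assumptions, and a changed default severity for message 302015 is not modelled.

```python
import re

# Severity keywords accepted by the logging commands, mapped to numeric levels.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# console, buffered and trap appear in the advisory; monitor and asdm are assumed.
DESTINATIONS = {"console", "buffered", "trap", "monitor", "asdm"}
MSG_ID = 302015   # system log message named in the advisory
MSG_LEVEL = 6     # its default severity (informational); a changed default is not modelled

# Workarounds as stated in the advisory, keyed by finding name (names are ours).
WORKAROUNDS = {
    "syslog_302015": "no logging message 302015",
    "auth_proxy": "none available",
    "tacacs": "none, other than using a different authentication protocol",
    "sunrpc_inspection": "no inspect sunrpc, if inspection is not required",
    "ils_inspection": "no inspect ils, if inspection is not required",
}


def _severity(token):
    """Numeric severity for a keyword or digit token, or None if it is neither."""
    return int(token) if token.isdigit() else LEVELS.get(token.lower())


def _lists_with_message(lines):
    """Names of 'logging list' entries that include message 302015."""
    names = set()
    for line in lines:
        m = re.match(r"logging list (\S+) (level|message) (\S+)", line)
        if not m:
            continue
        name, kind, value = m.groups()
        if kind == "level":
            sev = _severity(value)
            if sev is not None and sev >= MSG_LEVEL:
                names.add(name)
        else:
            # Single ID, or an ID range such as 302013-302018 (range form assumed).
            low, _, high = value.partition("-")
            if low.isdigit() and (high.isdigit() or not high):
                if int(low) <= MSG_ID <= int(high or low):
                    names.add(name)
    return names


def audit_fwsm_config(text):
    """Return {finding: bool} for the five exposure conditions in the advisory."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]

    # Does any logging destination receive message 302015?
    lists = _lists_with_message(lines)
    emits = False
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "logging" and parts[1] in DESTINATIONS:
            sev = _severity(parts[2])
            if parts[2] in lists or (sev is not None and sev >= MSG_LEVEL):
                emits = True

    proxy_cmds = ("aaa authentication match ", "aaa authentication include ")
    return {
        "syslog_302015": (
            emits
            and "logging enable" in lines
            and f"no logging message {MSG_ID}" not in lines
            and any(ln.startswith("ipv6 address ") for ln in lines)  # assumed syntax
        ),
        "auth_proxy": any(ln.startswith(proxy_cmds) for ln in lines),
        "tacacs": any(re.match(r"aaa-server \S+ protocol tacacs\+", ln) for ln in lines),
        "sunrpc_inspection": any(ln.startswith("inspect sunrpc") for ln in lines),
        "ils_inspection": any(ln.startswith("inspect ils") for ln in lines),
    }


# Constructed sample (not from a real device): the advisory's own snippets plus
# an assumed interface stanza carrying an IPv6 address.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 ipv6 address 2001:db8:0:1::1/64
!
logging enable
logging list MYLIST message 302015
logging trap MYLIST
logging console warnings
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
policy-map global_policy
 class inspection_default
  inspect sunrpc
service-policy global_policy global
"""

if __name__ == "__main__":
    for finding, exposed in audit_fwsm_config(SAMPLE_CONFIG).items():
        if exposed:
            print(f"{finding}: exposed; workaround: {WORKAROUNDS[finding]}")
```

A finding means only that the configuration precondition holds; whether the device is actually vulnerable still depends on the running release, as shown in the Sw column of show module.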
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The Syslog Message Memory Corruption Denial of Service Vulnerability,
Authentication Proxy Denial of Service Vulnerability, and TACACS+
Authentication Bypass Vulnerability were discovered during the
troubleshooting of customer service requests.
The SunRPC Inspection Denial of Service Vulnerabilities and ILS
Inspection Denial of Service Vulnerability were discovered by Cisco
during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2011-October-05 | Initial public release.          |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201201-0116 | CVE-2012-0329 | Cisco Digital Media Manager Vulnerable to arbitrary code execution |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Cisco Digital Media Manager 5.2.2 and earlier, and 5.2.3, allows remote authenticated users to execute arbitrary code via vectors involving a URL and an administrative resource, aka Bug ID CSCts63878. This issue is tracked by Cisco Bug ID CSCts63878.
An authenticated attacker can exploit this issue to modify application configuration settings, gaining elevated privileges. This may lead to a full compromise of the affected computer or aid in further attacks.
TITLE:
Cisco Digital Media Manager Administrative Resources Access Security
Bypass Vulnerability
SECUNIA ADVISORY ID:
SA47651
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47651/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47651
RELEASE DATE:
2012-01-19
DESCRIPTION:
A vulnerability has been reported in Cisco Digital Media Manager,
which can be exploited by malicious users to bypass certain security
restrictions.
Please see the vendor's advisory for the list of affected versions.
SOLUTION:
Update to a fixed version.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Anthony Towry.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm
Cisco Show and Share is not directly affected by this vulnerability.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm
Affected Products
=================
Vulnerable Products
+------------------
The following table indicates which versions of Cisco Digital Media
Manager are affected by this vulnerability:
+-------------------------------------------------------------------+
| Version | Affected |
|---------------------------------------+---------------------------|
| prior to 5.2 | YES |
|---------------------------------------+---------------------------|
| 5.2.1 | YES |
|---------------------------------------+---------------------------|
| 5.2.1.1 | YES |
|---------------------------------------+---------------------------|
| 5.2.2 | YES |
|---------------------------------------+---------------------------|
| 5.2.2.1 | NO |
|---------------------------------------+---------------------------|
| 5.2.3 | YES |
|---------------------------------------+---------------------------|
| 5.3 | NO |
+-------------------------------------------------------------------+
Note: Cisco Digital Media Manager versions prior to 5.2 reached end of
software maintenance. Customers running versions prior to 5.2 should
contact their Cisco support team for assistance in upgrading to a
supported version of Cisco Digital Media Manager. The version information is reported under
"Digital Media Manager" in the center of the page.
Optionally administrators can log in to the Appliance Administration
Interface (AAI), and access the main menu.
BACKUP_AND_RESTORE Back up and restore.
APPLIANCE_CONTROL Configure advance options
NETWORK_SETTINGS Configure network parameters.
DATE_TIME_SETTINGS Configure date and time
CERTIFICATE_MANAGEMENT Manage all certificates in the system
< OK > <LOG OUT>
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
It allows users to remotely perform management tasks for Cisco Digital
Signs, Cisco Cast, and Cisco Show and Share.
The vulnerability is due to improper validation of unreferenced URLs,
which may allow an unprivileged attacker to access administrative
resources and elevate privileges. An authenticated attacker could
exploit this vulnerability by sending the unreferenced URL to the
affected system.
Cisco Show and Share is not directly affected by this vulnerability.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts63878 - Digital Media Manager Privilege Escalation Vulnerability
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow a remote,
authenticated attacker to elevate privileges and obtain full access to
the affected system.
Software Versions and Fixes
===========================
Cisco has released free software updates that address this
vulnerability.
The following table contains the remediation for each affected version
of Cisco Digital Media Manager:
+-------------------------------------------------------------------+
| Version | Remediation |
|-------------------+-----------------------------------------------|
| 5.2.1 | Upgrade to 5.2.2.1 |
|-------------------+-----------------------------------------------|
| 5.2.1.1 | Upgrade to 5.2.2.1 |
|-------------------+-----------------------------------------------|
| 5.2.2 | Upgrade to 5.2.2.1 |
|-------------------+-----------------------------------------------|
| 5.2.3 | DMM523_PATCH-A.iso |
+-------------------------------------------------------------------+
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds that mitigate this vulnerability.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120118-dmm
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying software,
customers are advised to consult their maintenance providers or check
the software for feature set compatibility and known issues that are
specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by Anthony Towry.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-January-18 | Initial public release. |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available on
Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201201-0310 | CVE-2011-4659 | Cisco TelePresence Software Vulnerabilities whose settings are changed |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco TelePresence Software before TE 4.1.1 on the Cisco IP Video Phone E20 has a default password for the root account after an upgrade to TE 4.1.0, which makes it easier for remote attackers to modify the configuration via an SSH session, aka Bug ID CSCtw69889, a different vulnerability than CVE-2011-2555. A third party may be able to change settings through an SSH session. Cisco IP Video Phone E20 is prone to a remote authentication-bypass vulnerability.
An attacker can exploit this issue to gain unauthorized root access to the affected device. Successful exploits will result in the complete compromise of the device.
The vulnerability is due to an architectural change that was made in
the way the system maintains administrative accounts. An attacker who is able
to take advantage of this vulnerability could log in to the device as
the root user and perform arbitrary actions with elevated privileges.
Cisco has released free software updates that address this
vulnerability.
Workarounds that mitigate this vulnerability are available.
The TE 4.1.0 release has been deferred from Cisco.com and
Tandberg.com, and is no longer available for download. The deferral
notice can be found at the following link: Software Deferral Notice
Administrators can determine the version of software running on their
device by logging in to the command-line interface (CLI) as the admin
user and issuing the xstatus systemunit command and finding the
SystemUnit Software Version field.
Example:
$: ssh admin@203.0.113.134
TANDBERG Codec Release TE4.1.0.137456
SW Release Date: 2011-11-18
OK
xstatus systemunit
*s SystemUnit ProductType: "TANDBERG Codec"
*s SystemUnit ProductId: "TANDBERG E20"
*s SystemUnit Uptime: 91273
*s SystemUnit Software Version: "TE4.1.0.137456"
*s SystemUnit Software Name: "s52100"
*s SystemUnit Software ReleaseDate: "2011-11-18"
*s SystemUnit Hardware Module SerialNumber: "M1AD18B023025"
*s SystemUnit Hardware Module MainBoard: "101390-6"
*s SystemUnit Hardware Module BootSoftware: "U-Boot 2010.06-36"
*s SystemUnit State System: Initialized
*s SystemUnit State Subsystem Application: Initialized
*s SystemUnit State Cradle: On
*s SystemUnit State CameraLid: Off
*s SystemUnit ContactInfo: "demo.user@example.com"
*s SystemUnit Bluetooth Devices 1 Name: "9xxPlantronics"
*s SystemUnit Bluetooth Devices 1 Address: "L023:8F:425M3D"
*s SystemUnit Bluetooth Devices 1 Type: 2360324
*s SystemUnit Bluetooth Devices 1 Status: bonded
*s SystemUnit Bluetooth Devices 1 LastSeen: "2011-12-20 11:49:36"
** end
OK
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability. This single super account
utilized the same password for both the admin and root authentication
and was always enabled. With the introduction of TE 4.1.0, an
architectural change was made to help harden the devices by allowing
administrators to disable the root account. The intended result of
this change is to separate the super account into two accounts, root
and admin, while subsequently disabling the root account by default.
It was found that in many cases, customers upgrading from a previous
release of TE software to TE 4.1.0 are likely to experience an error
condition in which the root account is not properly disabled. This
creates a situation in which the root account is accessible via SSH
with a default password. It was subsequently discovered that the
command implemented to allow an administrator to enable or disable the
root account does not function correctly.
Workarounds are available in the Workarounds section of this
document. These workarounds involve changing the root and admin
passwords to administrator-defined values.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtw69889 - Cisco TelePresence TE Software Default Root Account Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability could allow an
unauthenticated, remote attacker to gain root access to the affected
device. This could allow the attacker to take arbitrary actions on
the device with elevated privileges.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt
And review subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised to
contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco TelePresence Software version TE 4.1.1 is available on Cisco.com
and replaces TE 4.1.0. Prior to deploying software,
customers are advised to consult their maintenance providers or check
the software for feature set compatibility and known issues that are
specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as set forth at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their service
providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
For additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was discovered internally.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-te
Additionally, a text version of this advisory is clear signed with the
Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2012-January-18 | Initial Public Release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available on
Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding
Cisco Security Advisories. All Cisco Security Advisories are available
at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201204-0222 | CVE-2012-1239 |
TOSHIBA TEC e-Studio series vulnerable to authentication bypass
Related entries in the VARIoT exploits database: VAR-E-201110-0375 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The TopAccess web-based management interface on TOSHIBA TEC e-Studio multi-function peripheral (MFP) devices with firmware 30x through 302, 35x through 354, and 4xx through 421 allows remote attackers to bypass authentication and obtain administrative privileges via unspecified vectors. Multiple e-Studio series products provided by TOSHIBA TEC CORPORATION contain an authentication bypass vulnerability. e-Studio is a multi-function peripheral (MFP). Multiple e-Studio series products contain a vulnerability in web-based management utility, which may result in an authentication bypass. An attacker that can access the product may log in with administrative privileges. As a result, settings may be changed and credential information may be viewed. Multiple Toshiba e-Studio devices are prone to a security-bypass vulnerability.
Successful exploits will allow attackers to bypass certain security restrictions and gain access in the context of the device. A remote attacker can exploit this vulnerability to bypass authentication with an unknown vector and obtain administrator-level privileges