|
----- Original Message ----- From: "Cisco Systems Product Security Incident Response Team" <psirt@cisco.com> To: <bugtraq@securityfocus.com> Sent: Wednesday, August 13, 2003 7:37 AM Subject: Cisco Security Advisory: CiscoWorks Application Vulnerabilities > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Cisco Security Advisory: CiscoWorks Application Vulnerabilities > > Revision Numeral 1.0: INTERIM > ============================= > > For Public Release 2003 August 13 UTC 1500 > > - ------------------------------------------------------------------------ ------- > > Contents > ======== > > Summary > Affected Products > Details > Impact > Software Versions and Fixes > Obtaining Fixed Software > Workarounds > Exploitation and Public Announcements > Status of This Notice: INTERIM > Distribution > Revision History > Cisco Security Procedures > > - ------------------------------------------------------------------------ ------- > > Summary > ======= > > CiscoWorks Common Management Foundation (CMF), also packaged as part of > CiscoWorks CD One, provides an application infrastructure foundation, > allowing all CiscoWorks applications to share a common model for data > storage, login, user role definitions, access privileges, and security > protocols, as well as for navigation and launch management. > > Two vulnerabilities exist in CiscoWorks CMF versions prior to and > including 2.1. The first vulnerability is a privilege escalation > vulnerability where a guest user may obtain administrative privileges > within the application via a specially crafted URL. The second > vulnerability is an ability to run arbitrary commands on the CiscoWorks > server due to an error in processing user input. > > This notice will be posted at > http://www.cisco.com/warp/public/707/cisco-sa-20030813-cmf.shtml. > > Cisco is making patches available for CMF versions 2.0 and 2.1, free of > charge, to correct the problem. > > Affected Products > ================= > > The following products are affected: > > * All versions of CiscoWorks CD One (1st through 5th editions) > > * Resource Manager Essentials (RME) versions 2.0, 2.1, and 2.2 > > * Cisco Resource Manager (CRM) versions 1.0 and 1.1 > > CiscoWorks CD One is included as the base for all CiscoWorks management > solutions, such as the LAN Management Solution, Routed WAN Management > Solution, Small Network Management Solution, and VPN/Security Management > Solution. > > To determine the version of the Common Management Foundation which is > installed, navigate through the menus within CiscoWorks starting with > the tab on the left titled "Server Configuration" and locate the screen > titled "Applications and Versions" under the folder named "About the > Server". Look for the entry in the table labeled "Common Management > Foundation" and the corresponding version. > > Details > ======= > > The first vulnerability allows a non-privileged user of the CiscoWorks > application, including the guest account if enabled, to send a specially > crafted URL to the CiscoWorks server to acquire administrative > privileges without authentication. Cisco Bug ID CSCdy33916 describes > this vulnerability. > > The second vulnerability permits an authenticated user of the CiscoWorks > application to run arbitrary commands on the CiscoWorks server as > "casuser", the username under which the application runs. Cisco Bug ID > CSCea15281 describes this vulnerability. > > Impact > ====== > > * CSCdy33916 - The guest user or a normal user is capable, with a > specifically crafted URL, of obtaining administrative privileges > within the application allowing the user to perform tasks which it > might otherwise not be allowed to do. Examples of such tasks might > be approval of scheduled changes, such as software upgrades, adding > and removing devices, adding, removing, and modifying accounts with > the server, and viewing device configurations stored in the local > archive. > > * CSCea15281 - A normal user is capable, with a specifically crafted > URL, of running commands remotely on the CiscoWorks server to perform > tasks which they may otherwise not have access to do. Examples of > such tasks might be viewing device configurations stored in the local > archive. > > Software Versions and Fixes > =========================== > > Both vulnerabilities have been resolved in CiscoWorks Common Services 2.2. > > Patches for CMF versions 2.0 and 2.1 should be available by the end > of August 2003 (date subject to change). Should the availability date > change, Cisco will update this advisory to reflect the new availability > date. > > Obtaining Fixed Software > ======================== > > Customers with contracts should obtain upgraded software through > their regular update channels. For most customers, this means that > upgrades should be obtained through the Product Upgrade Tool at > http://tools.cisco.com/gct/Upgrade/jsp/index.jsp ( registered customers > only) . > > Customers whose Cisco products are provided or maintained through prior > or existing agreement with third-party support organizations such as > Cisco Partners, authorized resellers, or service providers should > contact that support organization for assistance with the upgrade, which > should be free of charge. > > Customers who purchase/license the product directly from Cisco, but who > do not hold a Cisco service contract and customers who purchase through > third-party vendors, but are unsuccessful at obtaining fixed software > through their point of sale should obtain an applicable software patch > by contacting the Cisco Technical Assistance Center (TAC). TAC contacts > are as follows. > > * +1 800 553 2447 (toll free from within North America) > * +1 408 526 7209 (toll call from anywhere in the world) > * e-mail: tac@cisco.com > > Please have your product serial number available and give the URL of > this notice as evidence of your entitlement to a free patch. Free > patches for non-contract customers must be requested through the TAC. > > Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" > for software upgrades. > > If you need assistance with the implementation of the workarounds, or > have questions on the workarounds, please contact the Cisco Technical > Assistance Center (TAC). > > See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for > additional TAC contact information, including special localized > telephone numbers and instructions and e-mail addresses for use in > various languages. > > Workarounds > =========== > > * CSCdy33916 - The guest user account may be disabled, limiting the > exposure to only the trusted users of the CiscoWorks server. However, > a software upgrade or patch is required to completely resolve the > vulnerability. > > * CSCea15281 - There is no workaround. A software upgrade or patch is > required. > > Exploitation and Public Announcements > ===================================== > > The Cisco PSIRT is not aware of any malicious use of the vulnerabilities > described in this advisory. > > The vulnerabilities described in this advisory were both > originally found by internal testing. Prior to disclosure, the > bug described by CSCdy33916 was also reported by Omicron from > Portcullis Computer Security Ltd. Their report can be found at > http://www.portcullis-security.com/News/archives/advisory/cisco-sa-20030813. htm > > Status of This Notice: INTERIM > ============================== > > This is an INTERIM advisory. Although Cisco cannot guarantee the > accuracy of all statements in this notice, all of the facts have been > checked to the best of our ability. Cisco does not anticipate issuing > updated versions of this advisory unless there is some material change > in the facts. Should there be a significant change in the facts, Cisco > will update this advisory. > > A stand-alone copy or paraphrase of the text of this security advisory > that omits the distribution URL in the following section is an > uncontrolled copy, and may lack important information or contain factual > errors. > > Distribution > ============ > > This advisory will be posted on Cisco's worldwide website at > http://www.cisco.com/warp/public/707/cisco-sa-20030813-cmf.shtml > > In addition to worldwide web posting, a text version of this notice is > clear-signed with the Cisco PSIRT PGP key and is posted to the following > e-mail and Usenet news recipients. > > * cust-security-announce@cisco.com > * bugtraq@securityfocus.com > * full-disclosure@lists.netsys.com > * first-teams@first.org (includes CERT/CC) > * cisco@spot.colorado.edu > * cisco-nsp@puck.nether.net > * comp.dcom.sys.cisco > * Various internal Cisco mailing lists > > Future updates of this advisory, if any, will be placed on Cisco's > worldwide website, but may or may not be actively announced on mailing > lists or newsgroups. Users concerned about this problem are encouraged > to check the above URL for any updates. > > Revision History > ================ > > +---------------------------------------------+ > | Revision | 2003-August-13 | Initial Public | > | 1.0 | | Release | > +---------------------------------------------+ > > Cisco Security Procedures > ========================= > > Complete information on reporting security vulnerabilities > in Cisco products, obtaining assistance with security > incidents, and registering to receive security information > from Cisco, is available on Cisco's worldwide website at > http://www.cisco.com/warp/public/707/sec_incident_response.shtml. > This includes instructions for press inquiries regarding Cisco > security notices. All Cisco security advisories are available at > http://www.cisco.com/go/psirt/. > > - ------------------------------------------------------------------------ ------- > > This notice is Copyright 2003 by Cisco Systems, Inc. This notice may > be redistributed freely after the release date given at the top of the > text, provided that redistributed copies are complete and unmodified, > and include all date and version information. > > - ------------------------------------------------------------------------ ------- > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.2 > > iQA/AwUBPzpa53sxqM8ytrWQEQL5AwCeNWTRizaz5YV529HJiilDdy40B6QAoKV7 > I2GtoEemWYKerdrwJdbvsBTm > =xv5+ > -----END PGP SIGNATURE----- >