-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Cisco CRM Temporary File Vulnerability
August 19, 1998 15:00 GMT Number I-086
______________________________________________________________________________
PROBLEM: A vulnerability has been identified in the Cisco Resource
Manager (CRM). The temporary files and log files created on the
management station contain potentially sensitive information.
PLATFORM: Cisco Management Workstations running CRM versions 1.0 and 1.1.
This affects both Solaris and Windows NT systems.
DAMAGE: The information exposed includes the usernames, passwords, and
SNMP community strings used by CRM to gain access to the
devices being managed.
SOLUTION: Apply patches or workarounds.
______________________________________________________________________________
VULNERABILITY Cisco has no reports of malicious exploitation of the
ASSESSMENT: vulnerabilities listed in this advisory.
______________________________________________________________________________
[ Start Cisco Systems, Inc. Advisory ]
Field Notice:
CRM Temporary File Vulnerability
================================
For release 09:00 AM US/Pacific, Thursday, August 13, 1998
Contents
========
* Summary
* Who is Affected
* Impact
* Details
o Remote Access Logs (CSCdk13298)
+ Workarounds for CSCdk13298
o Database Update Logs (CSCdk13579)
+ Workaround for CSCdk13579
o Import Temporary Files (CSCdk14992, CSCdk14993)
+ Workaround for CSCdk14992/CSCdk14993
o Planned Software Fixes
o Exploitation and Public Announcements
* Status of This Notice
o Distribution
o Revision History
* Cisco Security Procedures
Summary
=======
Versions 1.0 and 1.1 of the Cisco Resource Manager (CRM) create log files
and temporary files on the management station which contain potentially
sensitive information. These files are not protected using operating system
mechanisms, and are therefore readable by all users of the system on which
CRM is installed. The information exposed includes the usernames, passwords,
and SNMP community strings used by CRM to gain access to the devices being
managed.
Users who have access to the computer on which CRM is installed may gain
access to information which gives them unauthorized access to the managed
routers and switches. This affects both Solaris and Windows NT systems.
There are workarounds for this problem, and a patch is available for CRM
1.1. There is no patch for CRM 1.0. Other than to install the patch, the
most effective solution for most installations is simply to deny untrusted
users any access to the computer on which CRM is installed or to its file
systems.
Who is Affected
===============
All customers who run Cisco Resource Manager 1.1 or 1.0, and who allow
untrusted users access to the computer on which CRM is run or to its file
systems, are affected by these vulnerabilities.
Impact
======
Users who have direct access to the machine on which CRM is installed, or
who have network access to the files specified in the "Details" section of
this document, may gain unauthorized access to the managed devices. The
unauthorized access gained may include administrative access and the ability
to modify device configurations.
Details
=======
Several different unprotected files may contain sensitive information.
Applicable Cisco bug IDs include CSCdk13298, CSCdk14992, CSCdk14993, and
CSCdk13579.
Remote Access Logs (CSCdk13298)
- -------------------------------
Cisco Resource Manager is capable of logging a great deal of detailed
information for debugging purposes. Debugging is ordinarily under control of
the administrator. However, a software error in CRM 1.0 and 1.1 causes
debugging to be enabled at all times. The debugging information collected
may include usernames and passwords used to log into managed devices, SNMP
community strings, and enable passwords. The files containing this
information are readable by any user of the computer on which CRM is run.
The log files containing the offending data are:
* /var/adm/CSCOpx/files/schedule/job-id/swim_swd.log (Solaris)
C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log (Windows NT)
These files are created by software distribution jobs scheduled with
"Distribute Images". Each job has its own subdirectory (designated by
"job-id" above) and its own log file.
* /tmp/swim_debug.log (Solaris)
C:\Program Files\CSCOpx\temp\swim_debug.log (Windows NT)
This file is used for logging debugging information from Software Image
Manager functions, such as "Import image from File System/Device", Job
administration and History administration.
Workarounds for CSCdk13298
- ------
The simplest and most effective workaround for this vulnerability is to
prevent untrusted users from having access to the computer on which CRM is
being run or to the file systems on which the log files are stored. The file
systems in question should not be shared over a network of any kind.
If the computer on which CRM is being run must be shared, then the files in
question must be protected from access by untrusted users. This may be done
by issuing the following Solaris commands while running as "root" or "bin":
chmod 700 /var/adm/CSCOpx/files/schedule
chmod 700 /tmp/swim_debug.log
Note: Each time your system is rebooted, you will need to change the
permissions on /tmp/swim_debug.log.
There is no analogous workaround for Windows NT systems.
Database Update Logs (CSCdk13579)
- ---------------------------------
The "Local/Remote Import", "Import from File", "Add Devices", and "Change
Device Attributes" functions all record debugging information in files
readable to any user of the computer on which CRM is run. This information
may include usernames, login passwords, SNMP community strings, and/or
enable passwords.
The offending information is recorded in a log file named "dbi_debug.log",
which is located in /tmp on Solaris systems and in C:\Program
Files\CSCOpx\temp on Windows NT systems.
Workaround for CSCdk13579
- ------
The simplest and most effective workaround for this vulnerability is to
prevent untrusted users from having access to the computer on which CRM is
being run or to the file systems on which the log files are stored. The file
systems in question should not be shared over a network of any kind.
If the computer on which CRM is run must be shared, the file
"/tmp/dbi_debug.log" or "C:\Program Files\CSCOpx\temp\dbi_debug.log" should
be deleted after any change to device attributes. Note that a window of
vulnerability will exist between the time at which the database update is
performed and the time at which the file is deleted. It may be desirable to
deny access to untrusted users during this window, even though they may be
given access to the system at other times.
Import Temporary Files (CSCdk14992, CSCdk14993)
- -----------------------------------------------
The "Local/Remote Import" functions, which are used to load data into the
CRM database from databases maintained by other network management tools,
create temporary files containing usernames, login passwords, community
strings, and enable passwords. The files are readable to any user of the
computer on which CRM is run. The files exist only for a short time during
the information gathering phase of an import operation, and are
automatically deleted upon successful completion of the operation. However,
should the information gathering phase of the operation fail because of some
system error, the files would not be deleted.
The offending files have names beginning with "DPR_", and are stored in
"/tmp" on Solaris systems and in "C:\Program Files\CSCOpx\temp" on Windows
NT systems.
Workaround for CSCdk14992/CSCdk14993
- ------
The only effective workaround for CSCdk14992 and CSCdk14993 is to deny
untrusted users access to the system on which CRM is run during any import
operation. Cisco believes that such operations are sufficiently uncommon to
make this a viable option.
Planned Software Fixes
- ----------------------
Cisco has modified the CRM software to eliminate all of the vulnerabilities
described in this notice. The first regular release containing the
modifications will be CRM version 2.0, which is tentatively scheduled for
release in early October, 1998. This schedule is subject to change.
Customers who do not wish to wait for CRM version 2.0 may install the CRM
SWIM package version 1.1.1. The CRM SWIM package version 1.1.1 is a patched
version, identical to the SWIM package in CRM version 1.1, but containing a
fix for bug ID CSCdk13298, which Cisco believes to be the vulnerability most
disruptive to day-to-day system operation. The other vulnerabilities listed
in this notice are not addressed by the CRM SWIM package 1.1.1.
Customers with service contracts may obtain updates through their usual
channels; those who are registered users of CCO (Cisco's Worldwide Web site)
may download the CRM SWIM package version 1.1.1 update from CCO site at
http://www.cisco.com/pcgi-bin/tablebuild.pl/crm-packages.
Customers without service contracts should contact the Cisco TAC for
assistance. The CRM SWIM package 1.1.1 patch (but not the CRM 2.0 upgrade)
will be made available free of charge to all CRM customers, regardless of
service contract status. Please reference the URL of this notice as evidence
of your entitlement to the patch.
There will be no patched version of CRM 1.0. CRM 1.0 customers are eligible
for free upgrades to CRM 1.1 and the CRM SWIM package version 1.1.1.
Customers who wish to continue to use CRM 1.0 are strongly encouraged to
prevent all access by untrusted users to the computers on which they run CRM
or to those computers' file systems.
Exploitation and Public Announcements
=====================================
Cisco has had no reports of malicious exploitation of the vulnerabilities
listed in this notice.
Cisco knows of no public announcements of these vulnerabilities before the
date of this notice.
Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.
Distribution
- ------------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/crmtmp-pub.shtml. In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail recipients:
* cust-security-announce@cisco.com
* Various internal Cisco mailing lists
Future updates to this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
Revision 1.1, Initial released version
11:50 AM
US/Pacific,
11-AUG-1998
Cisco Security Procedures
=========================
Please report security issues with Cisco products, and/or sensitive security
intrusion emergencies involving Cisco products, to security-alert@cisco.com.
Reports may be encrypted using PGP; public RSA and DSS keys for
"security-alert@cisco.com" are on the public PGP keyservers.
The alias "security-alert@cisco.com" is used only for reports incoming to
Cisco. Mail sent to the list goes only to a very small group of users within
Cisco. Neither outside users nor unauthorized Cisco employees may subscribe
to "security-alert@cisco.com".
Please do not use "security-alert@cisco.com" for configuration questions,
for security intrusions that you do not consider to be sensitive
emergencies, or for general, non-security-related support requests. We do
not have the capacity to handle such requests through this channel, and will
refer them to the TAC, delaying response to your questions. We advise
contacting the TAC directly with these requests. TAC contact information is
as follows:
* Voice telephone: +1 800 553 2447 (toll-free from within North America)
* Voice telephone: +1 408 526 7209 (toll call from anywhere in the world)
* Electronic mail: tac@cisco.com
All formal public security notices generated by Cisco are sent to the public
mailing list "cust-security-announce@cisco.com". For information on
subscribing to this mailing list, send a message containing the single line
"info cust-security-announce" to "majordomo@cisco.com". An analogous list,
"cust-security-discuss@cisco.com" is available for public discussion of the
notices and of other Cisco security issues.
======================================================================
This notice is copyright 1998 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the notice,
provided that redistributed copies are complete and unmodified, including
all date and version information.
[ End Cisco Systems, Inc. Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
I-076: SGI IRIX ioconfig(1M) and disk_bandwidth(1M) Vulnerability
I-077: Mime Name Vulnerability in Outlook and Messenger
I-078: HP-UX ftp Security Vulnerability
I-079: IBM AIX "sdrd" daemon Vulnerability
I-080: Microsoft Exchange Denial of Service Attacks
I-081: HP-UX & MPEix Predictive Vulnerability
I-082: HP-UX Netscape Servers Vulnerability
I-083: Eudora Pro E-Mail Attachment Vulnerability
I-084: Cisco IOS Remote Router Crash
I-085: Microsoft IE Upgrade Trojan Horse Program
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNdsZ3rnzJzdsy3QZAQH5QQP9FnUMWyWKLkUk4FRSRWaNtr/KeCjpaoJt
U6bazXmNfn/WNghowq1uLE/9B0ys2K8qVB4KSKszk38j/noyWyo5KhajgRtina0Y
kxNujMXIYPm1PQA4D8KCHRNgNR50gPZajP6jK4vIYR0euFAsNQ8uk2AaraxFYCms
gmGqIQdgFfY=
=EKpw
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
