Vulnerability

    CRM

Affected

    Cisco Resource Manager 1.1 or 1.0 (Solaris, Win NT)

Description

    Following info is based on  Cisco Field Notice.  Versions  1.0 and
    1.1  of  the  Cisco  Resource  Manager  (CRM) create log files and
    temporary  files   on  the   management  station   which   contain
    potentially sensitive information.  These files are not  protected
    using operating system mechanisms,  and are therefore readable  by
    all users of the system on which CRM is installed. The information
    exposed  includes  the  usernames,  passwords,  and SNMP community
    strings used by CRM to  gain access to the devices  being managed.
    Users who have  access to the  computer on which  CRM is installed
    may  gain  access  to  information  which  gives them unauthorized
    access to  the managed  routers and  switches.   This affects both
    Solaris and Windows NT systems.

    Several  different   unprotected  files   may  contain   sensitive
    information.   Applicable  Cisco   bug  IDs  include   CSCdk13298,
    CSCdk14992, CSCdk14993, and CSCdk13579.

    Remote Access Logs (CSCdk13298)
    -----------------------------
    Cisco  Resource  Manager  is  capable  of  logging a great deal of
    detailed  information  for   debugging  purposes.   Debugging   is
    ordinarily  under  control  of  the  administrator.   However,   a
    software error in CRM 1.0  and 1.1 causes debugging to  be enabled
    at all  times.   The debugging  information collected  may include
    usernames and passwords  used to log  into managed devices,   SNMP
    community strings,  and enable  passwords.   The files  containing
    this  information  are  readable  by  any  user of the computer on
    which CRM  is run.   The log  files containing  the offending data
    are:

        /var/adm/CSCOpx/files/schedule/job-id/swim_swd.log (Solaris)
        C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log (Windows NT)

        These  files  are  created   by  software  distribution   jobs
        scheduled  with  "Distribute  Images".   Each  job has its own
        subdirectory (designated  by "job-id"  above) and  its own log
        file.

        /tmp/swim_debug.log (Solaris)
        C:\Program Files\CSCOpx\temp\swim_debug.log (Windows NT)

        This  file  is  used  for  logging  debugging information from
        Software Image Manager functions,  such as "Import image  from
        File   System/Device",   Job   administration   and    History
        administration.

    Database Update Logs (CSCdk13579)
    -------------------------------
    The "Local/Remote  Import",   "Import from  File", "Add  Devices",
    and  "Change  Device  Attributes"  functions  all record debugging
    information in files readable to any user of the computer on which
    CRM  is  run.  This  information  may  include  usernames,   login
    passwords, SNMP community strings,  and/or enable passwords.   The
    offending  information   is  recorded   in  a   log  file    named
    "dbi_debug.log", which is located  in /tmp on Solaris  systems and
    in C:\Program Files\CSCOpx\temp on Windows NT systems.

    Import Temporary Files (CSCdk14992, CSCdk14993)
    ---------------------------------------------
    The "Local/Remote Import" functions,  which are used to  load data
    into the CRM database  from databases maintained by  other network
    management  tools,  create  temporary  files containing usernames,
    login passwords,  community strings,  and enable  passwords.   The
    files are readable  to any user  of the computer  on which CRM  is
    run.  The files exist only for a short time during the information
    gathering  phase  of  an  import  operation, and are automatically
    deleted upon  successful completion  of the  operation.   However,
    should  the  information  gathering  phase  of  the operation fail
    because of some system error, the files would not be deleted.  The
    offending files have names  beginning with "DPR_", and  are stored
    in "/tmp" on Solaris systems and in "C:\Program Files\CSCOpx\temp"
    on Windows NT systems.

Solution

    Cisco  has  modified  the  CRM  software  to  eliminate all of the
    vulnerabilities  described  here.    The  first  regular   release
    containing   the  modifications  will  be  CRM  version 2.0, which
    is  tentatively  scheduled  for  release  in  early October, 1998.
    Customers who do not wish to wait for CRM version 2.0 may  install
    the CRM SWIM package version 1.1.1.  The CRM SWIM package  version
    1.1.1 is a patched version,  identical to the SWIM package  in CRM
    version 1.1,  but containing  a fix  for bug  ID CSCdk13298, which
    Cisco  believes  to  be  the  vulnerability  most  disruptive   to
    day-to-day  system  operation.   The  other vulnerabilities listed
    are not addressed by the CRM SWIM package 1.1.1.

    Workarounds for CSCdk13298
    --------------------------
    The simplest and most effective workaround for this  vulnerability
    is to prevent untrusted users  from having access to the  computer
    on which CRM is being run or to the file systems on which the  log
    files are  stored.   The file  systems in  question should  not be
    shared over a network of any  kind.  If the computer on  which CRM
    is being run must  be shared, then the  files in question must  be
    protected from  access by  untrusted users.   This may  be done by
    issuing the following Solaris commands while running as "root"  or
    "bin":

        chmod 700 /var/adm/CSCOpx/files/schedule
        chmod 700 /tmp/swim_debug.log

    Note: Each time your system  is rebooted, you will need  to change
    the permissions  on /tmp/swim_debug.log.   There is  no  analogous
    workaround for Windows NT systems.

    Workaround for CSCdk13579
    -------------------------
    The simplest and most effective workaround for this  vulnerability
    is to prevent untrusted users  from having access to the  computer
    on which CRM is being run or to the file systems on which the  log
    files  are  stored.  The  file  systems  in question should not be
    shared over a network of any  kind.  If the computer on  which CRM
    is  run  must  be   shared,  the   file  "/tmp/dbi_debug.log"   or
    "C:\Program  Files\CSCOpx\temp\dbi_debug.log"  should  be  deleted
    after  any  change  to  device  attributes.  Note that a window of
    vulnerability will exist  between the time  at which the  database
    update is performed and the time at which the file is deleted.  It
    may be  desirable to  deny access  to untrusted  users during this
    window, even  though they  may be  given access  to the  system at
    other times.

    Workaround for CSCdk14992/CSCdk14993
    ------------------------------------
    The only effective workaround for CSCdk14992 and CSCdk14993 is  to
    deny untrusted  users access  to the  system on  which CRM  is run
    during any import operation.  Cisco believes that such  operations
    are sufficiently uncommon to make this a viable option.