
Wednesday, January 21, 2009

[NEWS] Cisco Security Manager Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - - - - - - - -

Cisco Security Manager Vulnerability
------------------------------------------------------------------------


SUMMARY

Cisco Security Manager contains a vulnerability when it is used with Cisco
IPS Event Viewer (IEV) that results in open TCP ports on both the Cisco
Security Manager server and IEV client. An unauthenticated, remote
attacker could leverage this vulnerability to access the MySQL databases
or IEV server.

DETAILS

Vulnerable Systems:
* Cisco Security Manager versions 3.1 and 3.2, prior to 3.2.2

Immune Systems:
* Cisco Security Manager 3.2.2
* Cisco Security Manager 3.0.x and earlier
* Standalone implementations of Cisco IEV
* Cisco IPS Manager Express

Cisco Security Manager is an enterprise-class management application that
is designed to configure firewall, VPN, and intrusion prevention security
services on Cisco network and security devices. As part of Cisco Security
Manager installation, the Cisco IEV is installed by default. The IEV is a
Java-based application that allows users to view and manage alerts for up
to five sensors, including the ability to report top alerts, attackers,
and victims over a specified number of hours or days. Users can connect to
and view alerts in real time or via imported log files, configure filters
and views to help manage alerts, and import and export event data for
further analysis.

A vulnerability exists in the Cisco Security Manager server. When the IEV
is launched, it opens several remotely available TCP ports on the Cisco
Security Manager server and client. These ports could allow remote,
unauthenticated root access to the IEV database and server. When IEV is
closed, it closes open ports on the Cisco Security Manager client that
launched the IEV but fails to close open ports on the server. If the IEV
has never been used on the system, the Cisco Security Manager server is
not vulnerable.

The IEV database contains events that are collected from Cisco Intrusion
Prevention System (IPS) devices. The IEV server allows an unauthenticated
user to add, delete, or modify the devices that are added into the IEV.

This vulnerability is documented in Cisco Bug ID CSCsv66897:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv66897

CVE Information: CVE-2008-3820
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3820

Impact:
Successful exploitation of this vulnerability may result in remote root
access to the IEV database or to the IEV server. Upon launching the IEV,
remotely accessible ports are opened on the Cisco Security Manager server
and on the client where the IEV is launched. When the IEV application is
closed, these ports are subsequently closed on the client but remain open
on the Cisco Security Manager server.

Workarounds:
In the event that Cisco IEV is not being used, administrators are advised
to disable the functionality until a patch is applied. To disable IEV on
Cisco Security Manager, perform the following steps:
1. Access the Microsoft Windows Server that Cisco Security Manager is
installed on.
2. Open the Services dialog box (Choose Start > Administrative Tools >
Services).
3. Locate the Cisco IPS Event Viewer service and open Properties.
4. Change Startup Type to Disabled and click OK.
5. Stop the Cisco IPS Event Viewer service.
6. Stop and restart the Cisco Security Manager Daemon Manager service.
7. Confirm that the Cisco IPS Event Viewer service has not restarted.

Upon disabling the Cisco IPS Event Viewer service, the open ports on the
Cisco Security Manager server will be closed.
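The same workaround, scripted for the Windows server hosting Cisco Security Manager. This is an added example, not part of the Cisco or SecuriTeam advisory; it assumes the service display names are exactly the ones the advisory lists ("Cisco IPS Event Viewer" and "Cisco Security Manager Daemon Manager"), since the advisory does not give the short service names.

```powershell
# Added example (not from the advisory): performs workaround steps 3-7 on the
# Cisco Security Manager server. Run from an elevated PowerShell prompt.
# Assumption: the display names below match what the Services dialog shows.
$ievDisplayName = 'Cisco IPS Event Viewer'
$dmDisplayName  = 'Cisco Security Manager Daemon Manager'

function Disable-CiscoIev {
    # Step 3: locate the two services by display name; fail early if absent
    $iev = Get-Service -DisplayName $ievDisplayName -ErrorAction Stop
    $dm  = Get-Service -DisplayName $dmDisplayName  -ErrorAction Stop

    # Step 4: set Startup Type to Disabled so Daemon Manager cannot relaunch it
    Set-Service -Name $iev.Name -StartupType Disabled

    # Step 5: stop the IEV service (this is what closes the server-side ports)
    if ($iev.Status -ne 'Stopped') {
        Stop-Service -Name $iev.Name -Force
        $iev.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
    }

    # Step 6: stop and restart the Daemon Manager
    Restart-Service -Name $dm.Name -Force

    # Step 7: confirm IEV stayed down and is still disabled after the restart
    Start-Sleep -Seconds 15
    $iev.Refresh()
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($iev.Name)'"
    if ($iev.Status -ne 'Stopped' -or $wmi.StartMode -ne 'Disabled') {
        Write-Warning ("IEV status={0} startmode={1}; expected Stopped/Disabled" `
            -f $iev.Status, $wmi.StartMode)
        return $false
    }
    Write-Output 'Cisco IPS Event Viewer is stopped and disabled.'
    return $true
}

Disable-CiscoIev
```

After the script reports success, re-check the server's listening TCP ports (for example with netstat -ano) against a baseline taken before the change to confirm the IEV-owned listeners are gone.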

Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090121-csm.shtml


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
