October 24, 2014

In Brief: Remote zero-day vulnerability found in Linksys WRT54GL router

(LiveHacking.Com) – A zero-day remote root access vulnerability has been found in the Linksys WRT54GL router, with the possibility that other routers in the range are also affected. The vulnerability was found by DefenseCode, who published a proof-of-concept video on YouTube.

According to DefenseCode, Cisco was contacted about the remote preauth (root access) vulnerability several months ago. DefenseCode also passed on a detailed vulnerability description along with the PoC exploit for the vulnerability.

It seems that Cisco thought that the vulnerability was already fixed in the latest firmware, but according to DefenseCode it isn’t.

“Although we can confirm contact with DefenseCode, we have no new vulnerability information related to our WRT54GL or other home routers to share with customers at this time. We will continue to review new information that comes to light and will provide customer updates as appropriate,” a Cisco spokeswoman told SC Magazine Australia.

However, Cisco, which owns the Linksys brand, did finally admit to the problem: “Following our assessment of information recently released by DefenseCode, we have confirmed a vulnerability in the Linksys WRT54GL home router,” the company said in an e-mail to The Register. “At this point, no other Linksys products appear to be impacted.”

DefenseCode says that it will make a full disclosure of the vulnerability in the next two weeks.

Cisco updates its WebEx Player to fix four buffer overflow vulnerabilities

(LiveHacking.Com) – Cisco has released a security advisory and software updates to fix four buffer overflow vulnerabilities found in its WebEx Recording Format (WRF) player. The advisory also covers a buffer overflow vulnerability in the Cisco Advanced Recording Format (ARF) player. By exploiting these vulnerabilities it is possible, in some cases, for a remote attacker to execute arbitrary code on the targeted system.

The players affected are part of Cisco’s WebEx meeting system and can be used to play back meetings recorded using the WebEx format. To exploit any of the vulnerabilities, the player application must open a specially crafted WRF or ARF file. This could be achieved by using social engineering and tricking the user into opening the malicious file directly (for example, by using e-mail or social media). However, the vulnerabilities cannot be triggered by users who are attending a WebEx meeting.

A summary of the bugs and the Common Vulnerabilities and Exposures (CVE) identifiers have been released:

  • Cisco WebEx Arbitrary Code Execution Through ARF Files – CVE-2012-3053 – Buffer overflow allows remote attackers to execute arbitrary code via a crafted ARF file.
  • Cisco WebEx Player WRF File Heap Overflow – CVE-2012-3054 – Heap-based buffer overflow allows remote attackers to execute arbitrary code via a crafted WRF file.
  • WRF JPEG DHT Chunk Stack Buffer Overflow – CVE-2012-3055 – Stack-based buffer overflow allows remote attackers to execute arbitrary code via a crafted DHT chunk in a JPEG image within a WRF file.
  • WRF File Memory Corruption – CVE-2012-3056 – Buffer overflow allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted WRF file.
  • WRF File Audio Size Heap Overflow – CVE-2012-3057 – A heap-based buffer overflow allows remote attackers to execute arbitrary code via a crafted size field in audio data within a WRF file.

The following client builds of Cisco WebEx Business Suite (WBS 27 and WBS 28) are affected by at least one of the vulnerabilities:

  • Client builds 28.0.0 (T28 L10N)
  • Client builds 27.32.1 (T27 LD SP32 CP1) and prior
  • Client builds 27.25.10 (T27 LC SP25 EP10) and prior
  • Client builds 27.21.10 (T27 LB SP21 EP10) and prior
  • Client builds 27.11.26 (T27 L SP11 EP26) and prior

If the players were automatically installed on a PC then they will be automatically upgraded to the latest version when a user tries to access a recording file on the WebEx meeting site. If the WRF or ARF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from http://www.webex.com/play-webex-recording.html.

Cisco releases security advisories about arbitrary code execution and denial-of-service vulnerabilities

(LiveHacking.Com) – Cisco has released three security advisories detailing vulnerabilities which can allow an attacker to execute arbitrary code or cause denial-of-service conditions in some of its products.

The affected products are:

  • Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA)
  • Cisco Catalyst 6500 Series ASA Service Module (Cisco ASASM)
  • Cisco AnyConnect Secure Mobility Client
  • Cisco Application Control Engine (ACE)

According to the first advisory, Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and the Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a vulnerability that can allow an unauthenticated, remote attacker to cause the reload of the affected device. However, this vulnerability can only be triggered by IPv6 transit traffic. Cisco has released free software updates that address the vulnerability.

Also, the Cisco AnyConnect Secure Mobility Client is affected by multiple vulnerabilities that are exploited via the software update mechanisms. Details are as follows:

  • Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
  • Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability

Cisco has released free software updates that address these vulnerabilities.

The third advisory describes how Cisco ACE appliances or modules are vulnerable when running in multicontext mode. According to Cisco, for this vulnerability to be exploited two or more contexts must be configured with the same management IP address, and the administrator must hold valid login credentials for the incorrect context when logging in.

Cisco Releases New Security Advisories

(LiveHacking.Com) – Cisco has released three new security advisories to address vulnerabilities in the products:

  • Cisco ASA 5500 Series Adaptive Security Appliances (ASA)
  • Cisco Catalyst 6500 Series ASA Service Module (ASASM)
  • Cisco Catalyst 6500 Series Firewall Service Module (FWSM)
  • Cisco Adaptive Security Appliance Software 7.1 and 7.2
  • Cisco Adaptive Security Appliance Software 8.0, 8.1, 8.2, 8.3, 8.4, 8.6

The first set of vulnerabilities is found in the Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM). The Cisco ASA UDP inspection engine that is used to inspect UDP-based protocols contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. The vulnerability is due to improper flow handling by the inspection engine. An attacker could exploit this vulnerability by sending a specially crafted sequence through the affected system.

Next, it has been revealed that the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) contains a Protocol Independent Multicast (PIM) denial of service vulnerability. A vulnerability exists in the way PIM is implemented that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. The vulnerability is due to improper handling of PIM messages. An attacker could exploit this vulnerability by sending a crafted PIM message to the affected system.

Lastly, Cisco is warning that the client side ActiveX control used with Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote, unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the affected machine with the privileges of the web browser.

Cisco has released free software updates that address these vulnerabilities. More details can be found at cisco-sa-20120314-asa, cisco-sa-20120314-fwsm, and cisco-sa-20120314-asaclient.

Cisco Releases Six Security Advisories to Address Multiple Vulnerabilities

(LiveHacking.Com) – Cisco has released six security advisories to address multiple vulnerabilities for a wide range of its products. These vulnerabilities may allow a hacker to execute arbitrary code, launch a denial-of-service attack, operate with escalated privileges and bypass security restrictions.

The first of the six advisories is about the Cisco Cius Software. According to Cisco it contains a denial of service vulnerability that could cause the device to stop responding. Devices running Cius Software Versions prior to 9.2(1) SR2 are vulnerable. A remote, unauthenticated attacker could exploit this vulnerability by sending malicious network traffic to affected devices. Cisco has released free software updates that address this vulnerability. Affected products are all Cius Wifi devices running Cius Software Version 9.2(1) SR1 and earlier.

The second vulnerability affects Cisco Unified Communications Manager devices and may allow a remote, unauthenticated attacker with the ability to send crafted Skinny Client Control Protocol (SCCP) messages to an affected device to cause a reload or execute attacker-controlled SQL code. The following products are affected: Cisco Unified Communications Manager Software versions 6.x, 7.x and 8.x, and Cisco Business Edition 3000, 5000, and 6000.

Cisco Unity Connection contains two vulnerabilities, a privilege escalation vulnerability and a denial of service vulnerability. Exploitation of these may allow an authenticated, remote attacker to elevate privileges and obtain full access to the affected system or cause system services to terminate unexpectedly. Cisco has released free software updates that address these vulnerabilities. Affected versions are Cisco Unity Connection 7.1 (and earlier), 8.0, 8.5 and 8.6.

The Cisco Wireless LAN Controller (WLC) product family is affected by several vulnerabilities including three different types of denial of service vulnerability (HTTP, IPv6 and WebAuth) as well as an unauthorized access vulnerability. Cisco has released free software updates that address these vulnerabilities.

Each of the following products is affected by at least one of the vulnerabilities:

  • Cisco 2000 Series WLC
  • Cisco 2100 Series WLC
  • Cisco 2500 Series WLC
  • Cisco 4100 Series WLC
  • Cisco 4400 Series WLC
  • Cisco 5500 Series WLC
  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco Wireless Services Modules (WiSM)
  • Cisco Wireless Services Modules version 2 (WiSM version 2)
  • Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLCs
  • Cisco Flex 7500 Series Cloud Controllers

Penultimately, Cisco TelePresence Video Communication Servers running software versions prior to X7.0.1 contain vulnerabilities that could allow an attacker to cause a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities.

Lastly, the Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: a web interface command injection vulnerability, an unauthenticated configuration upload vulnerability and a directory traversal vulnerability. These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. Cisco has released free software updates that address these vulnerabilities.

The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26:

  • Cisco SRP 521W
  • Cisco SRP 526W
  • Cisco SRP 527W

The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4:

  • Cisco SRP 521W-U
  • Cisco SRP 526W-U
  • Cisco SRP 527W-U

The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4:

  • Cisco SRP 541W
  • Cisco SRP 546W
  • Cisco SRP 547W

Cisco Publishes Advisory About its IronPort Appliances

(LiveHacking.Com) – Cisco has released a security advisory for its IronPort Email Security Appliances (ESA) and IronPort Security Management Appliances (SMA) due to a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Since the appliances run AsyncOS, a modified version of the FreeBSD kernel, they are vulnerable to a Telnet bug (which affects FreeBSD and many Linux distributions) that was discovered at the end of last year.

CVE-2011-4862 is a buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0. When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the “root” superuser).
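The defect class behind CVE-2011-4862 (a network-supplied length trusted as the size of a copy into a fixed-size buffer) is the same one the WebEx WRF "crafted size field in audio data" bug above belongs to. The following is an added illustration of that pattern and its fix; it is hypothetical code written for this page, not FreeBSD's libtelnet source nor anything from Cisco. The message layout (opcode byte, length byte, key bytes), the buffer size MAX_KEY_LEN and the helper names parse_key_checked and try_message are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY_LEN 64  /* fixed-size key buffer; constructed value, not the real one */

/* Parsed result: a copy of the key material and its length. */
struct key_material {
    unsigned char key[MAX_KEY_LEN];
    size_t key_len;
};

/* Vulnerable pattern, shown for contrast only and never called:
 * the length byte received from the peer is used directly as the
 * memcpy size, so any advertised length above MAX_KEY_LEN overruns
 * 'key' on the stack.
 *
 *   static void parse_key_unchecked(const unsigned char *p,
 *                                   struct key_material *out) {
 *       out->key_len = p[1];
 *       memcpy(out->key, p + 2, out->key_len);   // no bounds check
 *   }
 */

/* Hardened parser. Input layout (constructed, suboption style):
 *   p[0] = opcode, p[1] = advertised key length, p[2..] = key bytes.
 * Returns 0 on success, -1 if the header is missing, the advertised
 * length would overflow the buffer, or it exceeds the bytes present. */
int parse_key_checked(const unsigned char *p, size_t n,
                      struct key_material *out)
{
    if (p == NULL || out == NULL || n < 2)
        return -1;                      /* header missing */
    size_t klen = p[1];
    if (klen > MAX_KEY_LEN)
        return -1;                      /* would overflow out->key */
    if (klen > n - 2)
        return -1;                      /* claims more bytes than were sent */
    memcpy(out->key, p + 2, klen);
    out->key_len = klen;
    return 0;
}

/* Builds a constructed message whose length byte says 'advertised_len'
 * while only 'actual_payload' key bytes follow, then parses it.
 * Returns the parser's verdict (0 accepted, -1 rejected). */
int try_message(unsigned char advertised_len, size_t actual_payload)
{
    unsigned char msg[2 + 255];
    struct key_material km;
    memset(msg, 0x41, sizeof msg);      /* filler key bytes */
    msg[0] = 0x01;                      /* opcode (constructed) */
    msg[1] = advertised_len;
    if (actual_payload > 255)
        actual_payload = 255;
    return parse_key_checked(msg, 2 + actual_payload, &km);
}

int main(void)
{
    printf("16-byte key, 16 bytes present:       %d\n", try_message(16, 16));
    printf("200-byte key (exceeds buffer):       %d\n", try_message(200, 200));
    printf("32-byte key, only 8 bytes present:   %d\n", try_message(32, 8));
    return 0;
}
```

The two checks are deliberately separate: the first protects the destination buffer, the second protects against reading past the end of a truncated message, and a parser needs both even when the buffer happens to be larger than any legitimate key.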

On a standard FreeBSD installation Telnet is disabled (and has been since 2001), but the Cisco variant has Telnet enabled by default. Fixes for the vulnerability are not yet available for AsyncOS (the available fixes are for FreeBSD), so Cisco recommends disabling Telnet to mitigate this vulnerability.

Affected Cisco products:

  • Cisco IronPort Email Security Appliance (C-Series and X-Series) versions prior to 7.6.0
  • Cisco IronPort Security Management Appliance (M-Series) versions prior to 7.8.0

Note that the Cisco IronPort Web Security Appliances (S-Series) are not affected by this vulnerability.

The vulnerability in the telnetd service that affects these Cisco IronPort appliances was publicly disclosed by the FreeBSD Project on December 23rd, 2011. The FreeBSD Project advisory is available at: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

There are also modules for the Metasploit Framework that can exploit this vulnerability on affected Cisco IronPort appliances.

Cisco Issues Security Advisories For Cisco Unified Contact Center, Cisco WebEx Player, Cisco Security Agent, and Cisco Unified Communication Manager

(LiveHacking.Com) – Cisco has released security advisories to address vulnerabilities affecting Cisco Unified Contact Center, Cisco WebEx Player, Cisco Security Agent, and Cisco Unified Communication Manager.

  • Cisco Unified Contact Center Express Directory Traversal Vulnerability – Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem. Cisco has released free software updates that address this vulnerability.
  • Buffer Overflow Vulnerabilities in the Cisco WebEx Player – Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user. Cisco has released free software updates that address these vulnerabilities.
  • Cisco Security Agent Remote Code Execution Vulnerabilities – Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In). Cisco has released free software updates that address these vulnerabilities.
  • Cisco Unified Communications Manager Directory Traversal Vulnerability – Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem. Cisco has released free software updates that address this vulnerability.

Cisco Issues Multiple Security Advisories

(LiveHacking.Com) – Cisco has published three different security advisories detailing vulnerabilities in the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module, Cisco Firewall Services Module, and Cisco Network Admission Control Manager.

If exploited, these vulnerabilities would allow an attacker to cause a denial-of-service condition, bypass authentication mechanisms, or obtain sensitive information.

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

  • MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
  • TACACS+ Authentication Bypass vulnerability
  • Four SunRPC Inspection Denial of Service vulnerabilities
  • Internet Locator Service (ILS) Inspection Denial of Service vulnerability

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

  • Syslog Message Memory Corruption Denial of Service Vulnerability
  • Authentication Proxy Denial of Service Vulnerability
  • TACACS+ Authentication Bypass Vulnerability
  • Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
  • Internet Locator Server (ILS) Inspection Denial of Service Vulnerability

The Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information.

Network administrators should review the security advisories cisco-sa-20111005-asa, cisco-sa-20111005-fwsm, and cisco-sa-20111005-nac and apply any necessary updates.

Cisco IOS Smart Install Remote Code Execution Vulnerability

(LiveHacking.Com) – Cisco has released a security advisory to address a vulnerability in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability.

There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature. But Cisco has released free software updates that address this vulnerability.

Cisco Issues New Security Advisories

(LiveHacking.Com) – Cisco has released two security advisories to address vulnerabilities which may allow an unauthenticated attacker to execute arbitrary code. The problems are in the CiscoWorks LAN Management Solution, the Cisco Unified Service Monitor, and the Cisco Unified Operations Manager.

Two vulnerabilities exist in the CiscoWorks LAN Management Solution software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Also, two vulnerabilities exist in the Cisco Unified Service Monitor and Cisco Unified Operations Manager software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

In both cases these vulnerabilities can be triggered by sending a series of crafted packets to the affected server over TCP port 9002. Cisco has released free software updates that address all of these vulnerabilities.

Affected products are:

  • CiscoWorks LAN Management Solution software releases 3.1, 3.2, and 4.0.
  • Cisco LAN Management Solution versions 3.1 and 3.2 (only if the Device Fault Management component is installed).
  • Cisco LAN Management Solution versions 4.0.
  • All versions of Cisco Unified Service Monitor and Cisco Unified Operations Manager prior to 8.6.