October 31, 2014

In Brief: Remote zero-day vulnerability found in Linksys WRT54GL router

(LiveHacking.Com) – A zero-day remote root access vulnerability has been found in the Linksys WRT54GL router, with the possibility that other routers in the range are also affected. The vulnerability was found by DefenseCode, who published a proof-of-concept video on YouTube.

According to DefenseCode, Cisco was contacted about the remote preauth (root access) vulnerability several months ago. The company also passed on a detailed vulnerability description along with the PoC exploit for the vulnerability.

It seems that Cisco thought that the vulnerability was already fixed in the latest firmware, but according to DefenseCode it isn’t.

“Although we can confirm contact with DefenseCode, we have no new vulnerability information related to our WRT54GL or other home routers to share with customers at this time. We will continue to review new information that comes to light and will provide customer updates as appropriate,” a Cisco spokeswoman told SC Magazine Australia.

However, Cisco, which owns the Linksys brand, did finally admit to the problem: “Following our assessment of information recently released by DefenseCode, we have confirmed a vulnerability in the Linksys WRT54GL home router,” the company said in an e-mail to The Register. “At this point, no other Linksys products appear to be impacted.”

DefenseCode says that it will make a full disclosure of the vulnerability in the next two weeks.

Cisco releases security advisories about arbitrary code execution and denial-of-service vulnerabilities

(LiveHacking.Com) – Cisco has released three security advisories detailing vulnerabilities which can allow an attacker to execute arbitrary code or cause denial-of-service conditions in some of its products.

The affected products are:

  • Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA)
  • Cisco Catalyst 6500 Series ASA Service Module (Cisco ASASM)
  • Cisco AnyConnect Secure Mobility Client
  • Cisco Application Control Engine (ACE)

According to the first advisory, Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) and the Cisco Catalyst 6500 Series ASA Services Module (Cisco ASASM) contain a vulnerability that can allow an unauthenticated, remote attacker to cause the reload of the affected device. However, this vulnerability can only be triggered by IPv6 transit traffic. Cisco has released free software updates that address the vulnerability.

Also, the Cisco AnyConnect Secure Mobility Client is affected by multiple vulnerabilities that are exploited via the software update mechanisms. Details are as follows:

  • Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability
  • Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop HostScan Downloader Software Downgrade Vulnerability
  • Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability

Cisco has released free software updates that address these vulnerabilities.

The third advisory describes how Cisco ACE appliances or modules are vulnerable when running in multicontext mode. According to Cisco, for this vulnerability to be exploited, two or more contexts must be configured with the same management IP address. The administrator must have valid login credentials for the incorrect context when logging in.

Cisco Releases New Security Advisories

(LiveHacking.Com) – Cisco has released three new security advisories to address vulnerabilities in the following products:

  • Cisco ASA 5500 Series Adaptive Security Appliances (ASA)
  • Cisco Catalyst 6500 Series ASA Service Module (ASASM)
  • Cisco Catalyst 6500 Series Firewall Service Module (FWSM)
  • Cisco Adaptive Security Appliance Software 7.1 and 7.2
  • Cisco Adaptive Security Appliance Software 8.0, 8.1, 8.2, 8.3, 8.4, 8.6

The first set of vulnerabilities is found in the Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM). The Cisco ASA UDP inspection engine that is used to inspect UDP-based protocols contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. The vulnerability is due to improper flow handling by the inspection engine. An attacker could exploit this vulnerability by sending a specially crafted sequence through the affected system.

Next, it has been revealed that the Cisco Catalyst 6500 Series Firewall Services Module (FWSM) contains a Protocol Independent Multicast (PIM) denial of service vulnerability. A vulnerability exists in the way PIM is implemented that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. The vulnerability is due to improper handling of PIM messages. An attacker could exploit this vulnerability by sending a crafted PIM message to the affected system.

Lastly, Cisco is warning that the client-side ActiveX control used with Cisco ASA 5500 Series Adaptive Security Appliances (Cisco ASA) may be affected if the system has ever connected to a device that is running the Cisco Clientless VPN solution. A remote, unauthenticated attacker who could convince a user to connect to a malicious web page could exploit this issue to execute arbitrary code on the affected machine with the privileges of the web browser.

Cisco has released free software updates that address these vulnerabilities. More details can be found at cisco-sa-20120314-asa, cisco-sa-20120314-fwsm, and cisco-sa-20120314-asaclient.

Cisco Releases Six Security Advisories to Address Multiple Vulnerabilities

(LiveHacking.Com) – Cisco has released six security advisories to address multiple vulnerabilities for a wide range of its products. These vulnerabilities may allow a hacker to execute arbitrary code, launch a denial-of-service attack, operate with escalated privileges and bypass security restrictions.

The first of the six advisories is about the Cisco Cius Software. According to Cisco, it contains a denial of service vulnerability that could cause the device to stop responding. Devices running Cius Software Versions prior to 9.2(1) SR2 are vulnerable. A remote, unauthenticated attacker could exploit this vulnerability by sending malicious network traffic to affected devices. Cisco has released free software updates that address this vulnerability. Affected products are all Cius Wifi devices running Cius Software Version 9.2(1) SR1 and earlier.

The second vulnerability affects Cisco Unified Communications Manager devices and may allow a remote, unauthenticated attacker with the ability to send crafted Skinny Client Control Protocol (SCCP) messages to an affected device to cause a reload or execute attacker-controlled SQL code. The following products are affected: Cisco Unified Communications Manager Software versions 6.x, 7.x and 8.x and Cisco Business Edition 3000, 5000, and 6000.

Cisco Unity Connection contains two vulnerabilities, a privilege escalation vulnerability and a denial of service vulnerability. Exploitation of these may allow an authenticated, remote attacker to elevate privileges and obtain full access to the affected system or cause system services to terminate unexpectedly. Cisco has released free software updates that address these vulnerabilities. Affected versions are Cisco Unity Connection 7.1 (and earlier), 8.0, 8.5 and 8.6.

The Cisco Wireless LAN Controller (WLC) product family is affected by several vulnerabilities including three different types of denial of service vulnerability (HTTP, IPv6 and WebAuth) as well as an unauthorized access vulnerability. Cisco has released free software updates that address these vulnerabilities.

Each of the following products is affected by at least one of the vulnerabilities:

  • Cisco 2000 Series WLC
  • Cisco 2100 Series WLC
  • Cisco 2500 Series WLC
  • Cisco 4100 Series WLC
  • Cisco 4400 Series WLC
  • Cisco 5500 Series WLC
  • Cisco 500 Series Wireless Express Mobility Controllers
  • Cisco Wireless Services Modules (WiSM)
  • Cisco Wireless Services Modules version 2 (WiSM version 2)
  • Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
  • Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
  • Cisco Catalyst 3750G Integrated WLCs
  • Cisco Flex 7500 Series Cloud Controllers

Penultimately, Cisco TelePresence Video Communication Servers running software versions prior to X7.0.1 contain vulnerabilities that could allow an attacker to cause a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities.

Lastly, the Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: a web interface command injection vulnerability, an unauthenticated configuration upload vulnerability and a directory traversal vulnerability. These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. Cisco has released free software updates that address these vulnerabilities.

The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26:

  • Cisco SRP 521W
  • Cisco SRP 526W
  • Cisco SRP 527W

The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4:

  • Cisco SRP 521W-U
  • Cisco SRP 526W-U
  • Cisco SRP 527W-U

The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4:

  • Cisco SRP 541W
  • Cisco SRP 546W
  • Cisco SRP 547W

Cisco Publishes Advisory About its IronPort Appliances

(LiveHacking.Com) – Cisco has released a security advisory for its IronPort Email Security Appliances (ESA) and IronPort Security Management Appliances (SMA) due to a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Since the appliances run AsyncOS, a modified version of the FreeBSD kernel, they are vulnerable to a Telnet bug (that affects FreeBSD and many Linux distributions) which was discovered at the end of last year.

CVE-2011-4862 is a buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0. When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the “root” superuser).
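
The unchecked-length copy described above, modelled as an added example (not the FreeBSD or Cisco source) next to the length-validated form. `key_slot`, `KEYID_MAX` and the function names are hypothetical, and the sample key bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

#define KEYID_MAX 64   /* assumed size of the fixed key buffer in this model */

/* Simplified, hypothetical stand-in for a per-session key slot. */
struct key_slot {
    unsigned char keyid[KEYID_MAX];
    size_t        keylen;
    int           negotiated;   /* state that sits after the buffer in memory */
};

/* Unchecked pattern, as the advisory describes it: the peer-supplied length
 * is trusted, so len > KEYID_MAX writes past keyid[] into adjacent fields. */
void store_keyid_unchecked(struct key_slot *ks, const unsigned char *keyid, size_t len)
{
    ks->keylen = len;
    memcpy(ks->keyid, keyid, len);
}

/* Hardened pattern: validate the length against the destination before any
 * state is touched. Returns 0 on success, -1 if the key is rejected. */
int store_keyid_checked(struct key_slot *ks, const unsigned char *keyid, size_t len)
{
    if (ks == NULL || (keyid == NULL && len != 0))
        return -1;
    if (len > sizeof(ks->keyid))
        return -1;              /* oversized key: drop, leave slot unchanged */
    if (len != 0)
        memcpy(ks->keyid, keyid, len);
    ks->keylen = len;
    return 0;
}

/* Constructed check: give the hardened function an in-range key and an
 * oversized key; returns 1 if the slot state survived intact. */
int demo_oversized_key_rejected(void)
{
    struct key_slot ks = { .keylen = 0, .negotiated = 1 };
    unsigned char small[8], big[KEYID_MAX + 32];

    memset(small, 0xAA, sizeof small);   /* constructed sample key bytes */
    memset(big, 0x41, sizeof big);

    if (store_keyid_checked(&ks, small, sizeof small) != 0)
        return 0;
    if (store_keyid_checked(&ks, big, sizeof big) != -1)
        return 0;
    /* Slot must still hold the 8-byte key and untouched neighbouring state. */
    return ks.keylen == sizeof small && ks.keyid[0] == 0xAA && ks.negotiated == 1;
}
```
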

On a standard FreeBSD installation Telnet is disabled (and has been since 2001), but the Cisco variant has Telnet enabled by default. Fixes for the vulnerability are not yet available for AsyncOS (they are for FreeBSD), so Cisco recommend disabling Telnet to mitigate this vulnerability.

Affected Cisco products:

  • Cisco IronPort Email Security Appliance (C-Series and X-Series) versions prior to 7.6.0
  • Cisco IronPort Security Management Appliance (M-Series) versions prior to 7.8.0

Note that the Cisco IronPort Web Security Appliances (S-Series) are not affected by this vulnerability.

The vulnerability in the telnetd service that affects these Cisco IronPort appliances was publicly disclosed by the FreeBSD Project on December 23rd, 2011. The FreeBSD Project advisory is available at: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

There are also modules for the Metasploit Framework that can exploit this vulnerability on affected Cisco IronPort appliances.

Cisco Issues Multiple Security Advisories

(LiveHacking.Com) – Cisco has published three different security advisories detailing vulnerabilities in the Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module, Cisco Firewall Services Module, and Cisco Network Admission Control Manager.

If exploited, these vulnerabilities would allow an attacker to cause a denial-of-service condition, bypass authentication mechanisms, or obtain sensitive information.

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

  • MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
  • TACACS+ Authentication Bypass vulnerability
  • Four SunRPC Inspection Denial of Service vulnerabilities
  • Internet Locator Service (ILS) Inspection Denial of Service vulnerability

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

  • Syslog Message Memory Corruption Denial of Service Vulnerability
  • Authentication Proxy Denial of Service Vulnerability
  • TACACS+ Authentication Bypass Vulnerability
  • Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
  • Internet Locator Server (ILS) Inspection Denial of Service Vulnerability

The Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information.

Network administrators should review the security advisories cisco-sa-20111005-asa, cisco-sa-20111005-fwsm, and cisco-sa-20111005-nac and apply any necessary updates.

Cisco IOS Smart Install Remote Code Execution Vulnerability

(LiveHacking.Com) – Cisco has released a security advisory to address a vulnerability in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability.

There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature. But Cisco has released free software updates that address this vulnerability.

Cisco Issues New Security Advisories

(LiveHacking.Com) – Cisco has released two security advisories to address vulnerabilities which may allow an unauthenticated attacker to execute arbitrary code. The problems are in the CiscoWorks LAN Management Solution, the Cisco Unified Service Monitor, and the Cisco Unified Operations Manager.

Two vulnerabilities exist in the CiscoWorks LAN Management Solution software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

Also, two vulnerabilities exist in the Cisco Unified Service Monitor and Cisco Unified Operations Manager software that could allow an unauthenticated, remote attacker to execute arbitrary code on affected servers.

In both cases these vulnerabilities can be triggered by sending a series of crafted packets to the affected server over TCP port 9002. Cisco has released free software updates that address all of these vulnerabilities.

Affected products are:

  • CiscoWorks LAN Management Solution software releases 3.1, 3.2, and 4.0.
  • Cisco LAN Management Solution versions 3.1 and 3.2 (only if the Device Fault Management component is installed).
  • Cisco LAN Management Solution versions 4.0.
  • All versions of Cisco Unified Service Monitor and Cisco Unified Operations Manager prior to 8.6.

Cisco Issues Three Security Advisories and Software Updates

(LiveHacking.Com) – Cisco has issued three security advisories, including free software updates, to address vulnerabilities affecting the Cisco Unified Communications Manager, the Cisco Unified Presence Server, and the Cisco Intercompany Media Engine. These vulnerabilities may allow an attacker to disclose sensitive information or cause a denial-of-service condition.

  1. Cisco Unified Communications Manager contains five DoS vulnerabilities that could cause a critical process to fail, resulting in disruption of voice services.
  2. Cisco Unified Communications Manager and Cisco Unified Presence Server contain an open query interface that could allow an unauthenticated, remote attacker to disclose the contents of the underlying databases on affected product versions.
  3. Two denial of service (DoS) vulnerabilities exist in the Cisco Intercompany Media Engine. An unauthenticated attacker could exploit these vulnerabilities by sending crafted Service Advertisement Framework (SAF) packets to an affected device, which may cause the device to reload.

More information can be found:

Cisco Releases Details of Vulnerability in Cisco TelePresence Recording Server Software

(LiveHacking.Com) — Cisco has released a security advisory and a corresponding applied mitigation bulletin to address vulnerabilities in the Cisco TelePresence Recording Server Software Release 1.7.2.0. Cisco TelePresence is an in-person communication and collaboration tool.

According to Cisco, Version 1.7.2.0 of its TelePresence Recording Server Software includes a root administrator account that is enabled by default. Successful exploitation of this vulnerability could allow a remote attacker to use these default credentials to modify the system configuration and settings by means of an SSH session.

Cisco’s workaround involves the use of infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to the equipment. Administrators can construct an iACL to explicitly allow only authorized traffic to be sent to the infrastructure devices. However, Cisco point out that the iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.