(LiveHacking.Com) – Cisco has released a security advisory for its IronPort Email Security Appliances (ESA) and IronPort Security Management Appliances (SMA) due to a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Since the appliances run AsyncOS, a modified version of the FreeBSD kernel they are vulnerable to a Telnet bug (that affects FreeBSD and many Linux distributions) which was discovered at the end of last year.
CVE-2011-4862 is a buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0. When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the “root” superuser).
On a standard FreeBSD installation Telnet is disabled (and has been since 2001), but the Cisco variant has Telnet enabled by default. Fixes for the vulnerability are not yet available for AsyncOS (they are FreeBSD) so Cisco recommend disabling Telnet to mitigate this vulnerability.
Affected Cisco products:
- Cisco IronPort Email Security Appliance (C-Series and X-Series) versions prior to 7.6.0
- Cisco IronPort Security Management Appliance (M-Series) versions prior to 7.8.0
Note that the Cisco IronPort Web Security Appliances (S-Series) are not affected by this vulnerability.
The vulnerability in the telnetd service that affects these Cisco IronPort appliances was publicly disclosed by the FreeBSD Project on December 23rd, 2011. The FreeBSD Project advisory is available at: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
There are also modules for the Metasploit Framework that can exploit this vulnerability on affected Cisco IronPort appliances.