Cisco Security Advisories

Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers

Fri, 25 Apr 2008 11:00:00 PST

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco Network Admission Control Shared Secret Vulnerability

Fri, 25 Apr 2008 11:00:00 PST

A vulnerability exists in the Cisco Network Admission Control (NAC) Appliance that can allow an attacker to obtain the shared secret that is used between the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM).

Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

Fri, 25 Apr 2008 05:30:00 PST

Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.

Cisco Unified Communications Disaster Recovery Framework Command Execution Vulnerability

Thu, 03 Apr 2008 07:00:00 PST

Several products in the Cisco Unified Communications family of products contain a command execution vulnerability in the Disaster Recovery Framework (DRF) feature. A remote, unauthenticated user could exploit this vulnerability to execute arbitrary commands that may allow full administrative access to affected systems. There is a workaround for this vulnerability.

SQL injection in Cisco Unified Communications Manager

Thu, 03 Apr 2008 05:30:00 PST

Cisco Unified Communications Manager is vulnerable to a SQL Injection attack in the parameter key of the admin and user interface pages.

Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak

Fri, 28 Mar 2008 18:00:00 PST

This Applied Mitigation Bulletin is a companion document to the PSIRT Security Advisory Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak and provides identification and mitigation techniques that administrators can deploy on Cisco network devices.

Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

Fri, 28 Mar 2008 17:30:00 PST

Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution.

Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720

Wed, 26 Mar 2008 09:30:00 PST

Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that run branches of Cisco IOS based on 12.2 can be vulnerable to a denial of service vulnerability that can prevent any traffic from entering an affected interface. For a device to be vulnerable, it must be configured for Open Shortest Path First (OSPF) Sham-Link and Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN). This vulnerability only affects Cisco Catalyst 6500 Series or Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 RSP720) modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B, Supervisor 720-3BXL, Route Switch Processor 720, Route Switch Processor 720-3C, and Route Switch Processor 720-3CXL are all potentially vulnerable.

Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities

Fri, 14 Mar 2008 05:00:00 PST

Two sets of vulnerabilities were discovered in the Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application and reported to Cisco by Felix 'FX' Lindner, Recurity Labs GmbH.

CiscoWorks Internetwork Performance Monitor Remote Command Execution Vulnerability

Thu, 13 Mar 2008 13:30:00 PST

CiscoWorks Internetwork Performance Monitor (IPM) version 2.6 for Sun Solaris and Microsoft Windows operating systems contains a vulnerability that allows remote, unauthenticated users to execute arbitrary commands. There are no workarounds for this vulnerability. Cisco has made free software available to address this issue for affected customers.

Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

Wed, 13 Feb 2008 07:00:00 PST

Cisco Unified IP Phone models contain multiple overflow and denial of service (DoS) vulnerabilities.

Cisco Wireless Control System Tomcat mod_jk.so Vulnerability

Wed, 30 Jan 2008 06:50:00 PST

Apache Tomcat is the servlet container for JavaServlet and JavaServer Pages Web within the Cisco Wireless Control System (WCS). A vulnerability exists in the mod_jk.so URI handler within Apache Tomcat which, if exploited, may result in a remote code execution attack.

Cisco PIX and ASA Time-to-Live Vulnerability

Wed, 23 Jan 2008 07:00:00 PST

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

Default Passwords in the Application Velocity System

Wed, 23 Jan 2008 07:00:00 PST

Versions of the Cisco Application Velocity System (AVS) prior to software version AVS 5.1.0 do not prompt users to modify system account passwords during the initial configuration process. Because there is no requirement to change these credentials during the initial configuration process, an attacker may be able to leverage the accounts that have default credentials, some of which have root privileges, to take full administrative control of the AVS system.

Cisco Unified Communications Manager CTL Provider Heap Overflow

Wed, 16 Jan 2008 07:00:00 PST

Cisco Unified Communications Manager (CUCM), formerly CallManager, contains a heap overflow vulnerability in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. There is a workaround for this vulnerability.

TCP Vulnerabilities in Multiple Non-IOS Cisco Products

Tue, 08 Jan 2008 06:00:00 PST

Application Inspection Vulnerability in Cisco Firewall Services Module

Thu, 03 Jan 2008 07:00:00 PST

A vulnerability exists in the Cisco Firewall Services Module (FWSM) - a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers, that may result in a reload of the FWSM. The only affected FWSM System Software Version is 3.2(3).

Cisco Security Agent for Windows Csatdi.sys Remote Buffer Overflow Vulnerability

Wed, 05 Dec 2007 07:00:00 PST

A buffer overflow vulnerability exists in a system driver used by the Cisco Security Agent for Microsoft Windows. This buffer overflow can be exploited remotely and causes corruption of kernel memory, which leads to a Windows stop error (blue screen) or to arbitrary code execution.

Multiple Vulnerabilities in Firewall Services Module (2)

Wed, 31 Oct 2007 10:00:00 PST

Two crafted packet vulnerabilities exist in the Cisco Firewall Services Module (FWSM) that may result in a reload of the FWSM. These vulnerabilities can be triggered during the processing of HTTPS requests, or during the processing of Media Gateway Control Protocol (MGCP) packets.

Multiple Vulnerabilities in Cisco PIX and ASA Appliance

Fri, 19 Oct 2007 13:00:00 PST

Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. These vulnerabilities are triggered during processing of Media Gateway Control Protocol (MGCP) packets, or during processing of Transport Layer Security (TLS) traffic that terminates on the PIX or ASA security appliance.

Cisco Unified Communications Web-based Management Vulnerability

Wed, 17 Oct 2007 07:00:00 PST

Unified Contact Center and Intelligent Contact Management products contain a vulnerability that may result in unauthorized access to the web-based reporting and script monitoring tool (Web View) and the web-based configuration tool (Web Admin).

Cisco Unified Communications Manager Denial of Service Vulnerabilities

Wed, 17 Oct 2007 07:00:00 PST

Cisco Unified Communications Manager (CUCM), formerly CallManager, contains two denial of service (DoS) vulnerabilities. Large volumes of UDP Session Initiation Protocol (SIP) INVITE messages may cause a resource exhaustion condition on CUCM systems resulting in a kernel panic. The CUCM Trivial File Transfer Protocol (TFTP) service contains a buffer overflow vulnerability that may result in a denial of service condition or allow a remote, unauthenticated user to execute arbitrary code. There are no workarounds for these vulnerabilities.

Cisco Wireless Control System Conversion Utility Adds Default Password

Wed, 10 Oct 2007 07:00:00 PST

Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a conversion utility to convert over to a Cisco Wireless Control System (WCS). This conversion utility creates and uses administrative accounts with default credentials. Because there is no requirement to change these credentials during the conversion process, an attacker may be able to leverage the accounts that have default credentials to take full administrative control of the WCS after the conversion has been completed.

Local Privilege Escalation Vulnerabilities in Cisco VPN Client

Wed, 12 Sep 2007 07:00:00 PST

Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows that may allow unprivileged users to elevate their privileges to those of the LocalSystem account.

Cisco Video Surveillance IP Gateway and Services Platform Authentication Vulnerabilities

Wed, 05 Sep 2007 07:00:00 PST

Cisco Video Surveillance IP Gateway video encoder and decoder, Services Platform (SP), and Integrated Services Platform (ISP) devices contain authentication vulnerabilities that allow remote users with network connectivity to gain the complete administrative control of vulnerable devices. There are no workarounds for these vulnerabilities.

Denial of Service Vulnerabilities in Content Switching Module

Wed, 05 Sep 2007 07:00:00 PST

The Cisco Content Switching Modules (CSM) and Cisco Content Switching Module with SSL (CSM-S) contain two vulnerabilities that can lead to a denial of service (DoS) condition. The first vulnerability exists when processing TCP packets, and the second vulnerability affects devices with service termination enabled.

XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page

Fri, 31 Aug 2007 13:00:00 PST

Cisco CallManager and Unified Communications Manager are vulnerable to cross-site Scripting (XSS) and SQL Injection attacks in the lang variable of the admin and user logon pages. A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database.

Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

Mon, 20 Aug 2007 06:00:00 PST

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Cisco IOS Next Hop Resolution Protocol Vulnerability

Fri, 10 Aug 2007 08:00:00 PST

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS. contains a vulnerability that can result in a restart of the device or possible remote code execution.

Information Leakage Using IPv6 Routing Header in Cisco IOS and Cisco IOS-XR

Thu, 09 Aug 2007 09:00:00 PST

Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage on affected IOS and IOS XR devices, and may also result in a crash of the affected IOS device. Successful exploitation on an affected device running Cisco IOS XR will not result in a crash of the device itself, but may result in a crash of the IPv6 subsystem.

Cisco IOS Secure Copy Authorization Bypass Vulnerability

Wed, 08 Aug 2007 07:00:00 PST

The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System (IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.

Wireless ARP Storm Vulnerabilities

Tue, 31 Jul 2007 05:35:00 PST

Cisco Wireless LAN Controllers (WLC) contain multiple vulnerabilities in the handling of Address Resolution Protocol (ARP) packets that could result in a denial of service (DoS) in certain environments.

Denial of Service Vulnerability in Cisco Wide Area Application Services (WAAS) Software

Sat, 21 Jul 2007 07:00:00 PST

The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic. This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization and receives a flood of TCP SYN packets on port 139 or 445.

Cisco Unified Communications Manager Overflow Vulnerabilities

Wed, 11 Jul 2007 07:00:00 PST

Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS) contain two vulnerabilities that could allow an unauthorized administrator to activate and terminate CUCM / CUPS system services and access SNMP configuration information.

Cisco Unified Communications Manager and Presence Server Unauthorized Access Vulnerabilities

Wed, 11 Jul 2007 07:00:00 PST

Vulnerability In Crypto Library

Thu, 28 Jun 2007 07:00:00 PST

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets

Wed, 27 Jun 2007 06:50:00 PST

Cisco IOS devices may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Multiple Vulnerabilities in Wireless Control System

Thu, 31 May 2007 18:30:00 PST

Cisco Wireless Control System (WCS) contains multiple vulnerabilities which may allow a remote user to access sensitive configuration information about access points managed by WCS, read from and write to arbitrary files on a WCS system, log in to a WCS system with a default administrator password, execute script code in a WCS user's web browser, and access directories which may reveal sensitive WCS configuration information. There are workarounds for several, but not all, of these vulnerabilities. See the Workarounds section for more information. Cisco has made free software available to address these vulnerabilities for affected customers.

Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points

Wed, 16 May 2007 13:30:00 PST

The Cisco Wireless LAN Controller (WLC) manages Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP). The WLC contains multiple vulnerabilities that could result in a denial of service (DoS) condition, information disclosure, or access control list changes, or allow an attacker to gain full administrative access.

Multiple Vulnerabilities in the IOS FTP Server

Wed, 09 May 2007 07:00:00 PST

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.