Cisco Security Responses

Catalyst 6500 and Cisco 7600 Series Devices Accessible via Loopback Address

Wed, 20 Feb 2008 07:00:00 PST

This document is the Cisco PSIRT response to an issue regarding Cisco Catalyst 6500 and Cisco 7600 series devices that was discovered and reported to Cisco by Lee E. Rian .

CiscoWorks Server XSS Vulnerability

Wed, 05 Dec 2007 09:40:00 PST

This is the Cisco PSIRT response to an issue that was discovered and reported to Cisco by David Lewis of Liquidmatrix.org regarding a cross-site scripting (XSS) vulnerability in CiscoWorks Server login page.

Extensible Authentication Protocol Vulnerability

Sun, 02 Dec 2007 18:00:00 PST

This is the Cisco PSIRT response to a presentation that was delivered by Laurent Butti, Julien Tinnhs and Franck Veysset of France Telecom Group at Hack.lu on October 19th, 2007.

Cisco Unified IP Phone Remote Eavesdropping

Fri, 30 Nov 2007 07:00:00 PST

This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffery Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.

Cisco Unified MeetingPlace XSS Vulnerability (November 2007)

Wed, 07 Nov 2007 04:00:00 PST

This is the Cisco PSIRT response to an issue that was discovered and reported to Cisco by Joren McReynolds regarding a cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing.

Cisco IOS Line Printer Daemon (LPD) Protocol Stack Overflow

Wed, 10 Oct 2007 07:00:00 PST

This is the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported to Cisco by Andy Davis from IRM, Plc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature. The original post is available at the following link:

Cisco IOS Reload on Regular Expression Processing

Wed, 19 Sep 2007 09:00:00 PST

This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS. after executing a command that uses, either directly or indirectly, a regular expression.

VTY Authentication Bypass Vulnerability

Fri, 07 Sep 2007 08:30:00 PST

This is the Cisco PSIRT response to the NileSOFT Security Advisory entitled "Bypass Authentication Vulnerability on Cisco Catalyst 3750 12.2(25)" posted on August 29th, 2007, at 1800 UTC (GMT).

Multiple SIP Vulnerabilities in the Cisco 7960 IP Phones

Tue, 21 Aug 2007 13:00:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Radu State, Humberto J. Abdelnur and Oliver Festor regarding two Session Initiation Protocol (SIP) vulnerabilities in the Cisco 7940/7960 IP Phones.

Cisco Unified MeetingPlace XSS Vulnerability

Wed, 15 Aug 2007 06:00:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Roger Jefferiss and Rob Pope of SecureTest Ltd, UK regarding cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing.

Vulnerability in Java Secure Socket Extension

Thu, 26 Jul 2007 04:40:00 PST

This is the Cisco PSIRT response to the vulnerability in Java Secure Socket Extension (JSSE) disclosed by Sun Microsystems on July 10, 2007, the details of which are available at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1

Multiple Vulnerabilities in OpenSSL Library

Wed, 25 Jul 2007 04:00:00 PST

This is the Cisco PSIRT response to the multiple security advisories published by The OpenSSL Project. The vulnerabilities are as follows: RSA Signature Forgery (CVE-2006-4339), described in http://www.openssl.org/news/secadv_20060905.txt ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940), described in http://www.openssl.org/news/secadv_20060928.txt SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in http://www.openssl.org/news/secadv_20060928.txt SSLv2 Client Crash (CVE-2006-4343), also in http://www.openssl.org/news/secadv_20060928.txt

Cisco CallManager Input Validation Vulnerability

Fri, 29 Jun 2007 05:00:00 PST

This is Cisco PSIRT's response to the statements made by Marc Ruef and Stefan Friedi from scip AG in their message "Cisco CallManager 4.1 Input Validation Vulnerability," posted on 2007 May 23 at 1600 UTC (GMT).

Cisco Trust Agent - Mac OS X Privilege Escalation Vulnerability

Tue, 12 Jun 2007 05:00:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Adam Blake of Deloitte, UK regarding a vulnerability in Cisco Trust Agent (CTA) installations on Mac OS X. The original report is available at the following link: http://www.securityfocus.com/archive/1/471041/30/0/flat.

HTTP Full-Width and Half-Width Unicode Encoding Evasion

Fri, 18 May 2007 11:00:00 PST

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link: http://www.kb.cert.org/vuls/id/739224

DHCP Relay Agent Vulnerability in Cisco PIX and ASA Appliances

Wed, 02 May 2007 07:00:00 PST

This is a Cisco response to a CERT/CC advisory posted on May 2, 2007, entitled "Cisco ASA fails to properly process DHCP relay packets".

PHP HTML Entity Encoder Heap Overflow Vulnerability in Multiple Web-Based Management Interfaces

Wed, 25 Apr 2007 07:20:00 PST

This is a response to a Hardened-PHP Project advisory posted on November 3, 2006, entitled "PHP HTML Entity Encoder Heap Overflow Vulnerability."

Cross-Site Scripting Vulnerability in Online Help System

Wed, 11 Apr 2007 05:30:00 PST

A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL.

NACATTACK Presentation

Fri, 30 Mar 2007 05:10:00 PST

This is Cisco PSIRT's response to the "NACATTACK" presentation by Dror-John Roecher and Michael Thumann, presented at Blackhat Europe on March 30th, 2007.

Cisco IP Phone 7940/7960 SIP INVITE Denial of Service

Tue, 20 Mar 2007 13:30:00 PST

This is Cisco PSIRT's response to the statements made by Radu State in his message titled: CISCO Phone 7940 DOS vulnerability posted on 2007 March 20 0630 UTC (GMT). The original email is available at:http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053070.html Cisco has confirmed the findings of the statements made. Cisco IP Phone 7940/7960 SIP firmware version 7.4(0) is vulnerable to the denial of service. Firmware version 8.6(0) is not vulnerable to this issue. The latest firmware images for Cisco IP 7940/7960 phones can be obtained here: http://www.cisco.com/cgi-bin/tablebuild.pl/sip-ip-phone7960 We would like to thank Radu State, Humberto J. Abdelnur and Olivier Festor of the Madynes research team at INRIA for reporting these issues to Cisco Systems. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Potential Exploitation of Default Administrative Credentials

Thu, 15 Feb 2007 07:20:00 PST

This is a response to a Symantec published research paper posted on their website at http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html and http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf, and entitled 'Drive-by Pharming'. In particular, this response focuses on the information in the Symantec paper, as relevant to certain of Cisco's non-consumer products. These products are specified in the 'Cisco Routers Impacted' section below.

Cisco VTP Vulnerability

Tue, 30 Jan 2007 08:00:00 PST

An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS).

RealVNC Remote Authentication Bypass Vulnerability

Wed, 11 Oct 2006 10:00:00 PST

This is Cisco PSIRT's response to the CERT advisory http://www.kb.cert.org/vuls/id/117929 and acknowledged by Real VNC at http://www.realvnc.com/products/free/4.1/release-notes.html . This vulnerability was originally discovered by James Evans.

Cisco VLAN Trunking Protocol Vulnerabilities

Wed, 13 Sep 2006 07:00:00 PST

This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 13, 2006, at http://www.securityfocus.com/archive/1/445896/30/0/threaded and entitled "Cisco Systems IOS VTP multiple vulnerabilities".

Cisco IOS GRE Decapsulation Vulnerability

Wed, 06 Sep 2006 14:00:00 PST

This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 06, 2006, at http://www.securityfocus.com/archive/1/445322/30/0/threaded, and entitled "Cisco Systems IOS GRE decapsulation fault".

Internet Key Exchange Resource Exhaustion Attack

Fri, 01 Sep 2006 14:30:00 PST

This is a Cisco PSIRT response to an advisory published by an unaffiliated third party, Roy Hills, of NTA Monitor Ltd posted as of July 26, 2006 at http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html, and entitled: Cisco VPN Concentrator IKE resource exhaustion DoS.

NAC Agent Installation Bypass

Sat, 26 Aug 2006 10:00:00 PST

This is the Cisco PSIRT response to the statements made by Andreas Gal and Joachim Feise in their advisory entitled "NAC agent installation bypass", available at http://www.securityfocus.com/archive/1/444424/30/0/threaded We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability

Mon, 21 Aug 2006 11:00:00 PST

This document contains information to assist Cisco customers in mitigating attempts to exploit the Microsoft Server Service Buffer Overflow Vulnerability. There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Unconfirmed SIP Inspection Vulnerability

Tue, 15 Aug 2006 11:00:00 PST

This is the initial response from the Cisco Product Security Incident Response Team (PSIRT) in regards to a potential vulnerability originally disclosed at the recent Black Hat USA 2006 Briefings. In a presentation entitled "SIP Stack Fingerprinting and Stack Difference Attacks", Hendrik Scholz referenced a potential vulnerability in the way the Cisco PIX 500 Series Security Appliances handle inspection of Session Initiation Protocol (SIP) messages.

SIP User Directory Information Disclosure

Wed, 02 Aug 2006 07:00:00 PST

SIP User Directory Information Disclosure

Cisco Secure ACS Weak Session Management Vulnerability

Wed, 28 Jun 2006 11:00:00 PST

This is the Cisco PSIRT response to the statements made by Darren Bounds in his advisory: Cisco Secure ACS Weak Session Management Vulnerability. The original email/advisory is available at http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0618.html and http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html

Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks

Thu, 22 Jun 2006 15:00:00 PST

This is the Cisco PSIRT response to the statements made by Jake Reynolds and FishNet Security in his advisory: Input Validation/Output Encoding Vulnerabilities in Cisco CallManager Allow Script Injection Attacks. The original email/advisory is available at http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047015.html.

Cisco Secure ACS for UNIX Cross Site Scripting Vulnerability

Thu, 15 Jun 2006 08:00:00 PST

This is Cisco PSIRT response to the statements made by Fujitsu Services Limited in their advisory, posted on June 15, 2006 to several external mailing lists.

WebVPN Cross-Site Scripting Vulnerability

Tue, 13 Jun 2006 12:00:00 PST

This is the response of the Cisco Product Security Incident Response Team (PSIRT) to the statements made by Michal Zalewski in his message entitled "SSL VPNs and security", which he posted to the Bugtraq and full-disclosure mailing lists on June 8, 2006.

Symantec SYMSA-2006-003 Cisco Secure ACS for Windows - Administrator Password Disclosure

Mon, 08 May 2006 12:45:00 PST

This is Cisco PSIRT's response to the statements made by Symantec in its advisory: SYMSA-2006-003, posted on May 8, 2006.

PIX/ASA/FWSM Websense/N2H2 Content Filter Bypass

Mon, 08 May 2006 08:00:00 PST

This is Cisco PSIRT's response to the statements made by George Gal in his advisory: WebSense Content Filter Bypass in conjunction with Cisco PIX in packet filter mode, posted on May 08, 2006.

Privilege Escalation on Multiple Cisco Products

Wed, 19 Apr 2006 06:10:00 PST

This is Cisco PSIRT's response to the privilege escalation vulnerability. By exploiting this vulnerability, an authenticated attacker on the command line interface may obtain shell access to the underlying operating system by injecting specially crafted commands.

Cisco PIX embryonic state machine TTL(n-1) DoS and Cisco PIX embryonic state machine 1b data DoS

Tue, 07 Mar 2006 11:30:00 PST

This is Cisco PSIRT's response to the statements made by Arhont Ltd.- Information Security in their messages [Full-disclosure] Cisco PIX embryonic state machine TTL(n-1) DoS and [Full-disclosure] Cisco PIX embryonic state machine 1b data DoS, both posted on March 7, 2006.

AAA Command Authorization by-pass

Wed, 01 Mar 2006 07:00:00 PST

A vulnerability exists within Cisco Internetwork Operating System (IOS) Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.

Cisco IP Phone 7940 DoS Exploit posted on milw0rm.com

Fri, 13 Jan 2006 14:15:00 PST

This is a response to the Cisco IP Phone DoS exploit posted to http://www.milw0rm.com/ on January 10, 2006. When directed at port 80 of an affected phone, the exploit will cause the phone to reload.