Cisco Security Responses

Cisco IOS Cross-Site Scripting Vulnerabilities

Fri, 19 Jun 2009 11:00:00 PST

Two separate Cisco IOS? Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities have been reported to Cisco by two independent researchers.

Cisco IP Phone 7940/7960 SIP INVITE Denial of Service

Thu, 11 Jun 2009 07:00:00 PST

This is Cisco PSIRT's response to the statements made by Radu State in his message titled: CISCO Phone 7940 DOS vulnerability posted on 2007 March 20 0630 UTC (GMT). The original email is available at:http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053070.html Cisco has confirmed the findings of the statements made. Cisco IP Phone 7940/7960 SIP firmware version 7.4(0) is vulnerable to the denial of service. Firmware version 8.6(0) is not vulnerable to this issue. The latest firmware images for Cisco IP 7940/7960 phones can be obtained here: http://www.cisco.com/cgi-bin/tablebuild.pl/sip-ip-phone7960 We would like to thank Radu State, Humberto J. Abdelnur and Olivier Festor of the Madynes research team at INRIA for reporting these issues to Cisco Systems. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Cisco Unified MeetingPlace Stored Cross-Site Scripting Vulnerability

Thu, 26 Feb 2009 09:20:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by the National Australia Bank Security Assurance team regarding a cross-site scripting vulnerability in Cisco Unified MeetingPlace Web Conferencing.

MD5 Hashes May Allow for Certificate Spoofing

Thu, 15 Jan 2009 07:50:00 PST

This is the Cisco response to research done by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger pertaining to MD5 collisions in certificates issued by vulnerable certificate authorities.

Cisco Response to TKIP Encryption Weakness

Fri, 21 Nov 2008 07:00:00 PST

Cisco VLAN Trunking Protocol Vulnerability

Wed, 19 Nov 2008 06:00:00 PST

This is the Cisco response to research done by 'showrun.lee' pertaining to a crafted VTP packet denial of service vulnerability.

Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities

Fri, 17 Oct 2008 07:00:00 PST

VoIPshield Reported Vulnerabilities in Cisco Unity Server

Wed, 08 Oct 2008 11:10:00 PST

This is the Cisco PSIRT response to the vulnerabilities in Cisco Unity by VoIPshield, in their recent advisories (VSRCS-2008-008 to VSRCS-2008-012). The original advisories are available at: www.voipshield.com .

Cisco Secure ACS Denial Of Service Vulnerability

Wed, 03 Sep 2008 08:00:00 PST

This is the Cisco PSIRT response to the statements made by Laurent Butti and Gabriel Campana of Orange Labs / France Telecom Group, in their advisory: "Cisco Secure ACS EAP Parsing Vulnerability". The original advisory is available at: http://www.securityfocus.com/archive/1/495937/30/0/threaded

Internet Key Exchange Resource Exhaustion Attack

Mon, 28 Jul 2008 10:00:00 PST

This is a Cisco PSIRT response to an advisory published by an unaffiliated third party, Roy Hills, of NTA Monitor Ltd posted as of July 26, 2006 at http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html, and entitled: Cisco VPN Concentrator IKE resource exhaustion DoS.

Vulnerability in Java Secure Socket Extension

Mon, 30 Jun 2008 10:30:00 PST

This is the Cisco PSIRT response to the vulnerability in Java Secure Socket Extension (JSSE) disclosed by Sun Microsystems on July 10, 2007, the details of which are available at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1

Wide Area Application Services (WAAS) Common UNIX Printing System (CUPS) Vulnerability

Wed, 25 Jun 2008 07:00:00 PST

This is the Cisco PSIRT response to a security advisory regarding a vulnerability in Common UNIX Printing System (CUPS). The CUPS security advisory can be found at http://www.cups.org/str.php?L2561.

Rootkits on Cisco IOS Devices

Mon, 23 Jun 2008 14:00:00 PST

This is the Cisco PSIRT response to an issue that will be disclosed at the EUSecWest security conference on May 22nd, 2008 by Mr. Sebastian Muniz of Core Security Technologies.

Catalyst 6500 and Cisco 7600 Series Devices Accessible via Loopback Address

Wed, 20 Feb 2008 07:00:00 PST

This document is the Cisco PSIRT response to an issue regarding Cisco Catalyst 6500 and Cisco 7600 series devices that was discovered and reported to Cisco by Lee E. Rian .

CiscoWorks Server XSS Vulnerability

Wed, 05 Dec 2007 09:40:00 PST

This is the Cisco PSIRT response to an issue that was discovered and reported to Cisco by David Lewis of Liquidmatrix.org regarding a cross-site scripting (XSS) vulnerability in CiscoWorks Server login page.

Extensible Authentication Protocol Vulnerability

Sun, 02 Dec 2007 18:00:00 PST

This is the Cisco PSIRT response to a presentation that was delivered by Laurent Butti, Julien Tinnhs and Franck Veysset of France Telecom Group at Hack.lu on October 19th, 2007.

Cisco Unified IP Phone Remote Eavesdropping

Fri, 30 Nov 2007 07:00:00 PST

This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffery Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.

Cisco Unified MeetingPlace XSS Vulnerability (November 2007)

Wed, 07 Nov 2007 04:00:00 PST

This is the Cisco PSIRT response to an issue that was discovered and reported to Cisco by Joren McReynolds regarding a cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing.

Cisco IOS Line Printer Daemon (LPD) Protocol Stack Overflow

Wed, 10 Oct 2007 07:00:00 PST

This is the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported to Cisco by Andy Davis from IRM, Plc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature. The original post is available at the following link:

Cisco IOS Reload on Regular Expression Processing

Wed, 19 Sep 2007 09:00:00 PST

This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS. after executing a command that uses, either directly or indirectly, a regular expression.

VTY Authentication Bypass Vulnerability

Fri, 07 Sep 2007 08:30:00 PST

This is the Cisco PSIRT response to the NileSOFT Security Advisory entitled "Bypass Authentication Vulnerability on Cisco Catalyst 3750 12.2(25)" posted on August 29th, 2007, at 1800 UTC (GMT).

Multiple SIP Vulnerabilities in the Cisco 7960 IP Phones

Wed, 22 Aug 2007 05:30:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Radu State, Humberto J. Abdelnur and Oliver Festor regarding two Session Initiation Protocol (SIP) vulnerabilities in the Cisco 7940/7960 IP Phones.

Cisco Unified MeetingPlace XSS Vulnerability

Wed, 15 Aug 2007 06:00:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Roger Jefferiss and Rob Pope of SecureTest Ltd, UK regarding cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing.

Multiple Vulnerabilities in OpenSSL Library

Wed, 25 Jul 2007 04:00:00 PST

This is the Cisco PSIRT response to the multiple security advisories published by The OpenSSL Project. The vulnerabilities are as follows: RSA Signature Forgery (CVE-2006-4339), described in http://www.openssl.org/news/secadv_20060905.txt ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940), described in http://www.openssl.org/news/secadv_20060928.txt SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in http://www.openssl.org/news/secadv_20060928.txt SSLv2 Client Crash (CVE-2006-4343), also in http://www.openssl.org/news/secadv_20060928.txt

Cisco Trust Agent - Mac OS X Privilege Escalation Vulnerability

Tue, 12 Jun 2007 05:00:00 PST

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Adam Blake of Deloitte, UK regarding a vulnerability in Cisco Trust Agent (CTA) installations on Mac OS X. The original report is available at the following link: http://www.securityfocus.com/archive/1/471041/30/0/flat.

Cisco CallManager Input Validation Vulnerability

Wed, 23 May 2007 07:00:00 PST

This is Cisco PSIRT's response to the statements made by Marc Ruef and Stefan Friedi from scip AG in their message "Cisco CallManager 4.1 Input Validation Vulnerability," posted on 2007 May 23 at 1600 UTC (GMT).

HTTP Full-Width and Half-Width Unicode Encoding Evasion

Fri, 18 May 2007 11:00:00 PST

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link: http://www.kb.cert.org/vuls/id/739224

DHCP Relay Agent Vulnerability in Cisco PIX and ASA Appliances

Wed, 02 May 2007 07:00:00 PST

This is a Cisco response to a CERT/CC advisory posted on May 2, 2007, entitled "Cisco ASA fails to properly process DHCP relay packets".

PHP HTML Entity Encoder Heap Overflow Vulnerability in Multiple Web-Based Management Interfaces

Wed, 25 Apr 2007 07:20:00 PST

This is a response to a Hardened-PHP Project advisory posted on November 3, 2006, entitled "PHP HTML Entity Encoder Heap Overflow Vulnerability."

Cross-Site Scripting Vulnerability in Online Help System

Wed, 11 Apr 2007 05:30:00 PST

A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL.

NACATTACK Presentation

Fri, 30 Mar 2007 05:10:00 PST

This is Cisco PSIRT's response to the "NACATTACK" presentation by Dror-John Roecher and Michael Thumann, presented at Blackhat Europe on March 30th, 2007.

Cisco VTP Vulnerability

Tue, 27 Mar 2007 16:00:00 PST

An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS).

Potential Exploitation of Default Administrative Credentials

Thu, 15 Feb 2007 07:20:00 PST

This is a response to a Symantec published research paper posted on their website at http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html and http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf, and entitled 'Drive-by Pharming'. In particular, this response focuses on the information in the Symantec paper, as relevant to certain of Cisco's non-consumer products. These products are specified in the 'Cisco Routers Impacted' section below.

RealVNC Remote Authentication Bypass Vulnerability

Wed, 11 Oct 2006 10:00:00 PST

This is Cisco PSIRT's response to the CERT advisory http://www.kb.cert.org/vuls/id/117929 and acknowledged by Real VNC at http://www.realvnc.com/products/free/4.1/release-notes.html . This vulnerability was originally discovered by James Evans.

Cisco VLAN Trunking Protocol Vulnerabilities

Wed, 13 Sep 2006 07:00:00 PST

This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 13, 2006, at http://www.securityfocus.com/archive/1/445896/30/0/threaded and entitled "Cisco Systems IOS VTP multiple vulnerabilities".

Cisco IOS GRE Decapsulation Vulnerability

Wed, 06 Sep 2006 14:00:00 PST

This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 06, 2006, at http://www.securityfocus.com/archive/1/445322/30/0/threaded, and entitled "Cisco Systems IOS GRE decapsulation fault".

NAC Agent Installation Bypass

Sat, 26 Aug 2006 10:00:00 PST

This is the Cisco PSIRT response to the statements made by Andreas Gal and Joachim Feise in their advisory entitled "NAC agent installation bypass", available at http://www.securityfocus.com/archive/1/444424/30/0/threaded We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability

Mon, 21 Aug 2006 11:00:00 PST

This document contains information to assist Cisco customers in mitigating attempts to exploit the Microsoft Server Service Buffer Overflow Vulnerability. There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Unconfirmed SIP Inspection Vulnerability

Tue, 15 Aug 2006 11:00:00 PST

This is the initial response from the Cisco Product Security Incident Response Team (PSIRT) in regards to a potential vulnerability originally disclosed at the recent Black Hat USA 2006 Briefings. In a presentation entitled "SIP Stack Fingerprinting and Stack Difference Attacks", Hendrik Scholz referenced a potential vulnerability in the way the Cisco PIX 500 Series Security Appliances handle inspection of Session Initiation Protocol (SIP) messages.

SIP User Directory Information Disclosure

Wed, 02 Aug 2006 07:00:00 PST

SIP User Directory Information Disclosure