Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
Vulnerable Systems:
* Cisco Security Manager versions 3.1 and 3.2, prior to 3.2.2
Immune Systems:
* Cisco Security Manager 3.2.2
* Cisco Security Manager 3.0.x and earlier
* Standalone implementations of Cisco IEV
* Cisco IPS Manager Express
Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and intrusion prevention security services on Cisco network and security devices. As part of Cisco Security Manager installation, the Cisco IEV is installed by default. The IEV is a Java-based application that allows users to view and manage alerts for up to five sensors, including the ability to report top alerts, attackers, and victims over a specified number of hours or days. Users can connect to and view alerts in real time or via imported log files, configure filters and views to help manage alerts, and import and export event data for further analysis.
A vulnerability exists in the Cisco Security Manager server. When the IEV is launched, it opens several remotely accessible TCP ports on both the Cisco Security Manager server and the client. These ports could allow remote, unauthenticated root access to the IEV database and server. When the IEV is closed, it closes the open ports on the Cisco Security Manager client that launched it but fails to close the open ports on the server. If the IEV has never been used on the system, the Cisco Security Manager server is not vulnerable.
The IEV database contains events that are collected from Cisco Intrusion Prevention System (IPS) devices. The IEV server allows an unauthenticated user to add, delete, or modify the devices that are added into the IEV.
This vulnerability is documented in Cisco Bug ID: CSCsv66897
CVE Information:
CVE-2008-3820
Impact:
Successful exploitation of this vulnerability may result in remote root access to the IEV database or to the IEV server. Upon launching the IEV, remotely accessible ports are opened on the Cisco Security Manager server and on the client where the IEV is launched. When the IEV application is closed, these ports are subsequently closed on the client but remain open on the Cisco Security Manager server.
Workarounds:
In the event that Cisco IEV is not being used, administrators are advised to disable the functionality until a patch is applied. To disable IEV on Cisco Security Manager, perform the following steps:
1. Access the Microsoft Windows Server that Cisco Security Manager is installed on.
2. Open the Services dialog box (Choose Start > Administrative Tools > Services).
3. Locate the Cisco IPS Event Viewer service and open Properties.
4. Change Startup Type to Disabled and click OK.
5. Stop the Cisco IPS Event Viewer service.
6. Stop and restart the Cisco Security Manager Daemon Manager service.
7. Confirm that the Cisco IPS Event Viewer service has not restarted.
Upon disabling the Cisco IPS Event Viewer service, the open ports on the Cisco Security Manager server will be closed.
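The seven manual steps above, as an added PowerShell example that is not part of the Cisco advisory: it applies the workaround on the Cisco Security Manager server and records which listening TCP ports disappeared, since the advisory does not name the IEV ports. The service display names come from the advisory; the underlying service short names are resolved at run time and are assumed to exist.

```powershell
# Added example (not Cisco's code): automates the IEV workaround steps and
# confirms the result. Run in an elevated PowerShell session on the CSM server.
$ErrorActionPreference = 'Stop'

$ievDisplayName = 'Cisco IPS Event Viewer'                # display name from the advisory
$dmDisplayName  = 'Cisco Security Manager Daemon Manager' # display name from the advisory

function Get-ServiceByDisplayName([string]$DisplayName) {
    # Short service names are not given in the advisory, so resolve them here (assumption)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service with display name '$DisplayName' not found" }
    return $svc
}

function Get-ListeningTcpPorts {
    # netstat -ano is available on every Windows Server release CSM 3.x runs on
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            [pscustomobject]@{ Port = [int]$Matches[1]; ProcessId = [int]$Matches[2] }
        }
    }
}

function Disable-CiscoIev {
    $iev = Get-ServiceByDisplayName $ievDisplayName
    $dm  = Get-ServiceByDisplayName $dmDisplayName
    $before = @(Get-ListeningTcpPorts)

    # Steps 3-4: Disabled startup type so Daemon Manager cannot relaunch the IEV
    Set-Service -Name $iev.Name -StartupType Disabled

    # Step 5: stop the IEV service if it is running
    if ($iev.Status -ne 'Stopped') {
        Stop-Service -Name $iev.Name -Force
        $iev.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # Step 6: stop and restart Daemon Manager
    Restart-Service -Name $dm.Name -Force
    $dm.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))

    # Step 7: confirm the IEV service did not come back with Daemon Manager
    Start-Sleep -Seconds 10
    $iev.Refresh()
    if ($iev.Status -ne 'Stopped') {
        throw "IEV service '$($iev.Name)' restarted (status $($iev.Status)); workaround not effective"
    }

    # Report which TCP listeners went away; these are the ports the IEV left open
    $afterPorts = @(Get-ListeningTcpPorts | ForEach-Object { $_.Port })
    $closed = $before | Where-Object { $afterPorts -notcontains $_.Port }
    Write-Output "IEV service '$($iev.Name)' is Stopped and Disabled"
    Write-Output ("Listening TCP ports closed: " + (($closed | ForEach-Object { $_.Port }) -join ', '))
}

Disable-CiscoIev
```

If the closed-port list is empty, the IEV had never been launched on that server and, per the advisory, the server was not exposed.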
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090121-csm.shtml