Credit:
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
Vulnerable Systems:
* Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
* Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
* Cisco IronPort PostX MAP versions prior to 6.2.9.1
Immune Systems:
* Cisco IronPort C-Series and M-Series appliances
* Cisco IronPort S-Series appliances
The Cisco IronPort Encryption Appliance contains two information disclosure vulnerabilities that allow remote, unauthenticated access to arbitrary files on vulnerable devices via the embedded HTTPS server. The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143. The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.
The Cisco IronPort Encryption Appliance contains a remote code execution vulnerability that allows an unauthenticated attacker to run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.
Successful exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to access arbitrary files or execute arbitrary code with elevated privileges.
Patch Availability:
Cisco has released free software updates that address these vulnerabilities. The affected products in this advisory are directly supported by Cisco IronPort. Customers should contact Cisco IronPort technical support at the link below to obtain software fixes. Cisco IronPort technical support will assist customers in determining the correct fixes and installation procedures. Customers should direct all warranty questions to IronPort technical support.
http://www.ironport.com/support/contact_support.html
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
Workaround:
It is possible to mitigate the administration interface file access vulnerability (IronPort Bug 65921) by using the IP address restriction feature of the administration interface to limit access to trusted hosts. Access to the administration interface is not restricted by default. To configure access limits, an administrator should navigate to the "Configuration -> Web Services -> Admin -> Console Security" area in the Cisco IronPort Encryption Appliance administration interface. Note that this restriction covers only the administration interface; no workaround is listed for the WebSafe servlet vulnerability (IronPort Bug 65922), so the software update is the only remedy for it.
It is possible to work around the remote code execution vulnerability (IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort Encryption Appliance configuration files. To disable the HTTP Invoker, an administrator must delete two files in the PostX application home directory and remove a directive from the web server configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
The following directive must be removed from the "jboss/server/postx/conf/jboss-service.xml" web server configuration file:
<mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"
name="jboss.scripts:service=BSHDeployer">
</mbean>
After deleting the files and removing the directive from the configuration file, the PostX application service must be restarted. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml
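The HTTP Invoker workaround above, carried out as a script that also checks its own result. This is an added example and not from the Cisco advisory. It assumes the PostX application home directory is passed in POSTX_HOME (the advisory gives the paths relative to that directory but does not say where it is), that the BeanShellSubDeployer <mbean> element has an empty body as shown above, and it does not invent a restart command, since the advisory names none; it only reminds the operator to restart the service.

```shell
#!/bin/sh
# Added example (not from the Cisco advisory): apply the HTTP Invoker
# workaround under a PostX application home directory and verify the result.
# Assumptions: $POSTX_HOME is the PostX home (assumed variable name; the
# advisory only gives paths relative to that directory), and the
# BeanShellSubDeployer <mbean> element has an empty body as in the advisory.

POSTX_HOME="${POSTX_HOME:-}"   # e.g. POSTX_HOME=/path/to/postx sh disable-http-invoker.sh

# Deployment archives named in the advisory, relative to the PostX home.
INVOKER_SARS="jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar"
SERVICE_XML="jboss/server/postx/conf/jboss-service.xml"

# Copy jboss-service.xml ($1) to $2 without the BeanShellSubDeployer mbean.
# Handles the multi-line form shown in the advisory as well as a single-line
# or self-closing form; other <mbean> elements are passed through unchanged.
strip_bsh_deployer() {
    awk '
        /<mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"/ {
            skip = 1
            if ($0 ~ /\/>/ || $0 ~ /<\/mbean>/) skip = 0   # whole element on one line
            next
        }
        skip {
            if ($0 ~ /\/>/ || $0 ~ /<\/mbean>/) skip = 0   # closing line of the element
            next
        }
        { print }
    ' "$1" > "$2"
}

# Apply the workaround under the given PostX home. Returns 0 only when the
# archives are gone and the directive no longer appears in the config file.
disable_http_invoker() {
    home="$1"
    conf="$home/$SERVICE_XML"
    [ -f "$conf" ] || { echo "error: $conf not found" >&2; return 1; }

    # 1. Delete the HTTP Invoker deployment archives. A .sar may be deployed
    #    as a single archive or an exploded directory, hence rm -r.
    for sar in $INVOKER_SARS; do
        if [ -e "$home/$sar" ]; then
            rm -rf "$home/$sar"
        else
            echo "note: $home/$sar already absent" >&2
        fi
    done

    # 2. Keep a backup, then rewrite the config without the directive.
    cp "$conf" "$conf.bak" || return 1
    strip_bsh_deployer "$conf.bak" "$conf" || return 1

    # 3. Verify: no BeanShell deployer left in the config, archives gone.
    if grep -q BeanShellSubDeployer "$conf"; then
        echo "error: directive still present in $conf" >&2
        return 1
    fi
    for sar in $INVOKER_SARS; do
        [ ! -e "$home/$sar" ] || { echo "error: $home/$sar still present" >&2; return 1; }
    done
    return 0
}

if [ -n "$POSTX_HOME" ]; then
    disable_http_invoker "$POSTX_HOME" || exit 1
    # The advisory requires a restart of the PostX application service after
    # these changes; it does not give the command, so none is assumed here.
    echo "HTTP Invoker disabled under $POSTX_HOME; now restart the PostX application service."
fi
```

The verification step matters: the workaround only counts as applied once both archives are absent and the deployer directive is gone from the rewritten file, and the `.bak` copy lets an operator diff the before and after states before restarting the service.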
CVE Information:
CVE-2010-0143
CVE-2010-0144
CVE-2010-0145
Disclosure Timeline:
2010-Feb-10: Initial Public Release