Cisco's cache engine suffers from three security problems that allow bypassing authentication in certain cases:
The first security hole in Cisco's cache engine allows an unauthorized person to substitute the website's content with arbitrary material. This new content would be viewable only by users of the affected (or "polluted") Cache Engine. This vulnerability has Cisco bug ID CSCdm63310.
The second vulnerability allows an unauthorized person to view performance information via the web interface of the Cache Engine. This vulnerability has Cisco bug ID CSCdp20180.
The third vulnerability is that a null username and password pair is accepted as valid authentication credentials. This vulnerability has Cisco bug ID CSCdj56294.
Credit:
The information has been provided by: Cisco.
If you are using a Cisco Cache Engine that has not been upgraded to version 2.0.3, you are vulnerable to the first two issues (CSCdm63310 and CSCdp20180). If you are running a Cache Engine that has not been upgraded to version 1.5, you are vulnerable to all three issues (CSCdm63310, CSCdp20180, and CSCdj56294).
Cisco bug ID CSCdm63310 (replacing web content):
Content can be stored on the Cisco Cache Engine under a well-known host name, and clients behind that Cisco Cache Engine will then receive only the Cache Engine's content for that well-known host name. This allows an opportunistic content provider to populate a Cisco Cache Engine with content of their choosing, yet make it appear as if any other host name were serving this content. The clients using this "polluted" cache engine would be the only ones to see this tainted content, causing confusion and service disruption. Version 2.0.3 of the Cisco Cache Engine provides additional authentication to verify that the hostname provided actually belongs to the site providing the content.
Cisco bug ID CSCdp20180 (viewing performance information):
Though the Cache Engine web administration pages request authentication, a script can be written to bypass the authentication request and gain access to the performance statistics without authentication. This problem has been fixed by adding extra security checks to verify that the Java monitor applet that provides the performance statistics has been properly authenticated.
Cisco bug ID CSCdj56294 (null username/password):
This issue permits an unauthorized person to alter files on the Cache Engine, ranging from blocked site lists to alternate software versions.
Affected and Repaired Software Versions
Cisco Cache Engine 2050, Release 1.0 through 1.7.6.
Cisco Cache Engine 500, Release 2.0.1 through 2.0.2.
All issues are fixed in the Cisco Cache Engine 500, Release 2.0.3 or later.
All issues are fixed in Cisco Cache Engine version 2.0.3. CSCdj56294 is resolved in Cisco Cache Engine version 1.5 and higher. However, due to issues CSCdp20180 and CSCdm63310, it is strongly recommended that customers upgrade to Cisco Cache Engine version 2.0.3.
Software version 2.0.3 will only apply to the following Cisco Cache Engine Hardware platforms: CE-550, CE-505, and CE-550-DS3. The CE-2050 chassis cannot be upgraded to version 2.0.3, and you will need to contact the Cisco TAC for assistance.
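The version rules above can be applied to a device inventory as follows. This is an added example, not code from Cisco or the original advisory; the function names and inventory rows are constructed, and treating any platform outside the three listed as "contact TAC" is an assumption.

```python
# Added example: inventory triage for the three Cache Engine bug IDs.
# Thresholds and platform names come from the advisory text; function
# names and the sample rows are constructed for illustration.
import re

FIX_ALL = (2, 0, 3)       # release that fixes CSCdm63310 and CSCdp20180
FIX_NULL_AUTH = (1, 5)    # release that resolves CSCdj56294
UPGRADABLE = {"CE-550", "CE-505", "CE-550-DS3"}  # platforms that accept 2.0.3


def parse_version(text):
    """Turn '1.7.6' into (1, 7, 6) so releases compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _older(version, fixed):
    """True if version precedes fixed; pads so 1.5 equals 1.5.0."""
    width = max(len(version), len(fixed))
    padded = [v + (0,) * (width - len(v)) for v in (version, fixed)]
    return padded[0] < padded[1]


def open_bugs(version_text):
    """Return the bug IDs that apply to a given software release."""
    version = parse_version(version_text)
    bugs = []
    if _older(version, FIX_ALL):
        bugs += ["CSCdm63310", "CSCdp20180"]
    if _older(version, FIX_NULL_AUTH):
        bugs.append("CSCdj56294")
    return bugs


def triage(platform, version_text):
    """Return (bug IDs, recommended action) for one inventory row."""
    bugs = open_bugs(version_text)
    if not bugs:
        return bugs, "no action"
    if platform in UPGRADABLE:
        return bugs, "upgrade to 2.0.3"
    # Assumption: any platform not listed as upgradable is handled like CE-2050.
    return bugs, "contact Cisco TAC; restrict management and FTP access"


if __name__ == "__main__":
    # Constructed inventory rows (platform, running release).
    for row in [("CE-2050", "1.0"), ("CE-2050", "1.7.6"),
                ("CE-505", "2.0.2"), ("CE-550", "2.0.3")]:
        print(row, triage(*row))
```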
Workarounds
Workarounds to prevent an attacker from taking advantage of the vulnerability described in CSCdm63310 include disabling the Cisco Cache Engine or specifying a strict list of permitted sites that would restrict clients to a list of known, valid websites. The procedure for enabling URL restriction is detailed in Cache Engine documentation version 1.7 at the following link:
Workarounds for both CSCdp20180 and CSCdj56294 include other means of limiting access to both the web-based management and FTP ports on the Cache Engine, such as firewalls or access lists on routers to limit traffic to those ports.
It is strongly recommended to upgrade to version 2.0.3 of the Cisco Cache Engine.