Cisco Security Agent (CSA) for Linux contains a denial of service vulnerability involving port scans. By performing a port scan against a system running a vulnerable version of CSA, it is possible to cause the system to become unresponsive. Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) ship with a vulnerable CSA version.
There are workarounds for this vulnerability. Cisco has made free software available to address this vulnerability for affected customers.
Vulnerable Products:
The following CSA versions are vulnerable to the port scanning issue:
* CSA version 4.5 for Linux (standalone and managed) prior to Hotfix 4.5.1.657
* CSA version 5.0 for Linux (standalone and managed) prior to Hotfix 5.0.0.193
The following Cisco products ship with a standalone CSA for Linux version that is also vulnerable to this issue:
* Cisco Unified CallManager (CUCM) 5.0 versions including 5.0(4)
* Cisco Unified Presence Server (CUPS) 1.0 versions including 1.0(2)
Products Confirmed Not Vulnerable:
The following CSA Agent versions are not vulnerable to the port scanning issue:
* CSA version 5.1 (standalone and managed) for Linux
* All CSA versions (standalone and managed) for Windows
* All CSA versions (standalone and managed) for Solaris
No other Cisco products are currently known to be affected by this vulnerability.
Details:
Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. CSA for Linux is vulnerable to a denial of service attack that may be triggered during the identification of network port scans. By running a port scan with specific options, it is possible to cause excessive system resource consumption resulting in a denial of service. It is possible to mitigate this vulnerability by restricting network access to vulnerable systems to trusted networks. This issue is not a Linux operating system issue. CSA versions for other operating systems (Windows, Solaris) are not affected by this vulnerability. This issue is documented in Cisco Bug ID CSCse98684 (registered customers only).
Cisco Unified CallManager 5.0 versions, including 5.0(4), ship with a vulnerable version of CSA. A new CallManager Options Package (COP) file is available to update the CSA version on CallManager 5.0(4). Future versions of CallManager will include the updated CSA version. This issue is documented in Cisco Bug ID CSCse97601 (registered customers only).
Cisco Unified Presence Server 1.0 versions, including 1.0(2), ship with a vulnerable version of CSA. A new COP file is available to update the CSA version on CUPS 1.0(2). Future versions of CUPS will include the updated CSA version. This issue is documented in Cisco Bug ID CSCsg40052 (registered customers only).
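The advisory states only that scan identification can consume excessive resources; it does not describe CSA's internal mechanism. The following is an added illustrative example, not Cisco code, of the general design point a host-based scan detector has to satisfy: every piece of per-source and per-port state must have a hard upper bound, so that neither a wide scan from one address nor a flood of spoofed source addresses can drive the detector's own memory and CPU use without limit. The ScanTracker class, its constants and the constructed sample traffic in simulate() are assumptions made for this illustration.

```python
# Bounded-state port scan tracker. Added illustrative example, not Cisco CSA
# code: the advisory does not describe CSA's internals. The class, constants
# and constructed traffic below are assumptions made for the illustration.
from collections import OrderedDict

MAX_SOURCES = 1024          # hard cap on source addresses tracked at once
MAX_PORTS_PER_SOURCE = 256  # hard cap on distinct ports remembered per source
SCAN_THRESHOLD = 20         # distinct ports inside WINDOW that count as a scan
WINDOW = 10.0               # seconds a source's port set stays valid


class ScanTracker:
    """Track (source, destination port) observations with bounded memory.

    Every structure has a fixed maximum size, so an attacker cannot make the
    detector itself consume unbounded CPU or memory by scanning many ports
    or by spoofing many source addresses.
    """

    def __init__(self, max_sources=MAX_SOURCES, max_ports=MAX_PORTS_PER_SOURCE,
                 threshold=SCAN_THRESHOLD, window=WINDOW):
        self.max_sources = max_sources
        self.max_ports = max_ports
        self.threshold = threshold
        self.window = window
        # OrderedDict used as an LRU: the least recently seen source is first.
        self.sources = OrderedDict()  # src -> [first_seen, set_of_ports]

    def observe(self, src, dport, now):
        """Record one probe; return True once src crosses the scan threshold."""
        entry = self.sources.get(src)
        if entry is None or now - entry[0] > self.window:
            entry = [now, set()]           # new source, or stale window: reset
            self.sources[src] = entry
        self.sources.move_to_end(src)      # mark as most recently seen
        while len(self.sources) > self.max_sources:
            self.sources.popitem(last=False)  # evict least recently seen source
        ports = entry[1]
        if len(ports) < self.max_ports:    # bounded per-source port memory
            ports.add(dport)
        return len(ports) >= self.threshold

    def tracked_sources(self):
        return len(self.sources)

    def tracked_ports(self, src):
        entry = self.sources.get(src)
        return len(entry[1]) if entry else 0


def simulate():
    """Constructed traffic: one real scanner, then a spoofed-source flood."""
    t = ScanTracker()
    scanner = "10.0.0.5"
    flagged_at = None
    # A single source walks ports 1..1000 inside one window.
    for port in range(1, 1001):
        if t.observe(scanner, port, now=1.0) and flagged_at is None:
            flagged_at = port
    scanner_ports = t.tracked_ports(scanner)
    # 5000 spoofed sources each probe one port: the classic way to blow up an
    # unbounded per-source table (addresses are constructed, not real traffic).
    for i in range(5000):
        t.observe(f"198.51.{i // 256}.{i % 256}", 80, now=2.0)
    return {
        "flagged_at": flagged_at,                      # threshold reached at port 20
        "scanner_ports": scanner_ports,                # capped at 256, not 1000
        "sources_after_flood": t.tracked_sources(),    # capped at 1024, not 5001
        "scanner_evicted": t.tracked_ports(scanner) == 0,  # LRU cost of the cap
    }


if __name__ == "__main__":
    print(simulate())
```

The last field in simulate() shows the trade-off a bounded design accepts: a large spoofed flood can evict the state of a genuine scanner from the LRU table, so detection may miss or restart, but the host stays responsive. That is the correct failure direction for a host-protection agent, whose first job is not to become the denial of service itself.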
Impact:
Successful exploitation of the port scan vulnerability against a Linux system running a vulnerable version of CSA may cause the system to become unresponsive due to resource exhaustion while a port scan is underway. This may result in the failure of critical processes and remote network connectivity. Repeated port scans may result in a prolonged denial of service. If a CUCM or CUPS system running a vulnerable CSA version is scanned, voice operations may become unavailable for the duration of the port scan.
Workarounds:
It is possible to work around the Linux port scan vulnerability in managed agents by disabling the Netshield rule via the CSA Management Center (CSAMC) console. This is not possible for standalone agents, including the CSA agents shipped with CUCM and CUPS. Administrators should exercise caution when employing this workaround because it may open a system to additional network denial of service attacks. With the Netshield rule disabled, CSA will still provide protection against buffer overflows and other malicious activities.