Cisco Security Response http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityResponse.xml en-us 1992-2010 Cisco Systems, Inc. All rights reserved. Cisco Security Response Cisco Systems, Inc. 15 Cisco IOS and Cisco IOS XE Type 4 Passwords Issue http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4 This is the Cisco response to research performed by Mr. Philipp Schmidt and Mr. Jens Steube from the <a href="http://hashcat.net/oclhashcat-plus/" target="_blank">Hashcat Project</a> on the weakness of Type 4 passwords on Cisco IOS and Cisco IOS XE devices. Mr. Schmidt and Mr. Steube reported this issue to the Cisco PSIRT on March 12, 2013.<br /> <br /> Cisco would like to thank Mr. Schmidt and Mr. 
Steube for sharing their research with Cisco and working toward a coordinated disclosure of this issue.<br /> <br /> This Cisco Security Response is available at <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4</a> Tue, 07 Apr 2015 19:54:38 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4 Distance Vector Multicast Routing Protocol Misuse http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20141006-dvmrp On October 6, 2014, John Kristoff of Team CYMRU presented at NANOG 62 the results of his research on the misuse of some debugging and troubleshooting capabilities provided by the Distance Vector Multicast Routing Protocol (DVMRP) for either distributed denial of service (DDoS) amplification attacks or information gathering purposes.<br /> <br /> The research focused on the use of the DVMRP "Ask Neighbors 2" message (which is documented at <a href="http://tools.ietf.org/html/draft-ietf-idmr-dvmrp-v3-11#page-41">http://tools.ietf.org/html/draft-ietf-idmr-dvmrp-v3-11#page-41</a>) to either:<br /> <ul> <li>query a device supporting the "Ask Neighbors 2" message in order to gather information about multicast peers (including the peer's IP address, interface on which the peer is located, and number of peers on a given interface) from the point of view of the device being queried, or,</li> <li>use a device supporting the "Ask Neighbors 2" debugging and troubleshooting message as a 
reflector in a DDoS amplification attack</li> </ul> Mon, 06 Oct 2014 22:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20141006-dvmrp Rootkits on Cisco IOS Devices http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080516-rootkits <p>This is the Cisco PSIRT response to an issue that was disclosed by Mr. Sebastian Muniz of Core Security Technologies at the EUSecWest security conference on May 22, 2008. </p> <p>No new vulnerability on the Cisco IOS software was disclosed during the presentation. To the best of our knowledge, no exploit code has been made publicly available, and Cisco has not received any customer reports of exploitation.</p> <p>Cisco has analyzed the available information and recommends following industry best practices to improve the security of all network devices. Specific recommendations are available in the Additional Information section of this Security Response.</p> <p>Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. We would like to thank Mr. 
Sebastian Muniz and Core Security Technologies for working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure.</p> Wed, 09 Apr 2014 12:43:25 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080516-rootkits Der Spiegel Article on Networking Equipment Infiltration http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel On December 29, 2013, the German news publication <em>Der Spiegel</em> published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article:<br /> <br /> <a href="http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html">http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html</a><br /> <br /> On December 30, 2013, the Cisco Product Security Incident Response Team (PSIRT) opened an incident to investigate the alleged creation of implants for some Cisco PIX and Cisco ASA platforms.<br /> <br /> Cisco formally requested additional information about these allegations from both the United States Government and the German news publication Der Spiegel. No further details were provided.&nbsp;<br /> <br /> The Cisco PSIRT led a comprehensive evaluation of the Cisco ASA platform, working closely with the company&rsquo;s engineering, support, and supply chain organizations around the world. 
The Cisco ASA platform was the primary focus, as the Cisco PIX platform has reached&nbsp;<a href="http://www.cisco.com/c/en/us/products/security/pix-500-series-security-appliances/eos-eol-notice-listing.html">End of Support</a>.<br /> <br /> The investigation (PSIRT-1384943056) reviewed Cisco&rsquo;s development and supply chain procedures, historical customer support data for ASA and PIX platforms, and operational data from devices installed in various production networks in different parts of the world.&nbsp;<br /> <br /> Advice from internal and external industry experts was used to create and implement different test scenarios focusing on the Cisco ASA platform&rsquo;s BIOS, operating system, and applications. Cisco professionals from around the world conducted tests of every existing model of the Cisco ASA family.<br /> <br /> No evidence of any procedural irregularities or tampering of the BIOS, operating system, or applications was revealed. As a result, Cisco PSIRT has now closed this investigation. Thu, 13 Mar 2014 18:56:13 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel Use of Dual_EC_DRBG in Cisco Products http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131016-ec-drbg Cisco is aware of the industry discussion regarding the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) and the recent decision of the U.S. 
National Institute of Standards and Technology (NIST) to reopen the 800-90A Special Publication (SP) to public review.<br /> <br /> Cisco applauds the decision for increased public review of cryptographic standards and will monitor for any updates to NIST SP 800-90A.<br /> <br /> Cisco has completed an internal investigation and has confirmed that the Dual_EC_DRBG is not in use in any Cisco products. Wed, 16 Oct 2013 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131016-ec-drbg Cisco Nexus 1000V Series Switch Software Release 4.2(1)SV1(5.2) Virtual Security Gateway Bypass Issue http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20121107-n1k The Cisco Product Security Incident Response Team (PSIRT) would like to notify customers of an issue that&nbsp;may impact their network security posture&nbsp;when upgrading the Cisco Nexus 1000V Series Switches to Software Release 4.2(1)SV1(5.2)&nbsp;with deployments that have Cisco Virtual Security Gateway (VSG) integration. 
This issue will manifest itself when administrators perform an in-service software upgrade to Software Release 4.2(1)SV1(5.2)&nbsp;from Software Release 4.2(1)SV1(5.1a)&nbsp;or earlier.<br /> <br /> After the software upgrade, a bug in Software Release 4.2(1)SV1(5.2)&nbsp;could cause all the virtual Ethernet ports on the Virtual Ethernet Modules (VEM) of the Cisco Nexus 1000V Series Switch to stay in <strong>No-Policy pass-through</strong> mode because a valid VSG license is not actively installed. As a result, the VEMs no longer use a configured Cisco VSG; therefore, the virtual machines (VM) are not firewalled and traffic is not inspected by the VSG.<br /> <br /> This software bug is documented in Cisco Bug ID <a style="cursor: pointer; color: #663399; font-family: arial,helvetica,sans-serif; background-color: #ffffff;" href="https://tools.cisco.com/bugsearch/bug/CSCud01427">CSCud01427</a> (<a style="cursor: pointer; color: #663399; font-family: arial,helvetica,sans-serif; font-size: 12px; background-color: #ffffff;" href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) and a software bulletin for Software Release 4.2(1)SV1(5.2) is in the process of being published. Wed, 07 Nov 2012 16:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20121107-n1k Multiple Vulnerabilities in OpenSSL Library http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20061108-openssl <p>This is the Cisco PSIRT response to the multiple security advisories published by The OpenSSL Project. 
The vulnerabilities are as follows: </p> <ul> <li>RSA Signature Forgery (CVE-2006-4339), described in <a href="http://www.openssl.org/news/secadv_20060905.txt" target="_blank">http://www.openssl.org/news/secadv_20060905.txt</a> </li> <li>ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940), described in <a href="http://www.openssl.org/news/secadv_20060928.txt" target="_blank">http://www.openssl.org/news/secadv_20060928.txt</a> </li> <li>SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in <a href="http://www.openssl.org/news/secadv_20060928.txt" target="_blank">http://www.openssl.org/news/secadv_20060928.txt</a> </li> <li>SSLv2 Client Crash (CVE-2006-4343), also in <a href="http://www.openssl.org/news/secadv_20060928.txt" target="_blank">http://www.openssl.org/news/secadv_20060928.txt</a> </li> </ul> <p>As of this publication, there are no workarounds available for any of these vulnerabilities, but it may be possible to mitigate some of the exposure. This Security Response lists the status of each product or application when considered individually. However, in cases where multiple applications are running on the same computer, a vulnerability in one application or component can compromise the entire system. This compromise can then be leveraged against applications that would otherwise be unaffected. Therefore, users must consider all applications when determining their exposure to these vulnerabilities. Cisco strongly recommends that customers update all vulnerable applications and components to provide the greatest protection from the listed vulnerabilities. 
Cisco will update this document in the event of any changes. </p> Mon, 15 Oct 2012 13:20:43 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20061108-openssl NACATTACK Presentation http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070330-cta <p>This is Cisco PSIRT's response to the "NACATTACK" presentation by Dror-John Roecher and Michael Thumann, presented at Blackhat Europe on March 30th, 2007. </p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> Wed, 09 May 2012 17:33:13 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070330-cta Wi-Fi Protected Setup PIN Brute Force Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps <p>On December 27th, 2011, US-CERT released VU#723755, available here: <a href="http://www.kb.cert.org/vuls/id/723755">http://www.kb.cert.org/vuls/id/723755</a></p> <p>The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) certification program. 
The WPS certification program is based on the Wi-Fi Simple Configuration protocol, in which an Access Point (AP) has a static PIN that allows access and configuration from an External Registrar (ER). An AP with WPS enabled and configured to use a static PIN will allow a WPS-capable ER, that provides the correct PIN, to join a properly secured network. A weakness in the protocol affects all APs that have a static PIN, and may allow an unauthenticated, remote attacker to use brute force calculations to determine the AP's PIN in a short amount of time. </p> <p>The vulnerability is due to a flaw that allows an attacker to determine when the first four digits of the eight-digit PIN are known. This effectively reduces the PIN space from 10<sup>7</sup> or 10,000,000 possible values to 10<sup>4</sup> + 10<sup>3</sup>, which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first seven digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could find the WPS PIN in as little as a few hours.</p> <p>The affected devices listed below implement a 60-second lockout after three unsuccessful attempts to authenticate to the device.&nbsp; While this does not substantially mitigate this issue, it does increase the time to exploit the protocol weakness from a few hours to at most several days.&nbsp; It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.&nbsp;</p> <h2>Vulnerable Products:</h2> <table cellspacing="1" cellpadding="1" style="border: thin solid; width: 60%;"> <thead> </thead> <tbody> <tr> <td style="border: thin solid; text-align: center; width: 15%; vertical-align: middle;"><strong>Product Name </strong><br /> </td> <td style="border: thin solid; text-align: center; width: 15%; vertical-align: middle;"><strong>Is the WPS feature enabled by default?</strong><br /> </td> <td style="border: thin solid; text-align: center; 
width: 20%; vertical-align: middle;"><strong>Can the WPS feature be permanently disabled?</strong><br /> </td> </tr> <tr> <td colspan="3" style="border: thin solid; text-align: center; vertical-align: middle;"><strong>Access Points</strong><br /> </td> </tr> <tr> <td style="border: thin solid;">Cisco WAP4410N<br /> </td> <td style="border: thin solid;">Yes</td> <td style="border: thin solid;">No<br /> </td> </tr> <tr> <td colspan="3" style="border: thin solid; text-align: center; vertical-align: middle;"><strong>Unified Communications</strong><br /> </td> </tr> <tr> <td style="border: thin solid;">Cisco UC320W<br /> </td> <td style="border: thin solid;">Yes<br /> </td> <td style="border: thin solid;">Yes <sup>(See Note 2)</sup><br /> </td> </tr> <tr> <td colspan="3" style="border: thin solid; text-align: center; vertical-align: middle;"><strong>Wireless Routers/VPN/Firewall Devices</strong><br /> </td> </tr> <tr> <td style="border: thin solid;">Cisco RV110W<br /> </td> <td style="border: thin solid;">Yes</td> <td style="border: thin solid;">Yes</td> </tr> <tr> <td style="border: thin solid;">Cisco RV120W<br /> </td> <td style="border: thin solid;">No </td> Wed, 29 Feb 2012 20:15:55 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps Internet Key Exchange Resource Exhaustion Attack http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060726-ike <p>This is a Cisco response to an advisory published by an unaffiliated third party, Roy Hills, of NTA Monitor Ltd posted as of July 26, 2006 at <a 
href="http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html">http://www.nta-monitor.com/posts/2006/07/cisco-concentrator-dos.html</a>, and entitled: Cisco VPN Concentrator IKE resource exhaustion DoS.</p> <p>This issue is being tracked by the following Cisco Bug IDs:</p> <ul> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse70811">CSCse70811</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco IOS® software)</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse89808">CSCse89808</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco VPN 3000 Concentrators)</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsb51032">CSCsb51032</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) and <a href="https://tools.cisco.com/bugsearch/bug/CSCsb50996">CSCsb50996</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco PIX firewalls running pre-7.x code)</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse92254">CSCse92254</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco PIX firewalls and Cisco ASA appliances running 7.x code)</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse92527">CSCse92527</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco Firewall Services Module [FWSM] for Cisco Catalyst 6500 switches and Cisco 7600 Series routers)</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse96516">CSCse96516</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco SAN-OS on MDS devices) </li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCek52553">CSCek52553</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) (Cisco IOS XR 
software)</li> </ul> <p>We thank Roy Hills from NTA Monitor Ltd for reporting this issue to Cisco. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports. </p> Tue, 18 Oct 2011 14:39:25 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060726-ike Infected Cisco Information Packet and Warranty CDs http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20110803-cd <p>In the period of December 2010 until August 2011, Cisco shipped warranty CDs that contain a reference to a third-party website known to be a malware repository. When the CD is opened with a web browser, it automatically and without warning accesses this third-party website. Additionally, on computers where the operating system is configured to automatically open inserted media, the computer's default web browser will access the third-party site when the CD is inserted, without requiring any further action by the user.</p> <p>To the best of our knowledge, starting from December 2010 until the time of this document's publication on August 3, 2011, customers were never in a position to have their computer compromised by using the CDs provided by Cisco. Additionally, the third-party site in question is currently inactive as a malware repository, so customers are not in immediate danger of having their computers compromised. 
However, if this third-party website were to become active as a malware repository again, there is a potential that users could infect their operating system by opening the CD with their web browser.</p> <p>All warranty CDs printed with "Revision -F0" (or later) do not contain references to the third-party website and do not introduce a potential to compromise customers' computers. </p> <p>This issue was reported to Cisco by William Haisch. Cisco appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.</p> Wed, 03 Aug 2011 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20110803-cd Cisco IOS Software Denial of Service Vulnerabilities http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20110505-ios <p>This is the Cisco PSIRT (Product Security Incident Response Team) response to two postings on BugTraq by NCNIPC (China) regarding reported vulnerabilities in Cisco IOS Software.</p> <p>The original reports are available at the following links: </p> <ul> <li> <a href="http://www.securityfocus.com/archive/1/517863" target="_blank">Cisco IOS UDP Denial of Service Vulnerability</a> </li> <li> <a href="http://www.securityfocus.com/archive/1/517865/30/0/threaded" target="_blank">Cisco IOS SNMP Message Processing Denial Of Service Vulnerability</a> </li> </ul> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.</p> Tue, 05 Apr 2011 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20110505-ios
Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20101124-vpn-grpname <p>This Cisco Security Response is an updated version of an original Cisco Security Notice (<a href="http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml">http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml</a>) in response to the Cisco VPN Concentrator Group Name Enumeration Vulnerability advisory published on June 20, 2005, by NTA Monitor at <a href="http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm" target="_blank">http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm</a>. </p> <p>A further Cisco VPN Concentrator Group Name Enumeration Vulnerability that affects the Cisco PIX, Cisco VPN 3000 Concentrator, and Cisco ASA was reported to Cisco by Gavin Jones of NGS Secure. This vulnerability does not affect Cisco IOS Software. In the original report, the affected device would reply to the IKE negotiation if the group name in the IKE message was valid, whereas an invalid group name would not elicit a response. 
These IKE-related differences in the device reply were fixed with the original Cisco Bug IDs. However, the device response does differ for the dead peer detection VID, depending on whether a valid group name has been received.</p> <p>This Security Response is posted at <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20101124-vpn-grpname">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20101124-vpn-grpname</a>, with the original security notice posted at: <a href="http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml">http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml</a>.</p> Wed, 24 Nov 2010 17:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20101124-vpn-grpname Cisco IronPort Desktop Flag Plug-in for Outlook Information Disclosure http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20100511-ironport <p>The Cisco IronPort Desktop Flag Plug-in for Outlook enables Microsoft Outlook users to encrypt email messages via a Cisco IronPort Encryption Appliance or Email Security Appliance. In order to cause an email message to be encrypted, a user must click the <strong>Send Secure</strong> button to securely deliver the email message. 
</p> <p>If multiple email messages are being composed simultaneously and the <strong>Send Secure</strong> button is used to send more than one of the email messages, an error condition may occur where only the first email message sent is successfully encrypted. The remaining email messages sent using the <strong>Send Secure</strong> button will not be encrypted and may result in the disclosure of sensitive information if intercepted by an unauthorized party. </p> <p>There is a workaround for this issue.</p> <p>Below is an example image showing a Microsoft Outlook email composition window with the Cisco IronPort Flag Plug-in for Outlook installed. Users with no <strong>Send Secure</strong> icon in their Outlook client do not have the plug-in installed and are not affected.</p> <img src="http://www.cisco.com/warp/public/707/cisco-sr-20100511-ironport-01.gif" alt="cisco-sr-20100511-ironport-01.gif" style="border-width: 0px; border-style: solid;" /> <p>This response is posted at: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20100511-ironport">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20100511-ironport</a></p> Tue, 11 May 2010 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20100511-ironport Unmatched Request Discloses Client Internal IP Address http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090925-axg <p>This is the Cisco PSIRT response to the statements made by Alejandro Hernandez H. 
in his advisory: "Cisco ACE XML Gateway &lt;= 6.0 Internal IP disclosure". </p> <p>The original email/advisory is available at <a href="http://seclists.org/fulldisclosure/2009/Sep/0369.html" target="_blank">http://seclists.org/fulldisclosure/2009/Sep/0369.html</a> </p> <p>Cisco would like to thank Alejandro Hernandez H. for discovering and reporting this vulnerability to Cisco.</p> <p>This response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090925-axg">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090925-axg</a> </p> Fri, 25 Sep 2009 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090925-axg Cisco IOS Cross-Site Scripting Vulnerabilities http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http <p>Three separate Cisco IOS<sup>®</sup> Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers. ProCheckup has posted a Security Advisory titled "XSS on Cisco IOS HTTP Server" at <a href="http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19">http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19</a>.</p> <p>Cisco would like to thank Adrian Pastor and Richard J. 
Brain of ProCheckUp and Nobuhiro Tsuji of NTT Data Security Corporation with the co-operation of JPCert.</p> <p>This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http</a>.</p> Fri, 19 Jun 2009 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http Cisco Unified MeetingPlace Stored Cross-Site Scripting Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090226-mtgplace?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Unified%20MeetingPlace%20Stored%20Cross-Site%20Scripting%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to an issue discovered and reported to Cisco by the National Australia Bank Security Assurance team regarding a cross-site scripting vulnerability in Cisco Unified MeetingPlace Web Conferencing.</p> <p> The original report is available at the following link: <a href="http://www.securityfocus.com/archive/1/501251/30/0/threaded" target="_blank">http://www.securityfocus.com/archive/1/501251/30/0/threaded</a> </p> <p> The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports.</p> <p> </p> <p> This vulnerability is documented in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsv66321"> <strong>CSCsv66321</strong> </a> (<span style="font-size: 16px;"> 
<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <p> </p> <p> This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090226-mtgplace">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090226-mtgplace</a></p> Thu, 26 Feb 2009 12:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090226-mtgplace MD5 Hashes May Allow for Certificate Spoofing http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090115-md5?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=MD5%20Hashes%20May%20Allow%20for%20Certificate%20Spoofing&vs_k=1 <p>This is the Cisco response to research done by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger pertaining to MD5 collisions in certificates issued by vulnerable certificate authorities.</p> <p> </p> <p> Cisco has released an IntelliShield activity bulletin detailing the specifics of this issue. This bulletin is available at the following link: <a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=17341">http://tools.cisco.com/security/center/viewAlert.x?alertId=17341</a>. </p> <p> </p> <p> The Cisco Adaptive Security Appliance (ASA) and IOS may both serve as certificate authorities and by default use the MD5 hashing algorithm in the digital signatures of certificates issued to end users and devices. 
</p> <p> </p> <p> The hashing algorithm used in digital certificates on the Cisco ASA cannot be changed; however, the ASA is unlikely to be affected by the attacks described in this research due to the way certificates are generated on the device. Cisco recognizes the weaknesses in MD5 and plans to alter the signature algorithm used in digital certificates and modify the methods utilized in creation of CA and endpoint certificates. This will be addressed by Cisco Bug ID: <a href="https://tools.cisco.com/bugsearch/bug/CSCsw88068"> <strong>CSCsw88068</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <p> </p> <p> The Cisco IOS CA may be vulnerable to the attack described in this research when configured to utilize MD5 hashes in endpoint certificates. This is the default behavior; however, the device can be reconfigured to utilize a more secure hashing algorithm. Cisco plans to change this default behavior and modify the methods utilized in creation of CA and endpoint certificates. 
This will be addressed by Cisco Bug ID: <a href="https://tools.cisco.com/bugsearch/bug/CSCsw90626"> <strong>CSCsw90626</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> Thu, 15 Jan 2009 16:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090115-md5 Cisco Response to TKIP Encryption Weakness http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081121-wpa?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Response%20to%20TKIP%20Encryption%20Weakness&vs_k=1 <p>Several technology trade and other press outlets have recently released stories about security vulnerabilities in the Temporal Key Integrity Protocol (TKIP). TKIP was developed after security vulnerabilities were found in the Wired Equivalency Protocol (WEP). This protocol was developed as a stopgap mechanism to address wireless security limitations in WEP for wireless devices that could not support the Advanced Encryption Standard (AES). 
</p> <p>TKIP is the mandatory cipher suite for the first version of the Wi-Fi Protected Access (WPA) specification and it is an option for the Wi-Fi Protected Access version 2 (WPA2) standard.</p> Fri, 21 Nov 2008 16:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081121-wpa Cisco VLAN Trunking Protocol Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20VLAN%20Trunking%20Protocol%20Vulnerability&vs_k=1 <p>This is the Cisco response to research done by 'showrun.lee' pertaining to a crafted VTP packet denial of service vulnerability.</p> <p>We would like to thank 'showrun.lee' for reporting this vulnerability to us.</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.</p> <p>This vulnerability is being addressed by Cisco Bug IDs:</p> <ul> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsv05934">CSCsv05934</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) —Crafted VTP packet crashes switch running IOS</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsv54651">CSCsv54651</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) —Crafted VTP packet crashes router with etherswitch module running IOS</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsv11741">CSCsv11741</a> (<span style="font-size: 16px;"> <a 
href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) —Crafted VTP packet crashes switch running CatOS</li> </ul> <p>Cisco PSIRT is aware that exploit code has been made public for this vulnerability.</p> Wed, 05 Nov 2008 16:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081017-tcp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Response%20to%20Outpost24%20TCP%20State%20Table%20Manipulation%20Denial%20of%20Service%20Vulnerabilities&vs_k=1 <p>This Security Response has an associated Security Advisory at:</p> <p> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24</a> </p> <p>This is Cisco's response to research presented by Robert E. Lee and Jack Louis of Outpost24, who have announced several denial of service (DoS) vulnerabilities that involve the manipulation of TCP state table information. These vulnerabilities have been discussed on numerous websites and blogs, including a presentation delivered by Lee and Louis at the T2 conference in Helsinki, Finland on October 17, 2008. </p> <p>Cisco PSIRT is aware of the vulnerabilities and is actively investigating what impact these vulnerabilities may have on Cisco products. 
PSIRT will disclose any security vulnerabilities discovered in compliance with Cisco's security vulnerability policy:</p> <p> <a href="http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html">http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html</a> </p> <p>PSIRT is working with Outpost24 and the Finnish Computer Emergency Response Team (CERT-FI) as part of the industry response to these vulnerabilities. An announcement from CERT-FI is available at the following link:</p> <p> <a href="https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html">https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html</a> </p> Fri, 17 Oct 2008 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081017-tcp VoIPshield Reported Vulnerabilities in Cisco Unity Server http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081008-unity?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=VoIPshield%20Reported%20Vulnerabilities%20in%20Cisco%20Unity%20Server&vs_k=1 <p>This is the Cisco PSIRT response to the vulnerabilities in Cisco Unity reported by VoIPshield in their recent advisories (VSRCS-2008-008 to VSRCS-2008-012). The original advisories are available at: <a href="http://www.voipshield.com/" target="_blank">www.voipshield.com</a>. </p> <p> The Cisco PSIRT team greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports. We thank VoIPshield for reporting this vulnerability to Cisco PSIRT. 
</p> <p> Workarounds and code level fixes are provided in the following sections. </p> <h3>VSRCS-2008-008: Cisco Unity Authentication Bypass</h3> <p>Cisco has issued a security advisory on this issue. </p> <p>It is available at: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20081008-unity">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20081008-unity</a> </p> <h3>VSRCS-2008-009: Cisco Unity Stored Cross Site Scripting Vulnerability</h3> <p>Cisco acknowledges this vulnerability and has made improvements on the front end and back end mitigations for cross site scripting attacks.</p> <p> This particular vulnerability requires an authenticated administrator to enter malicious data into the database.</p> <p> This vulnerability is documented in Cisco Bug ID <a href="https://tools.cisco.com/bugsearch/bug/"> <strong>CSCsr86345</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) . </p> <p> <strong>Fixed Software</strong> </p> <p> This vulnerability will be fixed in the following Cisco Unity releases:</p> <ul> <li> 4.2(1)ES162</li> <li> 5.0(1)ES56</li> <li> 7.0(2)ES8</li> </ul> <p> <strong>Workaround</strong> </p> <p>There is no workaround for this vulnerability. Use strong passwords for administrator accounts.</p> <h3>VSRCS-2008-010: Cisco Unity Session Exhaustion Denial of Service</h3> <p>Cisco acknowledges this vulnerability and has made fixed software available.</p> <p> This vulnerability only affects Cisco Unity servers configured to use anonymous authentication as described in the Installation Guide for Cisco Unity in the <a href="http://www.cisco.com/en/US/docs/voice_ip_comm/unity/5x/installation/guide/umexnofo/5xcuigumenofo100.html#wp1533581">Authentication Methods Available for the Cisco Unity Administrator</a> section. 
This vulnerability is documented in Cisco Bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsr86971"> <strong>CSCsr86971</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) . </p> <p> <strong>Fixed Software</strong> </p> <p> This vulnerability is fixed in the following Cisco Unity releases:</p> <ul> <li> 4.2(1)ES161</li> <li> 5.0(1)ES53</li> <li> 7.0(2)ES8</li> </ul> <p> <strong>Workaround</strong> </p> <p> Administrators can change the number of SA sessions available by changing the following registry key:</p> <blockquote> <pre>\HKLC\Software\Active Voice\SystemParams\1.0\SaSessions </pre> </blockquote> <h3>VSRCS-2008-011</h3> <p>Cisco acknowledges this vulnerability. Fixed software will be included in an upcoming Windows update.</p> <p> This vulnerability is the result of a processing error in a Microsoft API used by Cisco Unity. Cisco and Microsoft have jointly investigated this issue and Microsoft will provide a fix as soon as possible. 
Cisco is tracking this issue with the bug <a href="https://tools.cisco.com/bugsearch/bug/CSCsr86990"> <strong>CSCsr86990</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <p> <strong>Fixed Software</strong> </p> <p> This vulnerability will Wed, 08 Oct 2008 18:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081008-unity Cisco Secure ACS Denial Of Service Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080903-csacs?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Secure%20ACS%20Denial%20Of%20Service%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to the statements made by Laurent Butti and Gabriel Campana of Orange Labs / France Telecom Group, in their advisory: "Cisco Secure ACS EAP Parsing Vulnerability". The original advisory is available at:</p> <p> <a target="_blank" href="http://www.securityfocus.com/archive/1/495937/30/0/threaded">http://www.securityfocus.com/archive/1/495937/30/0/threaded</a> </p> <p>A specially crafted Remote Authentication Dial In User Service (RADIUS) Extensible Authentication Protocol (EAP) Message Attribute packet sent to the Cisco Secure Access Control Server (ACS) can crash the CSRadius and CSAuth processes of Cisco Secure ACS. 
Because this affects CSAuth, all authentication requests via RADIUS or TACACS+ will be affected during exploitation of this vulnerability.</p> <p>Cisco ACS installations that are configured with AAA Clients to authenticate using TACACS+ only are not affected by this vulnerability.</p> <p>The RADIUS shared secret and a valid known Network Access Server (NAS) IP address must be known to carry out this exploit.</p> <p>The Cisco PSIRT team greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports. We thank Laurent Butti and Gabriel Campana of Orange Labs / France Telecom Group for reporting this vulnerability to Cisco PSIRT.</p> <p>Software patches are available for customers with support contracts and should be obtained through their regular support channels. The upgrade to fixed software is not a free upgrade. See Software Versions and Fixes section within this advisory for further information on obtaining fixed software. </p> Wed, 03 Sep 2008 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080903-csacs Wide Area Application Services (WAAS) Common UNIX Printing System (CUPS) Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080625-waas?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Wide%20Area%20Application%20Services%20(WAAS)%20Common%20UNIX%20Printing%20System%20(CUPS)%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to a security advisory regarding a vulnerability in Common UNIX Printing System (CUPS). 
The CUPS security advisory can be found at <a href="http://www.cups.org/str.php?L2561">http://www.cups.org/str.php?L2561</a>.</p> <p>The Cisco Wide Area Application Services (WAAS) incorporates a print server based on the integration of open source CUPS technology, which is affected by this CUPS vulnerability.</p> <p>This vulnerability can be remotely exploited and could result in execution of arbitrary code on the Cisco WAAS products.</p> Wed, 25 Jun 2008 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20080625-waas CiscoWorks Server XSS Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071205-cw?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=CiscoWorks%20Server%20XSS%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to an issue that was discovered and reported to Cisco by David Lewis of Liquidmatrix.org regarding a cross-site scripting (XSS) vulnerability in the CiscoWorks Server login page.</p> <p>The original report is available at the following link: <a href="http://www.liquidmatrix.org/blog/2007/12/05/advisory-cross-site-scripting-in-ciscoworks/">http://www.liquidmatrix.org/blog/2007/12/05/advisory-cross-site-scripting-in-ciscoworks/</a>. 
</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.</p> <p>This vulnerability is documented in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsk69289">CSCsk69289</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) .</p> <p>This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071205-cw">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071205-cw</a></p> <p>This vulnerability has been assigned CVE ID CVE-2007-5582.</p> Wed, 05 Dec 2007 16:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071205-cw Cisco Unified IP Phone Remote Eavesdropping http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071128-phone.shtml?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Unified%20IP%20Phone%20Remote%20Eavesdropping&vs_k=1 <p>This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffrey Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.</p> <p>The original report is available at the following link:</p> <p> <a href="http://www.hack.lu/archive/2007/hacklu07_Remote_wiretapping.pdf">http://www.hack.lu/archive/2007/hacklu07_Remote_wiretapping.pdf</a> </p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.</p> <p>This Cisco Security Response is posted at the 
following link:</p> <p> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071128-phone">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071128-phone</a> </p> Wed, 28 Nov 2007 16:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071128-phone.shtml Cisco Unified MeetingPlace XSS Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071107-mp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Unified%20MeetingPlace%20XSS%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to an issue that was discovered and reported to Cisco by Joren McReynolds regarding a cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing.</p> <p>The original report is available at the following link: <a href="http://secunia.com/advisories/26462/" style="word-break: break-all;">http://secunia.com/advisories/26462/</a> </p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.</p> <p>This vulnerability is documented in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsk17122" style="word-break: break-all;"><b>CSCsk17122</b> </a>(<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <p>Since Cisco published this response, other variations of XSS associated with <i>FirstName</i> or <i>LastName</i> parameters have been discovered. 
These additional XSS vulnerabilities are documented in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCth13602" style="word-break: break-all;"><b>CSCth13602</b> </a>(<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <p>Both Cisco bug ID fixes are required for a complete fix to the XSS vulnerabilities.</p> <p>This Cisco Security Response is posted at the following link: </p> <p><a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071107-mp" style="word-break: break-all;">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071107-mp</a>. </p> <p>This vulnerability has been assigned CVE ID CVE-2007-5581.</p> Wed, 07 Nov 2007 13:00:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071107-mp Extensible Authentication Protocol Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071019-eap?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Extensible%20Authentication%20Protocol%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to a presentation that was delivered by Laurent Butti, Julien Tinnès and Franck Veysset of France Telecom Group at Hack.lu on October 19th, 2007.</p> <p>The presentation identifies a vulnerability in Cisco's implementation of Extensible Authentication Protocol (EAP) that exists when processing a crafted EAP Response Identity packet. 
This vulnerability affects several Cisco products that have support for wired or wireless EAP implementations.</p> <p>The Cisco PSIRT team greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports.</p> <p>This vulnerability is documented in the following Cisco bug IDs:</p> <ul> <li>Wireless EAP - <a href="https://tools.cisco.com/bugsearch/bug/CSCsj56438">CSCsj56438</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) </li> <li>Wired EAP - <a href="https://tools.cisco.com/bugsearch/bug/CSCsb45696">CSCsb45696</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) and <a href="https://tools.cisco.com/bugsearch/bug/CSCsc55249">CSCsc55249</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) </li> </ul> <p>This Cisco Security Response is available at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071019-eap">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071019-eap</a>.</p> Fri, 19 Oct 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071019-eap Cisco IOS Line Printer Daemon (LPD) Protocol Stack Overflow http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071010-lpd.shtml?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOS%20Line%20Printer%20Daemon%20(LPD)%20Protocol%20Stack%20Overflow&vs_k=1 <p>This is the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported 
to Cisco by Andy Davis from IRM, Plc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature. The original post is available at the following link:</p> <p> <a target="_blank" href="http://www.irmplc.com/index.php/155-Advisory-024">http://www.irmplc.com/index.php/155-Advisory-024</a> </p> <p>Cisco greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports. </p> Wed, 10 Oct 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20071010-lpd.shtml Catalyst 6500 and Cisco 7600 Series Devices Accessible via Loopback Address http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070926-lb?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Catalyst%206500%20and%20Cisco%207600%20Series%20Devices%20Accessible%20via%20Loopback%20Address&vs_k=1 <p>This document is the Cisco PSIRT response to an issue regarding Cisco Catalyst 6500 and Cisco 7600 series devices that was discovered and reported to Cisco by Lee E. 
Rian.</p> <p> </p> <p> The original report has been posted to the full-disclosure mailing list.</p> <p> </p> <p> Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports.</p> <p> </p> <p> This vulnerability is documented in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCek49649"> <strong>CSCek49649</strong> </a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) </p> <p> </p> <p> This Cisco Security Response is available at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070926-lb">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070926-lb</a> </p> Wed, 26 Sep 2007 22:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070926-lb Cisco IOS Reload on Regular Expression Processing http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070912-regexp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOS%20Reload%20on%20Regular%20Expression%20Processing&vs_k=1 <p>This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS® after executing a command that uses, either directly or indirectly, a regular expression. 
The original post is available at the following link:</p> <p><a href="http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html">http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html</a> </p> <p>The Cisco PSIRT posted a preliminary response on the same day, which is available at the following link:</p> <p><a href="http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html">http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html</a> </p> <p>Preliminary research pointed to a previously known issue that was documented as Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsb08386"><strong>CSCsb08386</strong> </a>(<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) , and entitled "PRP crash by show ip bgp regexp", which was already resolved. Further research indicates that the current issue is a different but related vulnerability.</p> <p>There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes. 
</p> Wed, 12 Sep 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070912-regexp VTY Authentication Bypass Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070829-vty?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=VTY%20Authentication%20Bypass%20Vulnerability&vs_k=1 <h2><a name="response"></a> </h2> <p>This is the Cisco PSIRT response to the NileSOFT Security Advisory entitled "Bypass Authentication Vulnerability on Cisco Catalyst 3750 12.2(25)" posted on August 29th, 2007, at 1800 UTC (GMT).</p> <p>The original advisory was posted to a Korean website.</p> <p>This vulnerability was previously discovered and reported to Cisco by a customer in April 2005, and the contents of the Cisco Bug ID have been available on Cisco.com since April 2005. This is a platform independent vulnerability, and is not limited to just the Catalyst 3750 device. 
</p> <p>This vulnerability is documented in Cisco Bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsa91175">CSCsa91175</a> (<span style="font-size: 10px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <p>This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070829-vty">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070829-vty</a>.</p> Wed, 29 Aug 2007 18:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070829-vty Multiple SIP Vulnerabilities in the Cisco 7960 IP Phones http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070821-sip?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Multiple%20SIP%20Vulnerabilities%20in%20the%20Cisco%207960%20IP%20Phones&vs_k=1 <p>This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Radu State, Humberto J. 
Abdelnur and Olivier Festor regarding two Session Initiation Protocol (SIP) vulnerabilities in the Cisco 7940/7960 IP Phones.</p> <p> The original reports are available at the following links:</p> <p> <a href="http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0385.html">http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0385.html</a> </p> <p> <a href="http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0386.html">http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0386.html</a> </p> <p> We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> <p> Cisco has confirmed the following: This issue is documented as Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsi68191">CSCsi68191</a> (<span> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) . Cisco IP Phone 7940/7960 SIP firmware versions prior to 8.7(0) are vulnerable to the denial of service attacks detailed in the reports. Firmware versions 8.7(0) and later are not vulnerable to this issue. 
Version 8.7(0) firmware images for Cisco IP 7940/7960 phones can be obtained here: </p> <p> <a href="http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2">http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2</a> (<span> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) </p> Tue, 21 Aug 2007 22:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070821-sip Cisco Unified MeetingPlace XSS Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Unified%20MeetingPlace%20XSS%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Roger Jefferiss and Rob Pope of SecureTest Ltd, UK regarding a cross-site scripting (XSS) vulnerability in Cisco Unified MeetingPlace Web Conferencing.</p> <p>The original report is available at the following link: <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/056073.html">http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/056073.html</a>.</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> <p>This vulnerability is documented in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsi33940">CSCsi33940</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) .</p> <p>Since publication of this advisory, Cisco has received several support calls related to security scanners still flagging the STPL or FTPL parameter as 
vulnerable to XSS attacks. Cisco has addressed this in Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCtd69750">CSCtd69750</a>.</p> <p>This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp</a>.</p> Wed, 08 Aug 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp Vulnerability in Java Secure Socket Extension http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070725-jsse?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Vulnerability%20in%20Java%20Secure%20Socket%20Extension&vs_k=1 <p>This is the Cisco PSIRT response to the vulnerability in Java Secure Socket Extension (JSSE) disclosed by Sun Microsystems on July 10, 2007, the details of which are available at <a href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1">http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1</a>.</p> <p>There are no workarounds available for this vulnerability. Cisco recommends that customers update all vulnerable applications and components to provide the greatest protection from the listed vulnerability. Cisco will update this document in the event of any changes. 
</p> Wed, 25 Jul 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070725-jsse Cisco Trust Agent - Mac OS X Privilege Escalation Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070611-cta?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Trust%20Agent%20-%20Mac%20OS%20X%20Privilege%20Escalation%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to an issue discovered and reported to Cisco by Adam Blake of Deloitte, UK regarding a vulnerability in Cisco Trust Agent (CTA) installations on Mac OS X. The original report is available at the following link: <a href="http://www.securityfocus.com/archive/1/471041/30/0/flat">http://www.securityfocus.com/archive/1/471041/30/0/flat</a>.</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> <p>This vulnerability is documented in Cisco bug ID: <a href="https://tools.cisco.com/bugsearch/bug/CSCsi58799">CSCsi58799</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only)</p> <p>This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070611-cta">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070611-cta</a>.</p> Mon, 11 Jun 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070611-cta Cisco CallManager Input Validation Vulnerability 
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070523-ccm?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20CallManager%20Input%20Validation%20Vulnerability&vs_k=1 <p>This is Cisco PSIRT's response to the statements made by Marc Ruef and Stefan Friedi from scip AG in their message "Cisco CallManager 4.1 Input Validation Vulnerability," posted on 2007 May 23 at 1600 UTC (GMT).</p> <p>The original emails were posted to BugTraq and Full-Disclosure.</p> <p>In their postings, Marc Ruef and Stefan Friedi illustrate how to bypass the web application firewall used in Cisco CallManager. This means of bypass can be used to display graphics, scripts, or other information downloaded from an external web site. This technique may also be used to conduct cross-site scripting attacks. Cisco confirms that the example the authors Ruef and Friedi provided bypasses the web application firewall and that there may be other methods for bypassing the web application firewall.</p> <p>Cisco has made improvements to the input validation mechanisms in CallManager that may mitigate the risks associated with this security vulnerability. These improvements have been incorporated into 4.2(3)sr2, 3.3(5)sr3, 4.1(3)sr5 and 4.3(1)sr1. 
This issue is being tracked by the following Cisco Bug ID:</p> <ul> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsi12374"> <strong>CSCsi12374</strong> </a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) -Improvements in User Input Validation </li> </ul> <p>Service releases of CallManager software are available at the following link: <a href="http://www.cisco.com/public/sw-center/sw-voice.shtml">http://www.cisco.com/public/sw-center/sw-voice.shtml</a> ( <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) </p> <p></p> Wed, 23 May 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070523-ccm HTTP Full-Width and Half-Width Unicode Encoding Evasion http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070514-unicode?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=HTTP%20Full-Width%20and%20Half-Width%20Unicode%20Encoding%20Evasion&vs_k=1 <p> The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using Unicode encoding that affects security products that perform deep packet inspection of HyperText Transfer Protocol (HTTP) requests. The US-CERT advisory is available at the following link: </p> <p> <a href="http://www.kb.cert.org/vuls/id/739224">http://www.kb.cert.org/vuls/id/739224</a> </p> <p> By encoding the Uniform Resource Locators (URLs) in HTTP requests using certain full-width or half-width Unicode characters, an attacker may be able to evade detection of the HTTP-based attack by an Intrusion Prevention System (IPS) or firewall. 
This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall. </p> <p> Cisco confirms that some Cisco products are affected by the vulnerability described in the US-CERT advisory. </p> <p> This response is posted at the following link: </p> <p> <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070514-unicode">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070514-unicode</a> </p> Tue, 22 May 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070514-unicode DHCP Relay Agent Vulnerability in Cisco PIX and ASA Appliances http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070502-pix?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=DHCP%20Relay%20Agent%20Vulnerability%20in%20Cisco%20PIX%20and%20ASA%20Appliances&vs_k=1 <p>This is a Cisco response to a CERT/CC advisory posted on May 2, 2007, entitled "Cisco ASA fails to properly process DHCP relay packets". This advisory is available at the following link: <a href="http://www.kb.cert.org/vuls/id/530057">http://www.kb.cert.org/vuls/id/530057</a> </p> <p>Cisco confirms the memory exhaustion vulnerability as per the advisory published by CERT/CC and confirms this vulnerability impacts the PIX and ASA appliance for system software 7.2 only. Exploitation of the vulnerability may lead to a Denial of Service condition against the appliance. </p> <p>The Firewall Services Module (FWSM) is not affected by this vulnerability. </p> <p>PSIRT would like to thank Grant Deffenbaugh and Lisa Sittler from the CERT/CC for reporting this vulnerability to Cisco. 
</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.</p> Wed, 02 May 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070502-pix PHP HTML Entity Encoder Heap Overflow Vulnerability in Multiple Web-Based Management Interfaces http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070425-http?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=PHP%20HTML%20Entity%20Encoder%20Heap%20Overflow%20Vulnerability%20in%20Multiple%20Web-Based%20Management%20Interfaces&vs_k=1 <p>This is a response to a Hardened-PHP Project advisory posted on November 3, 2006, entitled "PHP HTML Entity Encoder Heap Overflow Vulnerability." This advisory is available at the following link: <a href="http://www.hardened-php.net/advisory_132006.138.html">http://www.hardened-php.net/advisory_132006.138.html</a>. </p> <p> </p> <p> Several Cisco devices leverage PHP HTML support and are affected by the described vulnerability. 
The affected devices are listed below.</p> <p> </p> <p> There are no workarounds for this vulnerability.</p> <p>Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070425-http">http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070425-http</a>.</p> <p>This Cisco Security Response is posted at the following link: <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070425-http">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070425-http</a>.</p> Wed, 25 Apr 2007 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070425-http Cisco IP Phone 7940/7960 SIP INVITE Denial of Service http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070320-sip?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IP%20Phone%207940/7960%20SIP%20INVITE%20Denial%20of%20Service&vs_k=1 <p>This is the Cisco PSIRT response to an issue disclosed by Mr Radu State in a message sent to the Full-disclosure mailing list on March 20, 2007 with a subject of "CISCO Phone 7940 DOS vulnerability". The original message is available at <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053063.html">http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053063.html</a>.</p> <p> Cisco has confirmed the findings of the statements made. 
Cisco IP Phone 7940/7960 SIP firmware version 7.4(0) is vulnerable to the denial of service. Firmware version 8.6(0) is not vulnerable to this issue. The latest firmware images for Cisco IP 7940/7960 phones can be obtained here:</p> <p> </p> <p> <a href="http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2">http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2</a> </p> <p> </p> <p> We would like to thank Radu State, Humberto J. Abdelnur and Olivier Festor of the Madynes research team at INRIA for reporting these issues to Cisco Systems.</p> <p> </p> <p> We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> Tue, 20 Mar 2007 22:30:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070320-sip Cross-Site Scripting Vulnerability in Online Help System http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070315-xss?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cross-Site%20Scripting%20Vulnerability%20in%20Online%20Help%20System&vs_k=1 <p> A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. </p> <p> The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL. </p> <p> Multiple Cisco products are affected because the vulnerable online help system is used by several Cisco products. 
</p> <p> This response is posted at <a href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070315-xss">http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070315-xss</a> </p> <h2> <a name="add"></a></h2> Thu, 15 Mar 2007 17:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070315-xss Cisco VTP Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070129-vtp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20VTP%20Vulnerability&vs_k=1 <p> An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS).</p> <p>Such an attack must be executed on a local Ethernet segment, and the VTP domain name must be known to the attacker. Additionally, these attacks must be executed against a switch port that is configured for trunking. Non-trunk access ports are not affected. </p> <p>This issue is tracked as Cisco Bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsa67294">CSCsa67294</a> (<span> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) .</p> <h3>Details</h3> <p> The VLAN Trunking Protocol (VTP) is a Layer 2 protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis in order to maintain VLAN configuration consistency. </p> <p>VTP packets are exchanged by VLAN-aware switches. 
For more information on VTP, consult the following link: <a href="http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvtp.html">http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html</a>. </p> <p>Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly, causing an extended Denial of Service.</p> <p>In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. </p> <p>This does not affect switch ports that are configured for voice VLANs. A complete Inter-Switch Link (ISL) or 802.1q trunk port is required for the device to be vulnerable. </p> <p>These platforms are affected:</p> <ul> <li> Cisco 2900XL Series</li> <li> Cisco 2900XL LRE Series </li> <li> Cisco 2940 Series </li> <li> Cisco 2950 Series </li> <li> Cisco 2950-LRE Series </li> <li> Cisco 2955 Series </li> <li> Cisco 3500XL Series </li> <li> Cisco IGESM </li> </ul> <p>No other Cisco products are known to be vulnerable to this issue. </p> <p>This issue was made public on 26-Jan-2007 on the Full-Disclosure and Bugtraq mailing lists. The Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCsa67294">CSCsa67294</a> (<span> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) was made available to registered customers in May of 2005. </p> <p>We would like to thank David Barroso Berrueta and Alfredo Andres Omella for reporting this vulnerability to us. You can find their release here: <a href="http://www.s21sec.com/es/avisos/s21sec-034-en.txt">http://www.s21sec.com/es/avisos/s21sec-034-en.txt</a>. 
</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.</p> <h3>Workarounds</h3> <p>In order to mitigate your exposure, ensure that only known, trusted devices are connected to ports configured for ISL or 802.1q trunking. </p> <p>More information on securing L2 networks can be found in the Cisco SAFE Layer 2 Security document at this location: <a href="http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html">http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml</a> </p> Mon, 29 Jan 2007 21:15:00 PST http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070129-vtp Cisco VLAN Trunking Protocol Vulnerabilities http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060913-vtp?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20VLAN%20Trunking%20Protocol%20Vulnerabilities&vs_k=1 <p>This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 13, 2006, at <a href="http://www.securityfocus.com/archive/1/445896/30/0/threaded" target="_blank">http://www.securityfocus.com/archive/1/445896/30/0/threaded</a>, and entitled "Cisco Systems IOS VTP multiple vulnerabilities".</p> <p>We would like to thank FX and Phenoelit Group for reporting these vulnerabilities to us.</p> <p> We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in 
security vulnerability reports against Cisco products.</p> <p>These vulnerabilities are addressed by Cisco Bug IDs:</p> <ul> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsd52629">CSCsd52629</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) , <a href="https://tools.cisco.com/bugsearch/bug/CSCsd34759">CSCsd34759</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) — VTP version field DoS </li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse40078">CSCse40078</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) , <a href="https://tools.cisco.com/bugsearch/bug/CSCse47765">CSCse47765</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) — Integer Wrap in VTP revision</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsd34855">CSCsd34855</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) , <a href="https://tools.cisco.com/bugsearch/bug/CSCei54611">CSCei54611</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) — Buffer Overflow in VTP VLAN name</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCsg03449">CSCsg03449</a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) — Etherswitch module VLAN Trunking Protocol Vulnerabilities</li> </ul> Wed, 13 Sep 2006 17:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060913-vtp Cisco IOS GRE Decapsulation Vulnerability 
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060906-gre?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOS%20GRE%20Decapsulation%20Vulnerability&vs_k=1 <p>This is a Cisco response to an advisory published by FX of Phenoelit posted as of September 06, 2006, at <a href="http://www.securityfocus.com/archive/1/445322/30/0/threaded" target="_blank">http://www.securityfocus.com/archive/1/445322/30/0/threaded</a>, and entitled "Cisco Systems IOS GRE decapsulation fault". </p> <p>This issue is being tracked by the following Cisco bug IDs:</p> <ul> <li><a href="https://tools.cisco.com/bugsearch/bug/CSCuk27655">CSCuk27655</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) — GRE: make implementation RFC 2784 and RFC 2890 compliant </li> <li><a href="https://tools.cisco.com/bugsearch/bug/CSCea22552">CSCea22552</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) — GRE: implementation of Reserved0 field not RFC2784 compliant </li> <li><a href="https://tools.cisco.com/bugsearch/bug/CSCei62762">CSCei62762</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only)— GRE: IP GRE Tunnel with Routing Present Bit not dropped </li> </ul> <p>We would like to thank FX from Phenoelit for reporting this issue to Cisco. 
We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> Wed, 06 Sep 2006 23:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060906-gre NAC Agent Installation Bypass http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060826-nac?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=NAC%20Agent%20Installation%20Bypass&vs_k=1 <p>This is the Cisco PSIRT response to the statements made by Andreas Gal and Joachim Feise in their advisory entitled "NAC agent installation bypass", available at <a href="http://www.securityfocus.com/archive/1/444424/30/0/threaded">http://www.securityfocus.com/archive/1/444424/30/0/threaded</a> </p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> Sat, 26 Aug 2006 19:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060826-nac Unconfirmed SIP Inspection Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060815-sip?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Unconfirmed%20SIP%20Inspection%20Vulnerability&vs_k=1 <p> This is the initial response from the Cisco Product Security Incident Response Team (PSIRT) regarding a potential vulnerability originally disclosed at the recent 
Black Hat USA 2006 Briefings. In a presentation entitled "SIP Stack Fingerprinting and Stack Difference Attacks", Hendrik Scholz referenced a potential vulnerability in the way the Cisco PIX 500 Series Security Appliances handle inspection of Session Initiation Protocol (SIP) messages.</p> <p> After extensive testing, Cisco has been unable to reproduce this issue and cannot confirm Mr. Scholz's claims.</p> <p> Cisco will update this Security Response should new information become available.</p> Tue, 15 Aug 2006 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060815-sip SIP User Directory Information Disclosure http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060802-sip?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=SIP%20User%20Directory%20Information%20Disclosure&vs_k=1 <p>This is the Cisco PSIRT response to the statements made by Dave Endler and Mark Collier in their presentation, 'Hacking Voice over IP (VoIP) Exposed' at BlackHat USA 2006.</p> <p>We would like to thank Dave Endler for reporting this issue to us.</p> <p>We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.</p> <p>This issue is currently being tracked by Cisco bug ID <a href="https://tools.cisco.com/bugsearch/bug/CSCse92417">CSCse92417</a> (<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) for IOS CallManager Express (CME).</p> <p>Cisco CallManager has been tested and is not vulnerable to this attack.</p> Wed, 02 Aug 2006 16:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060802-sip 
Cisco Secure ACS Weak Session Management Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060623-acs?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Secure%20ACS%20Weak%20Session%20Management%20Vulnerability&vs_k=1 <p>This is the Cisco PSIRT response to the statements made by Darren Bounds in his advisory: Cisco Secure ACS Weak Session Management Vulnerability. The original email/advisory is available at</p> <p> <a href="http://www.securityfocus.com/archive/1/438161" target="_blank">http://www.securityfocus.com/archive/1/438161</a> </p> <p> and</p> <p> <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html" target="_blank">http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html</a> </p> <p>The attacks described in the report take advantage of a weakness in the default configuration of the Cisco Secure Access Control Server (ACS).</p> <p>These issues are being tracked by the following Cisco bug IDs (registered customers only):</p> <ul> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse26754"> <strong>CSCse26754</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) —ACS/ACSE Administration may do limited session validation.
</li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse63433"> <strong>CSCse63433</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) —ACS Unix "Fast Admin" may do limited session validation. </li> <li> <a href="https://tools.cisco.com/bugsearch/bug/CSCse26719"> <strong>CSCse26719</strong> </a> (<span style="font-size: 16px;"> <a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only</span>) —Cisco Secure Port Redirect may be predictable. </li> </ul> <p>Cisco PSIRT will update this security response on an "as-needed" basis as additional information on these issues becomes available.</p> Fri, 23 Jun 2006 22:00:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060623-acs RealVNC Remote Authentication Bypass Vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060622-cmm?vs_f=Cisco%20Security%20Response&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=RealVNC%20Remote%20Authentication%20Bypass%20Vulnerability&vs_k=1 <p>This is Cisco PSIRT's response to the CERT advisory <a href="http://www.kb.cert.org/vuls/id/117929" target="_blank">http://www.kb.cert.org/vuls/id/117929</a>, acknowledged by RealVNC at <a href="http://www.realvnc.com/products/free/4.1/release-notes.html" target="_blank">http://www.realvnc.com/products/free/4.1/release-notes.html</a>.
This vulnerability was originally discovered by James Evans.</p> <p>The original CERT advisory is available at <a href="http://www.kb.cert.org/vuls/id/117929" target="_blank">http://www.kb.cert.org/vuls/id/117929</a>.</p> <p>This issue is being tracked by these Cisco bug IDs:</p> <ul> <li><a href="https://tools.cisco.com/bugsearch/bug/CSCse32811"><strong>CSCse32811</strong> </a>(<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) —RealVNC allows remote access to Windows 2000 server console without password. </li> <li><a href="https://tools.cisco.com/bugsearch/bug/CSCsf02450"><strong>CSCsf02450</strong> </a>(<a href="http://tools.cisco.com/RPF/register/register.do">registered</a> customers only) —RealVNC allows remote access to IP/VC 3540/DCS server console. </li> </ul> Thu, 22 Jun 2006 15:30:00 PDT http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060622-cmm