The administrator's credentials can be changed using the procedure
described in the Cisco Network Building Mediator User Guide at
Details of the procedure are given in section 2-10 Recovering the
Cisco Network Building Mediator Password.
There are no workarounds for these vulnerabilities.
Unauthorized information interception
The following workaround applies only to the vulnerability related to
the HTTP protocol. There is no workaround for the vulnerability that
affects the XML RPC service.
The workaround for this vulnerability is to disable the HTTP service and
use HTTPS instead. The HTTPS service is enabled and running by default; no
further action is needed to enable it. The HTTP service can be disabled with
configTOOL. configTOOL is the software running on the operator workstation
that is used to configure the Multi-Protocol Exchange of the Cisco Network
After applying this workaround to software releases 1.5.1 and 2.2,
configTOOL version 3.1.0b1 is required to continue configuring Cisco Network
Building Mediator via configTOOL.
To start configTOOL, double-click the Cisco Network Building
Mediator configTOOL shortcut icon on the desktop, or choose
Start > All Programs > Network Building Mediator
configTOOL. Connect to a Cisco Network Building Mediator using the
procedure described in the Cisco Network Building Mediator User Guide,
section 3-2 Connecting to the Cisco Network Building Mediator Using
configTOOL. In the Node tree pane, expand the services tab, and then
expand the network tab. Click the http_server tab, and then click
Enabled to uncheck it.
Unauthorized information access
There is no workaround for this vulnerability.
The following mitigation can reduce the risk of unauthorized access to
the Cisco Network Building Mediator and minimize the risks associated with the
vulnerabilities described in this advisory. This mitigation is not effective
against the unauthorized information interception vulnerabilities, because
exploitation of those vulnerabilities does not depend on accessing the device
itself, but on intercepting the session between an operator console and the
Cisco Network Building
Administrators are advised to be selective when choosing the devices
that are allowed to establish connections to the Cisco Network Building
Mediator. The following rules allow only the legitimate operator console(s) to
establish sessions to the Cisco Network Building Mediator. To execute the
following commands you must have Administrator privileges on the Cisco Network
Building Mediator. In the following examples it is assumed that the operator
console has IP address 192.0.2.1; change 192.0.2.1 to match the IP address
used by the designated operator console. The following commands must be
entered on the serial console. Please refer to section 2.4 in the user guide at
for information on how to connect to the serial port using HyperTerminal.
# The following command sets the default policy for the INPUT chain.
# The default policy is to drop all packets unless they are explicitly
# permitted by a rule in the INPUT chain.
iptables -P INPUT DROP
# This rule allows all traffic from the operator console with
# IP address 192.0.2.1 to the Cisco NBM.
# Change 192.0.2.1 to match the IP address used by your operator console.
iptables -I INPUT 1 --source 192.0.2.1 -j ACCEPT
# Repeat the previous command if you have more than one operator console.
# Increment the number after the "INPUT" keyword for each console you
# are adding.
# This command allows a second operator console with IP address
# 192.0.2.2 to access the Cisco NBM.
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying the rules from the above example, care must be taken to allow
access to the ports and protocols used by the sensors and other devices
deployed in the system that are monitored and controlled by the Cisco Network
Building Mediator. Failure to do so will break connectivity to these sensors
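The following script is an added example (not part of the advisory or of Cisco's software) that builds the allow-list rule set described above for any number of operator consoles while also keeping the sensor and device ports the caveat warns about. It prints the iptables commands rather than running them, so the rule set can be reviewed before being piped to sh on the Mediator console; the loopback and established-connection rules, and the proto:port list for device traffic, are assumptions added here.

```shell
#!/bin/sh
# Prints the iptables commands for the operator-console allow-list.
# Review the output, then apply it on the Mediator console as root:
#   sh nbm_rules.sh "192.0.2.1 192.0.2.2" "udp:47808 tcp:502" | sh
# Assumptions (not from the advisory): local services need loopback and
# replies to connections the Mediator opens; the device protocol ports are
# supplied by the operator as proto:port pairs (sample values only).

# $1: space-separated operator console IPv4 addresses (at least one)
# $2: space-separated proto:port pairs used by monitored sensors/devices
nbm_rules() {
  consoles=$1
  device_ports=$2
  [ -n "$consoles" ] || { echo "nbm_rules: at least one console address is required" >&2; return 1; }
  # Reject anything that is not a dotted quad before emitting a rule for it.
  for ip in $consoles; do
    case $ip in
      *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo "nbm_rules: invalid IPv4 address '$ip'" >&2; return 1 ;;
      *.*.*.*) ;;
      *) echo "nbm_rules: invalid IPv4 address '$ip'" >&2; return 1 ;;
    esac
  done
  for pp in $device_ports; do
    case $pp in
      tcp:[0-9]*|udp:[0-9]*) ;;
      *) echo "nbm_rules: expected proto:port, got '$pp'" >&2; return 1 ;;
    esac
  done
  # ACCEPT rules are emitted first and the DROP policy last, so a session that
  # is already open is never cut off between two commands.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for ip in $consoles; do
    echo "iptables -A INPUT --source $ip -j ACCEPT"
  done
  # Keep the protocols the monitored sensors and devices use reachable.
  for pp in $device_ports; do
    echo "iptables -A INPUT -p ${pp%%:*} --dport ${pp#*:} -j ACCEPT"
  done
  echo "iptables -P INPUT DROP"
}

if [ $# -gt 0 ]; then
  nbm_rules "$1" "$2"
fi
```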
Additional mitigation techniques that can be deployed on Cisco devices
within the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory: