
TCP ports

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

Software are currently known to be affected by this vulnerability.

Details
=======

Completion of the 3-way handshake to the associated TCP port number(s)
of any of the features outlined below is required in order for
the vulnerability to be successfully exploited.

Airline Product Set (ALPS)
+-------------------------

Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability

Cisco Security Agent for Microsoft Windows. This buffer overflow can be
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.

The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.

Cisco has released free software updates that address this
vulnerability.


Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability

Note: Only the Cisco SBC module reloads after successful
exploitation. The Cisco 7600 series router does not reload and it is
not affected by this vulnerability.

Note: TCP port 2000 is typically used by Skinny Client Control Protocol
(SCCP) applications. The Cisco SBC module, however, uses TCP port 2000
for high availability (redundancy) communication and does not use SCCP
for this purpose.

This vulnerability is documented in Cisco Bug IDs CSCsq18958 (

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

Clientless WebVPN, SSL VPN Client, and AnyConnect connections are
enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA with WebVPN configured and enabled.
In this case the ASA will listen for WebVPN connections on the
default port, TCP port 443:

    http server enable
    !
    webvpn
     enable outside

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

  * HTTP Server DoS

    Cisco Unified IP Phone 7935 and 7936 devices running SCCP
    firmware contain a DoS vulnerability in their internal HTTP
    server. By sending a specially crafted HTTP request to TCP port
    80 on a vulnerable phone, it may be possible to cause the phone
    to reboot. It is possible to work around this issue by disabling
    the internal HTTP server on vulnerable phones. The internal HTTP
    server only listens on TCP port 80. This vulnerability is
    corrected in SCCP firmware version 3.2(17) for 7935 devices and

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

The Certificate Trust List (CTL) Provider service of Cisco Unified
Communications Manager version 5.x contains a memory consumption
vulnerability that occurs when a series of malformed TCP packets are
received by a vulnerable Cisco Unified Communications Manager system
and may result in a DoS condition. The CTL Provider service listens
by default on TCP port 2444 and is user configurable. The CTL
Provider service is enabled by default. There is a workaround for
this vulnerability. The vulnerability is fixed in Cisco Unified
Communications Manager version 5.1(3). The vulnerability is
documented in Cisco Bug ID CSCsj80609 and has been assigned the
CVE identifier CVE-2008-1742.

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for one or more of
the following features:

  * NetMeeting Directory NAT (LDAP on TCP port 389)
  * NAT for Session Initiation Protocol (SIP)
  * NAT for H.323

The preferred method to verify whether NAT is enabled on a Cisco IOS
device is to log in to the device and issue the "show ip nat

Cisco Security Advisory: Cisco IOS NAT Skinny Call Control Protocol Vulnerability

Details
=======

The Skinny Client Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available.

The NAT SCCP Fragmentation Support feature prevents skinny control

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Workarounds
===========

Administrators can mitigate the SCCP- and SIP-related vulnerabilities
by implementing filtering on screening devices to permit access to
TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only
from networks that require SCCP and SIP access to Cisco Unified
Communications Manager appliances.

It is possible to mitigate the CTI Manager vulnerability by disabling
the CTI Manager service if it is not necessary; however, this workaround
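
The filtering workaround above is easy to state and easy to get subtly wrong (a missing UDP line, a rule that permits the port from "any"). As an added example that is not part of the Cisco advisory, the Python below models that screening-device filter: it builds permit entries for the SCCP and SIP ports from a list of trusted networks, adds explicit denies for those ports from anywhere else, renders the result in IOS extended-ACL syntax for review, and evaluates sample flows with first-match semantics. The CUCM address 10.1.10.5 and the trusted networks 10.1.20.0/24 and 192.0.2.0/24 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing for the example (not from the advisory).
CUCM = ipaddress.ip_address("10.1.10.5")            # CUCM appliance
TRUSTED = [ipaddress.ip_network("10.1.20.0/24"),    # phone VLAN needing SCCP
           ipaddress.ip_network("192.0.2.0/24")]    # SIP trunk peer network

# Ports named in the workaround: SCCP 2000/2443 (TCP), SIP 5060/5061 (TCP and UDP).
SIGNALLING = {("tcp", 2000), ("tcp", 2443),
              ("tcp", 5060), ("udp", 5060),
              ("tcp", 5061), ("udp", 5061)}


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    dport: Optional[int]             # None matches any destination port


def build_tacl():
    """Permit the signalling ports only from trusted networks, then deny the
    same ports from anywhere else. Whatever transit policy the site applies
    after these lines is left to the site; unmatched flows fall to the
    implicit deny in evaluate()."""
    rules = [Rule("permit", proto, net, CUCM, port)
             for net in TRUSTED for proto, port in sorted(SIGNALLING)]
    rules += [Rule("deny", proto, ipaddress.ip_network("0.0.0.0/0"), CUCM, port)
              for proto, port in sorted(SIGNALLING)]
    return rules


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation, as an IOS ACL does it, with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if src not in r.src or dst != r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def render(rules):
    """Emit the rules in IOS extended-ACL syntax (wildcard masks) for review."""
    lines = []
    for r in rules:
        if r.src.prefixlen == 0:
            src = "any"
        else:
            src = f"{r.src.network_address} {r.src.hostmask}"
        port = "" if r.dport is None else f" eq {r.dport}"
        lines.append(f" {r.action} {r.proto} {src} host {r.dst}{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_tacl()
    print(render(acl))
    print(evaluate(acl, "tcp", "198.51.100.9", "10.1.10.5", 2000))
```

The render output is what an operator would paste under `ip access-list extended`; the evaluate function is the quick check that a flow from an untrusted network to a signalling port lands on a deny line rather than slipping through to a later permit.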

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

stream data transfer, reliability, efficient flow control, full-duplex
operation, and multiplexing.

When TCP connections are terminated in Cisco IOS Software, they are
allocated a transmission control block (TCB). All allocated TCBs,
associated TCP port numbers, and the TCP state are displayed in the
output of the "show tcp brief all" command-line interface (CLI) command.

Cisco IOS Software version 15.1(2)T contains a vulnerability that could
cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT
state without a further TCP state transition. Examining the output of
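
The advisory tells the operator to look at "show tcp brief all" for TCBs that sit in SYNRCVD or SYNSENT and never move. As an added example, not from the Cisco advisory, the Python below parses two constructed snapshots laid out like that command's output (TCB values, addresses and states are made up), counts half-open connections per local port, and reports the TCBs that are still embryonic, in the same state, in the later snapshot. A healthy half-open connection either completes or is torn down between snapshots taken a minute or so apart; one that does not is the symptom described.

```python
import re
from collections import Counter

EMBRYONIC = {"SYNRCVD", "SYNSENT"}

# Constructed snapshot in the layout of "show tcp brief all" (not real output).
SNAPSHOT_1 = """\
TCB       Local Address               Foreign Address             (state)
66E3A898  10.1.1.1.23                 10.1.1.2.44512              ESTAB
66E3B0F4  *.22                        *.*                         LISTEN
66E3C1A0  10.1.1.1.179                192.0.2.9.33112             SYNRCVD
66E3C5D4  10.1.1.1.179                192.0.2.9.33113             SYNRCVD
66E3D2B8  10.1.1.1.49153              198.51.100.7.443            SYNSENT
"""

# Same (constructed) device a minute later: one SYNRCVD connection completed,
# the other two embryonic TCBs have not changed state.
SNAPSHOT_2 = """\
TCB       Local Address               Foreign Address             (state)
66E3A898  10.1.1.1.23                 10.1.1.2.44512              ESTAB
66E3B0F4  *.22                        *.*                         LISTEN
66E3C1A0  10.1.1.1.179                192.0.2.9.33112             ESTAB
66E3C5D4  10.1.1.1.179                192.0.2.9.33113             SYNRCVD
66E3D2B8  10.1.1.1.49153              198.51.100.7.443            SYNSENT
"""

# One data row: hex TCB, local addr.port, foreign addr.port, state.
# The header line starts with "TCB", which is not hex, so it does not match.
ROW = re.compile(r"^(?P<tcb>[0-9A-F]+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s*$",
                 re.IGNORECASE)


def split_addr(addr):
    """'10.1.1.1.179' -> ('10.1.1.1', '179'); '*.*' -> ('*', '*').
    IOS joins address and port with a dot, so split on the last one."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_tcp_brief(text):
    """Return {tcb: {"local": (ip, port), "foreign": (ip, port), "state": S}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                     # header, blank or unrecognised line
            continue
        rows[m["tcb"].upper()] = {
            "local": split_addr(m["local"]),
            "foreign": split_addr(m["foreign"]),
            "state": m["state"].upper(),
        }
    return rows


def embryonic_by_port(rows):
    """Half-open connections per local port: shows which listener collects them."""
    return dict(Counter(r["local"][1] for r in rows.values()
                        if r["state"] in EMBRYONIC))


def stuck_tcbs(earlier, later):
    """TCBs embryonic in both snapshots with an unchanged state."""
    return {tcb for tcb, r in earlier.items()
            if r["state"] in EMBRYONIC
            and tcb in later and later[tcb]["state"] == r["state"]}


if __name__ == "__main__":
    first, second = parse_tcp_brief(SNAPSHOT_1), parse_tcp_brief(SNAPSHOT_2)
    print("embryonic per port:", embryonic_by_port(second))
    print("stuck TCBs:", sorted(stuck_tcbs(first, second)))
```

In practice the two snapshots come from the device itself (collected by whatever the site uses to run show commands), and the stuck set is what goes into a ticket or a clear tcp tcb action once the advisory's fixed release is scheduled.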

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities

Computer Telephony Integration Manager Related Vulnerability

The Computer Telephony Integration (CTI) Manager service of CUCM
versions 5.x and 6.x contains a vulnerability when handling malformed
input that may result in a DoS condition. The CTI Manager service
listens by default on TCP port 2748 and is not user-configurable.
There is no workaround for this vulnerability. This vulnerability is
fixed in CUCM versions 5.1(3c) and 6.1(2). This vulnerability is
documented in Cisco Bug ID CSCso75027 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2008-2061.


Cisco Security Advisory: Cisco Unified Communications Web-based Management Vulnerability

and then associated to the instance of the ICM/IPCC Active Directory
hierarchy will have correct permissions. Filters such as Transit ACLs
can then be used to allow access to the Administration Workstation
from only the trusted hosts.

Filters that deny HTTP packets using TCP port 80 and HTTPS packets
using TCP port 443 should be deployed throughout the network as part
of a tACL policy for protection of traffic that enters the network at
ingress access points. This policy should be configured to protect
the network device where the filter is applied and other devices
behind it. Filters for HTTP packets using TCP port 80 and HTTPS

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability

A successful exploit could cause the web server to crash or allow the
attacker to execute arbitrary code on the server. Any code would
execute with system administrative privileges.

The vulnerability could be exploited over TCP port 443 or 1741.

Note: The default HTTP and HTTPS ports can be reconfigured on the
server.

The vulnerability affects both CiscoWorks Common Services for Oracle

Cisco Security Advisory: Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability

Details
=======

The Skinny Client Control Protocol (SCCP) enables voice communication
between an SCCP client and a Call Manager (CM). Typically, the CM
provides service to the SCCP clients on TCP Port 2000 by default.
Initially, an SCCP client connects to the CM by establishing a TCP
connection; the client will also establish a TCP connection with a
secondary CM, if available.

The NAT SCCP Fragmentation Support feature enables the Skinny
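
Both SCCP excerpts on this page (the NAT SCCP advisory above and the earlier one with the same wording) stop just as they reach the fragmentation feature, so it helps to see what a NAT ALG or a CallManager actually has to do with the TCP byte stream on port 2000. The Python below is an added example, not Cisco code: a reassembler that accepts the stream in arbitrary segment sizes and yields complete Skinny messages, plus a bounds check on the declared length so that a bogus value cannot make the reassembler buffer indefinitely. The framing assumed here is the one Wireshark's skinny dissector decodes: a little-endian 32-bit length that counts everything after the 8-byte length-plus-version header, a 32-bit header version, then a 32-bit message ID. The message-ID names are Wireshark's; the length cap and the sample Register payload are constructed for the example.

```python
import struct

# Assumed plausibility bounds: a legal length covers at least the message ID;
# the cap is an illustrative limit on what a single SCCP message may carry.
MIN_LEN, MAX_LEN = 4, 4096

# Message IDs as named by Wireshark's skinny dissector (subset).
NAMES = {0x0000: "KeepAlive", 0x0001: "Register", 0x0002: "IpPort",
         0x0081: "RegisterAck", 0x0100: "KeepAliveAck"}


class SkinnyStream:
    """Reassembles SCCP messages from one direction of a TCP connection.

    TCP does not preserve message boundaries, so a Skinny message may arrive
    split across segments, or several may share one segment. The reassembler
    keeps whatever is left over until the next segment arrives."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment):
        """Append a TCP segment's payload; return the complete messages it
        completes as (name, header_version, payload) tuples."""
        self.buf += segment
        out = []
        while len(self.buf) >= 8:
            length, version = struct.unpack_from("<II", self.buf, 0)
            if not MIN_LEN <= length <= MAX_LEN:
                # Refuse rather than wait for 2 GB of "message" to arrive.
                raise ValueError(f"implausible SCCP length {length}")
            total = 8 + length
            if len(self.buf) < total:
                break                       # fragment: wait for the rest
            (msg_id,) = struct.unpack_from("<I", self.buf, 8)
            payload = self.buf[12:total]
            out.append((NAMES.get(msg_id, f"0x{msg_id:04x}"), version, payload))
            self.buf = self.buf[total:]     # keep any following bytes
        return out


def encode(msg_id, payload=b"", version=0):
    """Build one Skinny message with the framing described above."""
    return struct.pack("<III", 4 + len(payload), version, msg_id) + payload


def demo_fragmented(chunk=5):
    """Constructed exchange: a Register followed by a KeepAlive, delivered
    in 5-byte segments. Returns the names of the messages recovered."""
    register_payload = b"SEP001122334455".ljust(16, b"\0") + b"\x01\x00\x00\x00"
    wire = encode(0x0001, register_payload) + encode(0x0000)
    stream, got = SkinnyStream(), []
    for i in range(0, len(wire), chunk):
        got += stream.feed(wire[i:i + chunk])
    return [name for name, _, _ in got], stream.buf


if __name__ == "__main__":
    print(demo_fragmented())
```

The check on the length field is the part a reader should take away: the field is attacker-controlled, and anything that allocates or waits based on it (a NAT ALG rewriting embedded addresses, a CallManager parsing registrations) needs a bound before trusting it.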

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability

Workarounds
===========

Filters such as Transit ACLs (tACLs) can be used to allow access to
the Administration Workstation from only trusted hosts.

Filters that deny HTTP packets using TCP port 1741 and HTTPS packets
using TCP port 443 should be deployed throughout the network as part
of a tACL policy to protect the network from traffic that enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other
devices that are behind it. Filters for HTTPS packets that use TCP

Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow

determine if the CTL Provider service is enabled on a CUCM server.

The CTL Provider service of the CUCM contains a heap overflow
vulnerability that could allow a remote, unauthenticated user to
cause a DoS condition or execute arbitrary code. The CTL Provider
service listens on TCP port 2444 by default, but the port can be
modified by the user. This issue is documented in Cisco Bug ID
CSCsj22605.

Vulnerability Scoring Details
=============================

CORE-2008-0415: Borland Interbase 2007 Integer Overflow

*Vulnerability Description*

The Borland Interbase 2007 database server [1] is vulnerable to an
integer overflow when a malformed packet is sent to the default TCP port
3050. The integer overflow can cause a stack overflow, which allows
arbitrary code execution with system privileges.


*Vulnerable Packages*

Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

Unified Communications Manager Administration interface. The software
version can also be determined by running the "show version active"
command via the command-line interface.

A SIP trunk must be configured for the Cisco Unified CallManager
server to begin listening for SIP messages on TCP and UDP port 5060
and TCP port 5061. However, in Cisco Unified Communications Manager
versions 5.x and later, the use of SIP as a call signaling protocol
is enabled by default and cannot be disabled.

Cisco IOS Software is also affected by this vulnerability, but it is

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices

Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.

  * Cisco TelePresence endpoint - CSCtb31640 ( registered customers

Cisco Security Advisory: Cisco Security Manager Vulnerability

Summary
=======

Cisco Security Manager contains a vulnerability when it is used with
Cisco IPS Event Viewer (IEV) that results in open TCP ports on both
the Cisco Security Manager server and IEV client. An unauthenticated,
remote attacker could leverage this vulnerability to access the MySQL
databases or IEV server.

Cisco has released free software updates that address this

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

Clientless WebVPN Connections
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clientless WebVPN connections are enabled via the "webvpn" command. For
example, the following configuration shows an ASA running 8.0 software
with clientless WebVPN configured and enabled. In this case the ASA will
listen for WebVPN connections on the default port, TCP port 443:

    http server enable
    !
    webvpn
     enable outside

iDefense Security Advisory 06.03.08: Sun Java System Active Server Pages Multiple Command Injection Vulnerabilities

Exploitation allows an attacker to execute arbitrary shell commands with
elevated privileges. Since this server runs with root privileges, an
attacker could gain complete control of the affected system.

Note that authentication is required to reach these ASP applications via
the administration server on TCP port 5100. However, several methods of
bypassing and circumventing authentication have been discovered,
rendering that requirement irrelevant.

IV. DETECTION


Cisco Security Advisory: Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability

Details
=======

A Cisco IOS device that is configured for SSLVPN or SSH may reload
when it receives a specially crafted TCP packet on TCP port 443
(SSLVPN) or TCP port 22 (SSH). Completion of the three-way handshake
to the associated TCP port number of these features is required for
the vulnerability to be successfully exploited; however,
authentication is not required. A Cisco IOS device that is configured
for IKE encrypted nonces may reload when it receives a specially

Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN Vulnerabilities

Crafted HTTPS packet will crash device
+--------------------------------------

A device configured for SSLVPN may reload or hang when it receives a
specially crafted HTTPS packet. Completion of the 3-way handshake to
the associated TCP port number of the SSLVPN feature is required in
order for the vulnerability to be successfully exploited; however,
authentication is not required. The default TCP port number for
SSLVPN is 443.

This vulnerability is documented in Cisco bug ID CSCsk62253 
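
Several advisories on this page share one precondition: the attacker must complete a three-way handshake to the affected TCP port, and authentication is not needed after that. The practical consequence is that the exposure question is simply "which of these ports accept a connection from where I stand?". The Python below is an added example, not Cisco tooling: it attempts a plain TCP connect to each port named on this page, sends no application data, and reports the ones that completed a handshake. The port-to-feature mapping is compiled from the excerpts above for illustration; the local_listener helper exists only so the check can be exercised offline against 127.0.0.1.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports named in the advisories on this page (mapping compiled for this
# example; a given device exposes only the ones its features enable).
ADVISORY_PORTS = {
    22: "SSH", 80: "HTTP", 443: "HTTPS / SSLVPN / WebVPN",
    1741: "CiscoWorks Common Services HTTP", 2000: "SCCP", 2443: "SCCP over TLS",
    2444: "CTL Provider", 2748: "CTI Manager", 5060: "SIP", 5061: "SIP over TLS",
    8082: "TelePresence endpoint CGI",
}


def handshake_completes(host, port, timeout=1.0):
    """True if a full three-way handshake completes. No application data is
    sent; the connection is closed immediately after it is established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered, timed out, unreachable
        return False


def exposed_ports(host, ports=ADVISORY_PORTS, timeout=1.0):
    """Return {port: description} for the ports that completed a handshake."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda p: (p, handshake_completes(host, p, timeout)),
                                ports))
    return {p: ports[p] for p, ok in results if ok}


def local_listener():
    """Offline test aid: a listening socket on 127.0.0.1 and its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, name in sorted(exposed_ports(target).items()):
        print(f"{port:>5}  {name}")
```

A port that completes the handshake from an untrusted network is the one to put behind the kind of filter the workaround sections describe; a port that only answers from the management or voice VLAN has the precondition already contained. Run the check from each vantage point that matters, not just from the administrator's workstation.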

NSFOCUS SA2007-02 : Cisco Security Agent Remote Buffer Overflow Vulnerability

might trigger a stack buffer overflow in the system kernel. A remote attacker
might cause a system with CSA installed to restart or BSOD. By sending carefully
crafted data an attacker might cause remote code execution, thus gaining complete
control over the system.

By default CSA allows access to TCP ports 139 and 445. After establishing a
session to TCP ports 139 and 445, an attacker can complete an exploitation
without any authentication simply by sending a single packet.

Cisco Security Agent for Windows version 5.2.0.225 and prior are affected.
Other Cisco software that uses the CSA component is also affected.

Cisco Security Advisory: Cisco Unified Communications Manager Skinny Client Control Protocol Vulnerabilities

Cisco Unified Communications Manager contains two vulnerabilities that
involve the processing of SCCP packets. These issues may allow a
remote, unauthenticated attacker with the ability to send crafted SCCP
messages to an affected device to cause a reload or execute
attacker-controlled SQL code. Both SCCP ports (TCP ports 2000 and
2443) are affected.


Cisco Unified Communications Manager SCCP Registration may Cause Reload
+----------------------------------------------------------------------

Vulnerabilities in Samsung TV (remote controller protocol)



All the current Samsung TV and BD systems can be controlled remotely
via iPad, Android and other software/devices supporting the protocol
used on TCP port 55000:

  http://itunes.apple.com/us/app/samsung-remote/id359580639
  https://play.google.com/store/apps/details?id=com.samsung.remoteTV

The vulnerabilities require only the Ethernet/wi-fi network connected

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination.

NAT for SIP translates packets using UDP (port 5060) or TCP (port
5060) as the underlying transport protocol. The NAT for SIP DoS
vulnerability can be exploited only with the use of UDP port 5060
packets.

This vulnerability is documented in Cisco bug ID CSCtf17624 

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or Transport
Layer Security (TLS; TCP port 5061) as the underlying transport
protocol.

Three vulnerabilities exist in the SIP implementation in Cisco IOS
Software that may allow a remote attacker to cause an affected device


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.