
access control lists

TWSL2010-006: Multiple Vulnerabilities in Camtron CMNC-200 IP Camera

No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.


Finding 2: Directory Traversal in Camera Web Server
CVE: CVE-2010-4231

Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and Cisco ASA

  * Crafted TCP ACK Packet Vulnerability
  * Crafted TLS Packet Vulnerability
  * Instant Messenger Inspection Vulnerability
  * Vulnerability Scan Denial of Service
  * Control-plane Access Control List Vulnerability

The first four vulnerabilities may lead to a denial of service (DoS)
condition and the fifth vulnerability may allow an attacker to bypass
control-plane access control lists (ACL).


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

The Cisco Wireless LAN Controller (WLC) product family is affected by
these vulnerabilities:

  * Two denial of service (DoS) vulnerabilities
  * Three privilege escalation vulnerabilities
  * Two access control list (ACL) bypass vulnerabilities

Note: These vulnerabilities are independent of one another. A device
may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

"transport input none" on the vty lines of a vulnerable device will
prevent it from being exploited on TCP port 23. However, if the Cisco
IOS SSH server feature is configured on the device, "transport input
none" will not prevent the device from being exploited on TCP port 22.

Configuration of vty access control lists can partially mitigate this
vulnerability because the vulnerability can be exploited using spoofed
IP source addresses.

Border Gateway Protocol
+----------------------

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

  * Crafted H.323 packet DoS vulnerability

  * SQL*Net packet DoS vulnerability

  * Access control list (ACL) bypass vulnerability

Workarounds are available for some of the vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.

Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities

===========

The following workarounds have been identified for these
vulnerabilities.

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at

Cisco Security Advisory: Cisco IOS Software Object-group Access Control List Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Object-group Access
Control List Bypass Vulnerability

Advisory ID: cisco-sa-20090923-acl

Revision 1.0


Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

The following mitigations have been identified for this
vulnerability, which may help protect an infrastructure until an
upgrade to a fixed version of Cisco IOS software can be scheduled:

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at

Cisco Security Advisory: Cisco IOS Software Crafted Encryption Packet Denial of Service Vulnerability

Workarounds
===========

There are no available workarounds other than disabling the affected
features and protecting SSH access with the use of VTY access control
lists.

Use the "no webvpn enable" command to disable SSL VPN use.

For Cisco IOS the SSH server can be disabled by applying the command 
"crypto key zeroize rsa" while in configuration mode. The SSH server is

Cisco Security Advisory: Cisco XR 12000 Series Shared Port Adapters Interface Processor Vulnerability

Workarounds

There are no workarounds for this vulnerability.

Using Infrastructure Access Control Lists (iACLs) may help limit the
attack surface of this vulnerability. Although it is often difficult
to block traffic that transits a network, it is possible to identify
traffic that should never be allowed to target infrastructure devices
and block that traffic at the border of networks. As a network
security best practice, iACLs should be considered a long-term

Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities

===========

The following mitigation and identification methods have been
identified for these vulnerabilities:

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at

Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches Access Control List Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Nexus 5000 and 3000 Series Switches
Access Control List Bypass Vulnerability

Advisory ID: cisco-sa-20110907-nexus

Revision 1.0


iDefense Security Advisory 08.20.07: Check Point Zone Labs Multiple Products Privilege Escalation Vulnerability

Local exploitation of an insecure permission vulnerability in multiple
Check Point Zone Labs products allows attackers to escalate privileges
or disable protection.

The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
administrator installs any of the Zone Labs ZoneAlarm tools, the
default ACL allows any user to modify the installed files. Some of the
programs run as system services. This allows a user to simply replace
an installed ZoneAlarm file with their own code that will later be
executed with system-level privileges.

Cisco Security Advisory: Vulnerability in Cisco IOS While Processing SSL Packet

Additional information on the configuration and use of the CoPP
feature is available at the following links: 
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html

Access Control List (ACL)
+------------------------

An Access Control List (ACL) can be used to help mitigate attacks
that target this vulnerability. ACLs can specify that only packets
from legitimate sources are permitted to reach a device, and all

Cisco Security Advisory: Cisco IOS XR Software IP Packet Vulnerability

Workarounds
===========

There are no workarounds for this vulnerability.

Using Infrastructure Access Control Lists (iACLs) may help limit the
attack surface of this vulnerability. Although it is often difficult
to block traffic that transits a network, it is possible to identify
traffic that should never be allowed to target infrastructure devices
and block that traffic at the border of networks. iACLs are a network
security best practice and should be considered as a long-term

Cisco Security Advisory: Cisco ONS Platform Crafted Packet Vulnerability

  * Isolate DCN:
    Ensuring the DCN is physically or logically separated from the
    customer network and isolated from the Internet will limit the
    exposure to the exploitation of these vulnerabilities from the
    Internet or customer networks.
  * Apply Transit Access Control Lists:
    Apply access control lists (ACLs) on routers / switches /
    firewalls installed in front of the vulnerable network devices
    such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2
    /TCC2+/TCC2P, or TSC control cards on the ONS is allowed only
    from the network management workstations.

Cisco Security Advisory: Cisco IOS Software Network Time Protocol Packet Vulnerability

NTP Access Group
+---------------

Warning: Because the feature in this vulnerability utilizes
UDP as a transport, it is possible to spoof the sender's IP address,
which may defeat access control lists (ACLs) that permit
communication to these ports from trusted IP addresses. Unicast
Reverse Path Forwarding (Unicast RPF) should be considered to be used
in conjunction to offer a better mitigation solution.


Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability

full mitigation as the source addresses may be spoofed.

Note:  L2TPv3 over IP only implementations need to deny all UDP 1701
from anywhere to the infrastructure addresses.

  * Infrastructure Access Control Lists
    Although it is often difficult to block traffic that transits a
    network, it is possible to identify traffic that should never be
    allowed to target infrastructure devices and block that traffic
    at the border of networks. Infrastructure Access Control Lists
    (iACLs) are a network security best practice and should be

Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability

Management Configuration Guide - Embedded Event Manager Overview at
the following link:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at

Cisco Security Advisory: Cisco IOS IPS Denial of Service Vulnerability

+-------------------------------------------------------------------+

Workarounds
===========

The workaround consists of adding an Access Control List (ACL) to
every Cisco IOS IPS policy configured on the device so that traffic
destined to ports 53/udp or 53/tcp is not inspected by the Cisco IOS
IPS feature. The following ACL would need to be added to the device
configuration:


Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability

control restrictions that only permit authorized devices SNMP access
to the device.

The following configuration example provides operators with
information on changing the community string and adding SNMP access
control restrictions using an access control list (ACL).

    access-list 90 permit host <RF-Switch-IP-1>
    access-list 90 permit host <RF-Switch-IP-2>
    access-list 90 permit host <up-converter-IP-if-exists>
    access-list 90 deny any

Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability

===========

Workarounds consist of filtering packets that are sent to 127.0.0.0/8
range and UDP packets that are sent to port 1975.

Using Interface Access Control Lists
+-----------------------------------

Access lists that filter UDP packets destined to port 1975 can be
used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,

TWSL-2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities

No official response is available at the time of release.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.

Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.

Cisco Security Response: Cisco IOS Software Denial of Service Vulnerabilities

Cisco PSIRT recommends limiting access to the network with
Infrastructure Access Control Lists (iACLs). Although it is often
difficult to block traffic that transits a network, it is possible to
identify traffic that should never be allowed to target
infrastructure devices and block that traffic at the border of
networks. Infrastructure Access Control Lists (iACLs) are a network
security best practice and should be considered as a long-term
addition to good network security.

The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended

Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow

value used. The value of the port can be viewed in CUCM
Administration interface by following the System > Service Parameters
menu and selecting the CTL Provider service.

Filters blocking access to TCP port 2444 should be deployed at the
network edge as part of a transit access control list (tACL). Further
information about transit access control lists is available in the
white paper "Transit Access Control Lists: Filtering at Your Edge,"
which is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.

A third vulnerability may cause access control list (ACL) entries to not
be evaluated after the access list has been manipulated.

Note: These vulnerabilities are independent of each other; a device may
be affected by one and not by the others.


Cisco Security Advisory: Cisco Security Agent for Windows System Driver Remote Buffer Overflow Vulnerability

General Considerations
+---------------------

Filters that deny SMB protocol packets using TCP ports 139 and 445
should be deployed as part of a transit access control list (tACL)
policy for protection from traffic that enters the network at ingress
access points. This policy should be configured to protect the network
device where the filter is applied and other devices behind it. Filters
for SMB protocol packets using TCP ports 139 and 445 should also be
deployed in front of vulnerable hosts so that traffic is allowed only

Citrix MetaFrame Privilege Escalation

tries to locate the icabar.exe file in the directories listed in its
PATH environment variable. If the attacker is able to write to any of
the directories listed in its PATH before the Citrix MetaFrame PATH
entry, the attacker can escalate privilege.

The standard file ACL (Access Control List) of the Windows NT and 2000
operating systems is weak and allows any user to create files in the
SystemDrive (in general c:\) and in many directories listed in its
PATH, which allows an attacker to create a fake icabar.exe and
consequently escalate privilege.


Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers

    Router(config-sip-ua)#no transport tcp

If IPv4 UDP-based Services Are Required
+---------------------------------------

By deploying IPv6 Access Control List (ACL) it is possible to prevent
offending IPv6 packets reaching vulnerable UDP services. The ACL in
the following example will block all IPv6 traffic from reaching
vulnerable services.

    Router(config)#ipv6 access-list protect_IPv4_services

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability

maintenance provider for assistance.

Workarounds
===========

Filters such as transit access control lists (tACLs) can be used to
allow access to the Administration Workstation only from trusted
hosts. This mitigation limits the attack surface of the
vulnerability.

Filters that deny HTTPS packets using TCP port 443 and TCP port 1741


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
