Summary
=======
Cisco Intrusion Prevention System (IPS) platforms that have gigabit
network interfaces installed and are deployed in inline mode contain
a denial of service vulnerability in the handling of jumbo Ethernet
frames. This vulnerability may lead to a kernel panic that requires a
power cycle to recover platform operation. Platforms deployed in
promiscuous mode only or that do not contain gigabit network
interfaces are not vulnerable.
following vulnerabilities:
Arbitrary Program Execution Vulnerability
+----------------------------------------
The Cisco AnyConnect Secure Mobility Client can be deployed to remote
users from the VPN headend, or it can be installed before the
endpoint connects to the VPN headend, a process known as
pre-deployment. When the Cisco AnyConnect Secure Mobility Client is
pre-deployed, the client software is installed and run like any other
application.
allow access to the Administration Workstation only from trusted
hosts. This mitigation limits the attack surface of the
vulnerability.
Filters that deny HTTPS packets using TCP port 443 and TCP port 1741
should be deployed throughout the network as part of a tACL policy to
protect the network from traffic that enters at ingress access
points. This policy should be configured to protect the network
device where the filter is applied and other devices that are behind
it. Filters for HTTPS packets that use TCP port 443 and TCP port 1741
should also be deployed in front of vulnerable network devices so
Workarounds
===========
There are no workarounds for this vulnerability. Access control lists
(ACLs) that are deployed on the FWSM itself to block through-the-device
or to-the-device ICMP messages are not effective to prevent this
vulnerability. However, blocking unnecessary ICMP messages on screening
devices or on devices in the path to the FWSM will prevent the FWSM
from triggering the vulnerability. For example, the following ACL,
when deployed on a Cisco IOS device in front of the FWSM, will prevent
Router#show processes | include L2TP
158 Mwe 62590FE4 4 3 133322900/24000 0 L2TP mgmt daemon
Router#
The L2TP mgmt daemon is started by several different types of
configurations that may be deployed in networks that leverage the
L2TP protocol. If any of the following commands appear in a device's
configuration (as displayed by show running-config), the device will
have started the L2TP mgmt daemon and is vulnerable.
* Device is configured with Virtual Private Dial-Up Networks
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
Note: UDP port 161 is applicable for all versions of SNMP.
General Considerations
+---------------------
Filters that deny TLS packets using TCP port 443 and MGCP packets on UDP
port 2427 should be deployed throughout the network as part of a transit
ACL (tACL) policy for protection of traffic which enters the network at
ingress access points. This policy should be configured to protect the
network device where the filter is applied and other devices behind it.
Filters for TLS packets using TCP port 443 and MGCP packets on UDP port
2427 should also be deployed in front of vulnerable network devices so
As a workaround and best practice allow Telnet, SSH, and ASDM
connections from only trusted hosts in your network.
Additionally, filters that deny TCP ports 22, 23, 80, and 443 packets
may be deployed throughout the network as part of a transit ACL
(tACL) policy for protection of traffic which enters the network at
ingress access points. This policy should be configured to protect
the network device where the filter is applied and other devices
behind it. Filters for packets using TCP ports 22, 23, 80, and 443
should also be deployed in front of vulnerable network devices so
General Considerations
+---------------------
Filters that deny SMB protocol packets using TCP ports 139 and 445
should be deployed as part of a transit access control list (tACL)
policy for protection from traffic that enters the network at ingress
access points. This policy should be configured to protect the network
device where the filter is applied and other devices behind it. Filters
for SMB protocol packets using TCP ports 139 and 445 should also be
deployed in front of vulnerable hosts so that traffic is allowed only
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:
!---
General Considerations
+---------------------
Filters that deny HTTPS packets using TCP port 443 and MGCP packets on
UDP port 2427 should be deployed throughout the network as part of a
transit ACL (tACL) policy for protection of traffic which enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other devices
behind it. Filters for HTTPS packets using TCP port 443 and MGCP packets
on UDP port 2427 should also be deployed in front of vulnerable network
The following workarounds can be implemented.
Transit ACLs (tACL)
+------------------
Filters that deny HTTPS packets using TCP port 443 should be deployed
throughout the network as part of a tACL policy for protection of
traffic which enters the network at ingress access points. This policy
should be configured to protect the network device where the filter is
applied and other devices behind it. Filters for HTTPS packets using
TCP port 443 should also be deployed in front of vulnerable network
1.11.0 and earlier
* Cisco Video Surveillance SP/ISP firmware version 1.23.7 and
earlier
Users should consult their Stream Manager configuration management
tool to determine the versions of firmware installed on deployed video
surveillance devices.
Products Confirmed Not Vulnerable
+--------------------------------
component of the Cisco IP telephony solution that extends enterprise
telephony features and functions to packet telephony network devices,
such as IP phones, media processing devices, voice-over-IP (VoIP)
gateways, and multimedia applications.
When a CUCM server is deployed in secure mode, a Certificate Trust
List (CTL) is used by Cisco Unified IP Phone devices to verify the
identity of CUCM servers. The CTL contains public keys and other
information to allow the Cisco IP Phone devices to establish a
trusted relationship with a CUCM server. The CTL is provisioned using
the CTL Provider service on a CUCM server and with the CTL Provider
hierarchy will have correct permissions. Filters such as Transit ACLs
can then be used to allow access to the Administration Workstation
from only the trusted hosts.
Filters that deny HTTP packets using TCP port 80 and HTTPS packets
using TCP port 443 should be deployed throughout the network as part
of a tACL policy for protection of traffic that enters the network at
ingress access points. This policy should be configured to protect
the network device where the filter is applied and other devices
behind it. Filters for HTTP packets using TCP port 80 and HTTPS
packets using TCP port 443 should also be deployed in front of
Step 4. Click the "Stop" button to stop the TFTP service.
Note: Disabling TFTP services may impact the functionality of some of
the CiscoWorks components.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090520-cw.shtml.
the intercepted credentials.
By default, Cisco Unified Communications Manager software version 4.x
administrator accounts are created as part of an underlying Microsoft
Windows operating system. Cisco Unified Communications Manager is
commonly deployed using the Multi-Level Administration (MLA) feature
to ease the integration of Cisco Unified Communications Manager into
enterprise environments. If MLA is enabled, Cisco Unified
Communications Manager stores administrator accounts in the Cisco
Unified Communications Manager DC Directory service. If an attacker
obtains the DC Directory credentials and MLA is enabled, the attacker
used to create the online help and HTML documentation for older CA
SiteMinder releases (6.0 SP4 and earlier). This vulnerability
affects CA SiteMinder in the following ways:
* HTML versions of the product documentation for SiteMinder can
be deployed on an individual system or through a web server. If
product documentation has been deployed on a web server the
SiteMinder 6.0 installation is vulnerable.
* Online help systems for SiteMinder are deployed and accessible
through a web server. This vulnerability applies to help systems.
# of 192.0.2.2 to access the Cisco NBM
iptables -I INPUT 2 --source 192.0.2.2 -j ACCEPT
When applying rules from the above example, care must be taken to
allow access to the ports and protocols used by the sensors and other
devices deployed in the system that are monitored and controlled by
the Cisco Network Building Mediator. Failure to do so will break
connectivity to these sensors and devices.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
vulnerability.
Even if only one PE router in the network runs an unfixed version of
IOS code, it is vulnerable to packets that come from systems that are
connected to remote PE routers. In such a case, workarounds need to
be deployed on all PE routers to successfully mitigate this
vulnerability.
The "mdt data <group> <mask>" or "mdt data <group> <mask> threshold
<n> list <acl>" commands do not mitigate this vulnerability.
allowed to target your infrastructure devices and block that traffic
at the border of your network. iACLs are a network security best
practice and should be considered as a long-term addition to good
network security as well as a workaround for this specific
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list which will protect
all devices with IP addresses in the infrastructure IP address range:
!-- Note: IPC packets sent to UDP destination port 1975 must not
!-- be permitted from any trusted source as this traffic
allowed to target your infrastructure devices and block that traffic
at the border of your network. iACLs are a network security best
practice and should be considered as a long-term addition to good
network security as well as a workaround for this specific
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list which will protect
all devices with IP addresses in the infrastructure IP address range:
!-- Permit SNMP (UDP port 161) packets from trusted hosts
!-- destined to infrastructure addresses.
1. Disable UDP outgoing packets with the "dlsw udp-disable" command,
AND
2. Filter UDP 2067 in the vulnerable device using infrastructure
ACL.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080326-dlsw.shtml
Filters such as Transit ACLs (tACLs) can be used to allow access to
the Administration Workstation from only trusted hosts.
Filters that deny HTTPS packets using TCP port 443 and TCP port 1741
should be deployed throughout the network as part
of a tACL policy to protect the network from traffic that enters the
network at ingress access points. This policy should be configured to
protect the network device where the filter is applied and other
devices that are behind it. Filters for HTTPS packets that use TCP
port 443 and TCP port 1741 should also be deployed in front of
Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by
at least one of the vulnerabilities described in this document.
The Cisco Unified MeetingPlace conferencing solution provides
functionality that allows organizations to host integrated voice,
video, and web conferencing. The solution is deployed on-network and
integrated directly into an organization's private voice/data
networks and enterprise applications. Cisco Unified MeetingPlace
servers can be deployed so that the server is accessible from the
Internet, allowing external parties to participate in meetings.
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device where the filter is applied
and other devices behind it.
!
Router(config)#interface FastEthernet0/1
Router(config-if)#ipv6 traffic-filter protect_IPv4_services in
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml
Affected Products
=================
Cisco Unified MeetingPlace conferencing solution provides
functionality that allows organizations to host integrated voice,
video, and web conferencing. The solution is deployed on-network,
behind the firewall and integrated directly into an organization's
private voice/data networks and enterprise applications. Cisco
Unified MeetingPlace servers can be deployed so that the server is
accessible from the Internet, allowing external parties to
participate in meetings.
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure ACLs (iACLs) are a network
security best practice and should be considered as a long-term
addition to good network security as well as a workaround for this
specific vulnerability. The iACL example below should be included as
part of the deployed infrastructure access-list, which will help
protect all devices with IP addresses in the infrastructure IP
address range:
!---
asa(config)# http server enable
asa(config)# http 192.168.1.0 255.255.255.0 inside
asa(config)# telnet 192.168.1.0 255.255.255.0 inside
asa(config)# ssh 192.168.1.0 255.255.255.0 inside
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100804-fwsm.shtml