infrastructure
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01205079
Version: 1
HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-23
Last Updated: 2007-10-23
Workarounds
===========
The following mitigations have been identified for this
vulnerability, which may help protect an infrastructure until an
upgrade to a fixed version of Cisco IOS software can be scheduled:
Infrastructure Access Control Lists
+----------------------------------
The following workarounds have been identified for this
vulnerability.
Note: L2TP implementations will need to allow UDP 1701, from trusted
addresses to infrastructure addresses. This does not provide for a
full mitigation as the source addresses may be spoofed.
Note: L2TPv3 over IP only implementations need to deny all UDP 1701
from anywhere to the infrastructure addresses.
document titled "Performing Basic System Management" at the following
link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1034942
Infrastructure Access Control Lists
+----------------------------------
Warning: Because the feature in this vulnerability utilizes
UDP as a transport, it is possible to spoof the sender's IP address,
which may defeat ACLs that permit communication to these ports from
packets via UDP port 2067, both of the following actions must be
taken:
1. Disable UDP outgoing packets with the "dlsw udp-disable" command,
AND
2. Filter UDP 2067 in the vulnerable device using infrastructure
ACL.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
===========
The following workarounds have been identified for these
vulnerabilities.
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
Control Plane Policing (CoPP) can be used to block untrusted UDP port
1975 access to the affected device. Cisco IOS software releases
12.2BC and 12.2SCA support the CoPP feature. CoPP may be configured
on a device to protect the management and control planes to minimize
the risk and effectiveness of direct infrastructure attacks by
explicitly permitting only authorized traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. The following example can be adapted to your network.
Note: CoPP is not supported on uBR10012 series devices.
===========
The following mitigation and identification methods have been
identified for these vulnerabilities:
Infrastructure Access Control Lists
+----------------------------------
Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
Different Cisco platforms support different numbers of terminal
lines. Check your device's configuration to determine the correct
number of terminal lines for your platform.
Infrastructure ACLs (iACL)
+-------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic that should never be
allowed to target your infrastructure devices and block that traffic
disable the specific features that make a device vulnerable, if this
action is feasible.
Allowing only legitimate devices to connect to affected devices will
help limit exposure to this vulnerability. Refer to the following
Control Plane Policing and Configuring Infrastructure Access Lists
subsections for further details. Because a TCP three-way handshake
is not required, the mitigation must be combined with anti-spoofing
measures on the network edge to increase effectiveness.
Additional mitigations that can be deployed on Cisco devices within the
access-list 90 permit host <up-converter-IP-if-exists>
access-list 90 deny any
snmp-server community private rw 90
Using Infrastructure ACLs at Network Boundary
+--------------------------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic
McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, utilizes hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson applications. There are two components to an HCI implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server
contains the database account usernames and their respective passwords, /usr/local/bin/password. Content from /usr/local/bin/password is shown:
# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
Note: The vulnerabilities described in this document can be exploited
by spoofed IP packets if the attacker knows the IP address of the
trusted PIM neighbors listed in the ip pim neighbor-filter
implementation.
To protect infrastructure devices and minimize the risk, impact, and
effectiveness of direct infrastructure attacks, administrators are
advised to deploy ACLs to perform policy enforcement of traffic sent
to core infrastructure equipment. PIM is IP protocol 103. As an
additional workaround, administrators can explicitly permit only
authorized PIM (IP protocol 103) traffic sent to infrastructure
Cisco Industrial Ethernet 3000 Series switches that are running
affected versions of Cisco IOS Software contain hard-coded SNMP
read-write community names.
The Cisco Industrial Ethernet 3000 Series is a family of switches
that provide a rugged, easy-to-use, secure infrastructure for harsh
environments.
SNMP is used for managing and monitoring the device and community
names are the equivalent to a password.
vulnerabilities in Cisco IOS Software based on the information that
is currently available. This Cisco Security Response will be updated
as new information becomes available.
Cisco PSIRT recommends limiting access to the network with
Infrastructure Access Control Lists (iACLs). Although it is often
difficult to block traffic that transits a network, it is possible to
identify traffic that should never be allowed to target
infrastructure devices and block that traffic at the border of
networks. Infrastructure Access Control Lists (iACLs) are a network
security best practice and should be considered as a long-term
followed by two days of high-quality research papers whose topics include,
but are NOT limited to, the following:
* Privacy Preserving / Enhancing Technologies
* Trust Technologies, Technologies for Building Trust in e-Business Strategy
* Critical Infrastructure Protection
* Observations of PST in Practice, Society, Policy and Legislation
* Network and Wireless Security
* Digital Rights Management
* Operating Systems Security
* Identity and Trust management
-Otto
=============================================================================
Centre for the Protection of National
Infrastructure
Framework for Vulnerability Information
Sharing
Introduction
CPNI was formed from the merger of the National Infrastructure
Workarounds
===========
There are no available workarounds to mitigate this vulnerability
other than applying infrastructure access control lists (iACLs) on
the Cisco 7600 router to block ICMP traffic destined to the IP
address of the Cisco CSG. Administrators can construct an iACL by
explicitly permitting only authorized traffic to enter the network at
ingress access points or permitting authorized traffic to transit the
network in accordance with existing security policies and
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02286740
Version: 1
HPSBMA02555 SSRT100064 rev.1 - HP Client Automation Enterprise Infrastructure (Radia) Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-07-12
Last Updated: 2010-07-12
Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure
Denial of Service Vulnerability
Advisory ID: cisco-sa-20080924-mfi
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
ISOTF Critical Internet Infrastructure WG is now open to public
participation.
The group holds top experts on internet technology, critical
infrastructure, and internet governance, from around the globe.
Together, we discuss definitions, problems, challenges and solutions in
securing and assuring the reliability of the global internet
infrastructure, which is critical infrastructure for a growing number of
nations, corporations and indeed, individuals -- world wide.
Securitybyte & OWASP AppSec Asia Conference is a forum where Ethical Hackers, Practitioners, Researchers, and Developers in the Information Security field gather to showcase and exchange new Research, Innovations, Practical ideas and Experiences. If you are developing, researching, or implementing practical solutions to protect Corporate or Government Information Infrastructures, please consider sharing your experience and expertise at this conference.
First round of CFP submission is July 30th, 2009.
Send your interest and submissions to cfp@securitybyte.org
For any Speaking query, please contact us at speakers@securitybyte.org
We are seeking submissions for both Two days Conference Track & Post conference two days Training workshops in the following areas:
Conference Tracks (17 – 18 Nov, 2009)
Details
=======
Cisco IOS XR Software, which is part of the Cisco IOS Software
family, uses a microkernel-based distributed operating system
infrastructure. Cisco IOS XR Software runs on the Cisco CRS, Cisco
12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services
Routers.
More information on Cisco IOS XR Software is available at the
following link:
"Internet Group Management Protocol Version 3", indicate that every
IGMP message is sent with an IP TTL of 1.
CoPP may be configured on a device to protect the management and
control planes, and minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized
traffic sent to infrastructure devices in accordance with existing
security policies and configurations. The following example can be
adapted to your network. Drop of IGMP packets with unicast IP
destination addresses can also be implemented with CoPP if the
network is using all multicast applications that utilize only
Details
=======
Cisco IOS XR Software, which is part of the Cisco IOS Software
family, uses a microkernel-based distributed operating system
infrastructure. Cisco IOS XR Software runs on the Cisco CRS, Cisco
12000 Series Routers, and Cisco ASR 9000 Series Aggregation Services
Routers. This vulnerability only affects the SPA interface processors
on the Cisco 12000 Series Routers that are running affected versions
of Cisco IOS XR Software.
For devices that need to offer SIP services it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
Virtual Center 2.0.2 and Virtual Center 2.5:
Go to the Windows Services overview on the system that runs
Virtual Center.
To stop WebAccess without a reboot:
Change the status of the VMware Infrastructure Web Access
service to stop
To prevent WebAccess from starting after the next reboot:
Change the startup type of the VMware Infrastructure Web
Access service to disabled
For devices that need to offer SIP services, it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations: