SecurityTracker.com
Category:   Device (Embedded Server/Appliance)  >   Cisco Clean Access
Vendors:   Cisco
Cisco Clean Access Lack of Authentication in Secure Smart Manager Lets Remote Users Deny Service
SecurityTracker Alert ID:  1015375
SecurityTracker URL:  http://securitytracker.com/id/1015375
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 16 2005
Impact:   Denial of service via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.5.5
Description:   A vulnerability was reported in Cisco Clean Access. A remote user can cause denial of service conditions.

Several scripts on the Secure Smart Manager do not properly authenticate users. A remote user can upload arbitrary files to the '/installer/windows' directory on the target system. This can be exploited to consume all available disk space on the target system and cause the system to lock up.

The '/admin/uploadclient.jsp' script is affected.

Similar vulnerabilities exist in the 'apply_firmware_action.jsp' and 'file.jsp' scripts.

Alex Lanstein discovered this vulnerability.

The original advisory is available at:

http://www.awarenetwork.org/forum/viewtopic.php?p=2236

Impact:   A remote user can upload arbitrary files to the target system to consume all available disk space on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cisco.com/
Cause:   Authentication error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 22 2005 (Cisco Issues Fix) Cisco Clean Access Lack of Authentication in Secure Smart Manager Lets Remote Users Deny Service
Cisco has released a patch.



 Source Message Contents

Subject:  DoS in Cisco Clean Access

Date of release: 16/12/2005
Software: Cisco Clean Access/Perfigo CleanMachines (http://www.cisco.com/en/US/products/ps6128/index.html)
Affected versions: Tested on 3.5.5, assumed all <=current.
Risk: Medium/High
Discovered by: Alex Lanstein 

Background
--------
Cisco Clean Access is an easily deployed Network Admission Control solution that can automatically detect, isolate, and clean infected
 or vulnerable devices that attempt to access your network - regardless of the access method. It identifies whether networked devices
 such as laptops, personal digital assistants, or even game consoles are compliant with your network's security policies, and repairs
 any vulnerabilities before permitting access to the network.

The software that is affected resides on the Secure Smart Manager, not the Secure Smart Server.  

Details
-------
The method below has the possibility to create a denial of service on a few layers.  One, a user without a username or password can
 use the vulnerability to upload files to a web visible folder for fun and profit.  The user could also fill up the drive as it seems,
 aside from /boot, the rest of the drive is one big partition.  Filling up the drive would most definitely cause the system to lock
 up in its current configuration.  

In /admin/uploadclient.jsp there is a lack of authentication check so that anyone who browses to the page can upload files directly
 to the web visible folder /installer/windows.  This is clearly unacceptable.

Similar types of attacks can be launched from apply_firmware_action.jsp and file.jsp.  

Solution(s)
--------
The vendor, Cisco Systems, should prepend _all_ files, especially all .jsp files, with an authentication check.  This seems to be
 the case with most, but not all of the files.  

The vendor should also use a better partitioning scheme in its installs.

Managers of these systems should add some sort of overall .htaccess/.htpasswd system while they are waiting for the vendor patch,
 as I'm sure that under further investigation by the engineers many more files are affected than those listed above.

External discussion and developments:
be .aware | http://www.awarenetwork.org/forum/viewtopic.php?p=2236
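
The advisory's remediation point is that most, but not all, .jsp files begin with an authentication check. The following is an added example, not code from the advisory or from Cisco: a source audit that lists every .jsp under a web root whose first executable content is not the check. It assumes the check is a static include of a file named auth_check.jsp (a hypothetical name), and the sample file contents, including users.jsp and late_check.jsp, are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: the auth check is a static include of a file with this
# hypothetical name; substitute whatever the application really uses.
AUTH_FILE = "auth_check.jsp"
AUTH_INCLUDE = re.compile(
    r'\s*<%@\s*include\s+file\s*=\s*"[^"]*' + re.escape(AUTH_FILE) + r'"\s*%>')
# Only JSP comments and page directives may come before the check.
PREAMBLE = re.compile(r'\s*(?:<%--.*?--%>|<%@\s*page\b.*?%>)', re.S)


def has_leading_auth_check(source):
    """True only if the include precedes every scriptlet and all output."""
    pos = 0
    while (m := PREAMBLE.match(source, pos)):
        pos = m.end()
    return AUTH_INCLUDE.match(source, pos) is not None


def unauthenticated_pages(webroot):
    """Return webroot-relative paths of .jsp files lacking a leading check."""
    missing = []
    for jsp in sorted(Path(webroot).rglob("*.jsp")):
        if jsp.name == AUTH_FILE:
            continue
        if not has_leading_auth_check(jsp.read_text(errors="replace")):
            missing.append(jsp.relative_to(webroot).as_posix())
    return missing


def build_sample_tree(root):
    """Constructed sample files (contents invented for this example)."""
    inc = '<%@ include file="' + AUTH_FILE + '" %>\n'
    pages = {
        "admin/auth_check.jsp": "<% /* session check */ %>\n",
        "admin/users.jsp": '<%@ page import="java.util.*" %>\n' + inc,
        "admin/uploadclient.jsp": '<%@ page import="java.io.*" %>\n<% /* upload */ %>\n',
        "admin/late_check.jsp": "<% /* work done first */ %>\n" + inc,
    }
    for rel, body in pages.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for page in unauthenticated_pages(tmp):
            print("no leading auth check:", page)
```

A clean result only shows that the include directive is present and placed first; it does not show that the included check itself is correct.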
