SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Embedded Server/Appliance)  >   Cisco Clean Access Vendors:   Cisco
(Cisco Issues Fix) Cisco Clean Access Lack of Authentication in Secure Smart Manager Lets Remote Users Deny Service
SecurityTracker Alert ID:  1015398
SecurityTracker URL:  http://securitytracker.com/id/1015398
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 22 2005
Impact:   Denial of service via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.5.5
Description:   A vulnerability was reported in Cisco Clean Access. A remote user can cause denial of service conditions.

Several scripts on the Secure Smart Manager do not properly authenticate users. A remote user can upload arbitrary files to the '/installer/windows' directory on the target system. This can be exploited to consume all available disk space on the target system and cause the system to lock up.

The '/admin/uploadclient.jsp' is affected.

Similar vulnerabilities exist in the 'apply_firmware_action.jsp' and 'file.jsp' scripts.

Alex Lanstein discovered this vulnerability.

The original advisory is available at:

http://www.awarenetwork.org/forum/viewtopic.php?p=2236

Impact:   A remote user can upload arbitrary files to the target system to consume all available disk space on the target system.
Solution:   The vendor has released a patch, available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches?psrtdcat20e2

Cisco assigned Cisco Bug ID CSCsc85405 to this vulnerability.

Future versions 3.5(9) and 3.6.0.1 will include the fix.

The vendor's response (which also describes a workaround) is available at:

http://www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml

Vendor URL:  www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml (Links to External Site)
Cause:   Authentication error

Message History:   This archive entry is a follow-up to the message listed below.
Dec 16 2005 Cisco Clean Access Lack of Authentication in Secure Smart Manager Lets Remote Users Deny Service



 Source Message Contents

Subject:  Cisco Security Response: DoS in Cisco Clean Access


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Response
==============

This is Cisco PSIRT's response to the statements made by Alex Lanstein
in his message: <DoS in Cisco Clean Access>, posted on 2005-Dec-16, to
the Bugtraq mailing list. An archived version of the report can be
found here:

http://www.securityfocus.com/archive/1/419645/30/0/threaded

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Additional Information
======================

This issue is being tracked by Cisco bug ID:


  * CSCsc85405 -- Obsolete JSPs can cause a DoS attack on CAM


This DDTS has been resolved and the fix is available.

It was discovered that certain obsolete JSP files may be leveraged to
leave the Cisco Clean Access Manager (CAM) open to a denial of service
(DoS) attack.

The patch is available to customers for download from:

http://www.cisco.com/cgi-bin/tablebuild.pl/cca-patches

The following information is from the README file that accompanies the
patch for CSCsc85405. For more complete information on the issue,
please consult the README.

To address and fix this vulnerability, you must remove the obsolete
JSP files from your CAM as they are no longer needed. You can either:

1. Install the patch on your CAM, as described in "Patch Installation Intructions" below, or

2. Apply the workaround, as described in "Workaround Solution" below.

Caveat CSCsc85405 will be resolved in the following future releases:

  * Cisco Clean Access release 3.5(9) and above
  * Cisco Clean Access release 3.6.0.1 and above

===============================
Patch Installation Instructions
===============================

To install this patch:

1. Download the Patch-CSCsc85405.tar.gz file from the Cisco Clean
Access Patches folder
(http://www.cisco.com/cgi-bin/tablebuild.pl/cca-patches) under Cisco
Secure Software
(http://www.cisco.com/kobayashi/sw-center/ciscosecure/cleanaccess.shtml).

2.  Open an SSH terminal and copy the patch file into your Clean
Access Manager (CAM) using WinSCP, SSH File Transfer or PSCP, as
described below.

  If using WinSCP or SSH File Transfer: 

        a. Copy Patch-CSCsc85405.tar.gz to the /store directory
           on the Clean Access Manager. 

  If using PSCP: 

        a. Open a command prompt on your Windows computer. 

        b. Cd to the path where your PSCP resides 
            (e.g, C:\Documents and Settings\desktop). 

        c. Enter the following command to copy the file to the CAM:

           pscp Patch-CSCsc85405.tar.gz root@ipaddress_manager:/store


3. From the SSH terminal, untar the patch file on the CAM:

        cd /store
        tar xzvf Patch-CSCsc85405.tar.gz

4. Cd to the Patch-CSCsc85405 directory:

        cd Patch-CSCsc85405

5. Execute the patch file upgrade on the CAM:

         ./patch.sh


=========================
Workaround Solution
=========================

The following workaround steps remove the affected .jsp files from the
CAM, as they are no longer needed.

1. Open an SSH terminal, and login to the CAM shell.

2. Change directory as follows:

        cd /perfigo/control/tomcat/webapps/admin/

3. Remove the uploadclient.jsp and ieee8021x.jsp files:

        rm -f uploadclient.jsp ieee8021x.jsp

4. Change directory as follows:

        cd /perfigo/control/tomcat/work/Standalone/localhost/admin

5. Remove the cached jsp sources:

        rm -f uploadclient_jsp.* ieee8021x_jsp.*

6. Remove any file in the "installer/window" directory, this will be
useful for any exploited machine.

        rm -f /perfigo/control/tomcat/normal-webapps/installer/windows/*

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at http://www.cisco.com/en/US/products/
products_security_vulnerability_policy.html. This includes instructions
for press inquiries regarding Cisco security notices. All Cisco
security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)

iD8DBQFDqbqrezGozzK2tZARAg5oAKDFImK6FyCWQQhNKaSXGt+8QlqkAwCfcrei
5rYuJ/Qlpqun2NgSd1jTqtI=
=d4PN
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC