SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (VoIP)  >   Cisco Personal Assistant Vendors:   Cisco
Cisco Personal Assistant Default Configuration on IBM Servers Grants Administrative Access to Remote Users
SecurityTracker Alert ID:  1008814
SecurityTracker URL:  http://securitytracker.com/id/1008814
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jan 29 2004
Original Entry Date:  Jan 21 2004
Impact:   Denial of service via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Systems on IBM Hardware with OS version prior to OS 2000.2.6
Description:   A vulnerability was reported in Cisco Personal Assistant (PA) when installed on IBM servers. A remote user can gain administrative access to the system. A remote user can also cause denial of service conditions on the target system.

Cisco reported that the default installation of several Cisco voice products on the IBM platform leaves the Director Agent configured in an unsecure state. As a result, a remote user can conduct denial of service attacks or gain administrative access.

The report indicates that a remote user can connect to port 14247 and gain administrative access without having to authenticate. Cisco has assigned Cisco Bug ID CSCed33037 to this flaw.

A remote user can also conduct a portscan against port 14247 to cause the IBM Director Agent process (twgipc.exe) to consume 100% of the CPU. A reboot is required to return the system to normal operations. Director Agent versions 2.2 and 3.11 are reportedly affected. Cisco has assigned Cisco Bug ID CSCed23357 to this flaw.

The following IBM server model numbers are reportedly affected: IBM X330 (8654 or 8674), IBM X340, IBM X342, IBM X345, MCS-7815-1000, MCS-7815I-2.0, MCS-7835I-2.4, and MCS-7835I-3.0. Operating system (OS) versions prior to OS 2000.2.6 on the IBM servers are vulnerable.

Impact:   A remote user can gain administrative access to the application.

A remote user can cause the CPU utilization to reach 100%.

Solution:   The vendor reports that this vulnerability can be resolved by making configuration changes. Cisco is providing a repair script to close the vulnerable ports and configure the Director Agent in a secure state. No upgrade is required.
Vendor URL:  www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml (Links to External Site)
Cause:   Configuration error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 21 Jan 2004 09:00:00 -0800
Subject:  Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Voice Product Vulnerabilities on IBM Servers


Revision 1.0 - FINAL


For Public Release 2004 January 21 UTC 1700 (GMT)

========================================================================


Contents

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

========================================================================


Summary
=======

The default installation of Cisco voice products on the IBM platform
will install the Director Agent in an unsecure state, leaving the
Director services vulnerable to remote administration control and/or
Denial of Service attacks. The vulnerabilities can be mitigated by
configuration changes and Cisco is providing a repair script that will
close the vulnerable ports and put the Director agent in secure state
without requiring an upgrade.

This advisory will be available at
http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml.


Affected Products
=================

Cisco voice products running on IBM servers installed with the default
configurations are affected if they leave TCP or UDP port 14247 open. To
verify this vulnerability, the administrator may open a command window
on the server and type netstat -a. If port 14247 is listed, the server
is vulnerable to remote administrative control and Denial of Service
attacks.

Affected Cisco voice products:

   *   Cisco CallManager

   *   Cisco IP Interactive Voice Response (IP IVR)

   *   Cisco IP Call Center Express (IPCC Express)

   *   Cisco Personal Assistant (PA)

   *   Cisco Emergency Responder (CER)

   *   Cisco Conference Connection (CCC)

   *   Cisco Internet Service Node (ISN) running on an IBM with an
       affected OS version.

Affected IBM-based server model numbers:

   *   IBM X330 (8654 or 8674)

   *   IBM X340

   *   IBM X342

   *   IBM X345

   *   MCS-7815-1000

   *   MCS-7815I-2.0

   *   MCS-7835I-2.4

   *   MCS-7835I-3.0

Affected OS Versions:

   *   All operating system (OS) versions running on an IBM server prior 
       to OS 2000.2.6, which has not yet been released as of the date of 
       this notice.


Details
=======

The default installations of Cisco voice products on IBM servers will
install IBM Director in unsecure state leaving TCP and UDP ports 14247
open. Any Director Server/Console agent can connect over port 14247 to
gain administrative level control without requiring authentication.
Also, a network security scanner scanning port 14247 can trigger the IBM
Director agent process twgipc.exe to use 100% of the CPU until the
server is rebooted. These vulnerabilities are documented in the two
Cisco bug IDs:

   *   CSCed33037 - IBM Director agents default install allows remote
       access.

   *   CSCed23357 - IBM servers with Director agent 2.2 or 3.11 are
       vulnerable to a DoS.


Impact
======

A Cisco voice server with the IBM Director agent in unsecure state is
susceptible to administrative level control and Denial of Service attacks.

Administrative level control includes the following functionality:
shutdown/power off/restart, remote command shell, file transfer,
processes/services/device drivers stop and start, network configuration
modification (including domain/workgroup membership), Windows 2000 user
account creation, and SNMP configuration modification.

In a Denial of Service attack, an attacker can render the Cisco voice
server inoperative with CPU utilization spiking to 100%, and the IBM
server must be powered off or rebooted in order to regain control of the
machine.


Software Versions and Fixes
===========================

The vulnerabilities are specific to Cisco voice products on IBM servers
and all vulnerabilities listed in this advisory can be mitigated with
the repair script without requiring an upgrade.

The repair script is available at:

http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des


Obtaining Fixed Software
========================

As the mitigation for the vulnerabilities is a repair script, a software
upgrade is not required to address the vulnerabilities. However, if you
have a service contract, and wish to upgrade to unaffected code, you may
obtain upgraded software through your regular update channels once that
software is available. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com.

If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).

   *   +1 800 553 2447 (toll free from within North America)

   *   +1 408 526 7209 (toll call from anywhere in the world)

   *   e-mail: tac@cisco.com <mailto:tac@cisco.com>

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.


Workarounds
===========

Cisco's repair script adds 3 levels of improved security to the Director
agent:

   1. The Director agent no longer listens on TCP or UDP ports 14247 for
      remote connections from a Director Server. This change prevents
      the Denial of Service attacks described in the Impact section.

   2. The repair script secures the Director agent such that even if
      port 14247 is reenabled, the Director agent still would not accept
      connections from any Director Server.

   3. The Director Agent executable files which are not necessary to the
      functioning of the program, yet provide high levels of access or
      control, are completely disabled by this repair script.

Note: If you are using IBM Director Server and Console to monitor the
Cisco voice products, this repair script will disable the connection to
those IBM servers. The Director agents will still provide pop-up
warnings and Event Viewer messages in version 3.11, and SNMP traps to
network management software like CiscoWorks IP Telephony Monitor. To
regain IBM Director Server monitoring capabilities, IBM Director agent
4.11 will be released in OS Upgrade 2000.2.6 and support can be
re-enabled for Director Server after the upgrade to OS version 2000.2.6.


Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.


Status of This Notice: FINAL
============================

This is a FINAL notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions
of this advisory unless there is some material change in the facts.
Should there be a significant change in the facts, Cisco will update
this advisory.


Distribution
============

This notice will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml. In
addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:

   *   cust-security-announce@cisco.com
   *   first-teams@first.org (includes CERT/CC)
   *   bugtraq@securityfocus.com
   *   full-disclosure@lists.netsys.com
   *   vulnwatch@vulnwatch.org
   *   cisco@spot.colorado.edu
   *   cisco-nsp@puck.nether.net
   *   comp.dcom.sys.cisco
   *   Various internal Cisco mailing lists

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.


Revision History
================

Revision 1.0    2004-January-21    Initial public release.


Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

========================================================================

All contents are Copyright  1992-2004 Cisco Systems, Inc. All rights
reserved. Important Notices <http://www.cisco.com/public/copyright.html>
and Privacy Statement <http://www.cisco.com/public/privacy.html>.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQA6qHnsxqM8ytrWQEQK0wQCfZEb1OWciCHxyvIGWJCvYGFy+R44AnAq7
sMf6LqKMcYO/sFRnSQ4CBjNo
=n+LU
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC