Security Alerts

Cisco Elastic Services Controller User Credentials Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive credentials that are stored in an affected system.

The vulnerability exists because the affected software does not sufficiently control access to the credential repository on an affected system. An attacker could exploit this vulnerability by accessing certain files on an affected system via the command line. A successful exploit could allow the attacker to retrieve sensitive user credentials from the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc8 A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive credentials that are stored in an affected system.

The vulnerability exists because the affected software does not sufficiently control access to the credential repository on an affected system. An attacker could exploit this vulnerability by accessing certain files on an affected system via the command line. A successful exploit could allow the attacker to retrieve sensitive user credentials from the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc8
Security Impact Rating: Medium
CVE: CVE-2017-6696
Categories: Security Alerts

Cisco Elastic Services Controller Unauthorized Directory Access Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system.

The vulnerability exists because the affected component does not sufficiently protect files that are stored in the file system. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful exploit could allow the attacker to access and manipulate files on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc7 A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system.

The vulnerability exists because the affected component does not sufficiently protect files that are stored in the file system. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful exploit could allow the attacker to access and manipulate files on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc7
Security Impact Rating: Medium
CVE: CVE-2017-6693
Categories: Security Alerts

Cisco Elastic Services Controller Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system.

The vulnerability is due to improper permissions that are set for certain files by the affected service. An attacker could exploit this vulnerability to gain access to sensitive information on an affected system, which could lead to further attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc6 A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system.

The vulnerability is due to improper permissions that are set for certain files by the affected service. An attacker could exploit this vulnerability to gain access to sensitive information on an affected system, which could lead to further attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc6
Security Impact Rating: Medium
CVE: CVE-2017-6691
Categories: Security Alerts

Cisco Elastic Services Controller Insecure Default Administrator Credentials Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user.

The vulnerability is due to the existence of a default, weak, hard-coded password for the admin user of an affected system. An attacker could exploit this vulnerability by logging in to an affected system via Secure Shell (SSH) on TCP port 2024 and using the default password to authenticate to the system as the admin user. A successful exploit could allow the attacker to log in to the affected system as the admin user and perform actions associated with the privileges of the admin user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc5 A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user.

The vulnerability is due to the existence of a default, weak, hard-coded password for the admin user of an affected system. An attacker could exploit this vulnerability by logging in to an affected system via Secure Shell (SSH) on TCP port 2024 and using the default password to authenticate to the system as the admin user. A successful exploit could allow the attacker to log in to the affected system as the admin user and perform actions associated with the privileges of the admin user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc5
Security Impact Rating: Medium
CVE: CVE-2017-6689
Categories: Security Alerts

Cisco Elastic Services Controller Insecure Default Password Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user.

The vulnerability is due to the existence of a default, weak, hard-coded password for the Linux root user of an affected system. A successful exploit could allow the attacker to log in to the affected system as the Linux root user and perform actions associated with the privileges of the root user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc4 A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user.

The vulnerability is due to the existence of a default, weak, hard-coded password for the Linux root user of an affected system. A successful exploit could allow the attacker to log in to the affected system as the Linux root user and perform actions associated with the privileges of the root user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc4
Security Impact Rating: Medium
CVE: CVE-2017-6688
Categories: Security Alerts

Cisco Elastic Services Controller Insecure Default Credentials Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user.

The vulnerability is due to the existence of a default, weak, hard-coded password for the Linux admin user of an affected system. A successful exploit could allow the attacker to log in to the affected system as the Linux admin user and perform actions associated with the privileges of the admin user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc3 A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user.

The vulnerability is due to the existence of a default, weak, hard-coded password for the Linux admin user of an affected system. A successful exploit could allow the attacker to log in to the affected system as the Linux admin user and perform actions associated with the privileges of the admin user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc3
Security Impact Rating: Medium
CVE: CVE-2017-6684
Categories: Security Alerts

Cisco Elastic Services Controller Authentication Request Processing Arbitrary Command Execution Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system.

The vulnerability is due to insufficient sanitization of arguments that are passed while authenticating to the monitoring daemon on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the monitoring daemon via TCP port 6000 on an affected system. A successful exploit could allow the attacker to execute arbitrary commands as the tomcat user on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc2 A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system.

The vulnerability is due to insufficient sanitization of arguments that are passed while authenticating to the monitoring daemon on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the monitoring daemon via TCP port 6000 on an affected system. A successful exploit could allow the attacker to execute arbitrary commands as the tomcat user on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc2
Security Impact Rating: Medium
CVE: CVE-2017-6683
Categories: Security Alerts

Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system.

The vulnerability is due to insufficient sanitization of commands that are permitted to run from the ConfD CLI of an affected system. An attacker could exploit this vulnerability by breaking from the restricted shell of the ConfD CLI of an affected system and running arbitrary commands as the Linux tomcat user on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc1 A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system.

The vulnerability is due to insufficient sanitization of commands that are permitted to run from the ConfD CLI of an affected system. An attacker could exploit this vulnerability by breaking from the restricted shell of the ConfD CLI of an affected system and running arbitrary commands as the Linux tomcat user on the affected system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esc1
Security Impact Rating: Medium
CVE: CVE-2017-6682
Categories: Security Alerts

Cisco Email Security Appliance Attachment Filter Bypass Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device.

The vulnerability is due to improper input validation of an email with an attachment and modified Multipurpose Internet Mail Extensions (MIME) header. An attacker could exploit this vulnerability by sending a malformed email message with an attachment. A successful exploit could allow the attacker to bypass configured message filters to drop the email. The email may not be RFC compliant. However, some mail clients could still allow users to read the email, which may not have been properly filtered by the device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esa1 A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device.

The vulnerability is due to improper input validation of an email with an attachment and modified Multipurpose Internet Mail Extensions (MIME) header. An attacker could exploit this vulnerability by sending a malformed email message with an attachment. A successful exploit could allow the attacker to bypass configured message filters to drop the email. The email may not be RFC compliant. However, some mail clients could still allow users to read the email, which may not have been properly filtered by the device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esa1
Security Impact Rating: Medium
CVE: CVE-2017-6671
Categories: Security Alerts

Cisco Email Security and Content Security Management Appliance Message Tracking Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:
http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esa A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.

Additional information about XSS attacks and potential mitigations can be found at:
http://www.cisco.com/en/US/products/cmb/cisco-amb-20060922-understanding-xss.html
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-esa
Security Impact Rating: Medium
CVE: CVE-2017-6661
Categories: Security Alerts

Cisco Prime Data Center Network Manager Server Static Credential Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges.

The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2 A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges.

The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2
Security Impact Rating: Critical
CVE: CVE-2017-6640
Categories: Security Alerts

Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system.

The vulnerability is due to the lack of authentication and authorization mechanisms for a debugging tool that was inadvertently enabled in the affected software. An attacker could exploit this vulnerability by remotely connecting to the debugging tool via TCP. A successful exploit could allow the attacker to access sensitive information about the affected software or execute arbitrary code with root privileges on the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1 A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system.

The vulnerability is due to the lack of authentication and authorization mechanisms for a debugging tool that was inadvertently enabled in the affected software. An attacker could exploit this vulnerability by remotely connecting to the debugging tool via TCP. A successful exploit could allow the attacker to access sensitive information about the affected software or execute arbitrary code with root privileges on the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1
Security Impact Rating: Critical
CVE: CVE-2017-6639
Categories: Security Alerts

Cisco Unified Communications Domain Manager SQL Injection Vulnerabilities

Cisco Security Advisories - Wed, 2017-06-07 14:00
Vulnerabilities in the web-based GUI of Cisco Unified Communications Domain Manager (CUCDM) could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.

The vulnerabilities are due to insufficient validation of user-supplied input in HTTP request parameters. An attacker could exploit these vulnerabilities by submitting a crafted HTTP request that contains a malicious SQL statement to the web interface of the affected software. An exploit could allow the attacker to retrieve certain data from the SQL database used by CUCDM. Modifying data in the SQL database is not possible.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-cucm2 Vulnerabilities in the web-based GUI of Cisco Unified Communications Domain Manager (CUCDM) could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.

The vulnerabilities are due to insufficient validation of user-supplied input in HTTP request parameters. An attacker could exploit these vulnerabilities by submitting a crafted HTTP request that contains a malicious SQL statement to the web interface of the affected software. An exploit could allow the attacker to retrieve certain data from the SQL database used by CUCDM. Modifying data in the SQL database is not possible.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-cucm2
Security Impact Rating: Medium
CVE: CVE-2017-6668
Categories: Security Alerts

Cisco Unified Communications Domain Manager Open Redirect Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the web-based GUI of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.

The vulnerability is due to improper input validation of HTTP request parameters by the affected software. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the web interface of the affected software, which could cause the web interface to redirect the request to a malicious web page at a specified URL. This vulnerability is referred to as an open redirect attack and is used in phishing attacks that cause users to unknowingly visit malicious sites.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-cucm1 A vulnerability in the web-based GUI of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.

The vulnerability is due to improper input validation of HTTP request parameters by the affected software. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the web interface of the affected software, which could cause the web interface to redirect the request to a malicious web page at a specified URL. This vulnerability is referred to as an open redirect attack and is used in phishing attacks that cause users to unknowingly visit malicious sites.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-cucm1
Security Impact Rating: Medium
CVE: CVE-2017-6670
Categories: Security Alerts

Cisco Context Service SDK Arbitrary Code Execution Vulnerability

Cisco Security Advisories - Wed, 2017-06-07 14:00
A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.

The vulnerability is due to insufficient validation of the update JAR file's signature. An attacker could exploit this vulnerability by performing a man-in-the-middle attack during the update process. At the same time, the attacker must poison a name service or control it and must also control a trusted signing certificate. An exploit could allow the attacker to replace the original JAR file with an altered version, which could then be used to execute arbitrary code.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-ccs A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.

The vulnerability is due to insufficient validation of the update JAR file's signature. An attacker could exploit this vulnerability by performing a man-in-the-middle attack during the update process. At the same time, the attacker must poison a name service or control it and must also control a trusted signing certificate. An exploit could allow the attacker to replace the original JAR file with an altered version, which could then be used to execute arbitrary code.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-ccs
Security Impact Rating: Medium
CVE: CVE-2017-6667
Categories: Security Alerts

TA17-156A: Reducing the Risk of SNMP Abuse

US-CERT - Mon, 2017-06-05 17:11
Original release date: June 05, 2017
Systems Affected

SNMP enabled devices

Overview

The Simple Network Management Protocol (SNMP) may be abused to gain unauthorized access to network devices. SNMP provides a standardized framework for a common language that is used for monitoring and managing devices in a network.

This Alert provides information on SNMP best practices, along with prevention and mitigation recommendations.

Description

SNMP depends on secure strings (or “community strings”) that grant access to portions of devices’ management planes. Abuse of SNMP could allow an unauthorized third party to gain access to a network device. 

SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or replay attack.

Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could support faster interfaces. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. All versions run over the User Datagram Protocol (UDP).

Simply using SNMPv3 is not enough to prevent abuse of the protocol. A safer approach is to combine SNMPv3 with management information base (MIB) whitelisting using SNMP views. This technique ensures that even with exposed credentials, information cannot be read from or written to the device unless the information is needed for monitoring or normal device re-configuration. The majority of devices that support SNMP contain a generic set of MIBs that are vendor agnostic. This approach allows the object identifier (OID) to be applied to devices regardless of manufacturer.

Impact

A remote attacker may abuse SNMP-enabled network devices to access an organization’s network infrastructure.

Solution

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. US-CERT recommends that administrators:

  • Configure SNMPv3 to use the highest level of security available on the device; this would be authPriv on most devices. authPriv includes authentication and encryption features, and employing both features enhances overall network security. Some older images may not contain the cryptographic feature set, in which case authNoPriv needs to be used. However, if the device does not support Version 3 authPriv, it should be upgraded.
  • Ensure administrative credentials are properly configured with different passwords for authentication and encryption. In configuring accounts, follow the principle of least privilege. Role separation between polling/receiving traps (reading) and configuring users or groups (writing) is imperative because many SNMP managers require login credentials to be stored on disk in order to receive traps.
  • Refer to your vendor’s guidance for implementing SNMP views. SNMP view is a command that can be used to limit the available OIDs. When OIDs are included in the view, all other MIB trees are inherently denied. The SNMP view command must be used in conjunction with a predefined list of MIB objects.
  • Apply extended access control lists (ACLs) to block unauthorized computers from accessing the device. Access to devices with read and/or write SNMP permission should be strictly controlled. If monitoring and change management are done through separate software, then they should be on separate devices.
  • Segregate SNMP traffic onto a separate management network. Management network traffic should be out-of-band; however, if device management must coincide with standard network activity, all communication occurring over that network should use some encryption capability. If the network device has a dedicated management port, it should be the sole link for services like SNMP, Secure Shell (SSH), etc.
  • Keep system images and software up-to-date.
References Revision History
  • June 5, 2017: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

TA17-156A: Reducing the Risk of SNMP Abuse

US-CERT - Mon, 2017-06-05 17:11
Original release date: June 05, 2017
Systems Affected

SNMP enabled devices

Overview

The Simple Network Management Protocol (SNMP) may be abused to gain unauthorized access to network devices. SNMP provides a standardized framework for a common language that is used for monitoring and managing devices in a network.

This Alert provides information on SNMP best practices, along with prevention and mitigation recommendations.

Description

SNMP depends on secure strings (or “community strings”) that grant access to portions of devices’ management planes. Abuse of SNMP could allow an unauthorized third party to gain access to a network device. 

SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 are employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or replay attack.

Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could support faster interfaces. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. All versions run over the User Datagram Protocol (UDP).

Simply using SNMPv3 is not enough to prevent abuse of the protocol. A safer approach is to combine SNMPv3 with management information base (MIB) whitelisting using SNMP views. This technique ensures that even with exposed credentials, information cannot be read from or written to the device unless the information is needed for monitoring or normal device re-configuration. The majority of devices that support SNMP contain a generic set of MIBs that are vendor agnostic. This approach allows the object identifier (OID) to be applied to devices regardless of manufacturer.

Impact

A remote attacker may abuse SNMP-enabled network devices to access an organization’s network infrastructure.

Solution

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. US-CERT recommends that administrators:

  • Configure SNMPv3 to use the highest level of security available on the device; this would be authPriv on most devices. authPriv includes authentication and encryption features, and employing both features enhances overall network security. Some older images may not contain the cryptographic feature set, in which case authNoPriv needs to be used. However, if the device does not support Version 3 authPriv, it should be upgraded.
  • Ensure administrative credentials are properly configured with different passwords for authentication and encryption. In configuring accounts, follow the principle of least privilege. Role separation between polling/receiving traps (reading) and configuring users or groups (writing) is imperative because many SNMP managers require login credentials to be stored on disk in order to receive traps.
  • Refer to your vendor’s guidance for implementing SNMP views. SNMP view is a command that can be used to limit the available OIDs. When OIDs are included in the view, all other MIB trees are inherently denied. The SNMP view command must be used in conjunction with a predefined list of MIB objects.
  • Apply extended access control lists (ACLs) to block unauthorized computers from accessing the device. Access to devices with read and/or write SNMP permission should be strictly controlled. If monitoring and change management are done through separate software, then they should be on separate devices.
  • Segregate SNMP traffic onto a separate management network. Management network traffic should be out-of-band; however, if device management must coincide with standard network activity, all communication occurring over that network should use some encryption capability. If the network device has a dedicated management port, it should be the sole link for services like SNMP, Secure Shell (SSH), etc.
  • Keep system images and software up-to-date.
References Revision History
  • June 5, 2017: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

Vulnerability in Linux Kernel Affecting Cisco Products: October 2016

Cisco Security Advisories - Wed, 2017-05-31 18:56
On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system.

Cisco has released software updates that address this vulnerability. For information about affected and fixed software releases, consult the Cisco bug IDs in the Vulnerable Products table.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system.

Cisco has released software updates that address this vulnerability. For information about affected and fixed software releases, consult the Cisco bug IDs in the Vulnerable Products table.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux
Security Impact Rating: Medium
CVE: CVE-2016-5195
Categories: Security Alerts

Vulnerability in Samba Affecting Cisco Products: May 2017

Cisco Security Advisories - Tue, 2017-05-30 17:30
On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.

This vulnerability has been assigned CVE ID CVE-2017-7494

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.

This vulnerability has been assigned CVE ID CVE-2017-7494

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170530-samba
Security Impact Rating: High
CVE: CVE-2017-7494
Categories: Security Alerts

Cisco Firepower System Software URL Filtering Bypass Vulnerability

Cisco Security Advisories - Wed, 2017-05-24 19:30
A vulnerability in the feature-license management functionality of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass URL filters that have been configured for an affected device.

The vulnerability exists because the URL Filtering license for the affected software could be disabled unexpectedly, which could disable the URL filtering functionality of the affected software. An attacker could exploit this vulnerability by sending traffic, which should have matched a configured URL filter, through an affected device. A successful exploit could allow the attacker to bypass URL filters that were configured for the affected device.

There is a workaround that addresses this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170524-fmc A vulnerability in the feature-license management functionality of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass URL filters that have been configured for an affected device.

The vulnerability exists because the URL Filtering license for the affected software could be disabled unexpectedly, which could disable the URL filtering functionality of the affected software. An attacker could exploit this vulnerability by sending traffic, which should have matched a configured URL filter, through an affected device. A successful exploit could allow the attacker to bypass URL filters that were configured for the affected device.

There is a workaround that addresses this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170524-fmc
Security Impact Rating: Medium
CVE: CVE-2017-6674
Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator - Security Alerts