Summary

• Cisco Device Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on a client host with the privileges of the user. This vulnerability affects Cisco Device Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when it is installed or launched via the Java Network Launch Protocol (JNLP) on a host running Microsoft Windows.
  
  Cisco Device Manager installed or launched from Cisco Prime Data Center Network Manager (DCNM) or Cisco Fabric Manager is not affected. This vulnerability can only be exploited if the JNLP file is executed on systems running Microsoft Windows. The vulnerability affects the confidentiality, integrity, and availability of the client host performing the installation or execution of Cisco Device Manager via JNLP file. There is no impact on the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches.
  
  Cisco has released software updates that address this vulnerability in the Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000 Series Switches have discontinued the support of the Cisco Device Manager installation via JNLP and updates are not available.
  
  Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm

Affected Products

• Vulnerable Products

  This vulnerability affects the following versions of Cisco Device Manager for the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches:
  

  • Cisco Device Manager versions 5.x and earlier

  Note: Only Cisco Device Manager software installed or launched via JNLP file on Microsoft Windows is affected by this vulnerability.

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.

Details

• Cisco Device Manager can be used for detailed switch provisioning and provides a graphical representation of the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches chassis.
  
  The Device Manager could be installed either from the Cisco Prime Data Center Network Manager (DCNM) previously called Cisco Fabric Manager server, or via JNLP file downloaded from the switch web interface.
  
  A vulnerability in the Java Archive (JAR) executable files that are downloaded via JNLP from the Cisco MDS 9000 Series or Cisco Nexus 5000 Series Switches could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host that is executing the JNLP file. Command execution would occur with the privileges of the user.
  
  The vulnerability is due to insufficient validation of certain parameters passed by the element-manager.jnlp file and executed by the affected JAR files. An attacker may exploit this vulnerability by redirecting the user to download a crafted version of the element-manager.jnlp file and execute the file.
  
  Note: This vulnerability affects Cisco Device Manager installed or launched via the JNLP method. Cisco Device Manager installed or launched from Cisco Prime DCNM or Cisco Fabric Manager is not affected. This vulnerability can only be exploited if the JNLP file is executed on systems running Microsoft Windows. The vulnerability affects the confidentiality, integrity and availability of the client host performing the installation of Cisco Device Manager. There is no impact on the Cisco MDS 9000 Family or Cisco Nexus 5000 Series Switches.
  
  This vulnerability is documented in Cisco bug IDs CSCty17417 (registered customers only) for Cisco MDS 9000 Family Switches and CSCty10802 (registered customers only) for Cisco Nexus 5000 Series Switches.
  
  This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2013-1192.

Workarounds

• Installing Cisco Device Manager from Cisco Prime DCNM or Fabric Manager may provide a workaround for this issue.

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  This vulnerability has been resolved in Cisco Device Manager for Cisco MDS 9000 Family Switches versions 5.2.8 and above.
  
  Cisco Nexus 5000 Series Switches have discontinued the support for Cisco Device Manager installation via JNLP file. No updates are available. Customers should use Cisco Prime DCNM to manage the switch instead.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
  
  This vulnerability was reported to Cisco by Jurgens Van Der Merwe from SensePost Information Security.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm

Revision History

• Revision 1.0

  2013-April-24

  Initial public release.

  Show Less