This advisory describes a vulnerability that affects Cisco products and applications running on Microsoft Windows 2000.
A vulnerability has been discovered that enables an attacker to execute arbitrary code or perform a denial of service (DoS) attack against the server. This vulnerability was discovered and publicly announced by Microsoft in Microsoft Security Bulletin MS03-049. More information about the vulnerability can be found at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
All Cisco products and applications that are using unpatched Microsoft Windows 2000 are vulnerable.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040129-ms03-049.
-
This section provides details on affected products.
Vulnerable Products
To determine if a product is vulnerable, review the list below. If software versions or configuration information are provided, then only those combinations are vulnerable. The following appliance software needs patches downloaded from Cisco.
- Cisco CallManager
- Cisco Building Broadband Service Manager (BBSM)
  - BBSM Version 5.2
  - HotSpot 1.0
- Cisco Customer Response Application Server (CRA)
- Cisco Personal Assistant (PA)
- Cisco Conference Connection (CCC)
- Cisco Emergency Responder (CER)
- Cisco IP Call Center Express (IPCC Express)
- Cisco Internet Service Node (ISN)
Customers running other Cisco products on a Microsoft-based operating system should strongly consider loading the patch from Microsoft at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
This list is not all-inclusive. Please refer to Microsoft's bulletin if you think you have an affected Microsoft platform.
- Cisco Unity
- Cisco Building Broadband Service Manager (BBSM) versions 5.1 and prior
- Cisco uOne Enterprise Edition
- Cisco Latitude products
- Cisco Network Registrar (CNR)
- Cisco Internet Service Node (ISN)
- Cisco Intelligent Contact Manager (ICM) (Hosted and Enterprise)
- Cisco IP Contact Center (IPCC) (Express and Enterprise)
- Cisco E-mail Manager (CEM)
- Cisco Collaboration Server (CCS)
- Cisco Dynamic Content Adapter (DCA)
- Cisco Media Blender (CMB)
- TrailHead (Part of the Web Gateway solution)
- Cisco Networking Services for Active Directory (CNS/AD)
- Cisco SN 5400 Series Storage Routers (driver to interface to Windows server)
- CiscoWorks
  - CiscoWorks VPN/Security Management Solution (CWVMS)
  - User Registration Tool
  - Lan Management Solution
  - Routed WAN Management
  - Service Management
  - VPN/Security Management Solution
  - IP Telephony Environment Monitor
  - Small Network Management Solution
  - QoS Policy Manager
  - Voice Manager
- Cisco Transport Manager (CTM)
- Cisco Broadband Troubleshooter (CBT)
- DOCSIS CPE Configurator
- Cisco Secure Applications
  - Cisco Secure Scanner
  - Cisco Secure Policy Manager (CSPM)
  - Access Control Server (ACS)
- Videoconferencing Applications
  - IP/VC 3540 Video Rate Matching Module
  - IP/VC 3540 Application Server
- Cisco IP/TV Server
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Cisco CallManager
-
Default installations of Microsoft Windows 2000 Server automatically enable the Workstation service. This vulnerability is not isolated to Microsoft Windows 2000 Workstation edition.
The Microsoft Windows 2000 Workstation service is vulnerable to buffer overflows and denial of service (DoS) attacks. This vulnerability can be exploited to execute arbitrary code on a computer system or to disrupt normal operation of the server.
The vulnerability has been described in more detail at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
-
Currently there are no known active worms exploiting this vulnerability. However, users can protect themselves from potential infection by applying access control lists (ACLs).
The Workstation service receives packets on UDP and TCP ports 138, 139 and 445. Restricting traffic to these ports may help mitigate the spread of any worm that exploits this vulnerability. Restricting traffic to these ports may also help prevent improper access, DoS, and other non-worm related exploitation.
Please also refer to the Microsoft posting for additional workarounds:
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
Customers who have firewalls, or who have deployed Network Intrusion Detection Systems (NIDS) and/or Host Intrusion Detection Systems (HIDS) in their network, may be able to use these devices to detect attempted exploitation of this vulnerability or to protect themselves from it. Customers with these products should refer to their vendor's product documentation for information on how to properly configure these devices.
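The following added example (not part of the Cisco advisory) shows one way to review firewall or flow logs for traffic to the Workstation service ports named above, separating flows an ACL let through from flows it blocked. The log format, the trusted network and every sample record are constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Ports the advisory names for the Workstation service (TCP and UDP).
WORKSTATION_PORTS = {138, 139, 445}

# Assumption: the only network allowed to reach these ports on the servers.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample records in a hypothetical format:
# "timestamp proto src dst dport action"
SAMPLE_LOG = """\
2004-01-29T10:00:01 tcp 10.10.0.15 10.20.0.5 445 permit
2004-01-29T10:00:02 tcp 192.0.2.77 10.20.0.5 445 permit
2004-01-29T10:00:03 udp 192.0.2.77 10.20.0.5 138 deny
2004-01-29T10:00:04 tcp 198.51.100.9 10.20.0.5 80 permit
2004-01-29T10:00:05 tcp 192.0.2.77 10.20.0.6 139 permit
malformed line
2004-01-29T10:00:06 icmp 192.0.2.77 10.20.0.5 - permit
"""

def parse(line):
    """Return (proto, src, dport, action), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 6 or parts[1] not in ("tcp", "udp"):
        return None
    try:
        return parts[1], ipaddress.ip_address(parts[2]), int(parts[4]), parts[5]
    except ValueError:
        return None

def untrusted_workstation_flows(log_text):
    """Count flows to the Workstation service ports from untrusted sources,
    split into permitted (ACL gap) and denied (blocked attempt)."""
    permitted, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] not in WORKSTATION_PORTS:
            continue
        proto, src, dport, action = rec
        if any(src in net for net in TRUSTED_NETS):
            continue
        (permitted if action == "permit" else denied)[(str(src), proto, dport)] += 1
    return permitted, denied

if __name__ == "__main__":
    ok, blocked = untrusted_workstation_flows(SAMPLE_LOG)
    print("permitted (ACL gap):", dict(ok), "denied:", dict(blocked))
```

Entries in the permitted set point to servers that are still reachable on these ports from outside the trusted range and should be covered by an ACL or patched first.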
-
Affected Cisco IP Telephony Applications
For all versions of Cisco CallManager and all compatible versions of Cisco IP Interactive Voice Response (IP IVR), Cisco IP Call Center Express (IPCC Express), Cisco Personal Assistant (PA), Cisco Emergency Responder (CER), Cisco Conference Connection (CCC), and Cisco Internet Service Node (ISN), customers should apply the win-OS-Upgrade-k9.2000-2-5sr4.exe or later package located at the following URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des?psrtdcat20e2
Cisco Building Broadband Service Manager
For BBSM Version 5.2, apply BBSM52SP2.exe found at the following URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsm52
Instructions for installing service patches on BBSM can be found at the following URL: http://www.cisco.com/en/US/docs/net_mgmt/cisco_building_broadband_service_manager/5.3/operations/guide/ops53_05.html
Cisco HotSpot 1.0
For HotSpot 1.0, apply Service Pack 1 available at the following URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsmhs10
-
The Cisco PSIRT is not aware of any active exploitation of this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0, 2004-January-29: Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.