CVSS v2 base/temporal vector: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:F/RL:OF/RC:C
-
Cisco Security Manager contains a vulnerability when it is used with Cisco IPS Event Viewer (IEV) that results in open TCP ports on both the Cisco Security Manager server and IEV client. An unauthenticated, remote attacker could leverage this vulnerability to access the MySQL databases or IEV server.
Cisco has released software updates that address this vulnerability. A workaround is also available to mitigate this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090121-csm.
-
Vulnerable Products
All 3.1 and 3.2 versions prior to 3.2.2 of Cisco Security Manager are affected by this vulnerability. Cisco IEV is installed with Cisco Security Manager by default, but the vulnerability is not exposed until IEV has been launched.
Products Confirmed Not Vulnerable
The following products have been confirmed not vulnerable:
- Cisco Security Manager 3.2.2
- Cisco Security Manager 3.0.x and earlier
- Standalone implementations of Cisco IEV
- Cisco IPS Manager Express
No other Cisco products are currently known to be affected by this vulnerability.
-
Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and intrusion prevention security services on Cisco network and security devices. As part of Cisco Security Manager installation, the Cisco IEV is installed by default. The IEV is a Java-based application that allows users to view and manage alerts for up to five sensors, including the ability to report top alerts, attackers, and victims over a specified number of hours or days. Users can connect to and view alerts in real time or via imported log files, configure filters and views to help manage alerts, and import and export event data for further analysis.
A vulnerability exists in the Cisco Security Manager server. When the IEV is launched, it opens several remotely available TCP ports on the Cisco Security Manager server and client. These ports could allow remote, unauthenticated root access to the IEV database and server. When IEV is closed, it closes open ports on the Cisco Security Manager client that launched the IEV but fails to close open ports on the server. If the IEV has never been used on the system, the Cisco Security Manager server is not vulnerable.
The IEV database contains events that are collected from Cisco Intrusion Prevention System (IPS) devices. The IEV server allows an unauthenticated user to add, delete, or modify the devices that are added into the IEV.
This vulnerability is documented in Cisco Bug ID CSCsv66897 (registered customers only).
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-3820.
-
If Cisco IEV is not being used, administrators are advised to disable the functionality until the patch is applied. To disable IEV on Cisco Security Manager, perform the following steps:
1. Access the Microsoft Windows Server on which Cisco Security Manager is installed.
2. Open the Services dialog box (choose Start > Administrative Tools > Services).
3. Locate the Cisco IPS Event Viewer service and open Properties.
4. Change Startup Type to Disabled and click OK.
5. Stop the Cisco IPS Event Viewer service.
6. Stop and restart the Cisco Security Manager Daemon Manager service.
7. Confirm that the Cisco IPS Event Viewer service has not restarted.
Upon disabling the Cisco IPS Event Viewer service, the open ports on the Cisco Security Manager server will be closed.
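The workaround above, scripted so the change and the check can be repeated consistently. This is an added example, not part of the Cisco advisory or the product; it assumes an elevated PowerShell session on the Cisco Security Manager server, that the two services can be found by the display names the advisory uses, and that the NetTCPIP module (Get-NetTCPConnection, Windows Server 2012 or later) is available for the port check.

```powershell
# Added example (not from the Cisco advisory): apply the IEV workaround and
# verify that the IEV service stays stopped and its listening ports are gone.
# Assumption: services are located by the display names used in the advisory.
$ievDisplayName    = 'Cisco IPS Event Viewer'
$daemonDisplayName = 'Cisco Security Manager Daemon Manager'

$iev    = Get-Service -DisplayName $ievDisplayName    -ErrorAction Stop
$daemon = Get-Service -DisplayName $daemonDisplayName -ErrorAction Stop

# Record the TCP ports the IEV service process is listening on before the
# change, so the closure can be confirmed afterwards rather than assumed.
$ievPid = (Get-CimInstance Win32_Service -Filter "Name='$($iev.Name)'").ProcessId
$before = @()
if ($ievPid) {
    $before = Get-NetTCPConnection -State Listen -OwningProcess $ievPid -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty LocalPort -Unique
}
Write-Host "IEV listening ports before: $($before -join ', ')"

# Steps 4 to 6: disable the startup type, stop IEV, restart the Daemon Manager.
Set-Service     -Name $iev.Name    -StartupType Disabled
Stop-Service    -Name $iev.Name    -Force
Restart-Service -Name $daemon.Name -Force

# Step 7: confirm the Daemon Manager did not bring IEV back up.
Start-Sleep -Seconds 10
$iev.Refresh()
if ($iev.Status -ne 'Stopped') {
    throw "IEV service is '$($iev.Status)'; expected Stopped."
}

# Confirm the ports recorded earlier are no longer in LISTEN state on the server.
$stillOpen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $before -contains $_.LocalPort }
if ($stillOpen) {
    $ports = ($stillOpen.LocalPort | Sort-Object -Unique) -join ', '
    throw "Ports still listening after the workaround: $ports"
}
$mode = (Get-CimInstance Win32_Service -Filter "Name='$($iev.Name)'").StartMode
Write-Host "IEV disabled (start mode: $mode); recorded ports are closed."
```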
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090121-csm
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
A software patch for Cisco Security Manager versions 3.1, 3.1.1, 3.2 and 3.2.1 is available for download at: http://www.cisco.com/pcgi-bin/tablebuild.pl/csm-app?psrtdcat20e2
The patch file names by Cisco Security Manager version follow:

Cisco Security Manager version   Patch Filename
------------------------------   ----------------------------
3.0.x and earlier                Not Vulnerable
3.1                              CSM310PatchCSCsv66897.zip
3.1.1.SP3                        CSM311SP3PatchCSCsv66897.zip
3.2.SP2                          CSM320SP2PatchCSCsv66897.zip
3.2.1.SP1                        CSM321SP1PatchCSCsv66897.zip
3.2.2                            Not Vulnerable
Please read the corresponding readme files for installation instructions.
-
Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
This vulnerability was discovered through internal Cisco testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0    2009-January-21    Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.