Summary

• Multiple vulnerabilities exist in the Cisco Application Networking Manager (ANM) and Cisco Application Control Engine (ACE) Device Manager applications. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access.

  This security advisory identifies the following vulnerabilities:

  • ACE Device Manager and ANM invalid directory permissions vulnerability
    
  • ANM default user credentials vulnerability
    
  • ANM MySQL default credentials vulnerability
    
  • ANM Java agent privilege escalation
    

  Cisco has released software updates that address these vulnerabilities. A workaround that mitigates one of the issues is available.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-anm.

  Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at

  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-ace.

Affected Products

• Vulnerable Products

  The following are the products and versions affected by each vulnerability described within this advisory.

  Vulnerability	Product Affected	Version Affected
  Invalid Directory Permissions	ACE Device Manager	All versions prior to A3(2.1)
  Invalid Directory Permissions	ANM	All versions prior to ANM 2.0
  Default User Credentials	ANM	All versions prior to ANM 2.0
  MySQL Default Credentials	ANM	All versions prior to ANM 2.0
  Java Agent Privilege Escalation	ANM	All versions prior to ANM 2.0 Update A

  Determining ACE Device Manager Software Version

  The ACE Device Manager is embedded with the ACE appliance software.

  To display the version of system software that is currently running on the device, use the show version command. The following example includes the output of the show version command on a Cisco ACE appliance running software version A3(2.1):

  ACE-4710/Admin# show version
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  
  Software
    loader:    Version 0.95
    system:    Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
    system image file: (nd)/192.168.65.32/scimitar.bin
    Device Manager version 1.1 (0) 20081113:2052
  ---

  Determining ANM Software Version

  To display the version of ANM software that is currently installed, login to the ANM server and select the About keyword in the upper right. An informational pop up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below.

      Version: 2.0(0), Update: A 
      Build Number: 709 
      Build Timestamp: 20081031:1226 

  Products Confirmed Not Vulnerable

  The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities.

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise Linux operating system. The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance. Multiple vulnerabilities exist in ANM and one in the ACE Device Manager products. The following details are provided for each vulnerability addressed in this security advisory.

  Invalid Directory Permissions

  Versions of the Cisco ACE Device Manager prior to software version A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory traversal vulnerabilities. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. To exploit these vulnerabilities authentication is required to initially access either product.

  This vulnerability is documented in the following Cisco Bug IDs:

  • CSCsv66063 ( registered customers only)
    
  • CSCsv70130 ( registered customers only)
    

  This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615.

  Default User Credentials

  Versions of Cisco ANM prior to software version ANM 2.0 do not force credential changes during installation. If these credentials are left unchanged, this could allow unauthorized access to the ANM application with default user credentials.

  This vulnerability is documented in the following Cisco Bug ID:

  • CSCsu52724 ( registered customers only)
    

  This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616.

  MySQL Default Credentials

  ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. Unauthorized access to the database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. The ACE appliance and module device configuration files in the MySQL database are encrypted.

  This vulnerability is documented in the following Cisco Bug ID:

  • CSCsu52632 ( registered customers only)
    

  This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617.

  Java Agent Privilege Escalation

  ANM versions prior to ANM 2.0 Update A contain a remotely exploitable vulnerability that could allow an attacker to view configuration files and modify ANM processes including the capability to stop services. Exploitation of this issue could result in system information disclosure or denial of services.

  This vulnerability is documented in the following Cisco Bug ID:

  • CSCsu73001 ( registered customers only)
    

  This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618.

Workarounds

• While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability.

  ANM Default User Credentials

  The ANM user admin account password may be modified after installation by following the procedures documented for Changing the Admin Password located in the ANM User Guide.

  Applied Mitigation Bulletin

  Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

  https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090225-anm

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release which have fixes for all the published vulnerabilities at the time of this Advisory.

  Vulnerability	First Fixed Release	Recommended Release
  ACE Device Manager Invalid Directory Permissions	A3(2.1)	A3(2.1)
  ANM Invalid Directory Permissions	ANM 2.0	ANM 2.0 Update A
  ANM Default User Credentials	ANM 2.0	ANM 2.0 Update A
  ANM MySQL Default Credentials	ANM 2.0	ANM 2.0 Update A
  ANM Java Agent Privilege Escalation	ANM 2.0 Update A	ANM 2.0 Update A

  ANM 2.0 Update A can be downloaded from ANM 2.0 UPDATE A.

  ACE Device Manager A3(2.1) can be downloaded from ACE A3(2.1).

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

  Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability.

  The remaining vulnerabilities were identified through internal testing.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-anm

Revision History

• Revision 1.0

  2009-February-25

  Initial public release

  Show Less