Date: 4 Jul 2004 18:59:18 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Subject: [NT] Cisco Collaboration Server Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Collaboration Server Vulnerability
------------------------------------------------------------------------
SUMMARY
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to an attack in which unauthorized
users can upload any file and gain administrative privileges. The
workaround is documented in the Workaround section below. Cisco has
provided an automated script to remove this vulnerability from the CCS 4.x
versions.
DETAILS
Vulnerable products:
CCS using an unpatched ServletExec version earlier than 3.0E is
vulnerable.
* CCS 4.x ships with ServletExec 3.0, which is vulnerable until patched.
CCS 4.0 customers can patch the software with an automated script or
upgrade to CCS 5.x.
* CCS 3.x ships with ServletExec 2.2, which is vulnerable until patched.
An automated script is not available for CCS 3.0. Customers can patch the
software by following the manual instructions in the Workaround section,
upgrade to CCS 4.x and patch the software with an automated script, or
upgrade to CCS 5.x.
Products confirmed not vulnerable:
* CCS 5.x ships with ServletExec 4.1 and is not vulnerable.
Details:
Cisco Collaboration Server utilizes the ServletExec subcomponent provided
by New Atlanta for Microsoft Windows 2000 and Windows NT. ServletExec
versions prior to SE 3.0E allow an attacker to upload files to the Web
server and invoke them. This issue is tracked as Cisco bug ID CSCed49648.
Users should upgrade to
CCS 5.x that ships with ServletExec 4.1, download the automated script for
CCS 4.x, or follow the manual instructions in the Workaround section.
Patching ServletExec either with the automated script or manual
instructions removes the UploadServlet from the ServletExec30.jar file but
does not alter the version number. The best way to test if the CCS is
vulnerable is to attempt to load the
http://<ccsservername>/servlet/UploadServlet URL when CCS is up and
running. If this attempt results in a NullPointerException, the
vulnerability is present. If this results in a Page Not Found error, then
the CCS is not vulnerable.
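The check described above, written as a small script an administrator can run against their own CCS host. This is an added example, not part of the Cisco advisory; the function names are illustrative, and any response other than the two outcomes the advisory documents is reported as inconclusive.

```python
import urllib.error
import urllib.request


def classify(status, body):
    """Map the two outcomes documented in the advisory to a verdict."""
    if "NullPointerException" in body:
        return "vulnerable"          # UploadServlet is still present and was invoked
    if status == 404:
        return "not vulnerable"      # Page Not Found: the servlet has been removed
    return "inconclusive"            # any other response is not covered by the advisory


def check_ccs(host, timeout=10):
    """Request /servlet/UploadServlet on your own CCS host and classify the reply."""
    url = "http://%s/servlet/UploadServlet" % host
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx responses; the error page body is still readable
        status, raw = err.code, err.read()
    except (urllib.error.URLError, OSError):
        return "inconclusive"        # CCS must be up and running for the test to mean anything
    return classify(status, raw.decode("latin-1", "replace"))


if __name__ == "__main__":
    import sys
    for ccs_host in sys.argv[1:]:    # hostnames or IP addresses of your CCS servers
        print(ccs_host, check_ccs(ccs_host))
```

Because patching does not change the ServletExec version number, this behavioural check is what confirms the patch took effect after IIS is restarted.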
Customers can continue to obtain and apply the most current patches for
ServletExec by following the instructions on the New Atlanta website:
http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195
Additionally, customers are encouraged to go to the following Cisco web pages for tips on increasing security on their CCS:
http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf
Refer to page 38 for ServletExec notes and refer to page 71 for notes on Collaboration Option.
Cisco Collaboration Server (CCS) has been sold as a standalone product or
as part of Cisco Web Collaboration Option where it is integrated with the
Cisco Intelligent Contact Management (ICM) software. A user can determine
their version level by using the http://<ccs server>/version command,
where <ccs server> is the hostname or IP address.
Impact:
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges.
* CSCed49648: http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed49648
Software Versions and Fixes:
Cisco Collaboration Server 4.x users can patch the software with an
automated script available at
http://www.cisco.com/pcgi-bin/tablebuild.pl/ccs40, or patch the software
by following the manual instructions in the Workaround section, or upgrade
to CCS 5.x.
Cisco Collaboration Server 3.x users can patch the software by following
the manual instructions in the Workaround section, or upgrade to CCS 4.x
and patch the software with an automated script, or upgrade to CCS 5.x.
Workarounds:
Manual Instructions to Patch CCS 3.x
Complete these steps to patch CCS 3.x:
1. Stop Internet Information Server (IIS).
2. Run Winzip or your favorite zip utility and open ServletExec22.jar in
the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.
3. Delete UploadServlet.class.
4. Save ServletExec22.jar back to its original location and exit Winzip.
5. Restart IIS.
Manual Instructions to Patch CCS 4.x
Complete these steps to patch CCS 4.x:
1. Stop Internet Information Server (IIS).
2. Run Winzip or your favorite zip utility and open ServletExec30.jar in
the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.
3. Delete UploadServlet.class.
4. Save ServletExec30.jar back to its original location and exit Winzip.
5. Restart IIS.
CCS 5.x is not vulnerable and these manual instructions do not apply.
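The manual steps for CCS 3.x and 4.x above, scripted with Python's standard zipfile module in place of Winzip. This is an added example, not Cisco's automated script; it matches UploadServlet.class by file name because the advisory does not give its package path inside the jar, and it keeps the original jar as a .bak copy.

```python
import os
import shutil
import zipfile

TARGET = "UploadServlet.class"  # class named in the advisory; package path not given


def find_upload_servlet(jar_path):
    """Return the jar entries whose file name is UploadServlet.class."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if n.rsplit("/", 1)[-1] == TARGET]


def remove_upload_servlet(jar_path):
    """Rewrite the jar without UploadServlet.class; return the removed entry names.

    Run with IIS stopped (step 1) so the jar is not in use, and restart IIS
    afterwards (step 5). The original jar is kept beside it as <jar>.bak.
    """
    removed = find_upload_servlet(jar_path)
    if not removed:
        return []                      # already patched, leave the file alone
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, \
         zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in removed:
                dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar_path, jar_path + ".bak")
    os.replace(tmp_path, jar_path)     # swap in the patched jar
    return removed


if __name__ == "__main__":
    import sys
    # Pass the full path to ServletExec22.jar (CCS 3.x) or ServletExec30.jar (CCS 4.x).
    for path in sys.argv[1:]:
        print(path, "removed:", remove_upload_servlet(path) or "nothing (already patched)")
```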
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml