From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 25 Oct 2006 21:12:41 +0200
Subject: [UNIX] Cisco Security Agent for Linux Port Scan DoS
Message-Id: <20061025183807.8764D57EA@mail.tyumen.ru.>
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Security Agent for Linux Port Scan DoS
------------------------------------------------------------------------
SUMMARY
Cisco Security Agent (CSA) for Linux contains a denial of service
vulnerability involving port scans. By performing a port scan against a
system running a vulnerable version of CSA, it is possible to cause the
system to become unresponsive. Cisco Unified CallManager (CUCM) and Cisco
Unified Presence Server (CUPS) ship with a vulnerable CSA version.
There are workarounds for this vulnerability. Cisco has made free software
available to address this vulnerability for affected customers.
DETAILS
Vulnerable Products:
The following CSA versions are vulnerable to the port scanning issue:
* CSA version 4.5 for Linux (standalone and managed) prior to Hotfix 4.5.1.657
* CSA version 5.0 for Linux (standalone and managed) prior to Hotfix 5.0.0.193
The following Cisco products include a standalone version of CSA for Linux
and are also vulnerable to this issue:
* Cisco Unified CallManager (CUCM) 5.0 versions including 5.0(4)
* Cisco Unified Presence Server (CUPS) 1.0 versions including 1.0(2)
Products Confirmed Not Vulnerable:
The following CSA Agent versions are not vulnerable to the port scanning
issue:
* CSA version 5.1 (standalone and managed) for Linux
* All CSA versions (standalone and managed) for Windows
* All CSA versions (standalone and managed) for Solaris
No other Cisco products are currently known to be affected by this
vulnerability.
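
The version boundaries listed above, expressed as an inventory triage check. This is an added example, not part of the Cisco advisory or any Cisco tooling; it assumes agent versions are reported as dotted numeric strings and that tuple ordering within a branch follows hotfix order. The hostnames and builds in SAMPLE are constructed.

```python
import re

# From the advisory: first fixed build per affected Linux branch, and the
# Linux branch listed as not vulnerable.
FIXED_BUILDS = {(4, 5): (4, 5, 1, 657), (5, 0): (5, 0, 0, 193)}
NOT_AFFECTED_BRANCHES = {(5, 1)}


def parse_version(text):
    """Turn '4.5.1.639' into (4, 5, 1, 639); reject anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised CSA version: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    # Pad '5.0' to (5, 0, 0, 0): no hotfix level reported counts as unpatched.
    return parts + (0,) * (4 - len(parts))


def classify(os_name, version):
    """Return 'vulnerable', 'fixed', 'not_affected' or 'unknown' for one host."""
    if os_name.lower() in ("windows", "solaris"):
        return "not_affected"          # all Windows/Solaris agents are unaffected
    if os_name.lower() != "linux":
        return "unknown"
    try:
        ver = parse_version(version)
    except ValueError:
        return "unknown"               # unparsable version: flag for manual review
    branch = ver[:2]
    if branch in NOT_AFFECTED_BRANCHES:
        return "not_affected"
    if branch in FIXED_BUILDS:
        return "vulnerable" if ver < FIXED_BUILDS[branch] else "fixed"
    return "unknown"                   # branch not mentioned in the advisory


def triage(inventory):
    """Map each hostname to its classification."""
    return {host: classify(os_name, ver) for host, os_name, ver in inventory}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("app01", "Linux", "4.5.1.639"),
    ("app02", "Linux", "4.5.1.657"),
    ("db01", "Linux", "5.0.0.176"),
    ("ws01", "Windows", "5.0.0.176"),
    ("old01", "Linux", "4.0.3.728"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as "unknown" run a branch the advisory does not mention and need manual review. CUCM 5.0 and CUPS 1.0 systems should be treated as vulnerable until the updated COP file is installed.
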
Details:
Cisco Security Agent (CSA) provides threat protection for server and
desktop computing systems. CSA for Linux is vulnerable to a denial of
service attack that may be triggered during the identification of network
port scans. By running a port scan with specific options, it is possible
to cause excessive system resource consumption resulting in a denial of
service. It is possible to mitigate this vulnerability by restricting
network access to vulnerable systems to trusted networks. This issue is
not a Linux operating system issue. CSA versions for other operating
systems (Windows, Solaris) are not affected by this vulnerability. This
issue is documented in Cisco Bug ID CSCse98684 (registered customers
only).
Cisco Unified CallManager 5.0 versions, including 5.0(4), ship with a
vulnerable version of CSA. A new CallManager Options Package (COP) file is
available to update the CSA version on CallManager 5.0(4). Future versions
of CallManager will include the updated CSA version. This issue is
documented in Cisco Bug ID CSCse97601 (registered customers only).
Cisco Unified Presence Server 1.0 versions, including 1.0(2), ship with a
vulnerable version of CSA. A new COP file is available to update the CSA
version on CUPS 1.0(2). Future versions of CUPS will include the updated
CSA version. This issue is documented in Cisco Bug ID CSCsg40052
(registered customers only).
Impact:
Successful exploitation of the port scan vulnerability against a Linux
system running a vulnerable version of CSA may cause the system to become
unresponsive due to resource exhaustion while a port scan is underway.
This may result in the failure of critical processes and remote network
connectivity. Repeated port scans may result in a prolonged denial of
service. If a CUCM or CUPS system running a vulnerable CSA version is
scanned, voice operations may become unavailable for the duration of the
port scan.
Workarounds:
It is possible to work around the Linux port scan vulnerability by
disabling the Netshield rule in managed agents via the CSA Management
Center (CSAMC) console (not possible for standalone and CUCM/CUPS agents).
Administrators should exercise caution when employing this workaround
because it may open a system to additional network denial of service
attacks. With the Netshield rule disabled, CSA will still provide
protection against buffer overflows and other malicious activities.
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team <psirt@cisco.com>.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20061025-csa.shtml>