From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 26 Apr 2007 10:43:03 +0200
Subject: [NEWS] Default Passwords in Cisco NetFlow Collection Engine
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070426074911.9DA355901@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Default Passwords in Cisco NetFlow Collection Engine
------------------------------------------------------------------------
SUMMARY
Versions of Cisco Network Services (CNS) NetFlow Collection Engine (NFC)
prior to 6.0 create and use default accounts with identical usernames and
passwords. An attacker with knowledge of these accounts can modify the
application configuration and, in certain instances, gain user access to
the host operating system.
The upgrade to NFC version 6.0 is not a free upgrade. This default
password issue does not require a software upgrade and can be changed by a
configuration command for all affected customers. The workaround detailed
in this document demonstrates how to change the passwords in 5.0.
DETAILS
Affected Products
Vulnerable Products
This vulnerability affects Cisco NetFlow Collection Engine running
software versions prior to 6.0.0. The software version of the Cisco
NetFlow Collection Engine can be determined by either logging into the
web-based user interface (UI) or using the show-tech parameter of the
nfcollector command from the host operating system. For customers running
version 6.0 or later, the nfcollector command uses the version parameter
to determine the software level.
Users can determine the NFC version by using a web browser to navigate to
http://<nfc-hostname>:8080/nfc in a web browser and selecting About in the
upper left-hand corner. The browser displays the NFC version in a new
window.
The NFC version can be determined from the host operating system by using
the show-tech parameter of the /opt/CSCOnfc/nfcollector command. On
systems running NFC version 5.0.3, the output from
/opt/CSCOnfc/bin/nfcollector show-tech should display a result similar to
the following:
$ /opt/CSCOnfc/nfcollector show-tech
********** pkginfo/swlist **********
Name : CSCOnfc Relocations: /opt/CSCOnfc
Version : 5.0.3 Vendor: Cisco Systems,
Inc
Release : 2 Build Date: Wed 06 Sep
2006 11:19:59 AM EDT
Install Date: Mon 12 Feb 2007 04:26:54 PM EST Build Host:
nfc-hpux.cisco.com
Group : Applications/Network Source RPM:
CSCOnfc-5.0.3-2.src.rpm
Size : 109385602 License: Copyright (c)
2002-2003 by Cisco Systems, Inc.
Signature : (none)
URL : http://www.cisco.com
Summary : Cisco NetFlow Collector
Description :
Cisco CNS NetFlow Collection Engine receives, filters, and aggregates
NetFlow
traffic data generated by Cisco routers and switches.
Products Confirmed Not Vulnerable
No other Cisco products are known to be vulnerable to the issues described
in this advisory.
Details
Cisco CNS NetFlow Collection Engine is used to collect and monitor NetFlow
accounting data for devices that support NetFlow, such as routers and
switches. This data can be used to provide a network baseline, against
which irregular activities like denial of service (DoS) attacks, worms,
and other malicious activity can be more easily detected.
NFC is installed on a supported UNIX platform. The installation creates a
default web based user account, nfcuser, which is required to perform
application maintenance, configuration, and troubleshooting with a
password of nfcuser. In versions prior to 6.0, the Linux installer will
also create a local user, also nfcuser, on the operating system with a
default password also identical to the username. If the user already
exists, the Linux installer will change the password to be the same as the
username.
This issue is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsh75038>;
CSCsh75038 ( registered customers only)
Impact
Successful exploitation of the vulnerability may result in full
administrative control of the NetFlow Collection Engine and user-level
access to the host operating system.
Workarounds
This issue has been addressed starting in release 6.0 by prompting the
user to change the password for the web based nfcuser account during the
application installation or during an upgrade to a version later than 6.0
as shown in the following example. This only applies to the web user and
password, on Linux hosts, the nfcuser on the host operating system needs
to be manually changed as shown at the end of the workarounds section.
Installations on Solaris have always required the local nfcuser to be
created before the installation and therefore only the web based user
account is affected by this advisory. NFC installations for version 6.0
and later on Solaris and Linux require the nfcuser account to be created
on the host operating system before the installer is run.
For all installations of NFC versions prior to 6.0, the web user can be
changed using the following procedure:
Edit the file authentication parameters stored in
${NFC_DIR}/config/auth.config, as shown below. The nfc-user field can be
changed and a strong password should be chosen for the nfc-password.
NFC {
com.cisco.nfc.collector.web.auth.SimpleLoginModule required
nfc-user="nfcuser" nfc-password="nfcuser";
};
Then as the nfcuser, stop and restart the NFC applications. This is done
using the nfcollector command, as shown in the following example:
# su - nfcuser
$ /opt/CSCOnfc/bin/nfcollector stop all
nfcxml: Not Running
collection: Not Running
re: Not Running; autostart not configured
web: Not Running
$ /opt/CSCOnfc/bin/nfcollector start all
This product contains cryptographic features and is subject to
United States and local country laws governing import, export,
transfer and use. Delivery of Cisco cryptographic products does
not imply third-party authority to import, export, distribute
or use encryption. Importers, exporters, distributors and users
are responsible for compliance with U.S. and local country laws.
By using this product you agree to comply with applicable laws
and regulations. If you are unable to comply with U.S. and local
laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be
found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email
to [email protected].
nfcxml: Running (pid: 6598)
collection: Running (pid: 6606)
re: Not Running; autostart not configured
web: Running (pid: 6618)
Additionally, on Linux installations of NFC prior to version 6.0, use the
passwd command to change the nfcuser password, as shown in the following
example:
# passwd nfcuser
Changing password for user nfcuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Please note that the local user password does not have to match the
password of the web user account. Upgrading to version 6.0 will
automatically prompt the administrator for a new nfcuser password to be
used in the UI. The nfcuser password for the host operating system should
still be changed as described above.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070425-nfc.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070425-nfc.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
