Cisco IronPort Vulnerability

Advisory ID: cisco-sa-20120126-ironport

Cisco IronPort Email Security and IronPort Security Management Appliances contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.  Fixed software versions or patches are not yet available.  Configuration workarounds that mitigate this vulnerability are available.

Cisco IronPort Email Security Appliance (C-Series and X-Series) versions prior to 7.6.0 and IronPort Security Management Appliance (M-Series) versions prior to 7.8.0 are affected by the FreeBSD telnetd remote code execution vulnerability documented by Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-4862. This one scores a 19 out of 20 on CVSS (Base & Temporal), so you may want to apply the workaround.



Cisco Q4-11 Global Threat Report

‘Tis the season for 2011 threat reports to start emerging, and here is Cisco’s contribution.  The Q4-11 report covers the period from 1 October 2011 through 31 December 2011.  This quarter’s contributors were Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Security Research and Operations (SR&O), and Cisco ScanSafe.



Highlights from the Cisco 4Q11 Global Threat Report include:

  • An overall average of 362 Web malware encounters per month occurred throughout 2011.
  • Enterprise users experienced an average of 339 Web malware encounters per month in the quarter.
  • The highest average rate of encounters occurred during September and October (698 and 697).
  • An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to 14,217/month in 2010.
  • During 4Q11, 33% of Web malware was zero-day, not detectable by traditional signature-based methodologies.
  • The rate of SQL injection signature events remained steady, with a slight decrease observed as the quarter progressed.
  • Denial-of-service events increased slightly over the course of 4Q11.
  • Global spam volumes continued to decline throughout 2011.

Cisco Network Registrar Vulnerability

Cisco Network Registrar (CNR) provides highly scalable and reliable DNS, DHCP, and TFTP services, simplifying administrative tasks associated with network and device configuration by centralizing management.

CNR contains a default password for the administrative account.  An attacker could use this knowledge to authenticate with administrative privileges and arbitrarily change the configuration of CNR. This vulnerability is documented in Cisco bug ID CSCsm50627  (registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-2024.  Due to the nature of the vulnerability and its potential impact this vulnerability is rated HIGH.  No known attacks have been noted in the wild, but this one is simple.  All you need is the knowledge.

If you are not a registered Cisco customer, you can implement a simple workaround.  CHANGE THE DEFAULT PASSWORD!

  • To change the password using the web interface, select Advanced -> Administrators -> Admin from the menu.
  • To change the administrator’s password using the command-line interface, execute the following command:
      admin <admin-name> enterPassword

Access to CNR (TCP ports 8080, 8090, 8443, and 8453) and the host on which it is running should be limited to legitimate IP addresses using Access Control Lists or other means.
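One way to express this restriction on a Linux host running CNR, as an added example that is not from Cisco's advisory or the original post. It assumes iptables is the host firewall; the function names and the sample addresses (RFC 5737 documentation ranges) are constructed for illustration, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: emit iptables rules that limit the CNR management ports
# named in the text (8080, 8090, 8443, 8453) to an allowlist of sources.
# Assumption: iptables is the host firewall. Nothing is applied here.

CNR_PORTS="8080,8090,8443,8453"

# Accept only dotted-quad IPv4 addresses with an optional /0-32 prefix,
# so that nothing unexpected ends up inside a firewall command line.
valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (function-local positionals)
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT rule per allowed source, then a final DROP for the same
# ports. Refuses to emit anything if the list is empty or any entry is invalid.
cnr_acl_rules() {
    [ "$#" -gt 0 ] || { echo "no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src -m multiport --dports $CNR_PORTS -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -m multiport --dports $CNR_PORTS -j DROP"
}

# Constructed sample: one admin workstation and one management subnet.
cnr_acl_rules 192.0.2.10 198.51.100.0/24
```

Rule order matters: the ACCEPT lines must precede the DROP, and the rules should be loaded from a console session so a typo in the allowlist does not cut off remote administration.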

It is always good practice to change default passwords during installation, and user-selected passwords periodically. The change interval should comply with an organization’s security policy but, as a guideline, all passwords should be changed two or three times a year. This practice applies equally to all products regardless of when they are installed, and to all users, administrators and non-administrators.

Cisco Management Center for Security Agent Remote Code Execution Vulnerability

The Management Center for Cisco Security Agent is affected by a vulnerability that may allow an unauthenticated attacker to perform remote code execution on the affected device. Cisco Security Agent provides threat protection for server and desktop computing systems. Cisco Security Agent can function in a standalone manner or can be managed by the Management Center for Cisco Security Agent. A successful exploit could allow the attacker to modify agent policies and system configuration and perform other administrative tasks.

Cisco has released free software updates and a workaround is also available to mitigate this vulnerability.  Cisco Security Agent installations on end-point workstations or servers are not affected by this vulnerability.

 The full advisory is posted at

There is also a FAQ:

Cisco Compacts Catalyst Switches

This is just too cool. I originally passed over this article from ComputerWorld today, thinking Cisco had just shrunk the size of their unwieldy sized box again. Good for them. Seems this is a little more than Cisco on Weight Watchers. Cisco is looking to pursue the SMB and low-end commodity switch market, competing with HP, Adtran, Netgear, D-Link, and others. A Billion Dollar market!

There will be five models available in March, sporting 8 to 12 Fast Ethernet and Gigabit Ethernet ports, and 2 Gigabit Ethernet uplinks.  They will also include hardware acceleration for IPv6, IP multicast and access control lists.  The switches feature Power over Ethernet (PoE) pass-through, allowing them to draw 30 watts/port from PoE switches in the closet or the core, eliminating the requirement for dedicated power supplies or extra outlets.  They can be deployed up to 100 meters away from the wiring closet, and are fanless, meaning that they can be placed on or mounted under desktops and countertops, or even on a wall in your favorite home-office (note to loving wife).

Freak-me-out security features abound! The C-Series switches support Cisco’s TrustSec technology, which determines the role of users and devices in the network before granting resource access through defined policies. These switches are also PCI compliant for regulatory compliance of payment transactions. They encrypt all packets between the switch and the end device, blocking malicious snoops from eavesdropping between two endpoints. Optional security lock and cable guards to prevent theft of the switch and unauthorized access to the cables are also available.

Tools for simplified configuration and management, and QoS implementation for IP telephony and video are available, but I’m not sure if they are built-in or add-ons.  The switches can also be remotely managed, and support Cisco’s EnergyWise software for monitoring and managing energy consumption of attached devices.  EnergyWise turns off or powers down devices when they are not needed.

What will all this cost?  Pricing for the C-series ranges from $745 to $1,995.  I want one!!


Multiple Vulnerabilities in Cisco UVC

Cisco is reporting multiple vulnerabilities in its Unified Video Conferencing (Cisco UVC) 5100, 5200 and 3500 Series products.  There is currently no fix for these vulnerabilities and Cisco recommends limiting access to Cisco UVC web server to trusted hosts, disabling FTP, SSH, and Telnet services, and setting the Security Mode in the UVC web GUI to Maximum.

The complete list of affected products/versions, including detailed information about the vulnerabilities can be found here.

6 Cisco IOS Patches

Cisco has released a set of security updates for its switches and routers. There are 6 advisories in all, fixing 12 vulnerabilities. Each patch covers a different component of the Cisco IOS, including Cisco’s VPN software, the Session Initiation Protocol (SIP), Internet Group Management Protocol, and Network Address Translation (NAT) software.