AV:R/AC:L/Au:NR/C:P/I:P/A:N/B:N/E:F/RL:O/RC:C
-
Cisco Security Monitoring, Analysis and Response System versions prior to 4.2.3 and Cisco Adaptive Security Device Manager versions prior to 5.2(2.1) contain a vulnerability that could allow an unauthenticated, remote attacker to impersonate a device managed by the system.
The vulnerability exists because the devices to not properly validate SSL/TLS certificates or SSH public keys from managed devices. An unauthenticated, remote attacker could exploit this vulnerability to impersonate devices managed by the system. An attacker could leverage this to gain access to sensitive information, such as authentication credentials, or submit false data to the system.
Exploit code is not required to exploit this vulnerability.
Cisco confirmed the vulnerability with a security advisory and released updated software.
Because the affected applications do not validate the SSL/TLS certificates or SSH public keys presented by their managed devices, an attacker could set up a system with the same IP address as a vulnerable system and hope that a connection will be mistakenly made to the impersonating device rather than the legitimate one. This is a possibility, given the nature of IP routing, when there is more than one system on the network with the same IP address. However, erratic routing behavior is likely to result under these circumstances. Some packets may be sent to the legitimate system while others may be sent to the impersonator, making it harder for the attacker to obtain authentication credentials or to send misleading information.
-
Cisco has released a security advisory to address Cisco bug IDs CSCsf95930 and CSCsg78595 at the following link: cisco-sa-20070118-certs
Vulnerable Products
The following Cisco products are vulnerable:
Cisco Security Monitoring, Analysis and Response System versions prior to 4.2.3
Cisco Adaptive Security Device Manager versions prior to 5.2(2.1)Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Administrators are advised to apply the appropriate update.
Administrators of Cisco Adaptive Security Device Manager systems are advised to launch ASDM services using a web browser as opposed to the stand-alone ASDM Launcher.
Administrators are advised to configure IP-based ACLs on both affected systems and their managed systems to restrict connectivity to those systems from which connectivity is needed.
-
Cisco customers with active contracts can obtain updates for Cisco Security Monitoring, Analysis and Response System through the Software Center at the following link: CS-MARS4.2.3(2403). Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
Cisco is scheduled to release an update for Adaptive Security Device Manager on January 22 at the following link: ASDM 5.2(2.1)
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version Description Section Status Date 1.0 Initial Release NA Final 2007-Jan-18
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.