Cisco Security Advisory
Hardening of Solaris OS for MGC
-
The Media Gateway Controller (MGC) product is installed on top of the Solaris operating system. In the default installation, Solaris has several known security vulnerabilities. To prevent them from being exploited, customers must install the updated packages CSCOh007 and CSCOh013. These packages contain the latest Solaris patches and additional hardening of the Solaris OS.
These vulnerabilities have been exploited, and PSIRT knows of a few cases where customers' systems running SC2200 have been compromised.
We are investigating other products that are based on Solaris.
There is no workaround.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020807-solaris-mgc.
-
This section provides details on affected products.
Vulnerable Products
The following products are affected:
- SC2200: All systems running Solaris 2.6 (through release 7.4(x))
- VSC3000: All systems running Solaris 2.6 (through release 9.1(x))
- PGW 2200: All systems running Solaris 2.6 (through release 9.1(x))
- Billing and Management Server (BAMS): All systems running Solaris 2.6
- Voice Services Provisioning Tool (VSPT): All systems running Solaris 2.6
We are investigating other Solaris-based products.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The following issues are covered by this advisory:
- Installing the latest verified patches for the Solaris OS
- Securing the default Solaris OS installation
- Detecting the signs of a computer compromise
In order to guarantee the stability of the application, Cisco must perform regression testing with all new patches installed. We evaluate every new Solaris patch and, depending on its severity for the overall system, new patches are provided either periodically or as soon as testing is finished.
Cisco provides a different patch bundle depending on the Solaris version. Patches for Solaris 2.6 are provided in the package CSCOh007.pkg.
The second issue is the security of the default Solaris installation. By default, Solaris is installed with many services. Some of these services are known to have security issues. In order to minimize security exposure, we strongly advise that you disable these services using the CSCOh013.pkg package.
The provided patches and the script will not help you if the computer was already compromised. To establish whether your computer has been compromised, consult the document at http://www.cert.org/security-improvement/modules/m09.html. If you are in doubt regarding this issue, you may open a case with TAC and ask for further clarification of your results. The only way to guarantee that your computer is not compromised is to reinstall Solaris and the application from scratch.
-
Installing the latest verified patches for the Solaris OS
-
There is no workaround. Although the user may perform all the steps that are automated in packages CSCOh007.pkg and CSCOh013.pkg, Cisco strongly discourages that. In order to guarantee the stability of the solution, Cisco must perform regression testing. By removing a subsystem or installing a patch, the customer may render the system unstable or inoperative.
-
The issues are fixed with the following packages:
- SC2200, all releases up to and including 7.4(x): MGCSOL-h007.bin and MGCSOL-h013.bin
- VSC3000, all releases up to and including release 9.1(x): MGCSOL-h007.bin and MGCSOL-h013.bin
- PGW 2200, all releases up to and including release 9.1(x): MGCSOL-h007.bin and MGCSOL-h013.bin
- Billing and Management Server (BAMS), all systems running Solaris 2.6: MGCSOL-h007.bin only
- Voice Services Provisioning Tool (VSPT), all systems running Solaris 2.6: MGCSOL-h007.bin only
To follow the software links below, you must be a registered user and you must be logged in.
Since the vulnerabilities are in the underlying operating system, customers do not have to change or upgrade their application. The updated packages are MGCSOL-h007.bin (CSCOh007.pkg) and MGCSOL-h013.bin (CSCOh013.pkg). Their version is 1.0.7.
To follow the link below, you must be a registered user and you must be logged in.
Customers of the products listed above should check http://www.cisco.com/pcgi-bin/tablebuild.pl/mgc-sol periodically for updates that apply to the Solaris OS used in the listed products. Instructions on the application of these Solaris packages are covered in the Cisco MGC Software Release (7 or 9) Installation & Configuration Guide. See the section entitled "Installing the Operating System Software."
To make these Solaris software packages easier to find, the information has also been linked to the Voice Software Center under each applicable software release of the Media Gateway Controller, BAMS and VSPT. This information can be located at http://www.cisco.com/public/sw-center/sw-voice.shtml.
The Release Notes for the Solaris 2.6 packages are at http://www.cisco.com/univercd/cc/td/doc/product/access/sc/rel9/relnote/sol26rn.htm.
-
A few customers had their computers compromised through exploitation of some of the known vulnerabilities in Solaris. PSIRT has no evidence that these computers were targeted because of the role they play. The intruders seem to be oblivious of the computers' real purpose.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.