Cisco Security Advisory
Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
-
The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain multiple vulnerabilities that, if exploited, can result in any of the following impacts:
-
Administrative level access via default user names and
passwords
-
Privilege escalation
-
A denial of service (DoS) condition
Cisco has released free software updates available for affected customers. Workarounds that mitigate some of the vulnerabilities are available.
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-ace.
Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco 4700 Series Application Control Engine Device Manager and Application Networking Manager module software.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-anm
-
Administrative level access via default user names and
passwords
-
Vulnerable Products
The following table displays the products that are affected by each vulnerability that is described within this advisory.
Vulnerability
Products and Versions Affected
Cisco ACE 4710 Appliance
Cisco ACE Module
Default Usernames and Passwords
All versions prior to A1(8a)
All versions prior to A2(1.1)
Privilege Escalation Vulnerability
All versions prior to A1(8a)
All versions prior to A2(1.2)
Crafted SSH Packet Vulnerability
All versions prior to A3(2.1)
All versions prior to A2(1.3)
Crafted Simple Network Management Protocol version 2 (SNMPv2) Packet Vulnerability
All versions prior to A3(2.1)
All versions prior to A2(1.3)
Crafted SNMPv3 Packet Vulnerability
All versions prior to A1(8.0)
All versions prior to A2(1.2)
Determining Software Versions
To display the version of system software that is currently running on Cisco ACE Application Control Engine, use the show version command. The following example displays the output of the show version command on the Cisco ACE Application Control Engine software version A3(1.0):
ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html. Software loader: Version 0.95 system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0 system image file: (nd)/192.168.65.31/scimitar.bin Device Manager version 1.1 (0) 20080805:0415 ...
The following example displays the output of the show version command on a Cisco ACE Application Control Engine module software version A1(1):
ACE-mod/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html. Software loader: Version 12.2[117] system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1] system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin licensed features: no feature license is installed ...
Products Confirmed Not Vulnerable
The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected by any of the vulnerabilities that are described in this advisory. No other Cisco products are currently known to be affected by these vulnerabilities.
-
The Cisco ACE 4710 Application Control Engine appliance and the Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are a load-balancing and application-delivery solution for data centers. Multiple vulnerabilities exist in both products. The following information provides the details about each of the vulnerabilities that are addressed in this advisory.
Default Usernames and Passwords
Versions of the Cisco ACE 4710 Application Control Engine appliance prior to software version A1(8a) use default administrator, web management, and device management account credentials. Similarly, software versions of the Cisco ACE Application Control Engine Module prior to software version A2(1.1) use default administrator and web management credentials. The appliance and module do not prompt users to modify system account passwords during the initial configuration process. An attacker with knowledge of these accounts could modify the application configuration and, in certain instances, gain user access to the host operating system.
This vulnerability is documented in the following Cisco Bug IDs and have been assigned the following Common Vulnerability and Exposures (CVE) IDs:
-
Cisco ACE Application Control Engine Module:
CSCsq43828
(
registered customers only)
- CVE-2009-0620
-
Cisco ACE Application Control Engine Appliance:
CSCsq43229
(
registered customers only)
- CVE-2009-0621
A third account is used for the Cisco 4700 Series Application Control Engine Appliance Device Manager also uses default credentials. Only the Cisco ACE 4710 Application Control Engine appliance is affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsq32379 ( registered customers only) and has also been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621.
Privilege Escalation Vulnerability
A vulnerability exists in versions of the Cisco ACE 4710 Application Control Engine appliance prior to A1(8a) and the Cisco ACE Application Control Engine Module prior to version A2(1.2). An authenticated user could exploit this vulnerability to invoke administrative commands via the device command line interface (CLI).
This vulnerability is documented in the following Cisco Bug IDs:
-
Cisco ACE Application Control Engine Module:
CSCsq48546
(
registered customers only)
-
Cisco ACE 4710 Application Control Engine Appliance:
CSCsq09839
(
registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0622.
Crafted SSH Packet Vulnerability
A vulnerability exists in the Cisco ACE 4710 Application Control Engine appliance prior to software version A3(2.1) and the Cisco ACE Application Control Engine Module prior to software version A2(1.3). An attacker could exploit this vulnerability to cause the device to reload by sending a crafted SSH packet to it.
Note: SSH access must be configured on the affected device for it to be vulnerable. SSH access is not enabled by default. A full TCP three-way handshake is not necessary to trigger the effects of this vulnerability.
This vulnerability is documented in the following Cisco Bug IDs:
-
Cisco ACE Application Control Engine Module:
CSCsv01877
(
registered customers only)
-
Cisco ACE 4710 Application Control Engine Appliance:
CSCsv01738
(
registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0623.
Crafted SNMPv2c Packet Vulnerability
A vulnerability exists in the Cisco ACE 4710 Application Control Engine appliance prior to software version A3(2.1) and the Cisco ACE Application Control Engine Module prior to software version A2(1.3). An authenticated attacker could send a crafted SNMPv1 packet to an affected device to cause it to reload. Although, this vulnerability is triggered by an SNMPv1 packet, the device must be configured for SNMPv2c.
Note: SNMPv2c must be explicitly configured in an affected device in order to process any SNMPv2c transactions. SNMPv2c is not enabled by default.
This vulnerability is documented in the following Cisco Bug IDs:
-
Cisco ACE Application Control Engine Module:
CSCsu36038
(
registered customers only)
-
Cisco ACE 4710 Application Control Engine Appliance:
CSCsu47876
(
registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0624.
Crafted SNMPv3 Packet Vulnerability
A vulnerability exists in the Cisco ACE 4710 Application Control Engine appliance prior to software version A1(8.0) and the Cisco ACE Application Control Engine Module prior to software version A2(1.2) where an attacker might cause the device to reload by sending a crafted SNMPv3 packet to it.
Note: SNMPv3 must be explicitly configured in an affected device in order to process any SNMPv3 transactions. SNMPv3 is not enabled by default.
This vulnerability is documented in the following Cisco Bug IDs:
-
Cisco ACE Application Control Engine Module:
CSCsq45432
(
registered customers only)
-
Cisco ACE 4710 Application Control Engine Appliance:
CSCso83126
(
registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0625.
-
Cisco ACE Application Control Engine Module:
CSCsq43828
(
registered customers only)
- CVE-2009-0620
-
This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other.
Default Usernames and Passwords
To change the default administrative password, use the username command in configuration mode. The syntax of this command is as follows:
username admin [password [0 | 5] {password}]
The keywords, arguments, and options are:
admin--Specifies the default administrative user name.
password--(Optional) Keyword that indicates that a password follows.
0--(Optional) Specifies a clear text password.
5--(Optional) Specifies an MD5-hashed strong encryption password.
password--The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. Enter a password as an unquoted text string with a maximum of 64 characters.
For example, to create a user named admin that uses the clear text password my_super_secret_88312, enter the following command:
ACE(config)# username admin password 0 my_super_secret_88312
Note: This process can also be followed to change the www user account credentials. The dm user is for accessing the Device Manager GUI and cannot be modified or deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI. For more information refer to: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html
Privilege Escalation Vulnerability
There are no workarounds for this vulnerability.
Crafted SSH Packet Vulnerability
SSH management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH packets that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SSH access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address.
The following example demonstrates how SSH access to the ACE is only allowed from the 192.168.100.1 host:
!-- Configure a class to allow SSH from the trusted source ! class-map type management match-all Permit_SSH_Class description Allow SSH from trusted sources Class match protocol ssh source-address 192.168.100.1 255.255.255.255 ! !-- Configure a management policy that allows ssh from the !--trusted source configured in the above class ! policy-map type management first-match Permit_SSH_Policy description Allow SSH from trusted sources Policy class Permit_SSH_Class permit ! !-- Apply the management policy globally ! service-policy input Permit_SSH_Policy
Additional information about "Configuring SSH Management Sessions" is available at:
Additional information about "Configuring Class Maps and Policy Maps" is available at:
Warning: It is possible to easily spoof the sender's IP address, which may defeat class maps and access control lists (ACLs) that permit communication to the device from trusted IP addresses.
Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities
SNMP management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SNMP packets on UDP port 161 that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SNMP access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address.
!-- Configure a class to allow SNMP from the trusted source ! class-map type management match-all Permit_SNMP_Class description Allow SNMP from trusted sources Class 2 match protocol snmp source-address 192.168.100.1 255.255.255.255 ! !-- Configure a management policy that allows snmp from the !--trusted source configured in the above class ! policy-map type management first-match Permit_SNMP_Policy description Allow SNMP from trusted sources Policy class Permit_SNMP_Class permit !-- Apply the management policy globally ! service-policy input Permit_SNMP_Policy
Additional information about "SNMP Management Traffic Services" is available at:
Additional information about "Configuring Class Maps and Policy Maps" is available at:
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the software table (below) describes the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
Vulnerability
Products and Versions Affected
Cisco ACE 4710 Appliance
Cisco ACE Module
First Fixed Release
Recommended Release
First Fixed Release
Recommended Release
Default Usernames and Passwords
A1(8a)
A3(2.1)
A2(1.1)
A2(1.3)
Privilege Escalation Vulnerability
A1(8a)
A3(2.1)
A2(1.2)
A2(1.3)
Crafted SSH Packet Vulnerability
A3(2.1)
A3(2.1)
A2(1.3)
A2(1.3)
Crafted SNMPv2 Packet Vulnerability
A3(2.1)
A3(2.1)
A2(1.3)
A2(1.3)
Crafted SNMPv2 Packet Vulnerability
A1(8.0)
A3(2.1)
A2(1.2)
A2(1.3)
Cisco ACE module software can be downloaded from:
https://sec.cloudapps.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289
Cisco ACE 4710 Application Control Engine appliance software can be downloaded from:
https://sec.cloudapps.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
2009-March-09
Clarified information about SNMPv2c packets in the Crafted SNMPv2c Packet Vulnerability section.
Revised information about the password argument in the Default Usernames and Passwords section.
Revision 1.0
2009-February-25
Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.