Cisco Security Advisory
Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
-
Multiple vulnerabilities exist in the Cisco Application Networking Manager (ANM) and Cisco Application Control Engine (ACE) Device Manager applications. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access.
This security advisory identifies the following vulnerabilities:
- ACE Device Manager and ANM invalid directory permissions vulnerability
- ANM default user credentials vulnerability
- ANM MySQL default credentials vulnerability
- ANM Java agent privilege escalation
Cisco has released software updates that address these vulnerabilities. A workaround that mitigates one of the issues is available.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-anm.
Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090225-ace.
-
Vulnerable Products
The following are the products and versions affected by each vulnerability described within this advisory.
| Vulnerability | Product Affected | Version Affected |
|---|---|---|
| Invalid Directory Permissions | ACE Device Manager | All versions prior to A3(2.1) |
| Invalid Directory Permissions | ANM | All versions prior to ANM 2.0 |
| Default User Credentials | ANM | All versions prior to ANM 2.0 |
| MySQL Default Credentials | ANM | All versions prior to ANM 2.0 |
| Java Agent Privilege Escalation | ANM | All versions prior to ANM 2.0 Update A |
Determining ACE Device Manager Software Version
The ACE Device Manager is embedded with the ACE appliance software.
To display the version of system software that is currently running on the device, use the show version command. The following example includes the output of the show version command on a Cisco ACE appliance running software version A3(2.1):
    ACE-4710/Admin# show version
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
    Software
      loader: Version 0.95
      system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1]
      system image file: (nd)/192.168.65.32/scimitar.bin
      Device Manager version 1.1 (0) 20081113:2052
Determining ANM Software Version
To display the version of ANM software that is currently installed, log in to the ANM server and select the About keyword in the upper right. An informational pop-up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below.
    Version: 2.0(0), Update: A
    Build Number: 709
    Build Timestamp: 20081031:1226
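Added example (not part of the original advisory and not Cisco code): a triage helper that parses the two version strings shown above and lists which of this advisory's issues still apply, using the thresholds from the Vulnerable Products table. The function names, the tuple ordering used to compare releases, and the assumption that older ANM releases print the same "Version: X.Y(Z), Update: L" layout are assumptions of this example.

```python
import re

# Fixed-release thresholds from this advisory's tables. Tuple layouts and their
# ordering are assumptions of this example, not a Cisco-defined scheme.
ACE_DM_FIXED = {"Invalid Directory Permissions": (3, 2, 1, "")}   # A3(2.1)
ANM_FIXED = {
    "Invalid Directory Permissions": (2, 0, 0, 0),     # ANM 2.0
    "Default User Credentials": (2, 0, 0, 0),
    "MySQL Default Credentials": (2, 0, 0, 0),
    "Java Agent Privilege Escalation": (2, 0, 0, 1),   # ANM 2.0 Update A
}

def parse_ace(show_version):
    """Return (major, x, y, suffix) from the 'system: Version A3(2.1)' line."""
    m = re.search(r"system:\s+Version\s+A(\d+)\((\d+)(?:\.(\d+))?([a-z]?)\)",
                  show_version)
    return (int(m[1]), int(m[2]), int(m[3] or 0), m[4]) if m else None

def parse_anm(about):
    """Return (major, minor, patch, update_rank); no update -> 0, 'A' -> 1."""
    m = re.search(r"Version:\s*(\d+)\.(\d+)\((\d+)\)(?:,\s*Update:\s*([A-Z])\b)?",
                  about)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), ord(m[4]) - 64 if m[4] else 0)

def affected(product, version):
    """List advisory issues whose first fixed release is newer than `version`."""
    if version is None:
        raise ValueError("version string not recognised; check manually")
    table = ACE_DM_FIXED if product == "ace" else ANM_FIXED
    return sorted(name for name, fixed in table.items() if version < fixed)

# Sample strings: the first two are the advisory's own example output (trimmed);
# the last two are constructed for illustration.
SAMPLES = [
    ("ace", "loader: Version 0.95 system: Version A3(2.1) [build 3.0(0)A3(2.1)]"),
    ("anm", "Version: 2.0(0), Update: A Build Number: 709"),
    ("ace", "system: Version A3(1.0) [build constructed]"),
    ("anm", "Version: 2.0(0) Build Number: 000"),
]

if __name__ == "__main__":
    for product, text in SAMPLES:
        parse = parse_ace if product == "ace" else parse_anm
        print(product, parse(text), affected(product, parse(text)) or "fixed")
```

An unrecognised string raises an error instead of reporting "fixed", so an unexpected output format is never read as a patched system.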
Products Confirmed Not Vulnerable
The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.
-
ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer-provided servers with a Red Hat Enterprise Linux operating system. The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance. Multiple vulnerabilities exist in ANM and one exists in the ACE Device Manager. The following details are provided for each vulnerability addressed in this security advisory.
Invalid Directory Permissions
Versions of the Cisco ACE Device Manager prior to software version A3(2.1) and Cisco ANM prior to software version ANM 2.0 contain directory traversal vulnerabilities. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. Exploiting these vulnerabilities requires authentication to initially access either product.
This vulnerability is documented in the following Cisco Bug IDs:
- CSCsv66063 (registered customers only)
- CSCsv70130 (registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615.
Default User Credentials
Versions of Cisco ANM prior to software version ANM 2.0 do not force credential changes during installation. If these credentials are left unchanged, this could allow unauthorized access to the ANM application with default user credentials.
This vulnerability is documented in the following Cisco Bug ID:
- CSCsu52724 (registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616.
MySQL Default Credentials
ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. Unauthorized access to the database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. The ACE appliance and module device configuration files in the MySQL database are encrypted.
This vulnerability is documented in the following Cisco Bug ID:
- CSCsu52632 (registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617.
Java Agent Privilege Escalation
ANM versions prior to ANM 2.0 Update A contain a remotely exploitable vulnerability that could allow an attacker to view configuration files and modify ANM processes, including the capability to stop services. Exploitation of this issue could result in system information disclosure or denial of service.
This vulnerability is documented in the following Cisco Bug ID:
- CSCsu73001 (registered customers only)
This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618.
-
While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability.
ANM Default User Credentials
The ANM user admin account password may be modified after installation by following the procedures documented for Changing the Admin Password located in the ANM User Guide.
Applied Mitigation Bulletin
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release that has fixes for all the published vulnerabilities at the time of this Advisory.
| Vulnerability | First Fixed Release | Recommended Release |
|---|---|---|
| ACE Device Manager Invalid Directory Permissions | A3(2.1) | A3(2.1) |
| ANM Invalid Directory Permissions | ANM 2.0 | ANM 2.0 Update A |
| ANM Default User Credentials | ANM 2.0 | ANM 2.0 Update A |
| ANM MySQL Default Credentials | ANM 2.0 | ANM 2.0 Update A |
| ANM Java Agent Privilege Escalation | ANM 2.0 Update A | ANM 2.0 Update A |
ANM 2.0 Update A can be downloaded from ANM 2.0 UPDATE A.
ACE Device Manager A3(2.1) can be downloaded from ACE A3(2.1).
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability.
The remaining vulnerabilities were identified through internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0 | 2009-February-25 | Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.