[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities

Advisory ID: cisco-sa-20111019-sns

Revision 1.0

For Public Release 2011 October 19 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Cisco Show and Share webcasting and video sharing application
contains two vulnerabilities.

The first vulnerability allows an unauthenticated user to access
several administrative web pages.

The second vulnerability permits an authenticated user to execute
arbitrary code on the device under the privileges of the web server
user account.

Cisco has released free software updates that address these
vulnerabilities.

There are no workarounds available for these vulnerabilities.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-sns

Note:Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is:
http://tools.cisco.com/security/center/publicationListing 
You can also navigate to this page from the CiscoProducts and Services
menu of the Cisco Security Intelligence Operations (SIO) Portal.
Following this transition, new Cisco Security Advisories and Responses
will be published to the new location. Although the URL has changed,
the content of security documents and the vulnerability policy are not
impacted. Cisco will continue to disclose security vulnerabilities in
accordance with the published Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities affect all versions of Cisco Show and Share
prior to the first fixed releases as indicated in the Software
Version and Fixes section of this Cisco Security Advisory.

To determine the Cisco Show and Share Software release that an
appliance is running, administrators can log in to the Appliance
Administrative Interface (AAI), and access the main menu. The
software version is identified next to the Cisco Show and Share
field. The following example identifies a Cisco Show and Share
appliance running version 5.2.2

     Cisco Show and Share Application Administration Interface
                                     Main Menu
       IP: 192.168.0.1

       Cisco Show and Share 5.2.2
       http://sns.example.com/vportal



            SHOW_INFO               Show system information.
            BACKUP_AND_RESTORE      Back up and restore.
            APPLIANCE_CONTROL       Configure advance options
            NETWORK_SETTINGS        Configure network parameters.
            DATE_TIME_SETTINGS      Configure date and time
            CERTIFICATE_MANAGEMENT  Manage all certificates in the system




                           <  OK   >           <LOG OUT>


Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

  * Cisco Video Portal

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Cisco Show and Share is a webcasting and video sharing application
that helps organizations create secure video communities to share
ideas and expertise, optimize global video collaboration, and
personalize the connection between customers, employees, and students
with user-generated content.

Cisco Show and Share provides the ability to create live and
on-demand video content, and define who can watch specific content.
It offers viewer collaboration tools such as commenting, rating, and
word tagging, and provides comprehensive access reporting.

Cisco Show and Share contains the following vulnerabilities:

  * Anonymous users can access some administration pages

    Several administrative web pages of the Cisco Show and Share can
    be accessed without prior user authentication. These include
    pages for accessing Encoders and Pull Configurations, Push
    Configurations, Video Encoding Formats, and Transcoding. 

    This vulnerability is documented in Cisco Bug ID CSCto73758, and has
    been assigned CVE identifier CVE-2011-2584.

  * Cisco Show and Share arbitrary code execution vulnerability

    An authenticated user with privileges to upload videos could
    upload code that could then be executed under the privileges of
    the web server.
    Note: The web server runs as a non-root user.  Details regarding
    the impact of accessing each one of these administrative pages
    are included in the Impact section of this Cisco Security
    Advisory.

    This vulnerability is documented in Cisco Bug ID CSCto69857, and has
    been assigned CVE identifier CVE-2011-2585.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html


Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss 



* CSCto73758 - Anonymous users can access some administration pages 

CVSS Base Score - 7.5
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   Partial
    Integrity Impact -         Partial
    Availability Impact -      Partial

CVSS Temporal Score - 6.2
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed



* CSCto69857 - Cisco Show and Share arbitrary code execution 

CVSS Base Score - 6.5
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           Single
    Confidentiality Impact -   Partial
    Integrity Impact -         Partial
    Availability Impact -      Partial

CVSS Temporal Score - 5.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed


Impact
======

These vulnerabilities have the following impact on Cisco Show and
Share:

  * CSCto73758: Anonymous users can access some administration pages
    Several administrative web pages of the Cisco Show and Share can
    be accessed without prior user authentication. The impact of the
    different administrative web pages include:

    Encoders Configurations
    +----------------------
    The Encoders Configuration pages have a direct impact on live
    events. If all of the encoders from the encoders' configurations
    are removed, then a live event cannot be created. An encoder or a
    push configuration is required in order for a live event to be
    created. This page also reveals information about the encoders,
    such as Encoder IP Address and associated username.

    Push Configurations
    +------------------
    The Push Configurations and Encoders Configuration pages have a
    direct impact on live events. If all of the encoders of push
    configurations are removed, then a live event cannot be created.
    An encoder or a push configuration is required in order for a
    live event to be created.

    Video Encoding Formats
    +---------------------
    Video encoding formats have a direct impact on the encoders. Even
    with an encoder or a push configuration configured, if no video
    format is specified then the encoder cannot encode the video
    stream for the live event.


    Transcoding
    +----------
    This page does not have a direct impact on live events or the
    encoders. This page will only set a task to be executed for
    transcoding. Transcoding is a process of deriving digital media
    files that use one codec from digital media files that use a
    different codec; the source file is not changed or destroyed. If
    all tasks are removed the set task for transcoding will not be
    executed.

  * CSCto69857: Cisco Show and Share arbitrary code execution
    vulnerability
    An authenticated user may upload arbitrary code that can be
    executed on the appliance with the same privileges as the web
    server.

Software Versions and Fixes
===========================

When considering software upgrades, also consult:
http://www.cisco.com/go/psirt 
And any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the software table (below) names a Cisco SnS release
train. If a given release train is vulnerable, then the earliest
possible releases that contains the fix (along with the anticipated
date of availability for each, if applicable) are listed in the
"First Fixed Release" column of the table. The "Recommended Release"
column indicates the releases which have fixes for all the published
vulnerabilities at the time of this Advisory. A device running a
release in the given train that is earlier than the release in a
specific column (less than the First Fixed Release) is known to be
vulnerable. Cisco recommends upgrading to a release equal to or later
than the release in the "Recommended Releases" column of the table.

Each row of the software table (below) names a Cisco Show and Share
release train. If a given release train is vulnerable, then the
earliest possible releases that contains the fix are listed in the
"First Fixed Release" column of the table. A device running a release
in the given train that is earlier than the "First Fixed Release" is
known to be vulnerable. Cisco recommends upgrading to a release equal
to or later than the release in the "First Fixed Release" column of
the table.

WARNING: Please read the release notes on Cisco Show and Share
version 5.2(3) regarding MCS Server Appliance support.

The following MCS Server Appliances are not supported in Cisco Show
and Share version 5.2(3), and administrators should use a recommended
release of 5.2(2.1) or later:

  * MCS 7825-H2
  * MCS 7825-H3
  * MCS 7835-H1
  * MCS 7835-H2

For further information for support MCS Server Appliances consult the
release notes for Cisco Digital Media Suite 5.2.x at the following
link: 
http://www.cisco.com/en/US/docs/video/digital_media_systems/5_x/5_2/dms/release/notes/dms52rn.html#wp232018

+-------------------------------------------------------------------+
| Cisco Show and Share Release  |        First Fixed Release        |
|-------------------------------+-----------------------------------|
| 5(2)                          | Vulnerable; migrate to 5.2(2.1)   |
|-------------------------------+-----------------------------------|
| 5.2(1)                        | Vulnerable; migrate to 5.2(2.1)   |
|-------------------------------+-----------------------------------|
| 5.2(2)                        | 5.2(2.1)                          |
|-------------------------------+-----------------------------------|
| 5.2(3)                        | Not Vulnerable                    |
+-------------------------------------------------------------------+

Note: Read the WARNING provided above regarding Cisco Show and Share
version 5.2(3).

Cisco Show and Share software upgrades, can be download from: 
http://www.cisco.com/cisco/software/type.html?mdfid=280171242&catid=268438145

Workarounds
===========

There are no workarounds for these vulnerabilities.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Or as otherwise set forth at Cisco.com Downloads at:
 http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@xxxxxxxxx or security-alert@xxxxxxxxx for
software upgrades

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at:
http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@xxxxxxxxx

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

These vulnerabilities were discovered and reported to Cisco Systems
by Andy Yang and Mehdi Kiani of stratsec.

Status of this Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.


Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-sns

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@xxxxxxxxx
  * first-teams@xxxxxxxxx
  * bugtraq@xxxxxxxxxxxxxxxxx
  * vulnwatch@xxxxxxxxxxxxx
  * cisco@xxxxxxxxxxxxxxxxx
  * cisco-nsp@xxxxxxxxxxxxxxx
  * full-disclosure@xxxxxxxxxxxxxxxxx
  * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.


Revision History
================

+-------------------------------------------------------------------+
| Revision 1.0   | 2011-October-19    | Initial public release.     |
+-------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAk6ezG8ACgkQQXnnBKKRMNBC+wEAgw1X2jVS3rGMxCoAV7aZT2c/
V8mwj1IYOTyc++V/D4gA/jhvG+FAUN0Uh2j3wKuBhiM+djeLpfjpzRgkErdiM0zj
=isVi
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/