[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Cisco Security Advisory: Cisco Device Manager Command Execution Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Cisco Security Advisory: Cisco Device Manager Command Execution Vulnerability
From: Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>
Date: Wed, 24 Apr 2013 12:00:58 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Device Manager Command Execution Vulnerability

Advisory ID: cisco-sa-20130424-fmdm

Revision 1.0

For Public Release 2013 April 24 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Device Manager contains a vulnerability that could allow an 
unauthenticated, remote attacker to execute arbitrary commands on a client host 
with the privileges of the user. This vulnerability affects Cisco Device 
Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches when 
it is installed or launched via the Java Network Launch Protocol (JNLP) on a 
host running Microsoft Windows.

Cisco Device Manager installed or launched from Cisco Prime Data Center Network 
Manager (DCNM) or Cisco Fabric Manager is not affected. This vulnerability can 
only be exploited if the JNLP file is executed on systems running Microsoft 
Windows. The vulnerability affects the confidentiality, integrity, and 
availability of the client host performing the installation or execution of 
Cisco Device Manager via JNLP file. There is no impact on the Cisco MDS 9000 
Family or Cisco Nexus 5000 Series Switches.

Cisco has released free software updates that address this vulnerability in the 
Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000 
Series Switches have discontinued the support of the Cisco Device Manager 
installation via JNLP and updates are not available.

Workarounds that mitigate this vulnerability are available. This advisory is 
available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)

iF4EAREKAAYFAlF30BoACgkQUddfH3/BbTqARAD/efkFacOaSLxRk1eDkaVfrALV
AzYT3xCcMQuWgc/OracA/01zIEtNJKdRu3tCK010hX7w2fdPH/D/RdUF7TFo885Z
=u8iM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
Next by Date: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Computing System
Previous by thread: [Full-disclosure] hornbill supportworks sql injection
Next by thread: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Computing System
Index(es):
- Date
- Thread