-
Versions 1.0 and 1.1 of the Cisco Resource Manager (CRM) create log files and temporary files on the management station which contain potentially sensitive information. These files are not protected using operating system mechanisms, and are therefore readable by all users of the system on which CRM is installed. The information exposed includes the usernames, passwords, and SNMP community strings used by CRM to gain access to the devices being managed.
Users who have access to the computer on which CRM is installed may gain access to information which gives them unauthorized access to the managed routers and switches. This affects both Solaris and Windows NT systems.
There are workarounds for this problem, and a patch is available for CRM 1.1. There is no patch for CRM 1.0. Other than to install the patch, the most effective solution for most installations is simply to deny untrusted users any access to the computer on which CRM is installed or to its file systems.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980813-crmtmp.
-
This section provides details on affected products.
Vulnerable Products
All customers who run Cisco Resource Manager 1.1 or 1.0, and who allow untrusted users access to the computer on which CRM is run or to its file systems, are affected by these vulnerabilities.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Several different unprotected files may contain sensitive information. Applicable Cisco bug IDs include:
-
CSCdk13298
-
CSCdk13579
-
CSCdk14992
-
CSCdk14993
These issues are described in this section.
Remote Access Logs (CSCdk13298)
Cisco Resource Manager is capable of logging a great deal of detailed information for debugging purposes. Debugging is ordinarily under control of the administrator. However, a software error in CRM 1.0 and 1.1 causes debugging to be enabled at all times. The debugging information collected may include usernames and passwords used to log into managed devices, SNMP community strings, and enable passwords. The files containing this information are readable by any user of the computer on which CRM is run.
The log files containing the offending data are:
-
/var/adm/CSCOpx/files/schedule/job-id/swim_swd.log (Solaris)
C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log (Windows NT).
These files are created by software distribution jobs scheduled with "Distribute Images". Each job has its own subdirectory (designated by "job-id" above) and its own log file.
-
/tmp/swim_debug.log (Solaris) C:\Program
Files\CSCOpx\temp\swim_debug.log (Windows NT).
This file is used for logging debugging information from Software Image Manager functions, such as "Import image from File System/Device", Job administration and History administration.
This file is used for logging debugging information from Software Image Manager functions, such as "Import image from File System/Device", Job administration and History administration.
Database Update Logs (CSCdk13579)
The "Local/Remote Import", "Import from File", "Add Devices", and "Change Device Attributes" functions all record debugging information in files readable to any user of the computer on which CRM is run. This information may include usernames, login passwords, SNMP community strings, and/or enable passwords.
The offending information is recorded in a log file named "dbi_debug.log", which is located in /tmp on Solaris systems and in C:\Program Files\CSCOpx\temp on Windows NT systems.
Import Temporary Files (CSCdk14992, CSCdk14993)
The "Local/Remote Import" functions, which are used to load data into the CRM database from databases maintained by other network management tools, create temporary files containing usernames, login passwords, community strings, and enable passwords. The files are readable to any user of the computer on which CRM is run. The files exist only for a short time during the information gathering phase of an import operation, and are automatically deleted upon successful completion of the operation. However, should the information gathering phase of the operation fail because of some system error, the files would not be deleted.
The offending files have names beginning with "DPR_", and are stored in "/tmp" on Solaris systems and in "C:\Program Files\CSCOpx\temp" on Windows NT systems.
-
CSCdk13298
-
This section describes workarounds for these issues:
-
CSCdk13298
-
CSCdk13579
-
CSCdk14992
-
CSCdk14993
Workarounds for CSCdk13298
The simplest and most effective workaround for this vulnerability is to prevent untrusted users from having access to the computer on which CRM is being run or to the file systems on which the log files are stored. The file systems in question should not be shared over a network of any kind.
If the computer on which CRM is being run must be shared, then the files in question must be protected from access by untrusted users. This may be done by issuing the following Solaris commands while running as "root" or "bin":
chmod 700 /var/adm/CSCOpx/files/schedule chmod 700 /tmp/swim_debug.log
Note: Each time your system is rebooted, you will need to change the permissions on /tmp/swim_debug.log.
Note: There is no analogous workaround for Windows NT systems.
Workaround for CSCdk13579
The simplest and most effective workaround for this vulnerability is to prevent untrusted users from having access to the computer on which CRM is being run or to the file systems on which the log files are stored. The file systems in question should not be shared over a network of any kind.
If the computer on which CRM is run must be shared, the file "/tmp/dbi_debug.log" or "C:\Program Files\CSCOpx\temp\dbi_debug.log" should be deleted after any change to device attributes. Note that a window of vulnerability will exist between the time at which the database update is performed and the time at which the file is deleted. It may be desirable to deny access to untrusted users during this window, even though they may be given access to the system at other times.
Workaround for CSCdk14992/CSCdk14993
The only effective workaround for CSCdk14992 and CSCdk14993 is to deny untrusted users access to the system on which CRM is run during any import operation. Cisco believes that such operations are sufficiently uncommon to make this a viable option.
-
CSCdk13298
-
Cisco has modified the CRM software to eliminate all of the vulnerabilities described in this notice. The first regular release containing the modifications will be CRM version 2.0, which is tentatively scheduled for release in early October, 1998. This schedule is subject to change.
Customers who do not wish to wait for CRM version 2.0 may install the CRM SWIM package version 1.1.1. The CRM SWIM package version 1.1.1 is a patched version, identical to the SWIM package in CRM version 1.1, but containing a fix for bug ID CSCdk13298, which Cisco believes to be the vulnerability most disruptive to day-to-day system operation. The other vulnerabilities listed in this notice are not addressed by the CRM SWIM package 1.1.1.
Customers with service contracts may obtain updates through their usual channels; those who are registered users of CCO (Cisco's Worldwide Web site) may download the CRM SWIM package version 1.1.1 update from CCO. Go to http://www.cisco.com/pcgi-bin/tablebuild.pl/crm-packages. You must be a registered Cisco customer and logged into CCO to obtain this update via the web.
Customers without service contracts should contact the Cisco TAC for assistance. The CRM SWIM package 1.1.1 patch (but not the CRM 2.0 upgrade) will be made available free of charge to all CRM customers, regardless of service contract status. Please reference the URL of this notice as evidence of your entitlement to the patch.
There will be no patched version of CRM 1.0. CRM 1.0 customers are eligible for free upgrades to CRM 1.1 and the CRM SWIM package version 1.1.1. Customers who wish to continue to use CRM 1.0 are strongly encouraged to prevent all access by untrusted users to the computers on which they run CRM or to those computers' file systems.
-
Cisco has had no reports of malicious exploitation of the vulnerabilities listed in this notice.
Cisco knows of no public announcements of these vulnerabilities before the date of this notice.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.