-
CiscoWorks Common Management Foundation (CMF), also packaged as part of CiscoWorks CD One, provides an application infrastructure foundation, allowing all CiscoWorks applications to share a common model for data storage, login, user role definitions, access privileges, and security protocols, as well as for navigation and launch management.
Two vulnerabilities exist in CiscoWorks CMF versions prior to and including 2.1. The first vulnerability is a privilege escalation vulnerability where a guest user may obtain administrative privileges within the application via a specially crafted URL. The second vulnerability is an ability to run arbitrary commands on the CiscoWorks server due to an error in processing user input.
Cisco is making patches available for CMF versions 2.0 and 2.1, free of charge, to correct the problem.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030813-cmf.
-
Vulnerable Products
The following products are affected:
- All versions of CiscoWorks CD One (1st through 5th editions)
- Resource Manager Essentials (RME) versions 2.0, 2.1, and 2.2
- Cisco Resource Manager (CRM) versions 1.0 and 1.1
CiscoWorks CD One is included as the base for all CiscoWorks management solutions, such as the LAN Management Solution, Routed WAN Management Solution, Small Network Management Solution, and VPN/Security Management Solution.
To determine the version of the Common Management Foundation which is installed, navigate through the menus within CiscoWorks starting with the tab on the left titled "Server Configuration" and locate the screen titled "Applications and Versions" under the folder named "About the Server". Look for the entry in the table labeled "Common Management Foundation" and the corresponding version.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
The first vulnerability allows a non-privileged user of the CiscoWorks application, including the guest account if enabled, to send a specially crafted URL to the CiscoWorks server to acquire administrative privileges without authentication. Cisco Bug ID CSCdy33916 describes this vulnerability.
The second vulnerability permits an authenticated user of the CiscoWorks application to run arbitrary commands on the CiscoWorks server as "casuser", the username under which the application runs. Cisco Bug ID CSCea15281 describes this vulnerability.
-
- CSCdy33916— The guest user account may be disabled, limiting the exposure to only the trusted users of the CiscoWorks server. However, a software upgrade or patch is required to completely resolve the vulnerability.
- CSCea15281—There is no workaround. A software upgrade or patch is required.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Both vulnerabilities have been resolved in CiscoWorks Common Services 2.2.
Patches for CMF versions 2.0 and 2.1 are available from the Software Center on Cisco's worldwide website.
-
The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.
The vulnerabilities described in this advisory were both originally found by internal testing. Prior to disclosure, the bug described by CSCdy33916 was also reported by Omicron from Portcullis Computer Security Ltd. Their report can be found at http://archives.neohapsis.com/archives/bugtraq/2003-08/0130.html
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2003-August-13
Initial Public Release
Revision 1.1
2003-August-29
Added link for patch download; changed status to FINAL.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.