Guest

Product Support

Response to DoS in Cisco Clean Access

Document ID: 615

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20051221-CCA.shtml

Revision 1.1

For Public Release 2005 December 21 22:00  UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

This is Cisco PSIRT's response to the statements made by Alex Lanstein in his message: DoS in Cisco Clean Access, posted on 2005-Dec-16, to the Bugtraq mailing list. An archived version of the report can be found here:

http://www.securityfocus.com/archive/1/419645/30/0/threaded

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Additional Information

This issue is being tracked by Cisco bug ID:

CSCsc85405 ( registered customers only) — Obsolete JSPs can cause a DoS attack on CAM

This DDTS has been resolved and the fix is available.

It was discovered that certain obsolete JSP files may be leveraged to leave the Cisco Clean Access Manager (CAM) open to a denial of service (DoS) attack.

The patch is available to customers for download from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches?psrtdcat20e2

The following information is from the README file that accompanies the patch for CSCsc85405. For more complete information on the issue, please consult the README.

To address and fix this vulnerability, you must remove the obsolete
JSP files from your CAM as they are no longer needed. You can either:

1. Install the patch on your CAM, as described in "Patch Installation Intructions" below, or

2. Apply the workaround, as described in "Workaround Solution" below.

Caveat CSCsc85405 will be resolved in the following future releases:

  * Cisco Clean Access release 3.5(9) and above
  * Cisco Clean Access release 3.6.0.1 and above

===============================
Patch Installation Instructions
===============================

To install this patch:

1. Download the Patch-CSCsc85405.tar.gz file from the Cisco Clean
Access Patches folder
(http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches) under Cisco
Secure Software
(http://www.cisco.com/public/sw-center/ciscosecure/cleanaccess.shtml).

2.  Open an SSH terminal and copy the patch file into your Clean
Access Manager (CAM) using WinSCP, SSH File Transfer or PSCP, as
described below.

  If using WinSCP or SSH File Transfer: 

        a. Copy Patch-CSCsc85405.tar.gz to the /store directory
           on the Clean Access Manager. 

  If using PSCP: 

        a. Open a command prompt on your Windows computer. 

        b. Cd to the path where your PSCP resides 
            (e.g, C:\Documents and Settings\desktop). 

        c. Enter the following command to copy the file to the CAM:

           pscp Patch-CSCsc85405.tar.gz root@ipaddress_manager:/store


3. From the SSH terminal, untar the patch file on the CAM:

        cd /store
        tar xzvf Patch-CSCsc85405.tar.gz

4. Cd to the Patch-CSCsc85405 directory:

        cd Patch-CSCsc85405

5. Execute the patch file upgrade on the CAM:

         ./patch.sh


=========================
Workaround Solution
=========================

The following workaround steps remove the affected .jsp files from the
CAM, as they are no longer needed.

1. Open an SSH terminal, and login to the CAM shell.

2. Change directory as follows:

        cd /perfigo/control/tomcat/webapps/admin/

3. Remove the uploadclient.jsp and ieee8021x.jsp files:

        rm -f uploadclient.jsp ieee8021x.jsp

4. Change directory as follows:

        cd /perfigo/control/tomcat/work/Standalone/localhost/admin

5. Remove the cached jsp sources:

        rm -f uploadclient_jsp.* ieee8021x_jsp.*

6. Remove any file in the "installer/window" directory, this will be
useful for any exploited machine.

        rm -f /perfigo/control/tomcat/normal-webapps/installer/windows/*

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.