-
A vulnerability exists that could allow an unauthorized person to substitute arbitrary material in place of legitimate content for a specified website. This arbitrary content would be viewable only by users of the affected (or "polluted") Cache Engine. This vulnerability has Cisco bug ID CSCdm63310
A second vulnerability exists that could allow unauthorized persons to view performance information via the web interface of the Cache Engine. This vulnerability has Cisco bug ID CSCdp20180
A third vulnerability existed that allowed a null username and password pair to be accepted as valid authentication credentials. This vulnerability has Cisco bug ID CSCdj56294.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19991216-cache-auth.
-
This section provides details on affected products.
Vulnerable Products
If you are using a Cisco Cache Engine that has not been upgraded to version 2.0.3, you are vulnerable to the first two issues (CSCdm63310 and CSCdp20180). If you are running a Cache Engine that has not been upgraded to version 1.5, you are vulnerable to all three issues (CSCdm63310, CSCdp20180, and CSCdj56294).
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
This section details these vulnerabilities.
-
CSCdm63310 -- Allows an unauthorized person to
substitute arbitrary material in place of legitimate content for a specified
website. This arbitrary content would be viewable only by users of the affected
(or "polluted") Cache Engine.
-
CSCdp20180 -- Allows unauthorized persons to view
performance information via the web interface of the Cache Engine.
-
CSCdj56294 -- Allowed a null username and password
pair to be accepted as valid authentication credentials.
-
CSCdm63310 -- Allows an unauthorized person to
substitute arbitrary material in place of legitimate content for a specified
website. This arbitrary content would be viewable only by users of the affected
(or "polluted") Cache Engine.
-
Workarounds to prevent an attacker from taking advantage of the vulnerability described in CSCdm63310 include disabling the Cisco Cache Engine or specifying a strict list of permitted sites that would restrict clients to a list of known, valid websites. The procedure for enabling URL restriction is detailed in Cache Engine documentation version 1.7 at the following link:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/webcache/ce17/wc173rn.htm
Workarounds for both CSCdp20180 and CSCdj56294 include other means of limiting access to both web based management and FTP ports on the Cache Engine, such as firewalls or access lists on routers to limit traffic to those ports.
It is strongly recommended to upgrade to version 2.0.3 of the Cisco Cache Engine.
-
Cisco Cache Engine 2050, Release 1.0 through 1.7.6.
Cisco Cache Engine 500, Release 2.0.1 through 2.0.2.
All issues are fixed in the Cisco Cache Engine 500, Release 2.0.3 or later.
All issues are fixed in Cisco Cache Engine version 2.0.3. CSCdj56294 is resolved in Cisco Cache Engine version 1.5, and higher. However, due to issues CSCdp20180 and CSCdm63310, it is strongly recommended that customers upgrade to Cisco Cache Engine version 2.0.3.
Software version 2.0.3 will only apply to the following Cisco Cache Engine Hardware platforms: CE-550, CE-505, and CE-550-DS3. The CE-2050 chassis cannot be upgraded to version 2.0.3, and you will need to contact the Cisco TAC for assistance as detailed in the "Getting Fixed Software" section of this notice. If you do not know which hardware chassis of the Cisco Cache Engine you have, please contact the Cisco TAC at one of the telephone numbers listed in the "Cisco Security Procedures" section of this notice.
-
These vulnerabilities were all originally reported to Cisco by separate customers. Cisco knows of no public announcements of these vulnerabilities, nor have any malicious uses been reported to Cisco.
A simple HTML script is needed to effectively exploit CSCdp20180. Although Cisco knows of no program available to the public specifically for this purpose, writing such a script would require little effort, and a basic understanding of HTML and Java code.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.2
1999-December-16
Various content fixes.
Revision 1.1
1999-December-16
Various punctuation fixes.
Revision 1.0
1999-December-16
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.