-
Cisco Security Monitoring, Analysis and Response System (CS-MARS) software contains vulnerabilities related to third-party software and the command line interface (CLI).
- CS-MARS ships with an Oracle database. The database contains several default Oracle accounts which have well-known passwords. If access to the database is obtained, the default accounts may be used to access sensitive information contained in the database.
- CS-MARS ships with the JBoss web application server. A component of the JBoss installation may allow a remote, unauthenticated user to execute arbitrary shell commands with the privileges of the CS-MARS administrator.
- The CS-MARS CLI contains several vulnerabilities which may allow authenticated administrators to execute arbitrary shell commands with root privileges.
All vulnerabilities addressed in this advisory have been corrected in CS-MARS software version 4.2.1.
Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060719-mars.
-
This section provides details on affected products.
Vulnerable Products
CS-MARS software versions prior to 4.2.1 are affected by vulnerabilities addressed in this advisory.
To verify the version of CS-MARS software, use an SSH client to log in to the system administration command line interface with the pnadmin account and execute the version command.
prompt$ ssh pnadmin@10.0.0.1
pnadmin@10.0.0.1's password:
Last login: Tue Jun 20 16:22:34 2006 from 10.0.0.2

CS MARS - Mitigation and Response System

? for list of commands

[pnadmin]$ version
4.1.5 (2198)
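The version check above can be applied to captured CLI sessions when auditing several appliances. This is an added example, not Cisco code: it assumes the `version` command prints `<major>.<minor>.<patch> (<build>)` as in the session shown, and the names `parse_version` and `classify` are hypothetical.

```python
import re

FIXED = (4, 2, 1)  # first fixed CS-MARS release named in this advisory

# Output line of the `version` command: "<major>.<minor>.<patch> (<build>)"
VERSION_LINE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\s*\((\d+)\)$")
VERSION_CMD = re.compile(r"^\[pnadmin\]\$\s*version$")

# Session as shown in the advisory.
PAGE_SESSION = """\
prompt$ ssh pnadmin@10.0.0.1
pnadmin@10.0.0.1's password:
Last login: Tue Jun 20 16:22:34 2006 from 10.0.0.2

CS MARS - Mitigation and Response System

? for list of commands

[pnadmin]$ version
4.1.5 (2198)
"""


def parse_version(transcript):
    """Return ((major, minor, patch), build), or None if no version output is found."""
    lines = [ln.strip() for ln in transcript.splitlines()]
    for i, line in enumerate(lines):
        if not VERSION_CMD.match(line):
            continue
        # The version is the first non-empty line after the command.
        for reply in lines[i + 1:]:
            if reply:
                m = VERSION_LINE.match(reply)
                if m:
                    return tuple(int(g) for g in m.groups()[:3]), int(m.group(4))
                break
    return None


def classify(transcript):
    """'vulnerable' if older than 4.2.1, 'fixed' if 4.2.1 or later, else 'unknown'."""
    parsed = parse_version(transcript)
    if parsed is None:
        return "unknown"
    # Compare as integer tuples: as strings, "4.10.0" would sort before "4.2.1".
    return "vulnerable" if parsed[0] < FIXED else "fixed"
```

An "unknown" result means the transcript did not contain recognizable `version` output and the appliance should be checked by hand.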
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a security system that receives event logs from various network devices, correlates and analyzes the received data for security problems, and reports the findings. In addition, CS-MARS can perform automated tasks to mitigate security problems.
- CS-MARS utilizes an Oracle database to store sensitive network event and configuration data. The information contained in the database potentially includes authentication credentials for network devices such as firewalls, routers and IPS devices and the details of network security events. By default, Oracle databases contain several built-in accounts with well-known passwords. If access can be gained to the database, the accounts could potentially be used to compromise the information stored in the database. The CS-MARS appliance is hardened to prevent local and remote unauthorized access to the database. As a precaution, the database accounts have been disabled by Cisco to prevent abuse should a method to access the database be discovered. The CS-MARS application does not use the default Oracle database accounts. This vulnerability is documented by Cisco bug ID CSCsd16256 (registered customers only).
- CS-MARS contains an installation of the JBoss web application server. It may be possible for a remote, unauthenticated user to create a specially-crafted HTTP request which executes arbitrary shell commands on the CS-MARS appliance with the privileges of the CS-MARS administrator via the optional JBoss JMX console. This vulnerability is documented by Cisco bug ID CSCse47646 (registered customers only).
- The CS-MARS CLI is a restricted shell environment which allows authenticated administrators to perform system maintenance tasks. The CLI contains several privilege escalation vulnerabilities which may allow shell commands to be executed on the underlying appliance operating system with root privileges. These vulnerabilities are documented by Cisco bug IDs CSCsd29111 (registered customers only), CSCsd31371 (registered customers only), CSCsd31377 (registered customers only), CSCsd31392 (registered customers only) and CSCsd31972 (registered customers only).
-
There are no workarounds for these vulnerabilities.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
CS-MARS versions 4.2.1 and later contain the fixes for all vulnerabilities referenced in this advisory.
CS-MARS upgrades are incremental. All available updates must be applied in order to reach the most recent version. The upgrade path is documented at:
http://www.cisco.com/cisco/web/download/index.html
CS-MARS software updates can be obtained at the following site:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
The JBoss vulnerability (CSCse47646 (registered customers only)) was reported to Cisco by Jon Hart.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.