Vulnslist


Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability

cisco-sa-20120126-ironport · Critical · Published · Updated

Cisco AsyncOS Software for Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

Note: This security advisory has been updated to include important information about Cisco WSA.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

Workarounds

For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet.

Complete the following steps to disable Telnet via the GUI:

Step 1: Navigate to Network > IP Interfaces > interface_name.

Step 2: Remove the check from the box next to the Telnet service.

Step 3: Click on the Submit button to submit the change.

Step 4: Click the Commit Change button for these changes to take effect.

Use the interfaceconfig command, as shown in the example below, to disable Telnet via the CLI.

ciscoesa> interfaceconfig

Currently configured interfaces:
1. Data 1 (192.168.1.1/24 on Data1: mail3.example.com)
2. Data 2 (192.168.2.1/24 on Data2: mail3.example.com)
3. Management (192.168.42.42/24 on Management: mail3.example.com)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.

[]> edit
Enter the number of the interface you wish to edit.
[]> 3

<..output omitted>

Do you want to enable Telnet on this interface? [N]> N
Do you want to enable SSH on this interface? [N]> Y

Note: The interfaceconfig command is described in detail in the section Other Tasks in the GUI in the Cisco AsyncOS Daily Management Guide available at the following link:

http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
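
The transcript above only shows the prompts for one interface. As an added example that is not part of the advisory, the following script parses a captured interfaceconfig session (a constructed sample, assuming the same interface-list and prompt wording shown above) and reports every interface where Telnet is still enabled or was never explicitly set to N, so an administrator can confirm the workaround was applied to all interfaces:

```python
import re

# Constructed sample session (not from the advisory): Data 1 and Management are
# edited; Data 2 is never opened, so its Telnet state remains unknown.
SAMPLE_SESSION = """\
ciscoesa> interfaceconfig
Currently configured interfaces:
1. Data 1 (192.168.1.1/24 on Data1: mail3.example.com)
2. Data 2 (192.168.2.1/24 on Data2: mail3.example.com)
3. Management (192.168.42.42/24 on Management: mail3.example.com)
[]> edit
Enter the number of the interface you wish to edit.
[]> 1
<..output omitted>
Do you want to enable Telnet on this interface? [N]> N
Do you want to enable SSH on this interface? [N]> Y
[]> edit
Enter the number of the interface you wish to edit.
[]> 3
<..output omitted>
Do you want to enable Telnet on this interface? [Y]> Y
Do you want to enable SSH on this interface? [N]> N
"""

# Line shapes follow the interfaceconfig output quoted in the advisory.
INTERFACE_RE = re.compile(r"^(\d+)\.\s+(.+?)\s+\((\S+)\s+on\s+")
CHOICE_RE = re.compile(r"^\[\]>\s*(\d+)\s*$")
SERVICE_RE = re.compile(
    r"^Do you want to enable (Telnet|SSH) on this interface\?\s*\[[YN]\]>\s*([YyNn])")

def parse_session(text):
    """Map interface name -> {"ip", "Telnet", "SSH"}; None means the prompt was never answered."""
    interfaces, by_number, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := INTERFACE_RE.match(line):
            num, name, ip = m.groups()
            interfaces[name] = {"ip": ip, "Telnet": None, "SSH": None}
            by_number[num] = name
        elif (m := CHOICE_RE.match(line)) and m.group(1) in by_number:
            current = by_number[m.group(1)]  # interface now being edited
        elif (m := SERVICE_RE.match(line)) and current:
            interfaces[current][m.group(1)] = m.group(2).upper() == "Y"
    return interfaces

def telnet_findings(interfaces):
    """Interfaces still needing attention: Telnet enabled, or never explicitly set to N."""
    return sorted(n for n, s in interfaces.items() if s["Telnet"] is not False)
```

Run it against a session log captured from your own appliance; an empty result from telnet_findings means every listed interface had Telnet explicitly turned off.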

Cisco AsyncOS Software for Cisco WSA has Telnet enabled by default; however, once the System Setup Wizard (SSW) is completed, Telnet is automatically disabled.

The Cisco Applied Mitigation Bulletin (AMB) "Identifying and Mitigating Exploitation of the Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability" is available at http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120126-ironport

CVEs: CVE-2011-4862
Cisco Bug IDs: CSCuo90523, CSCzv32432, CSCzv44580
CVSS Score: Base 10.0
  Base 10.0  AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:C
  Base 10.0  AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
  Base 7.6   AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

Product Names From Source:
Cisco IronPort Security Management Appliance, Cisco IronPort Email Security Appliance, Cisco Web Security Appliance (WSA), Cisco Content Security Management Appliance (SMA)

Related Products

Product                                            CVE            Evidence
-------------------------------------------------  -------------  --------------
Cisco Web Security Appliance (WSA)                 CVE-2011-4862  Cisco OpenVuln
Cisco IronPort Security Management Appliance       CVE-2011-4862  Cisco OpenVuln
Cisco IronPort Email Security Appliance            CVE-2011-4862  Cisco OpenVuln
Cisco Email Security Appliance (ESA)               CVE-2011-4862  Cisco OpenVuln
Cisco Content Security Management Appliance (SMA)  CVE-2011-4862  Cisco OpenVuln