AusCERT - ESB-2013.0581 - [Win][Cisco] Cisco Device Manager: Execute arbitrary code/commands

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2013.0581 - [Win][Cisco] Cisco Device Manager: Execute arbitrary code/commands - Remote/unauthenticated
Date: 26 April 2013

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0581
           Cisco Device Manager Command Execution Vulnerability
                               26 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Device Manager
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Device Manager Command Execution Vulnerability

Advisory ID: cisco-sa-20130424-fmdm

Revision 1.0

For Public Release 2013 April 24 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Device Manager contains a vulnerability that could allow an 
unauthenticated, remote attacker to execute arbitrary commands on a client host 
with the privileges of the user. This vulnerability affects Cisco Device 
Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches 
when it is installed or launched via the Java Network Launch Protocol (JNLP) on 
a host running Microsoft Windows.

Cisco Device Manager installed or launched from Cisco Prime Data Center Network
Manager (DCNM) or Cisco Fabric Manager is not affected. This vulnerability can
only be exploited if the JNLP file is executed on systems running Microsoft 
Windows. The vulnerability affects the confidentiality, integrity, and 
availability of the client host performing the installation or execution of 
Cisco Device Manager via JNLP file. There is no impact on the Cisco MDS 9000 
Family or Cisco Nexus 5000 Series Switches.

Cisco has released free software updates that address this vulnerability in 
the Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000 
Series Switches have discontinued the support of the Cisco Device Manager 
installation via JNLP and updates are not available.

Workarounds that mitigate this vulnerability are available. This advisory is 
available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)

iF4EAREKAAYFAlF30BoACgkQUddfH3/BbTqARAD/efkFacOaSLxRk1eDkaVfrALV
AzYT3xCcMQuWgc/OracA/01zIEtNJKdRu3tCK010hX7w2fdPH/D/RdUF7TFo885Z
=u8iM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUXn/7+4yVqjM2NGpAQK7gQ//c9A+L57HnlPbJdjVnmAkTSB4CrzC8nbv
S1LwJWQ29/90/gNJOcECg6BckYJrT70Y6+v+Qfm/x7U5TTYh+nWlmzctZGkOZOYz
Efn4Evys7IS4FhdIKuudXYCQcsSvEJcRHB+EoINbwBkVZ/UXjx6M4AajBPLDyjhI
YIKZFjxDBJe82arSGcPTcbkyi7GkPIGxNXDiQZfpUVmJBul2A7d3t53Ierply/3B
GAPPTHRlhDYaMzzfqhuH+9Ddv0LZiFyzcS+IGIlb/QWJTbeXUzlTFvycpbsjuLIq
CxEyRCYh0at0S12kiMhApm7F/KMA4bV/VWtzF5JI+rDuDz+MBk4+aaQyDLx6Hh93
64ex0AQ0QJoO9Bmg3mhnHnhD8Wpr6fhz97CaEs78fMq6CRo5wljRY/YZitL3giV3
5V3LmIxlFThlItQV1YVOCSrrg/763SVPMrjBAo17v7neFFbnZlHO0/a6gdc2gs6X
6Ldio7y+0r1ZA/tzWHjDj750v7rrLSRLC2hasHewY8uJ4qoVqM6tchoIem+g1Rq/
SiYDoNAkhLKRC/KBewGmV5wKpw09GVelYFWulDmWVGILmOJqxkZSQYFQU0eiI9Mp
xnx22tTSiIU5iyri1YRAdR3O15RM1zHVk2n6ypIVMcfNw7bhO+3VngzSGq2/hUuO
399A19sBOrU=
=FzCB
-----END PGP SIGNATURE-----