|
|
ESB-2013.0581 - [Win][Cisco] Cisco Device Manager: Execute arbitrary code/commands - Remote/unauthenticated |
|
Date: 26 April 2013 Original URL: http://www.auscert.org.au/render.html?cid=1980&it=17429 Click here for PGP verifiable version -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0581
Cisco Device Manager Command Execution Vulnerability
26 April 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Device Manager
Publisher: Cisco Systems
Operating System: Cisco
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Cisco Device Manager Command Execution Vulnerability
Advisory ID: cisco-sa-20130424-fmdm
Revision 1.0
For Public Release 2013 April 24 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco Device Manager contains a vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary commands on a client host
with the privileges of the user. This vulnerability affects Cisco Device
Manager for the Cisco MDS 9000 Family and Cisco Nexus 5000 Series Switches
when it is installed or launched via the Java Network Launch Protocol (JNLP) on
a host running Microsoft Windows.
Cisco Device Manager installed or launched from Cisco Prime Data Center Network
Manager (DCNM) or Cisco Fabric Manager is not affected. This vulnerability can
only be exploited if the JNLP file is executed on systems running Microsoft
Windows. The vulnerability affects the confidentiality, integrity, and
availability of the client host performing the installation or execution of
Cisco Device Manager via JNLP file. There is no impact on the Cisco MDS 9000
Family or Cisco Nexus 5000 Series Switches.
Cisco has released free software updates that address this vulnerability in
the Cisco Device Manager for Cisco MDS 9000 Family Switches. Cisco Nexus 5000
Series Switches have discontinued the support of the Cisco Device Manager
installation via JNLP and updates are not available.
Workarounds that mitigate this vulnerability are available. This advisory is
available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-fmdm
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
iF4EAREKAAYFAlF30BoACgkQUddfH3/BbTqARAD/efkFacOaSLxRk1eDkaVfrALV
AzYT3xCcMQuWgc/OracA/01zIEtNJKdRu3tCK010hX7w2fdPH/D/RdUF7TFo885Z
=u8iM
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUXn/7+4yVqjM2NGpAQK7gQ//c9A+L57HnlPbJdjVnmAkTSB4CrzC8nbv
S1LwJWQ29/90/gNJOcECg6BckYJrT70Y6+v+Qfm/x7U5TTYh+nWlmzctZGkOZOYz
Efn4Evys7IS4FhdIKuudXYCQcsSvEJcRHB+EoINbwBkVZ/UXjx6M4AajBPLDyjhI
YIKZFjxDBJe82arSGcPTcbkyi7GkPIGxNXDiQZfpUVmJBul2A7d3t53Ierply/3B
GAPPTHRlhDYaMzzfqhuH+9Ddv0LZiFyzcS+IGIlb/QWJTbeXUzlTFvycpbsjuLIq
CxEyRCYh0at0S12kiMhApm7F/KMA4bV/VWtzF5JI+rDuDz+MBk4+aaQyDLx6Hh93
64ex0AQ0QJoO9Bmg3mhnHnhD8Wpr6fhz97CaEs78fMq6CRo5wljRY/YZitL3giV3
5V3LmIxlFThlItQV1YVOCSrrg/763SVPMrjBAo17v7neFFbnZlHO0/a6gdc2gs6X
6Ldio7y+0r1ZA/tzWHjDj750v7rrLSRLC2hasHewY8uJ4qoVqM6tchoIem+g1Rq/
SiYDoNAkhLKRC/KBewGmV5wKpw09GVelYFWulDmWVGILmOJqxkZSQYFQU0eiI9Mp
xnx22tTSiIU5iyri1YRAdR3O15RM1zHVk2n6ypIVMcfNw7bhO+3VngzSGq2/hUuO
399A19sBOrU=
=FzCB
-----END PGP SIGNATURE-----
|