var-200902-0536
Vulnerability from variot
Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses default (1) usernames and (2) passwords for (a) the administrator and (b) web management, which makes it easier for remote attackers to perform configuration changes or obtain operating-system access. Other attacks are also possible. Workarounds that mitigate some of the vulnerabilities are available.
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco 4700 Series Application Control Engine Device Manager and Application Networking Manager module software.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml
Affected Products
Vulnerable Products +------------------
The following table displays the products that are affected by each vulnerability that is described within this advisory.
+-------------------------------------------------------------------+ | | Products and Versions | | | Affected | |Vulnerability |-----------------------------| | | Cisco ACE | Cisco ACE | | | 4710 | Module | | | Appliance | | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Default Usernames and Passwords | prior to A1 | prior to A2 | | | (8a) | (1.1) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Privilege Escalation Vulnerability | prior to A1 | prior to A2 | | | (8a) | (1.2) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 | | | (2.1) | (1.3) | |-------------------------------------+--------------+--------------| | Crafted Simple Network Management | All versions | All versions | | Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 | | Vulnerability | (2.1) | (1.3) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 | | | (8.0) | (1.2) | +-------------------------------------------------------------------+
Determining Software Versions +----------------------------
To display the version of system software that is currently running on Cisco ACE Application Control Engine, use the show version command. The following example displays the output of the show version command on the Cisco ACE Application Control Engine software version A3(1.0):
ACE-4710/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 0.95
system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
...
<output truncated>
The following example displays the output of the show version command on a Cisco ACE Application Control Engine module software version A1(1):
ACE-mod/Admin# show version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html
Software
loader: Version 12.2[117]
system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]
system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin
licensed features: no feature license is installed
...
<output truncated>
Products Confirmed Not Vulnerable +--------------------------------
The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected by any of the vulnerabilities that are described in this advisory. No other Cisco products are currently known to be affected by these vulnerabilities. Multiple vulnerabilities exist in both products. The following information provides the details about each of the vulnerabilities that are addressed in this advisory. The appliance and module do not prompt users to modify system account passwords during the initial configuration process. An attacker with knowledge of these accounts could modify the application configuration and, in certain instances, gain user access to the host operating system. This vulnerability is documented in Cisco Bug ID CSCsq32379 ( registered customers only) and has also been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621. An authenticated user could exploit this vulnerability to invoke administrative commands via the device command line interface (CLI). An attacker could exploit this vulnerability to cause the device to reload by sending a crafted SSH packet to it.
Note: SSH access must be configured on the affected device for it to be vulnerable. SSH access is not enabled by default. A full TCP three-way handshake is not necessary to trigger the effects of this vulnerability. An authenticated attacker could send a crafted SNMPv1 packet to an affected device to cause it to reload.
Note: SNMPv2c must be explicitly configured in an affected device in order to process any SNMPv2c transactions. SNMPv2c is not enabled by default. An where an attacker may could cause the a device to reload by sending a crafted SNMPv3 packet to it.
Note: SNMPv3 must be explicitly configured in an affected device in order to process any SNMPv3 transactions. SNMPv3 is not enabled by default.
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module and appliance
CVSS Base Score - 10
Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed
CSCsq32379 - DM Default Account Credentials
CVSS Base Score - 10
Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed
CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module and ACE Appliance
CVSS Base Score - 9
Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete
CVSS Temporal Score - 7.4
Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed
CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module or appliance to reload
CVSS Base Score - 7.8
Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed
CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE module and appliance
CVSS Base Score - 6.8
Access Vector - Network Access Complexity - Single Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete
CVSS Temporal Score - 5.6
Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed
CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE appliance
CVSS Base Score - 7.8
Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed
Impact
An attacker with knowledge of the Default Usernames and Passwords Vulnerability accounts could modify the device configuration and, in certain instances, gain user access to the host operating system.
An exploit of the Privilege Escalation Vulnerability could allow an authenticated attacker to execute host operating system administrative commands.
Successful exploitation of the Crafted SSH Packet Vulnerability, Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet Vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the software table (below) describes the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
+----------------------------------------------------------------------------------------------------------+ | | Products and Versions Affected | | |---------------------------------------------------------------------| | | Cisco ACE 4710 Appliance | Cisco ACE Module | |Vulnerability |----------------------------------+----------------------------------| | | First Fixed | Recommended | First | | | | Release | Release | Fixed | Recommended Release | | | | | Release | | |------------------------------------+---------------+------------------+------------+---------------------| | Default Usernames and Passwords | A1(8a) | A3(2.1) | A2(1.1) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Privilege Escalation Vulnerability | A1(8a) | A3(2.1) | A2(1.2) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SSH Packet Vulnerability | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SNMPv2 Packet | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) | | Vulnerability | | | | | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SNMPv2 Packet | A1(8.0) | A3(2.1) | A2(1.2) | A2(1.3) | | Vulnerability | | | | | +----------------------------------------------------------------------------------------------------------+
Cisco ACE module software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289
Cisco ACE 4710 Application Control Engine appliance software can be downloaded from:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179
Workarounds
This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other.
Default Usernames and Passwords +------------------------------
To change the default administrative password, use the username command in configuration mode. The syntax of this command is as follows:
username admin [password [0 | 5] {password}]
The keywords, arguments, and options are:
admin--Specifies the default administrative user name.
password--(Optional) Keyword that indicates that a password follows.
0--(Optional) Specifies a clear text password.
5--(Optional) Specifies an MD5-hashed strong encryption password.
password--The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. Enter a password as an unquoted text string with a maximum of 64 characters.
For example, to create a user named admin that uses the clear text password my_super_secret_88312, enter the following command:
ACE(config)# username admin password 0 my_super_secret_88312
Note: This process can also be followed to change the www user account credentials. The dm user is for accessing the Device Manager GUI and cannot be modified or deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI. For more information refer to: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html
Privilege Escalation Vulnerability +---------------------------------
There are no workarounds for this vulnerability.
Crafted SSH Packet Vulnerability +-------------------------------
SSH management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SSH packets that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SSH access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address.
The following example demonstrates how SSH access to the ACE is only allowed from the 192.168.100.1 host:
!-- Configure a class to allow SSH from the trusted source
!
class-map type management match-all Permit_SSH_Class
description Allow SSH from trusted sources Class
match protocol ssh source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows ssh from the
!--trusted source configured in the above class
!
policy-map type management first-match Permit_SSH_Policy
description Allow SSH from trusted sources Policy
class Permit_SSH_Class
permit
!
!-- Apply the management policy globally
!
service-policy input Permit_SSH_Policy
Additional information about "Configuring SSH Management Sessions" is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450
Additional information about "Configuring Class Maps and Policy Maps" is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
warning Warning: It is possible to easily spoof the sender's IP address, which may defeat class maps and access control lists (ACLs) that permit communication to the device from trusted IP addresses.
Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities +-----------------------------------------------
SNMP management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies.
This Management Traffic Service example denies unauthorized SNMP packets on UDP port 161 that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SNMP access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address.
!-- Configure a class to allow SNMP from the trusted source
!
class-map type management match-all Permit_SNMP_Class
description Allow SNMP from trusted sources Class
2 match protocol snmp source-address 192.168.100.1 255.255.255.255
!
!-- Configure a management policy that allows snmp from the
!--trusted source configured in the above class
!
policy-map type management first-match Permit_SNMP_Policy
description Allow SNMP from trusted sources Policy
class Permit_SNMP_Class
permit
!-- Apply the management policy globally
!
service-policy input Permit_SNMP_Policy
Additional information about "SNMP Management Traffic Services" is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011
Additional information about "Configuring Class Maps and Policy Maps" is available at:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml
Obtaining Fixed Software
Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with Service Contracts +-------------------------------
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations +------------------------------------------------
Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts +----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: tac@cisco.com
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
- cust-security-announce@cisco.com
- first-bulletins@lists.first.org
- bugtraq@securityfocus.com
- vulnwatch@vulnwatch.org
- cisco@spot.colorado.edu
- cisco-nsp@puck.nether.net
- full-disclosure@lists.grok.org.uk
- comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
+-------------------------------------------------------------------+ | Revision 1.0 | 2009-February-25 | Initial public release | +-------------------------------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkmlbsoACgkQ86n/Gc8U/uA9egCgiM1YYI9hZhS8iZ5kbEw6vxaq gM8AnjpFAJaZ/RK593w/5j/mRHxjkLVo =rWBu -----END PGP SIGNATURE-----
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200902-0536",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "application control engine module",
"scope": "lte",
"trust": 1.0,
"vendor": "cisco",
"version": "0"
},
{
"model": "ace module a2",
"scope": "ne",
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ace application control engine module",
"scope": "lt",
"trust": 0.8,
"vendor": "cisco",
"version": "a2(1.1)"
},
{
"model": "ace appliance a1",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "4710"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "6500"
},
{
"model": "application control engine module",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"model": "ace module",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"model": "ace appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "47100"
},
{
"model": "ace appliance a3",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "4710"
}
],
"sources": [
{
"db": "BID",
"id": "33900"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:cisco:catalyst:6500:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:cisco:catalyst:7600:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:cisco:application_control_engine_module:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "0",
"vulnerable": true
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2009-0620"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco Security bulletin",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
],
"trust": 0.6
},
"cve": "CVE-2009-0620",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2009-0620",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-38066",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2009-0620",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200902-611",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-38066",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38066"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses default (1) usernames and (2) passwords for (a) the administrator and (b) web management, which makes it easier for remote attackers to perform configuration changes or obtain operating-system access. Other attacks are also possible. Workarounds that mitigate some of the vulnerabilities are\navailable. \n\nNote: These vulnerabilities are independent of each other. A device\nmay be affected by one vulnerability and not affected by another. \n\nThis advisory is posted at \nhttp://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml\n\nNote: This advisory is being released simultaneously with a multiple\nvulnerability disclosure advisory that impacts the Cisco 4700 Series\nApplication Control Engine Device Manager and Application Networking\nManager module software. \n\nThis advisory is posted at \nhttp://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml\n\nAffected Products\n=================\n\nVulnerable Products\n+------------------\n\nThe following table displays the products that are affected by each\nvulnerability that is described within this advisory. \n\n+-------------------------------------------------------------------+\n| | Products and Versions |\n| | Affected |\n|Vulnerability |-----------------------------|\n| | Cisco ACE | Cisco ACE |\n| | 4710 | Module |\n| | Appliance | |\n|-------------------------------------+--------------+--------------|\n| | All versions | All versions |\n| Default Usernames and Passwords | prior to A1 | prior to A2 |\n| | (8a) | (1.1) |\n|-------------------------------------+--------------+--------------|\n| | All versions | All versions |\n| Privilege Escalation Vulnerability | prior to A1 | prior to A2 |\n| | (8a) | (1.2) |\n|-------------------------------------+--------------+--------------|\n| | All versions | All versions |\n| Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 |\n| | (2.1) | (1.3) |\n|-------------------------------------+--------------+--------------|\n| Crafted Simple Network Management | All versions | All versions |\n| Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 |\n| Vulnerability | (2.1) | (1.3) |\n|-------------------------------------+--------------+--------------|\n| | All versions | All versions |\n| Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 |\n| | (8.0) | (1.2) |\n+-------------------------------------------------------------------+\n\nDetermining Software Versions\n+----------------------------\n\nTo display the version of system software that is currently running\non Cisco ACE Application Control Engine, use the show version\ncommand. The following example displays the output of the show\nversion command on the Cisco ACE Application Control Engine software\nversion A3(1.0):\n\n ACE-4710/Admin# show version\n Cisco Application Control Software (ACSW)\n TAC support: http://www.cisco.com/tac\n Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. \n The copyrights to certain works contained herein are owned by\n other third parties and are used and distributed under license. \n Some parts of this software are covered under the GNU Public\n License. A copy of the license is available at\n http://www.gnu.org/licenses/gpl.html\n\n Software\n loader: Version 0.95\n system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0\n system image file: (nd)/192.168.65.31/scimitar.bin\n\n Device Manager version 1.1 (0) 20080805:0415\n\n ... \n \u003coutput truncated\u003e\n\nThe following example displays the output of the show version command\non a Cisco ACE Application Control Engine module software version A1(1):\n\n ACE-mod/Admin# show version\n Cisco Application Control Software (ACSW)\n TAC support: http://www.cisco.com/tac\n Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved. \n The copyrights to certain works contained herein are owned by\n other third parties and are used and distributed under license. \n Some parts of this software are covered under the GNU Public\n License. A copy of the license is available at\n http://www.gnu.org/licenses/gpl.html\n\n Software\n loader: Version 12.2[117]\n system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1]\n\n system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin\n licensed features: no feature license is installed\n ... \n \u003coutput truncated\u003e\n\nProducts Confirmed Not Vulnerable\n+--------------------------------\n\nThe Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall,\nand the Cisco ACE GSS 4400 Series Global Site Selector Appliances are\nnot affected by any of the vulnerabilities that are described in this\nadvisory. No other Cisco products are currently known to be affected\nby these vulnerabilities. Multiple\nvulnerabilities exist in both products. The following information\nprovides the details about each of the vulnerabilities that are\naddressed in this advisory. The appliance and module do not prompt users\nto modify system account passwords during the initial configuration\nprocess. An attacker with knowledge of these accounts could modify\nthe application configuration and, in certain instances, gain user\naccess to the host operating system. This vulnerability is documented in Cisco Bug\nID CSCsq32379 ( registered customers only) and has also been assigned\nthe Common Vulnerability and Exposures (CVE) ID CVE-2009-0621. An\nauthenticated user could exploit this vulnerability to invoke\nadministrative commands via the device command line interface (CLI). \nAn attacker could exploit this vulnerability to cause the device to\nreload by sending a crafted SSH packet to it. \n\nNote: SSH access must be configured on the affected device for it to\nbe vulnerable. SSH access is not enabled by default. A full TCP\nthree-way handshake is not necessary to trigger the effects of this\nvulnerability. \nAn authenticated attacker could send a crafted SNMPv1 packet to an\naffected device to cause it to reload. \n\nNote: SNMPv2c must be explicitly configured in an affected device in\norder to process any SNMPv2c transactions. SNMPv2c is not enabled by\ndefault. \nAn where an attacker may could cause the a device to reload by\nsending a crafted SNMPv3 packet to it. \n\nNote: SNMPv3 must be explicitly configured in an affected device in\norder to process any SNMPv3 transactions. SNMPv3 is not enabled by\ndefault. \n\nVulnerability Scoring Details\n=============================\n\nCisco has provided scores for the vulnerabilities in this advisory\nbased on the Common Vulnerability Scoring System (CVSS). The CVSS\nscoring in this Security Advisory is done in accordance with CVSS\nversion 2.0. \n\nCVSS is a standards-based scoring method that conveys vulnerability\nseverity and helps determine urgency and priority of response. \n\nCisco has provided a base and temporal score. Customers can then\ncompute environmental scores to assist in determining the impact of\nthe vulnerability in individual networks. \n\nCisco has provided an FAQ to answer additional questions regarding\nCVSS at\n\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\n\nCisco has also provided a CVSS calculator to help compute the\nenvironmental impact for individual networks at\n\nhttp://intellishield.cisco.com/security/alertmanager/cvss\n\nCSCsq43828 and CSCsq43229 - Default users and passwords on ACE module\n and appliance \n\nCVSS Base Score - 10\n\n Access Vector - Network\n Access Complexity - Low\n Authentication - None\n Confidentiality Impact - Complete\n Integrity Impact - Complete\n Availability Impact - Complete\n\nCVSS Temporal Score - 8.7\n\n Exploitability\t - High\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\n\nCSCsq32379 - DM Default Account Credentials\n\nCVSS Base Score - 10 \n\n Access Vector - Network\n Access Complexity - Low\n Authentication - None\n Confidentiality Impact - Complete\n Integrity Impact - Complete\n Availability Impact - Complete\n\nCVSS Temporal Score - 8.7\n\n Exploitability - High\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\n\nCSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module\n and ACE Appliance\n\nCVSS Base Score - 9 \n\n Access Vector - Network\n Access Complexity - Low\n Authentication - Single\n Confidentiality Impact - Complete\n Integrity Impact - Complete\n Availability Impact - Complete\n\nCVSS Temporal Score - 7.4\n\n Exploitability - Functional\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\n\nCSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module\n or appliance to reload\n\nCVSS Base Score - 7.8\n\n Access Vector - Network\n Access Complexity - Low\n Authentication - None\n Confidentiality Impact - None\n Integrity Impact - None\n Availability Impact - Complete\n\nCVSS Temporal Score - 6.4\n\n Exploitability - Functional\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\n\nCSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE\n module and appliance \n\nCVSS Base Score - 6.8\n\n Access Vector - Network\n Access Complexity - Single\n Authentication - None\n Confidentiality Impact - None\n Integrity Impact - None\n Availability Impact - Complete\n\nCVSS Temporal Score - 5.6\n\n Exploitability - Functional\n Remediation Level - Official-Fix \n Report Confidence - Confirmed\n\n\nCSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE\n appliance \n\nCVSS Base Score - 7.8\n\n Access Vector - Network\n Access Complexity - Low\n Authentication - None\n Confidentiality Impact - None\n Integrity Impact - None\n Availability Impact - Complete\n\nCVSS Temporal Score - 6.4\n\n Exploitability - Functional\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\nImpact\n======\n\nAn attacker with knowledge of the Default Usernames and Passwords\nVulnerability accounts could modify the device configuration and, in\ncertain instances, gain user access to the host operating system. \n\nAn exploit of the Privilege Escalation Vulnerability could allow an\nauthenticated attacker to execute host operating system\nadministrative commands. \n\nSuccessful exploitation of the Crafted SSH Packet Vulnerability,\nCrafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet\nVulnerability may cause a reload of the affected device. Repeated\nexploitation could result in a sustained DoS condition. \n\nSoftware Versions and Fixes\n===========================\n\nWhen considering software upgrades, also consult \nhttp://www.cisco.com/go/psirt and any subsequent advisories to \ndetermine exposure and a complete upgrade solution. \n\nIn all cases, customers should exercise caution to be certain the\ndevices to be upgraded contain sufficient memory and that current\nhardware and software configurations will continue to be supported\nproperly by the new release. If the information is not clear, contact\nthe Cisco Technical Assistance Center (TAC) or your contracted\nmaintenance provider for assistance. \n\nEach row of the software table (below) describes the earliest\npossible releases that contain the fix (along with the anticipated\ndate of availability for each, if applicable) are listed in the\n\"First Fixed Release\" column of the table. The \"Recommended Release\"\ncolumn indicates the releases which have fixes for all the published\nvulnerabilities at the time of this Advisory. A device running a\nrelease in the given train that is earlier than the release in a\nspecific column (less than the First Fixed Release) is known to be\nvulnerable. Cisco recommends upgrading to a release equal to or later\nthan the release in the \"Recommended Releases\" column of the table. \n\n+----------------------------------------------------------------------------------------------------------+\n| | Products and Versions Affected |\n| |---------------------------------------------------------------------|\n| | Cisco ACE 4710 Appliance | Cisco ACE Module |\n|Vulnerability |----------------------------------+----------------------------------|\n| | First Fixed | Recommended | First | |\n| | Release | Release | Fixed | Recommended Release |\n| | | | Release | |\n|------------------------------------+---------------+------------------+------------+---------------------|\n| Default Usernames and Passwords | A1(8a) | A3(2.1) | A2(1.1) | A2(1.3) |\n|------------------------------------+---------------+------------------+------------+---------------------|\n| Privilege Escalation Vulnerability | A1(8a) | A3(2.1) | A2(1.2) | A2(1.3) |\n|------------------------------------+---------------+------------------+------------+---------------------|\n| Crafted SSH Packet Vulnerability | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) |\n|------------------------------------+---------------+------------------+------------+---------------------|\n| Crafted SNMPv2 Packet | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) |\n| Vulnerability | | | | |\n|------------------------------------+---------------+------------------+------------+---------------------|\n| Crafted SNMPv2 Packet | A1(8.0) | A3(2.1) | A2(1.2) | A2(1.3) |\n| Vulnerability | | | | |\n+----------------------------------------------------------------------------------------------------------+\n\nCisco ACE module software can be downloaded from:\n\nhttp://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289\n\nCisco ACE 4710 Application Control Engine appliance software can be\ndownloaded from:\n\nhttp://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179\n\nWorkarounds\n===========\n\nThis Security Advisory describes multiple distinct vulnerabilities. \nThese vulnerabilities and their respective workarounds are\nindependent of each other. \n\nDefault Usernames and Passwords\n+------------------------------\n\nTo change the default administrative password, use the username\ncommand in configuration mode. The syntax of this command is as\nfollows:\n\n username admin [password [0 | 5] {password}]\n\nThe keywords, arguments, and options are:\n\nadmin--Specifies the default administrative user name. \n\npassword--(Optional) Keyword that indicates that a password follows. \n\n0--(Optional) Specifies a clear text password. \n\n5--(Optional) Specifies an MD5-hashed strong encryption password. \n\npassword--The password in clear text, encrypted text, or MD5 strong\nencryption, depending on the numbered option (0 or 5) that you enter. \nIf you do not enter a numbered option, the password is in clear text\nby default. Enter a password as an unquoted text string with a\nmaximum of 64 characters. \n\nFor example, to create a user named admin that uses the clear text\npassword my_super_secret_88312, enter the following command:\n\n ACE(config)# username admin password 0 my_super_secret_88312\n\nNote: This process can also be followed to change the www user\naccount credentials. The dm user is for accessing the Device Manager\nGUI and cannot be modified or deleted. The dm user is an internal\nuser required by the Device Manager GUI; it is hidden on the ACE CLI. \nFor more information refer to: \nhttp://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html\n\nPrivilege Escalation Vulnerability\n+---------------------------------\n\nThere are no workarounds for this vulnerability. \n\nCrafted SSH Packet Vulnerability\n+-------------------------------\n\nSSH management traffic that can be received by the ACE is controlled\nthrough the use of class maps, policy maps, and service policies. \n\nThis Management Traffic Service example denies unauthorized SSH\npackets that are sent to an affected device. In the following\nexample, 192.168.100.1 is considered a trusted source that requires\nSSH access to the affected device. Care should be taken to allow all\nrequired management access to the affected device. An attacker could\nexploit this vulnerability using spoofed packets. This workaround\ncannot provide complete protection against this vulnerability when\nthe attack comes from a trusted source address. \n\nThe following example demonstrates how SSH access to the ACE is only\nallowed from the 192.168.100.1 host:\n\n\n !-- Configure a class to allow SSH from the trusted source\n !\n\n class-map type management match-all Permit_SSH_Class\n description Allow SSH from trusted sources Class\n match protocol ssh source-address 192.168.100.1 255.255.255.255\n\n !\n !-- Configure a management policy that allows ssh from the\n !--trusted source configured in the above class\n !\n\n policy-map type management first-match Permit_SSH_Policy\n description Allow SSH from trusted sources Policy\n class Permit_SSH_Class\n permit\n\n !\n !-- Apply the management policy globally\n !\n\n service-policy input Permit_SSH_Policy\n\nAdditional information about \"Configuring SSH Management Sessions\" is\navailable at:\n\nhttp://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450\n\nAdditional information about \"Configuring Class Maps and Policy Maps\"\nis available at:\n\nhttp://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html\n\nwarning Warning: It is possible to easily spoof the sender\u0027s IP\naddress, which may defeat class maps and access control lists (ACLs)\nthat permit communication to the device from trusted IP addresses. \n\nCrafted SNMPv2 and SNMPv3 Packet Vulnerabilities\n+-----------------------------------------------\n\nSNMP management traffic that can be received by the ACE is controlled\nthrough the use of class maps, policy maps, and service policies. \n\nThis Management Traffic Service example denies unauthorized SNMP\npackets on UDP port 161 that are sent to an affected device. In the\nfollowing example, 192.168.100.1 is considered a trusted source that\nrequires SNMP access to the affected device. Care should be taken to\nallow all required management access to the affected device. An\nattacker could exploit this vulnerability using spoofed packets. This\nworkaround cannot provide complete protection against this\nvulnerability when the attack comes from a trusted source address. \n\n\n !-- Configure a class to allow SNMP from the trusted source\n !\n\n class-map type management match-all Permit_SNMP_Class\n description Allow SNMP from trusted sources Class\n 2 match protocol snmp source-address 192.168.100.1 255.255.255.255\n\n\n !\n !-- Configure a management policy that allows snmp from the\n !--trusted source configured in the above class\n !\n\n policy-map type management first-match Permit_SNMP_Policy\n description Allow SNMP from trusted sources Policy\n class Permit_SNMP_Class\n permit\n\n !-- Apply the management policy globally\n !\n\n service-policy input Permit_SNMP_Policy\n\nAdditional information about \"SNMP Management Traffic Services\" is\navailable at:\n\nhttp://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011\n\nAdditional information about \"Configuring Class Maps and Policy Maps\"\nis available at:\n\nhttp://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html\n\nAdditional mitigation techniques that can be deployed on Cisco\ndevices within the network are available in the Cisco Applied\nMitigation Bulletin companion document for this advisory:\n\nhttp://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml\n\nObtaining Fixed Software\n========================\n\nCisco has released free software updates that address these\nvulnerabilities. Prior to deploying software, customers should\nconsult their maintenance provider or check the software for feature\nset compatibility and known issues specific to their environment. \n\nCustomers may only install and expect support for the feature sets\nthey have purchased. By installing, downloading, accessing or\notherwise using such software upgrades, customers agree to be bound\nby the terms of Cisco\u0027s software license terms found at \nhttp://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html\nor as otherwise set forth at Cisco.com Downloads at \nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml\n\nDo not contact psirt@cisco.com or security-alert@cisco.com for\nsoftware upgrades. \n\nCustomers with Service Contracts\n+-------------------------------\n\nCustomers with contracts should obtain upgraded software through\ntheir regular update channels. For most customers, this means that\nupgrades should be obtained through the Software Center on Cisco\u0027s\nworldwide website at http://www.cisco.com\n\nCustomers using Third Party Support Organizations\n+------------------------------------------------\n\nCustomers whose Cisco products are provided or maintained through\nprior or existing agreements with third-party support organizations,\nsuch as Cisco Partners, authorized resellers, or service providers\nshould contact that support organization for guidance and assistance\nwith the appropriate course of action in regards to this advisory. \n\nThe effectiveness of any workaround or fix is dependent on specific\ncustomer situations, such as product mix, network topology, traffic\nbehavior, and organizational mission. Due to the variety of affected\nproducts and releases, customers should consult with their service\nprovider or support organization to ensure any applied workaround or\nfix is the most appropriate for use in the intended network before it\nis deployed. \n\nCustomers without Service Contracts\n+----------------------------------\n\nCustomers who purchase direct from Cisco but do not hold a Cisco\nservice contract, and customers who purchase through third-party\nvendors but are unsuccessful in obtaining fixed software through\ntheir point of sale should acquire upgrades by contacting the Cisco\nTechnical Assistance Center (TAC). TAC contacts are as follows. \n\n * +1 800 553 2447 (toll free from within North America)\n * +1 408 526 7209 (toll call from anywhere in the world)\n * e-mail: tac@cisco.com\n\nCustomers should have their product serial number available and be\nprepared to give the URL of this notice as evidence of entitlement to\na free upgrade. Free upgrades for non-contract customers must be\nrequested through the TAC. \n\nRefer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html\nfor additional TAC contact information, including localized \ntelephone numbers, and instructions and e-mail addresses for use in \nvarious languages. \n\nExploitation and Public Announcements\n=====================================\n\nThe Cisco PSIRT is not aware of any public announcements or malicious\nuse of the vulnerability described in this advisory. \n\nThese vulnerabilities were found during internal testing. \n\nStatus of this Notice: FINAL\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY\nKIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME. \n\nA stand-alone copy or Paraphrase of the text of this document that\nomits the distribution URL in the following section is an\nuncontrolled copy, and may lack important information or contain\nfactual errors. \n\nDistribution\n============\n\nThis advisory is posted on Cisco\u0027s worldwide website at :\n\nhttp://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml\n\nIn addition to worldwide web posting, a text version of this notice\nis clear-signed with the Cisco PSIRT PGP key and is posted to the\nfollowing e-mail and Usenet news recipients. \n\n * cust-security-announce@cisco.com\n * first-bulletins@lists.first.org\n * bugtraq@securityfocus.com\n * vulnwatch@vulnwatch.org\n * cisco@spot.colorado.edu\n * cisco-nsp@puck.nether.net\n * full-disclosure@lists.grok.org.uk\n * comp.dcom.sys.cisco@newsgate.cisco.com\n\nFuture updates of this advisory, if any, will be placed on Cisco\u0027s\nworldwide website, but may or may not be actively announced on\nmailing lists or newsgroups. Users concerned about this problem are\nencouraged to check the above URL for any updates. \n\nRevision History\n================\n\n+-------------------------------------------------------------------+\n| Revision 1.0 | 2009-February-25 | Initial public release |\n+-------------------------------------------------------------------+\n\nCisco Security Procedures\n=========================\n\nComplete information on reporting security vulnerabilities in Cisco\nproducts, obtaining assistance with security incidents, and\nregistering to receive security information from Cisco, is available\non Cisco\u0027s worldwide website at \nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html\nThis includes instructions for press inquiries regarding Cisco \nsecurity notices. All Cisco security advisories are available at \nhttp://www.cisco.com/go/psirt\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (Darwin)\n\niEYEARECAAYFAkmlbsoACgkQ86n/Gc8U/uA9egCgiM1YYI9hZhS8iZ5kbEw6vxaq\ngM8AnjpFAJaZ/RK593w/5j/mRHxjkLVo\n=rWBu\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "BID",
"id": "33900"
},
{
"db": "VULHUB",
"id": "VHN-38066"
},
{
"db": "PACKETSTORM",
"id": "75189"
}
],
"trust": 2.07
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-38066",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38066"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2009-0620",
"trust": 2.9
},
{
"db": "BID",
"id": "33900",
"trust": 2.0
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200902-611",
"trust": 0.7
},
{
"db": "CISCO",
"id": "20090225 MULTIPLE VULNERABILITIES IN THE CISCO ACE APPLICATION CONTROL ENGINE MODULE AND CISCO ACE 4710 APPLICATION CONTROL ENGINE",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "75189",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-38066",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38066"
},
{
"db": "BID",
"id": "33900"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "PACKETSTORM",
"id": "75189"
},
{
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"id": "VAR-200902-0536",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-38066"
}
],
"trust": 0.593716988
},
"last_update_date": "2023-12-18T12:11:46.027000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-20090225-ace",
"trust": 0.8,
"url": "http://www.cisco.com/en/us/products/products_security_advisory09186a0080a7bc82.shtml"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-255",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38066"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "NVD",
"id": "CVE-2009-0620"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://www.cisco.com/en/us/products/products_security_advisory09186a0080a7bc82.shtml"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/33900"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0620"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0620"
},
{
"trust": 0.4,
"url": "http://www.cisco.com"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/en/us/products/products_applied_mitigation_bulletin09186a0080a7bd0a.ht"
},
{
"trust": 0.3,
"url": "/archive/1/501237"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/app_ntwk_services/data_center_app_services/ace_appliances/va3_1_0/configuration/virtualization/guide/config.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/psirt"
},
{
"trust": 0.1,
"url": "http://secunia.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2009-0620"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/interfaces_modules/services_modules/ace/v3.00_a1/configuration/administration/guide/access.html#wp1049450"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/tac"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/products/prod_warranties_item09186a008088e31f.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/support/tsd_cisco_worldwide_contacts.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/interfaces_modules/services_modules/ace/v3.00_a1/configuration/administration/guide/snmp.html#wp1034011"
},
{
"trust": 0.1,
"url": "http://www.gnu.org/licenses/gpl.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2009-0621"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/support/downloads/go/redirect.x?mdfid=281222179"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/public/sw-center/sw-usingswc.shtml"
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/full-disclosure-charter.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/interfaces_modules/services_modules/ace/v3.00_a1/configuration/administration/guide/mapolcy.html"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/support/downloads/go/redirect.x?mdfid=280557289"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/products/products_security_vulnerability_policy.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml"
},
{
"trust": 0.1,
"url": "http://intellishield.cisco.com/security/alertmanager/cvss"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-38066"
},
{
"db": "BID",
"id": "33900"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "PACKETSTORM",
"id": "75189"
},
{
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-38066"
},
{
"db": "BID",
"id": "33900"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"db": "PACKETSTORM",
"id": "75189"
},
{
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2009-02-26T00:00:00",
"db": "VULHUB",
"id": "VHN-38066"
},
{
"date": "2009-02-25T00:00:00",
"db": "BID",
"id": "33900"
},
{
"date": "2009-06-30T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"date": "2009-02-25T22:11:31",
"db": "PACKETSTORM",
"id": "75189"
},
{
"date": "2009-02-26T16:17:20.127000",
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"date": "2009-02-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2009-02-27T00:00:00",
"db": "VULHUB",
"id": "VHN-38066"
},
{
"date": "2009-03-09T22:26:00",
"db": "BID",
"id": "33900"
},
{
"date": "2009-06-30T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-001384"
},
{
"date": "2009-02-27T05:00:00",
"db": "NVD",
"id": "CVE-2009-0620"
},
{
"date": "2009-02-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Catalyst 6500 Switch and 7600 For router Cisco ACE Application Control Engine Elevation of privilege vulnerability in module",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-001384"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200902-611"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.