This advisory describes a vulnerability that affects Cisco products and applications that are installed on the Solaris operating system, and is based on the vulnerability of an common service within the Solaris operating system, not due to a defect of the Cisco product or application. A vulnerability in the "/bin/login" program was discovered that enables an attacker to execute arbitrary code under Solaris OS. This vulnerability was discovered and publicly announced by Internet Security Systems Inc. All Cisco products and applications that are installed on Solaris OS are considered vulnerable to the underlying operating system vulnerability, unless steps have been taken to disable access services such as "bin/login." We are investigating other Solaris-based products. This vulnerability can be mitigated in many cases (not all), by limiting interactive logins to trusted hosts using access control list (ACL) or other mechanisms such as firewalls. This advisory is available at the http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020410-solaris-bin-login.
This advisory describes a vulnerability that affects Cisco products and applications that are installed on the Solaris operating system, and is based on the vulnerability of an common service within the Solaris operating system, not due to a defect of the Cisco product or application. A vulnerability in the "/bin/login" program was discovered that enables an attacker to execute arbitrary code under Solaris OS. This vulnerability was discovered and publicly announced by Internet Security Systems Inc. All Cisco products and applications that are installed on Solaris OS are considered vulnerable to the underlying operating system vulnerability, unless steps have been taken to disable access services such as "bin/login."
We are investigating other Solaris-based products.
This vulnerability can be mitigated in many cases (not all), by limiting interactive logins to trusted hosts using access control list (ACL) or other mechanisms such as firewalls.
This advisory is available at the http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020410-solaris-bin-login.
This section provides details on affected products.
All products and all releases that are running on top of Solaris OS are vulnerable because the vulnerability is within Solaris and not within the other applications.
The following products are affected:
Media Gateway Controller (MGC) and Related Products
Cisco IDS
Other Cisco software applications may run on Solaris platforms and where those products have not specifically been identified, customers should install security patches regularly in accordance with their normal maintenance procedures.
We are investigating other Solaris-based products.
PGW2200 release 9.2(2) running on Solaris 2.8 is not affected. The installation CD set contains the package CSCOh015, version 2.0.1, that includes the patch for this issue.
No other Cisco products are currently known to be affected by these vulnerabilities.
All implementations of the "login" program (also known as "/bin/login" due to its location on the file system) derived from the SysV implementation are vulnerable to a buffer overflow. This vulnerability can be exploited to gain unauthorized access to a computer system without possessing legitimate credentials. The only prerequisite for exploiting this vulnerability is to have Telnet or other remote login access to the computer because there are multiple ways to access a computer remotely. Telnet, rlogin, rsh, SSH, and X term are the most commonly known methods. This vulnerability can be exploited locally and remotely.
There is no workaround for MGC and related products.
For IDS, it is possible to mitigate the exposure by limiting hosts that can Telnet to IDS. This procedure is described at:
In short, the user must login to the IDS machine as root, type sysconfig-sensor at the prompt, select option 5, and enter the hosts allowed to Telnet to the sensor.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
MGC and Related Products
Both packages are available at http://www.cisco.com/pcgi-bin/tablebuild.pl/mgc-sol .
For all MGC and related products, you may also consult "Cisco Security Advisory: Hardening of Solaris OS for MGC" located at http://www.cisco.com/warp/public/707/Solaris-for-MGC-pub.shtml.
Cisco IDS
For IDS, release 3.0(5) is the first fixed release. The fixed software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/ids-appsens.
This vulnerability has been discovered by ISS Inc. and has been disclosed publicly. The advisories are published at:
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.0 |
2002-April-10 |
Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon