Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100210-ironport. Recently it was brought to Cisco's attention that additional methods of exploiting these vulnerabilities could be used. Because of the lifecycle of this product, no further software versions will be published. Please refer to the End-of-Sale and End-of-Life Announcement for the Cisco IronPort Encryption Appliance and the Cisco End-of-Life Policy. However, the workarounds described in this advisory remain applicable and address these vulnerabilities.
The following Cisco IronPort Encryption Appliance versions are affected by these vulnerabilities:
The version of software that is running on a Cisco IronPort Encryption Appliance is located on the About page of the Cisco IronPort Encryption Appliance administration interface.
Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.
The Cisco IronPort Encryption Appliance contains two information disclosure vulnerabilities that allow remote, unauthenticated access to arbitrary files on vulnerable devices via the embedded HTTPS server. The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143. The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.
The Cisco IronPort Encryption Appliance contains a remote code execution vulnerability that allows an unauthenticated attacker to run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.
It is possible to mitigate the administration interface file access vulnerability (IronPort Bug 65921) by using the IP address restriction feature of the administration interface to limit access to trusted hosts. Access to the administration interface is not restricted by default. To configure access limits, an administrator should navigate to Configuration -> Web Services -> Admin -> Console Security area in the Cisco IronPort Encryption Appliance administration interface.
It is possible to work around the remote code execution vulnerability (IronPort Bug 65923) by disabling HTTP Invoker in the Cisco IronPort Encryption Appliance configuration files. To disable the HTTP Invoker, an administrator must delete several files in the PostX application home directory and remove a directive from the web server configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
The following directive must be removed from the jboss/server/postx/conf/jboss-service.xml web server configuration file.
The JMXConsole and WebConsole should be removed as well. This is done by carrying out the following commands as an administrator:
cd /usr/local/postx/server/jboss/server/postx/deploy
mv jmx-console.war jmx-console-disabled.war
cd management
mv web-console.war web-console-disabled.war
After deleting the files and removing the directive from the configuration file, the PostX application service must be restarted.
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
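The file-level steps of the workaround above, scripted as an added example (this is not Cisco's tooling): one function deletes the HTTP Invoker archives and renames the JMX and Web consoles, and a second function audits whether any of those artifacts is still deployed, which is useful to re-check after the service restart. It assumes the PostX home is /usr/local/postx/server as in the advisory's commands (overridable by argument) and that the .sar/.war entries may be files or exploded directories; editing jboss-service.xml is left manual because the advisory does not reproduce the directive.

```sh
#!/bin/sh
# Added example, not Cisco's own script. Applies the file-level parts of the
# IronPort bug 65923 workaround to a PostX home directory. The
# jboss-service.xml directive removal is intentionally not automated here.

postx_deploy_dir() {
  # Assumed default home taken from the advisory's "cd" command.
  printf '%s/jboss/server/postx/deploy' "${1:-/usr/local/postx/server}"
}

# Delete the HTTP Invoker archives and rename the consoles so JBoss will not
# deploy them. Returns 0 on success, 1 if any step failed.
apply_workaround() {
  deploy=$(postx_deploy_dir "$1")
  rc=0
  for f in "$deploy/http-invoker.sar" "$deploy/jms/jbossmq-httpil.sar"; do
    if [ -e "$f" ]; then
      # .sar may be an archive file or an exploded directory; -rf covers both.
      rm -rf "$f" && echo "deleted: $f" || rc=1
    else
      echo "already absent: $f"
    fi
  done
  for w in "$deploy/jmx-console.war" "$deploy/management/web-console.war"; do
    if [ -e "$w" ]; then
      mv "$w" "${w%.war}-disabled.war" && echo "disabled: $w" || rc=1
    fi
  done
  return $rc
}

# Audit check: returns 0 when none of the four artifacts is deployed,
# 1 (and names the offender on stderr) when something is still present.
workaround_in_place() {
  deploy=$(postx_deploy_dir "$1")
  for f in "$deploy/http-invoker.sar" "$deploy/jms/jbossmq-httpil.sar" \
           "$deploy/jmx-console.war" "$deploy/management/web-console.war"; do
    if [ -e "$f" ]; then
      echo "still present: $f" >&2
      return 1
    fi
  done
  return 0
}
```

Run `workaround_in_place` again after restarting the PostX service; a non-zero exit means an artifact was redeployed or never removed.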
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Jesse Michael and Alexander Senkevitch. Cisco would like to thank Jesse and Alexander for reporting these vulnerabilities to us and for working with us on a coordinated disclosure.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision 1.2 | 2015-October-03 | Updated the advisory to reflect that no software fixes are available to address all the known ways to exploit these vulnerabilities.
Revision 1.1 | 2014-July-30 | Updated the Workarounds section with additional details.
Revision 1.0 | 2010-February-10 | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.