The Management Center for Cisco Security Agent is affected by a vulnerability that may allow an unauthenticated attacker to perform remote code execution on the affected device. Cisco has released software updates that address this vulnerability. A workaround is available to mitigate this vulnerability. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110216-csa.
The Management Center for Cisco Security Agent is affected by a vulnerability that may allow an unauthenticated attacker to perform remote code execution on the affected device.
Cisco has released software updates that address this vulnerability.
A workaround is available to mitigate this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110216-csa.
Cisco Security Agent software releases 5.1, 5.2, and 6.0 are affected by this vulnerability.
Note: Only the Management Center for Cisco Security Agent is affected by this vulnerability. Cisco Security Agent installations on end-point workstations or servers are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
Cisco Security Agent provides threat protection for server and desktop computing systems. Cisco Security Agent can function in a standalone manner or can be managed by the Management Center for Cisco Security Agent.
The Management Center for Cisco Security Agent is affected by a vulnerability that could allow an unauthenticated attacker to perform remote code execution on the affected device. A successful exploit could allow the attacker to modify agent policies and system configuration and perform other administrative tasks.
Note: This vulnerability can be exploited only by sending certain packets to the web management interface, which by default listens on TCP port 443.
This vulnerability is documented in Cisco Bug ID CSCtj51216 ( registered customers only) and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-0364.
The following policy can be configured as a workaround to mitigate this vulnerability. Complete the following steps to deploy this policy for the Cisco Security Agent running on the Management Center for Cisco Security Agent server.
Create a New Application Class
Step 1. Specify the name of the application class as 'CSA MC - all applications but not its descendants'.
Step 2. Select when created from one of the following executables in the Add Process to application class area and specify @(regpath HKLM\SOFTWARE\Cisco\CSAMC60\ProductRootDir default=**\CSAMC*)\**\*.exe as the value.
Step 3. Ensure that the Only this process option is selected.
Step 4. Click Save.
Create a priority deny Application Control Rule
Step 1. Name the APCR as CSAMC applications invoking non-CSAMC applications for better readability.
Step 2. Enable logging.
Step 3. For Current applications
in any of the following selected classes select the application class
created under "Create a New Application Class." For the But
not option, select
Step 4. For New applications in
any of the following selected classes select
Step 5. Click Save.
When considering software upgrades, consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
The vulnerability is corrected in Cisco Security Agent software versions 6.0.2.145 and later.
Cisco Security Agent software can be downloaded from the following link:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was found by Gerry Eisenhaur and reported to Cisco by ZDI.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.0 |
2011-Feb-16 |
Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon