Cisco AsyncOS Software for Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
Note: This security advisory has been updated to include important information about Cisco WSA.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport
Note: The Cisco AsyncOS Software for Cisco WSA is affected by this vulnerability only if the System Setup Wizard (SSW) has not been performed as the Telnet access is disabled after the setup is completed.
Cisco WSA will not fully operate unless the SSW has completed; this limits the scope of the vulnerability on Cisco WSA.
This vulnerability can only be exploited if Telnet is enabled on the affected system for remote access. To determine whether the system has Telnet enabled, administrators can use the netstat command and verify whether the default Telnet TCP port 23 is in the LISTEN state. The following example shows a Cisco ESA with Telnet enabled:
ciscoesa> netstat
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
[...]
tcp4 0 0 172.18.254.80.21 *.* LISTEN
tcp4 0 0 172.18.254.80.22 *.* LISTEN
tcp4 0 0 172.18.254.80.23 *.* LISTEN
[...]
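The netstat check above can be automated. The following Python example, added here and not part of the Cisco advisory, parses BSD-style netstat output such as the sample shown (the embedded sample is constructed to mirror it) and reports which local addresses have a TCP listener on port 23:

```python
# Constructed sample modelled on the advisory's netstat output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 172.18.254.80.21 *.* LISTEN
tcp4 0 0 172.18.254.80.22 *.* LISTEN
tcp4 0 0 172.18.254.80.23 *.* LISTEN
tcp4 0 0 172.18.254.80.22 10.0.0.5.51234 ESTABLISHED
udp4 0 0 *.123 *.*
"""


def split_addr_port(endpoint):
    """BSD netstat joins address and port with a dot ('172.18.254.80.23', '*.23').
    The port is the last dot-separated field; the rest is the host part."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def listening_sockets(netstat_text):
    """Return a set of (host, port) for every TCP socket in LISTEN state.

    Header lines, UDP sockets and established connections are skipped."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # A socket line has proto, recv-q, send-q, local, foreign, state.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        host, port = split_addr_port(fields[3])
        if port is not None:
            found.add((host, port))
    return found


def telnet_listeners(netstat_text, telnet_port=23):
    """Hosts with a Telnet (port 23) listener; an empty list means Telnet is off."""
    return sorted(h for h, p in listening_sockets(netstat_text) if p == telnet_port)


if __name__ == "__main__":
    print("Telnet listening on:", telnet_listeners(SAMPLE_NETSTAT))
```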
To determine whether a vulnerable version of Cisco AsyncOS Software is running on an appliance, administrators can issue the version command. The following example shows a device running Cisco AsyncOS Software for Cisco ESA Software version 7.6.2-201:
ciscoesa> version
Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 7.6.2-201
[...]
No other Cisco products are currently known to be affected by this vulnerability.
A vulnerability in the telnet code of Cisco AsyncOS could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system.
The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges.
For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet.
Complete the following steps to disable Telnet via the GUI:
Step 1: Navigate to Network > IP Interfaces > interface_name.
Step 2: Remove the check from the box next to the Telnet service.
Step 3: Click on the Submit button to submit the change.
Step 4: Click the Commit Change button for these changes to take effect.
Use the interfaceconfig command, as shown in the example below, to disable Telnet via the CLI.
ciscoesa> interfaceconfig
Currently configured interfaces:
1. Data 1 (192.168.1.1/24 on Data1: mail3.example.com)
2. Data 2 (192.168.2.1/24 on Data2: mail3.example.com)
3. Management (192.168.42.42/24 on Management: mail3.example.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit
Enter the number of the interface you wish to edit.
[]> 3
<..output omitted>
Do you want to enable Telnet on this interface? [N]> N
Do you want to enable SSH on this interface? [N]> Y
Note: The interfaceconfig command is described in detail in the section Other Tasks in the GUI in the Cisco AsyncOS Daily Management Guide available at the following link:
http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
Cisco AsyncOS Software for Cisco WSA has Telnet enabled by default; however, once the SSW is completed, Telnet is automatically disabled.
The Cisco Applied Mitigation Bulletin (AMB) "Identifying and Mitigating Exploitation of the Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability" is available at http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120126-ironport
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The following tables include the first fixed releases for Cisco AsyncOS Software for Cisco ESA, Cisco SMA, and Cisco WSA.
Cisco ESA
Major Release | First Fixed In
7.1 and prior | 7.1.5-101
7.3 | 7.3.1-101
7.5 | 7.5.1-102
7.6 | 7.6.1-022
8.0 | Not Affected
8.5 | Not Affected
8.6 | Not Affected
Cisco SMA
Major Release | First Fixed In
7.2 and prior | 7.2.2-106
7.7 | 7.7.0-206
7.8 | Not Available - Upgrade to 7.9 or later
7.9 | 7.9.0-107
8.0 | Not Affected
8.1 | Not Affected
8.2 | Not Affected
8.3 | Not Affected
Cisco WSA
Major Release | First Fixed In
7.1 and prior | Not Available - Upgrade to 7.7 or later
7.5 | Not Available - Upgrade to 7.7 or later
7.7 | 7.7.0-757
8.0 | 8.0.6-073
8.1 | 8.1.0-235
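Comparing a running version (as printed by the version command, e.g. 7.6.2-201) against these tables is easy to get wrong by hand because the build suffix after the dash also matters. The following Python example, added here and not Cisco's own tooling, encodes the ESA and WSA tables from this advisory and classifies a version string; the "and prior" row is handled by mapping any lower major release onto it:

```python
import re

# Tables transcribed from the advisory. A value of None means "Not Affected";
# a version string is the first fixed release; ("upgrade", "7.7") encodes
# "Not Available - Upgrade to 7.7 or later". Keys are (major, minor).
ESA_FIRST_FIXED = {
    (7, 1): "7.1.5-101", (7, 3): "7.3.1-101", (7, 5): "7.5.1-102",
    (7, 6): "7.6.1-022", (8, 0): None, (8, 5): None, (8, 6): None,
}
ESA_PRIOR_CEILING = (7, 1)   # the "7.1 and prior" row

WSA_FIRST_FIXED = {
    (7, 1): ("upgrade", "7.7"), (7, 5): ("upgrade", "7.7"),
    (7, 7): "7.7.0-757", (8, 0): "8.0.6-073", (8, 1): "8.1.0-235",
}
WSA_PRIOR_CEILING = (7, 1)   # the "7.1 and prior" row


def parse_version(v):
    """'7.6.2-201' -> (7, 6, 2, 201) so tuples compare numerically, build included."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, table=ESA_FIRST_FIXED, prior_ceiling=ESA_PRIOR_CEILING):
    """Classify a running version against a first-fixed table.

    Returns 'fixed', 'not affected', 'vulnerable', 'vulnerable: upgrade to X or later',
    or 'unknown release' when the major release is absent from the table."""
    running = parse_version(version)
    major = running[:2]
    key = prior_ceiling if major <= prior_ceiling else major
    if key not in table:
        return "unknown release"
    entry = table[key]
    if entry is None:
        return "not affected"
    if isinstance(entry, tuple):          # no fix for this train; must move trains
        return f"vulnerable: upgrade to {entry[1]} or later"
    return "fixed" if running >= parse_version(entry) else "vulnerable"


if __name__ == "__main__":
    # The advisory's own example device runs 7.6.2-201 on ESA.
    print("ESA 7.6.2-201:", assess("7.6.2-201"))
```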
The vulnerability in the telnetd service that affects Cisco AsyncOS Software for Cisco ESA, Cisco SMA, and Cisco WSA was publicly disclosed by the FreeBSD Project on December 23rd, 2011. The FreeBSD Project advisory is available at:
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
The vulnerability on Cisco WSA was reported to Cisco by Glafkos Charalambous.
The Cisco Product Security Incident Response Team (PSIRT) is aware of exploit modules for the Metasploit Framework that can exploit this vulnerability on affected Cisco AsyncOS Software versions.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
2.0 | 2014-October-16 | Added important information about Cisco WSA.
1.4 | 2012-July-14 | Updated meta-tags for Affected Products.
1.3 | 2012-February-08 | Updated advisory to fix minor HTML formatting issue.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.