Cisco Security Advisory
Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:C
-
Cisco AsyncOS Software for Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
Note: This security advisory has been updated to include important information about Cisco WSA.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport
-
Vulnerable Products
The following products running an affected version of Cisco AsyncOS Software are affected:
- All models of Cisco ESA hardware appliances
- All models of Cisco SMA hardware appliances
- All models of Cisco WSA both hardware and virtual appliances
Note: Cisco AsyncOS Software for Cisco WSA is affected by this vulnerability only if the System Setup Wizard (SSW) has not been run, because Telnet access is disabled once setup completes.
Cisco WSA will not fully operate until the SSW has completed, which limits the scope of the vulnerability on Cisco WSA.
This vulnerability can only be exploited if Telnet is enabled on the affected system for remote access. To determine whether Telnet is enabled, administrators can use the netstat command and verify that the default Telnet TCP port, 23, is in the LISTEN state. The following example shows a Cisco ESA with Telnet enabled:
ciscoesa> netstat
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
[...]
tcp4 0 0 172.18.254.80.21 *.* LISTEN
tcp4 0 0 172.18.254.80.22 *.* LISTEN
tcp4 0 0 172.18.254.80.23 *.* LISTEN
[...]
Determining the Running Software Version
To determine whether a vulnerable version of Cisco AsyncOS Software is running on an appliance, administrators can issue the version command. The following example shows a device running Cisco AsyncOS Software for Cisco ESA version 7.6.2-201:
ciscoesa> version
Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 7.6.2-201
[...]
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco ESA provides email management and protection combining antispam, antivirus, encryption, digital rights management, and archiving technologies. The Cisco SMA is a flexible management tool designed to centralize and consolidate policy and runtime data, providing a single management interface for multiple Cisco IronPort security appliances.
The Cisco WSA is a secure web gateway that combines advanced malware protection, application visibility and control (AVC), acceptable use policy controls, reporting, and secure mobility on a single platform.
A vulnerability in the Telnet code of Cisco AsyncOS could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system.
The vulnerability is due to insufficient boundary checks when processing Telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to the Telnet service of a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges.
Note: Cisco AsyncOS Software for Cisco WSA is affected by this vulnerability only if the System Setup Wizard (SSW) has not been run, because Telnet access is disabled once setup completes.
Cisco WSA will not fully operate until the SSW has completed, which limits the scope of the vulnerability on Cisco WSA.
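The boundary check described above, reconstructed as an added example that is not Cisco's or FreeBSD's code: a parser for the telnet ENCRYPT key-id suboption (RFC 2946 framing, IAC SB ENCRYPT ENC_KEYID|DEC_KEYID <key id> IAC SE, with any IAC byte in the body doubled per RFC 854) that refuses a key ID longer than the fixed buffer a server would copy it into. The 64-byte limit is an assumption taken from the MAXKEYLEN buffer size of the FreeBSD libtelnet implementation, and the sample suboptions are constructed inline. The same parse doubles as a crude detection rule over captured port 23 traffic: a key-id suboption longer than the buffer has no legitimate use.

```python
"""Telnet ENCRYPT key-id suboption parser with the length check the affected telnetd lacked.

Added illustration, not Cisco or FreeBSD code. Command bytes follow RFC 854 and
RFC 2946; MAXKEYLEN = 64 is an assumption (FreeBSD libtelnet's key-id buffer size).
"""

IAC, SB, SE = 255, 250, 240      # RFC 854 command bytes
TELOPT_ENCRYPT = 38              # ENCRYPT option number (RFC 2946)
ENC_KEYID, DEC_KEYID = 7, 8      # key-id suboption commands (RFC 2946)
MAXKEYLEN = 64                   # assumed size of the server's key-id buffer


class KeyIdError(ValueError):
    """Malformed ENCRYPT key-id suboption."""


class OversizedKeyId(KeyIdError):
    """Key id longer than the receiving buffer: the unchecked case behind CVE-2011-4862."""


def build_keyid_suboption(keyid: bytes, command: int = ENC_KEYID) -> bytes:
    """Frame a key id as IAC SB ENCRYPT <command> <keyid> IAC SE, doubling any IAC in the body."""
    body = bytes([command]) + keyid.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, TELOPT_ENCRYPT]) + body + bytes([IAC, SE])


def _find_suboption_end(stream: bytes, start: int) -> int:
    """Index of the IAC that begins the terminating IAC SE, skipping IAC IAC escapes."""
    i = start
    while True:
        j = stream.find(bytes([IAC]), i)
        if j < 0 or j + 1 >= len(stream):
            raise KeyIdError("unterminated suboption")
        nxt = stream[j + 1]
        if nxt == IAC:          # escaped data byte, keep scanning
            i = j + 2
        elif nxt == SE:
            return j
        else:
            raise KeyIdError("unexpected IAC sequence inside suboption")


def extract_keyid(stream: bytes, maxlen: int = MAXKEYLEN) -> bytes:
    """Return the key id carried by the first ENCRYPT key-id suboption in stream.

    Raises OversizedKeyId when the key id would not fit in a maxlen-byte buffer;
    that comparison is the check the vulnerable code path did not perform
    before copying the key id.
    """
    header = bytes([IAC, SB, TELOPT_ENCRYPT])
    start = stream.find(header)
    if start < 0:
        raise KeyIdError("no ENCRYPT suboption present")
    end = _find_suboption_end(stream, start + len(header))
    # Safe to collapse IAC IAC here: the scan above guarantees no lone IAC in the body.
    body = stream[start + len(header):end].replace(bytes([IAC, IAC]), bytes([IAC]))
    if not body or body[0] not in (ENC_KEYID, DEC_KEYID):
        raise KeyIdError("ENCRYPT suboption is not a key-id message")
    keyid = body[1:]
    if len(keyid) > maxlen:
        raise OversizedKeyId(f"key id is {len(keyid)} bytes, buffer holds {maxlen}")
    return keyid


def is_oversized_keyid(stream: bytes, maxlen: int = MAXKEYLEN) -> bool:
    """Detection helper: True only when the stream carries a key id longer than the buffer."""
    try:
        extract_keyid(stream, maxlen)
    except OversizedKeyId:
        return True
    except KeyIdError:
        return False
    return False


if __name__ == "__main__":
    # Constructed samples: a legitimate two-byte key id and an oversized one.
    print(extract_keyid(build_keyid_suboption(b"\x00\x01")))
    print(is_oversized_keyid(build_keyid_suboption(b"A" * 200)))
```

A legitimate client never needs a key id anywhere near 64 bytes, so the detection helper produces no false positives on normal traffic; the parser deliberately rejects an unescaped IAC inside the body rather than guessing where the suboption ends.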
This vulnerability is documented by Cisco bug IDs CSCzv32432 (registered customers only) for Cisco ESA, CSCzv44580 (registered customers only) for Cisco SMA, and CSCuo90523 (registered customers only) for Cisco WSA.
The vulnerability was previously documented in Cisco IronPort bug 83262. Cisco IronPort tracks bugs using an internal system that is not available to customers. The Cisco IronPort bug tracking identifiers are provided for reference only.
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-4862.
-
For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet.
Complete the following steps to disable Telnet via the GUI:
Step 1: Navigate to Network > IP Interfaces > interface_name.
Step 2: Remove the check from the box next to the Telnet service.
Step 3: Click on the Submit button to submit the change.
Step 4: Click the Commit Change button for these changes to take effect.
Use the interfaceconfig command as shown in the example below to disable Telnet via the CLI.
ciscoesa> interfaceconfig
Currently configured interfaces:
1. Data 1 (192.168.1.1/24 on Data1: mail3.example.com)
2. Data 2 (192.168.2.1/24 on Data2: mail3.example.com)
3. Management (192.168.42.42/24 on Management: mail3.example.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit
Enter the number of the interface you wish to edit.
[]> 3
<..output omitted>
Do you want to enable Telnet on this interface? [N]> N
Do you want to enable SSH on this interface? [N]> Y
Note: The interfaceconfig command is described in detail in the section Other Tasks in the GUI in the Cisco AsyncOS Daily Management Guide, available at the following link:
http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
Cisco AsyncOS Software for Cisco WSA has Telnet enabled by default; however, once the SSW is completed, Telnet is automatically disabled.
The Cisco Applied Mitigation Bulletin (AMB) "Identifying and Mitigating Exploitation of the Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability" is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120126-ironport
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The following table lists the first fixed releases of Cisco AsyncOS Software for Cisco ESA:
Major Release      First Fixed In
7.1 and prior      7.1.5-101
7.3                7.3.1-101
7.5                7.5.1-102
7.6                7.6.1-022
8.0                Not Affected
8.5                Not Affected
8.6                Not Affected
The following table lists the first fixed releases of Cisco AsyncOS Software for Cisco SMA:
Major Release      First Fixed In
7.2 and prior      7.2.2-106
7.7                7.7.0-206
7.8                Not Available - Upgrade to 7.9 or later
7.9                7.9.0-107
8.0                Not Affected
8.1                Not Affected
8.2                Not Affected
8.3                Not Affected
The following table lists the first fixed releases of Cisco AsyncOS Software for Cisco WSA:
Major Release      First Fixed In
7.1 and prior      Not Available - Upgrade to 7.7 or later
7.5                Not Available - Upgrade to 7.7 or later
7.7                7.7.0-757
8.0                8.0.6-073
8.1                8.1.0-235
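The two checks from the Vulnerable Products section (port 23 in LISTEN state in netstat output, and the version command output) combined with the three first-fixed tables above, as an added exposure-assessment script that is not Cisco's code. The tables are transcribed from this advisory; the product family (ESA, SMA or WSA) is passed in by the operator rather than inferred from the Product line, and the sample version and netstat text is constructed, modelled on the advisory's own examples. A train the tables do not list (for example ESA 7.2 or 7.4) is reported as "not listed" rather than guessed.

```python
"""Exposure check for CVE-2011-4862 from AsyncOS 'version' and 'netstat' output.

Added example, not Cisco code. The first-fixed table is transcribed from the
advisory; the product family is supplied by the caller.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed release per major train. "n/a" = train not affected,
# None = no fixed release in that train (advisory says upgrade to a later train).
FIRST_FIXED: Dict[str, Dict[Tuple[int, int], Optional[str]]] = {
    "ESA": {(7, 1): "7.1.5-101", (7, 3): "7.3.1-101", (7, 5): "7.5.1-102",
            (7, 6): "7.6.1-022", (8, 0): "n/a", (8, 5): "n/a", (8, 6): "n/a"},
    "SMA": {(7, 2): "7.2.2-106", (7, 7): "7.7.0-206", (7, 8): None,
            (7, 9): "7.9.0-107", (8, 0): "n/a", (8, 1): "n/a",
            (8, 2): "n/a", (8, 3): "n/a"},
    "WSA": {(7, 1): None, (7, 5): None, (7, 7): "7.7.0-757",
            (8, 0): "8.0.6-073", (8, 1): "8.1.0-235"},
}
# The oldest row of each table reads "X.Y and prior"; older trains fold into it.
AND_PRIOR = {"ESA": (7, 1), "SMA": (7, 2), "WSA": (7, 1)}


def parse_version(text: str) -> Version:
    """'7.6.2-201' -> (7, 6, 2, 201); the build number compares as an integer."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def version_from_output(version_output: str) -> Version:
    """Pull the 'Version:' line out of the CLI 'version' command output."""
    m = re.search(r"^\s*Version:\s*(\S+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line in output")
    return parse_version(m.group(1))


def version_status(product: str, ver: Version) -> str:
    """'fixed', 'vulnerable', 'vulnerable, no fix in this train', 'not affected',
    or 'not listed' when the train does not appear in the advisory table."""
    table = FIRST_FIXED[product]
    train = ver[:2]
    if train < AND_PRIOR[product]:
        train = AND_PRIOR[product]
    if train not in table:
        return "not listed"
    fixed = table[train]
    if fixed == "n/a":
        return "not affected"
    if fixed is None:
        return "vulnerable, no fix in this train"
    return "fixed" if ver >= parse_version(fixed) else "vulnerable"


def telnet_listening(netstat_output: str) -> bool:
    """True if a TCP socket with local port 23 is in LISTEN state (BSD netstat layout,
    where the port is appended to the address with a dot, e.g. 172.18.254.80.23)."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            if re.search(r"\.23$", fields[3]):
                return True
    return False


def assess(product: str, version_output: str, netstat_output: str) -> Dict[str, object]:
    """A device is exposed only if its software is vulnerable AND Telnet is listening
    (on WSA, Telnet listening implies the SSW has not been completed)."""
    ver = version_from_output(version_output)
    status = version_status(product, ver)
    listening = telnet_listening(netstat_output)
    return {
        "version": ".".join(map(str, ver[:3])) + f"-{ver[3]:03d}",
        "status": status,
        "telnet_listening": listening,
        "exposed": listening and status.startswith("vulnerable"),
    }


# Constructed sample output, modelled on the advisory's examples (not real device data).
SAMPLE_VERSION = """Current Version
===============
Product: Cisco IronPort X1070 Messaging Gateway(tm) Appliance
Model: X1070
Version: 7.6.0-100
"""
SAMPLE_NETSTAT = """Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 172.18.254.80.21 *.* LISTEN
tcp4 0 0 172.18.254.80.22 *.* LISTEN
tcp4 0 0 172.18.254.80.23 *.* LISTEN
"""

if __name__ == "__main__":
    print(assess("ESA", SAMPLE_VERSION, SAMPLE_NETSTAT))
```

Note that the advisory's own example device (ESA 7.6.2-201) evaluates as fixed, because 7.6.2-201 is later than the 7.6 train's first fixed release 7.6.1-022; a device whose train is reported as "not listed" should be checked against the Cisco advisory archive rather than assumed safe.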
-
The vulnerability in the telnetd service that affects Cisco AsyncOS Software for Cisco ESA, Cisco SMA, and Cisco WSA was publicly disclosed by the FreeBSD Project on December 23rd, 2011. The FreeBSD Project advisory is available at:
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc
The vulnerability on Cisco WSA was reported to Cisco by Glafkos Charalambous.
The Cisco Product Security Incident Response Team (PSIRT) is aware of exploit modules for the Metasploit Framework that can exploit this vulnerability on affected Cisco AsyncOS Software versions.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 2.0  2014-October-16  Added important information about Cisco WSA.
Revision 1.4  2012-July-14  Updated meta-tags for Affected Products.
Revision 1.3  2012-February-08  Updated advisory to fix minor HTML formatting issue.
Revision 1.2  2012-February-07  Updated advisory to include the availability of IronPort software updates.
Revision 1.1  2012-January-26  Updated advisory to include the availability of a Cisco Applied Mitigation Bulletin.
Revision 1.0  2012-January-26  Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.