Cisco's Sad Thursday: Phone Flaws and 802.1X Hiccups
Cisco yesterday posted two security advisories: one on certain Cisco Unified IP Conference Station and IP Phone devices that contain vulnerabilities that may allow unauthorized users to gain administrative access to vulnerable devices, and another about multiple vulnerabilities, including privilege escalations and information disclosure, in the 802.1X authentication standard.
The IP phone and Conference Station vulnerabilities could lead to privilege escalation, with the phone flaw concerning a default user account with a default password accessible by a Secure Shell server that's been enabled on the phone.
The default account can be used to gain administrative access to a vulnerable phone via privilege escalation. This default account may also execute commands, which could cause a phone to become unstable and result in a denial of service. There are mitigations for the vulnerabilities, but the default user account can't be disabled, removed, or have its password changed.
The phone problem concerns these Cisco Unified IP Phone devices:
7906G 8.0(4)SR1 and earlier 7911G 8.0(4)SR1 and earlier 7941G 8.0(4)SR1 and earlier 7961G 8.0(4)SR1 and earlier 7970G 8.0(4)SR1 and earlier 7971G 8.0(4)SR1 and earlier
To determine the firmware version running on a phone, check the Settings menu. Also, in most cases, CUCM (Cisco Unified CallManager) will tell you the firmware version, although it's possible that a user might have gone in and changed the firmware version.
You're OK if you have any of Cisco Unified IP Phone 7902G, 7905, 7905G, 7910, 7912, 7912G, 7920, 7921G, 7940, 7960 and 7985 devices, since they aren't affected by the privilege escalation and default account vulnerabilities.
The problem with Unified IP Conference Station 7935 and 7936 devices is that they don't require a password when a URL is accessed directly via the administrator HTTP interface. The firmware affected is 7935 3.3(12) and earlier and 7936 3.2(15) and earlier.
The devices in question provide integrated speaker phone services for a networked environment. 7935/7936 devices can be managed via an administrative HTTP interface and/or with a CUCM system. Although the administrative HTTP interface is protected by a user-configurable password, a user who knows the direct path to a management URL could access the administrative HTTP interface without being prompted for authentication.
The flaw is due to the devices' incorrect maintenance of the state of administrator login sessions. Administrator's credentials are cached when logging in through a vulnerable device via the HTTP interface, even after logging off. It's that window of opportunity that unauthorized users can use to get complete administrative access.
Cisco says it's possible to reset an IP Conference Station to a non-vulnerable state by power-cycling the device or performing a reboot, not a reload, operation using the CUCM system.
As for the 802.1X problem, the flaws concern the CSSC (Cisco Secure Services Client), a software client that enables customers to deploy a single authentication framework using the 802.1X authentication standard across multiple device types to access both wired and wireless networks. This product was initially marketed as the Meetinghouse AEGIS SecureConnect client.
The flaws also concern Cisco Trust Agent (CTA) installed on end-hosts. The CTA is a core component of the Cisco NAC (Network Admission Control) Framework solution. CTA optionally includes a lightweight version of CSSC to provide authentication as part of the NAC Framework solution, using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.
There are four privilege escalation vulnerabilities associated with the products:
â¢ An unprivileged user who is logged into the computer may increase their privileges to the local system user via the help facility within the supplicant GUI.
â¢ Unprivileged users logged in may launch any program on a system to run with SYSTEM privileges from within the supplicant application.
â¢ Insecure default DACL (Discretionary Access Control Lists) for the connection client GUI (ConnectionClient.exe) allow an unprivileged user to inject a thread under ConnectionClient.exe running with SYSTEM level privileges.
â¢ Due to the method used in parsing commands, it is possible that an unprivileged user who is logged into the computer could launch a process as the local system user.
These software clients may be vulnerable: Cisco Secure Services Client 4.x versions
Cisco Trust Agent 1.x and 2.x versions
Meetinghouse AEGIS SecureConnect Client (Windows platform versions)
Cisco Security Agent (CSA) bundle versions 5.0 and 5.1
The Cisco advisory says: "To determine the version of the Cisco Trust Agent installed, the ctastat command found in the \Program Files\Cisco Systems\CiscoTrustAgent directory will provide output similar to:
Cisco Trust Agent Statistics Current Time: Tue Sep 27 19:11:18 2005 CTA Version: 126.96.36.199 To determine the version of the Cisco Secure Services Client installed, the software version information may be found in "About" dialog window which may be launched underneath the Help tab within the client.
Cisco Security Agent bundle versions 5.0 and 5.1 included Cisco Trust Agent software within the bundle. Customers who have deployed CTA as part of their CSA client package may be vulnerable if the version of CTA included is a version which is affected."
Cisco is providing free software to handle all the vulnerabilities listed in both advisories.