[NEWS] Unity Vulnerabilities on IBM-based Servers

From: SecuriTeam (support_at_securiteam.com)
Date: 12/11/03

    To: list@securiteam.com
    Date: 11 Dec 2003 14:34:10 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Unity Vulnerabilities on IBM-based Servers
    ------------------------------------------------------------------------

    SUMMARY

    Recent installations of Cisco Unity running on IBM servers contain default
    user accounts and default IP addresses which should be removed or disabled
    immediately. Vulnerable systems can be identified by the part number on
    the installation disk or by following directions in the Workarounds
    section. Each vulnerability can be verified and removed manually without
    requiring an upgrade to new software or reinstallation. This vulnerability
    only applies to IBM-based Cisco Unity systems installed with specific part
    numbers on the installation disks. No other platforms running Cisco Unity
    are vulnerable.

    DETAILS

    Affected Products:
    IBM-based Cisco Unity servers purchased either as an MCS server or with
    direct IBM branding and installed from the supplied Cisco Unity Server
    image disk may be affected. Cisco Unity servers with any of the unintended
    local user account "bubba", the default RAID Manager address, or the
    default DHCP server address are affected. The existence of each account or
    address can be verified by following the directions in the Workarounds
    section below.

    Part numbers imprinted on the installation disks with a local user account
    "bubba", default RAID Manager Address, and DHCP server address:
     * 80-7111-01 for the UNITY-SVRX255-1A
     * 80-7112-01 for the UNITY-SVRX255-2A

    Part numbers imprinted on the installation disks with default RAID Manager
    Address and DHCP server address (no local user account "bubba"):
     * 80-6750-01 for the Unity SVRX232-1A
     * 80-6765-01 for the UNITY-SVRX232-2A
     * 80-7108-01 and 80-7108-02 for the UNITY-SVRX205-1A
     * 80-7109-01 and 80-7109-02 for the UNITY-SVRX345-1A
     * 80-7110-01 and 80-7110-02 for the UNITY-SVRX345-2A
     * 80-7002-01 and 80-7003-01 for the UNITY-SVRX255-1A and UNITY-SVRX255-2A
     * 80-7243-01 for the MCS-7815i-2.0-ECS1
     * 80-7242-01 for the MCS-7835i-2.4-ECS1
     * 80-7241-01 for the MCS-7845i-2.4-ECS1
     * 80-7240-01 for the MCS-7845i-2.4-ECS2
     * 80-7237-01 plus 80-7239-01 for the MCS-7855i-1.5-ECS1
     * 80-7236-01 plus 80-7238-01 for the MCS-7855i-1.5-ECS2
     * 80-7237-01 plus 80-7239-01 for the MCS-7865i-1.5-ECS1
     * 80-7236-01 plus 80-7238-01 for the MCS-7865i-1.5-ECS2

    Details:
    Local User Account Issue
    A local user account "bubba" with log on locally rights was created during
    manufacturing testing.

    RAID Manager Issue
    After installation, if the RAID (Redundant Array of Inexpensive Disks)
    Management service is configured to start automatically and not restricted
    to local-only, the service tries to establish a TCP session with a RAID
    server address which was used during testing at the manufacturer and
    leaves the TCP port 34571 open listening for remote contact. The TCP
    connection attempt is directed to an IP address embedded in the
    RaidNLst.ser file within the C:\Program Files\RaidMan directory. This is a
    configuration file which directs how and to whom Notification messages are
    sent for the RAID Management service (RaidServ.exe).

    DHCP Issue
    After installation, if the Cisco Unity Server is configured to get an IP
    address from a DHCP server and no local server exists, it will repeatedly
    send packets attempting to get an IP address from the DHCP server on the
    manufacturer's test network. The manufacturer's DHCP server IP address
    will remain in the registry until a local DHCP server is identified or a
    static entry is made for a local DHCP server.

    Impact

    Local User Account Issue
    An unplanned local user account with log on locally rights leaves the
    system open to remote login, which may increase the risk of system
    compromise and unauthorized administrative access.

    RAID Manager Issue
    The RAID Management service attempts to connect to a RAID server on the
    manufacturer's test network and leaves the Cisco Unity Server listening on
    port 34571 for incoming TCP connections. The Cisco Unity Server is
    attempting to connect to a RAID server with a routable TCP/IP address
    that, as of the initial publication of this advisory, does not respond to
    pings or connection requests on the Internet, but good security practice
    suggests limiting connection attempts to known servers. No exploits
    related to port 34571 are known as of the initial publication of this
    advisory, but good security practice suggests closing all unused ports.

    DHCP Issue
    If no local DHCP server exists or no static entry is made for a local DHCP
    server, the Cisco Unity Server will repeatedly send packets requesting an
    address from the DHCP server on the manufacturer's test network. Once the
    DHCP server address has been resolved locally, the Cisco Unity Server
    registry key will be updated with the DHCP server IP address and host
    name, and no further impact is expected.

    Software Versions and Fixes:
    The vulnerabilities are specific to the IBM-based Unity servers, and every
    vulnerability listed in this advisory can be removed by the specific
    actions below that eliminate the account or addresses, so no software
    upgrade is required.

    Workarounds:
    Local User Account Issue
    Remove the "bubba" local user account. To open Computer Management, click
    Start, point to Settings, and then click Control Panel. Double-click
    Administrative Tools, and then double-click Computer Management. Expand the
    Local Users and Groups folder and double-click the Users folder. Right-click
    the "bubba" user and select Delete. The vulnerability is not present if
    the user "bubba" does not exist.

    RAID Manager Issue
    Remove all entries in the RAID Manager program for unwanted notification
    servers in the RaidNLst.ser file. Go to the Start menu and select
    Programs. Launch the ServeRAID Manager. Go to the Actions menu, select
    Configure ServeRAID Agent, and select Notifications. In the new window,
    right click the row for each undesired RAID Management server and select
    Delete System. Close the application. There is no need to reboot. Upon
    exiting the program, a new RaidNLst.ser file is created with no references
    to any IP addresses. Do not simply delete the file without modifying the
    configuration via the program, as a new RaidNLst.ser file is created which
    contains the reference to the manufacturer's address again. The
    vulnerability is not present if unwanted notification servers are not
    present in the RaidNLst.ser file.

    Set the RAID Management service to local to turn off listening on port
    34571. Go to the Start menu, point to Settings, move the cursor to Control
    Panel, and select Services. Select ServeRAID Management Service and change
    the properties to Disabled. Then go to the Start menu and select Programs.
    Launch the ServeRAID Manager and go to the File menu tab. Select User
    Preferences and click on the Remote Access Settings tab. Under Startup
    Mode, check the Local Only checkbox. Click OK, and then at the resulting
    dialog box, click OK again. Close the application. There is no need to
    reboot. The vulnerability is not present if the RAID Management service is
    set to local.

    DHCP Issue
    After initial installation, to ensure the Cisco Unity Server does not send
    repeated DHCP requests and properly resolves its IP address, either assign
    a static IP address or configure a local address for the DHCP server.
    Cisco Unity server documentation discourages using DHCP for the server and
    recommends that Cisco Unity Servers always use static IP addresses.
    Repeated DHCP requests will not be sent to the manufacturer's server once
    the Cisco Unity server is functioning with an IP address.
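    The workarounds above are GUI walk-throughs. The script below is an added,
    read-only audit that reports whether each condition the advisory describes
    is present on a server; it is not part of the Cisco or SecuriTeam advisory
    and it changes nothing, so remediation still follows the documented steps.
    It assumes a Windows host with PowerShell available (not period-accurate for
    the original servers), that the ServeRAID service is registered under the
    display name the Workarounds use, and that a notification address in
    RaidNLst.ser, whose format the advisory does not document, is stored as a
    dotted-quad string; the registry path for the DHCP server value is the
    standard Windows Tcpip interface key.

```powershell
# Added audit script, not from the Cisco/SecuriTeam advisory. Read-only: reports
# each condition the advisory describes and changes nothing. Run from an elevated
# PowerShell session on the Cisco Unity server.
function Test-UnityIbmDefaults {
    $findings = @()

    # 1. Local user account "bubba" (created during manufacturing testing).
    #    Get-LocalUser needs PowerShell 5.1+; older hosts fall back to the WinNT ADSI provider.
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        $bubba = Get-LocalUser -Name 'bubba' -ErrorAction SilentlyContinue
    } else {
        $bubba = ([ADSI]"WinNT://$env:COMPUTERNAME").Children |
            Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -eq 'bubba' }
    }
    if ($bubba) { $findings += 'Local user account "bubba" exists' }

    # 2. RAID Manager notification list. Path is the one given in the advisory.
    #    Assumption: an address stored as a dotted-quad string is visible to a regex scan.
    #    No match does NOT prove the list is empty; confirm in ServeRAID Manager under
    #    Actions > Configure ServeRAID Agent > Notifications.
    $raidFile = 'C:\Program Files\RaidMan\RaidNLst.ser'
    if (Test-Path -LiteralPath $raidFile) {
        $text = [System.IO.File]::ReadAllText($raidFile)
        $ips  = [regex]::Matches($text, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
        if ($ips) { $findings += "RaidNLst.ser references notification address(es): $($ips -join ', ')" }
    }

    # 3. TCP 34571 left listening by the RAID Management service (RaidServ.exe).
    #    Get-NetTCPConnection needs Windows 8 / Server 2012 or later; netstat otherwise.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 34571 -State Listen -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](netstat -an -p TCP | Select-String ':34571\s+\S+\s+LISTENING')
    }
    if ($listening) { $findings += 'TCP port 34571 is listening' }

    # Service start mode. Display name taken from the Workarounds text (assumption: the
    # service is registered under exactly that display name). Win32_Service exposes
    # StartMode; Get-CimInstance where available, Get-WmiObject on older hosts.
    $filter = "DisplayName='ServeRAID Management Service'"
    if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    } else {
        $svc = Get-WmiObject -Class Win32_Service -Filter $filter
    }
    if ($svc -and $svc.StartMode -ne 'Disabled') {
        $findings += "ServeRAID Management Service start mode is $($svc.StartMode) (State=$($svc.State))"
    }

    # 4. DHCP server address retained in the registry. Standard Tcpip interface keys:
    #    EnableDHCP (REG_DWORD) and DhcpServer (REG_SZ) under each interface GUID.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($if in Get-ChildItem -Path $ifRoot) {
        $p = Get-ItemProperty -Path $if.PSPath
        if ($p.EnableDHCP -eq 1 -and $p.DhcpServer) {
            $findings += "Interface $($if.PSChildName): DHCP enabled, DhcpServer=$($p.DhcpServer)"
        }
    }
    return $findings
}

$results = @(Test-UnityIbmDefaults)
if ($results.Count -eq 0) {
    'No conditions from the advisory detected.'
} else {
    $results | ForEach-Object { "FINDING: $_" }
}
```

    Each finding maps to one workaround in this section: delete the account,
    clear the notification list and set the service to Local Only, or give the
    server a static address. A DHCP finding is only a concern when the listed
    DhcpServer is not a server on the local network.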

    ADDITIONAL INFORMATION

    The information has been provided by the Cisco Systems Product Security
    Incident Response Team (<mailto:psirt@cisco.com>).
