[NT] Cisco Collaboration Server Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 07/04/04
- Previous message: SecuriTeam: "[NT] WinGate Information Disclosure Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 4 Jul 2004 18:59:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco Collaboration Server Vulnerability
------------------------------------------------------------------------
SUMMARY
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges. The
workaround is documented in the Workaround section below. Cisco has
provided an automated script to remove this vulnerability from the CCS 4.x
versions
DETAILS
Vulnerable products:
CCS using an unpatched ServletExec version earlier than 3.0E is
vulnerable.
* CCS 4.x ships with ServletExec 3.0 which is vulnerable until patched.
CCS 4.0 customers can patch the software with an automated script or
upgrade to CCS 5.x
* CCS 3.x ships with ServletExec 2.2 which is vulnerable until patched.
An automated script is not available for CCS 3.0. Customers can patch the
software by following the manual instructions in the Workaround section,
upgrade to CCS 4.x and patch the software with an automated script, or
upgrade to CCS 5.x.
Products confirmed not vulnerable:
* CCS 5.x ships with ServletExec 4.1 and is not vulnerable
Details:
Cisco Collaboration Server utilizes the ServletExec subcomponent provided
by New Atlanta for Microsoft Windows 2000 and Windows NT. ServletExec
versions prior to SE 3.0E allow for an attacker to upload files to the Web
server and invoke them. Cisco bug id CSCed49648. Users should upgrade to
CCS 5.x that ships with ServletExec 4.1, download the automated script for
CCS 4.x, or follow the manual instructions in the Workaround section.
Patching ServletExec either with the automated script or manual
Customers can continue to obtain and apply the most current patches for
Cisco Collaboration Server (CCS) has been sold as a standalone product or
Impact:
*
Software Versions and Fixes:
Cisco Collaboration Server 3.x users can patch the software by following
Workarounds:
1. Stop Internet Information Server (IIS).
Manual Instructions to Patch CCS 4.x
1. Stop Internet Information Server (IIS).
CCS 5.x is not vulnerable and these manual instructions do not apply.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com> Cisco
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
instructions removes the UploadServlet from the ServletExec30.jar file but
does not alter the version number. The best way to test if the CCS is
vulnerable is to attempt to load the
http://
running. If this attempt results in a NullPointerException, the
vulnerability is present. If this results in a Page Not Found error, then
the CCS is not vulnerable.
ServletExec by following the instructions on the New Atlanta website:
<http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195> http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195 . Additionally, customers are encouraged to go to the following Cisco web pages for tips on increasing security on their CCS: <http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf> http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf Refer to page 38 for ServletExec notes and refer to page 71 for notes on Collaboration Option.
as part of Cisco Web Collaboration Option where it is integrated with the
Cisco Intelligent Contact Management (ICM) software. A user can determine
their version level by using the http://
where <ccs server> is the hostname or IP address.
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges.
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed49648
> CSCed49648
Cisco Collaboration Server 4.x users can patch the software with an
automated script available at
<http://www.cisco.com/pcgi-bin/tablebuild.pl/ccs40>
http://www.cisco.com/pcgi-bin/tablebuild.pl/ccs40, or patch the software
by following the manual instructions in the Workaround section, or upgrade
to CCS 5.x.
the manual instructions in the Workaround section, or upgrade to CCS 4.x
and patch the software with an automated script, or upgrade to CCS 5.x.
Manual Instructions to Patch CCS 3.x
Complete these steps to patch CCS 3.x:
2. Run Winzip or your favorite zip utility and open ServletExec22.jar in
the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.
3. Delete UploadServlet.class.
4. Save ServletExec22.jar back to its original location and exit Winzip.
5. Restart IIS.
Complete these steps to patch CCS 4.x:
2. Run Winzip or your favorite zip utility and open ServletExec30.jar in
the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.
3. Delete UploadServlet.class.
4. Save ServletExec30.jar back to its original location and exit Winzip.
5. Restart IIS.
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml>
http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... There is an heap overflow vulnerability
discovered in Internet Explorer ... Internet Explorer 6 SP1 with the MS06-042 patch applied
are vulnerable. ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... TrendMicro AntiVirus UUE Processing
Vulnerability ... TrendMicro has made a patch for the vulnerability, ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Vulnerable Systems: ...
The impact of such a vulnerability is that any movie file ... Patch Availability:
... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Pivot is easy to setup,
... Pivot version 1.14 has been released to mitigate this vulnerability. ... Unofficial
Patch: ... (Securiteam)
... i'm using matlab r2006b and want to make it work with code composer ... studio
v3.0. ... patch or something)??? ... I'm running R2006b with CCS 3.3; your
problem is probably that CCS 3.0 ... (comp.soft-sys.matlab)
