-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2011.0564.2
   Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities
                                26 May 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco RVS4000 and WRVS4400N
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated
                   Root Compromise          -- Existing Account      
                   Access Privileged Data   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1647 CVE-2011-1646 CVE-2011-1645

Original Bulletin: 
   http://www.cisco.com/warp/public/707/cisco-sa-20110525-rvs4000.shtml

Revision History:  May 26 2011: Minor correction
                   May 26 2011: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco RVS4000 and WRVS4400N Web Management
Interface Vulnerabilities

Advisory ID: cisco-sa-20110525-rvs4000

Revision 1.0

For Public Release 2011 May 25 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco RVS4000 4-port Gigabit Security Routers and Cisco WRVS4400N
Wireless-N Gigabit Security Routers have several web interface
vulnerabilities that can be exploited by a remote, unauthenticated
user.

Cisco has released free software updates that address these
vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20110525-rvs4000.shtml

Affected Products
=================

Vulnerable Products
- - -------------------

These vulnerabilities affect the following devices running firmware
prior to the first fixed release documented in the Software Versions
and Fixes section of this advisory:

  * Cisco RVS4000 Gigabit Security Router (v1 and v2)
  * Cisco WRVS4400N Wireless-N Gigabit Security Router (V1.0, V1.1,
    and V2)
    Note: The Cisco WRVS4400N Wireless-N Gigabit Security Router V1.0
    and V1.1 have reached end of life, and no further firmware
    updates are being made available.

To check the version of system firmware that is running on the device,
log into the device with the web management interface, and navigate to
the screen: Setup --> Summary. Under "System Information" is a field
labeled "Firmware Version:". The number directly beside this field label
is the system firmware version. An example would be V1.3.0.3.

Products Confirmed Not Vulnerable
- - ---------------------------------

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

The Cisco RVS4000 and WRVS4400N Gigabit Security Routers deliver
high-speed network access and IPsec VPN capabilities for small
businesses. They also provides firewall and intrusion prevention
capabilities.

The Cisco RVS4000 and WRVS4400N Gigabit Security Routers contain
three web management interface vulnerabilities:

  * Retrieval of the configuration file
    If an administrator of the device has previously created a backup
    of the configuration, using Administration --> Backup & Restore
    --> Backup, it is possible for a remote unauthenticated user to
    access the backup configuration file. This file contains all
    configuration parameters of the device, including the HTTP
    authentication password and VPN pre-shared-keys (PSKs).

  * Root operating system arbitrary command injection by an
    authenticated attacker
    A user who is authenticated to the device can inject arbitrary
    commands into the underlying operating system with root
    privileges, via the ping test and traceroute test parameters.

  * Retrieval of admin SSL certificate private key
    The admin SSL certificate private and public keys can be
    retrieved (used for Quick VPN) by a remote unauthenticated user.

These vulnerabilities are documented in Cisco bug ID CSCtn23871 and has
been assigned Common Vulnerabilities and Exposures (CVE) IDs:

  * CVE-2011-1645: Retrieval of the configuration file
  * CVE-2011-1646: Root operating system arbitrary command injection
    by an authenticated attacker
  * CVE-2011-1647: Retrieval of admin SSL certificate private key

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* Retrieval of the configuration file

CVSS Base Score - 9.3
    Access Vector -            Network
    Access Complexity -        Medium
    Authentication -           None
    Confidentiality Impact -   Complete
    Integrity Impact -         Complete
    Availability Impact -      Complete

CVSS Temporal Score - 7.7
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* Root operating system arbitrary command injection by an authenticated
attacker

CVSS Base Score - 9.0
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           Single
    Confidentiality Impact -   Complete
    Integrity Impact -         Complete
    Availability Impact -      Complete

CVSS Temporal Score - 7.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* Retrieval of admin SSL certificate private key

CVSS Base Score - 5.0
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   Partial
    Integrity Impact -         None
    Availability Impact -      None

CVSS Temporal Score - 4.1
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed


Impact
======

Successful exploitation of the vulnerabilities may result in
execution of arbitrary commands on the device by an authenticated
user or retrieval of configuration files and private keys by an
unauthenticated user.

The configuration files contain sensitive information in text, such
as the HTTP passwords and PSKs. The retrieval of the certificates may
aid in further attacks.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Small Business Support Center or your contracted
maintenance provider for assistance.

These vulnerabilities have been fixed in the following firmware
versions:

+------------------------------------------------------------+
|    Affected    |    Availability of First Fixed Release    |
|    Product     |                                           |
|----------------+-------------------------------------------|
| RVS4000v1      | 1.3.3.4; available for download June 19,  |
|                | 2011.                                     |
|----------------+-------------------------------------------|
| RVS4000v2      | 2.0.2.7; available for download June 19,  |
|                | 2011.                                     |
|----------------+-------------------------------------------|
| WRVS4400Nv2    | 2.0.2.1; available for download June 10,  |
|                | 2011.                                     |
+------------------------------------------------------------+

The latest Cisco RVS4000 Gigabit Security Router software can be
downloaded at:

http://www.cisco.com/cisco/software/type.html?mdfid=282414013&flowid=787

The latest Cisco WRVS4400N V2 Gigabit Security Router software can be
downloaded at:

http://www.cisco.com/cisco/software/type.html?mdfid=282414016

Workarounds
===========

The following mitigations help limit the exposure to these
vulnerabilities.

  * Disable remote management
    Caution: Do not disable remote management if you manage the
    device via the WAN connection. Doing so will result in loss of
    management connectivity to the device.

    Remote Management is disabled by default. If it is enabled,
    administrators can disable it using the Firewall > Basic Settings
    screen. Change the setting for the field "Remote Management" to
    "Disabled".

    Disabling remote management limits the exposure of the
    vulnerabilities to those on the local LAN.

  * Limit remote management access to specific IP addresses
    If remote management is required, harden the device so that it
    can be accessed only by certain IP addresses, rather than the
    default setting of "any". By entering the configuration screen at
    Firewall --> Basic Settings, an administrator can change the
    "Remote IP address" field to ensure only devices with the specified
    IP addresses can access the device.

The following mitigation can help limit the exposure to the
vulnerability "Retrieval of the configuration file".

  * Remove all backup configuration files from the device
    Rebooting the device after performing a configuration backup,
    will remove the configuration file from the system so that it can
    not be retrieved by an unauthenticated user.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website
at http://www.cisco.com.

If the information is not clear, please contact the Cisco Small
Business Support Center or your contracted maintenance provider for
assistance. Small Business Support Center contacts are as follows.

+1 866 606 1866 (toll free from within North America)

+1 408 418 1866 (toll call from anywhere in the world)

Customers should have their product serial number available.

Refer to
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
for additional support contact information, including
localized telephone numbers, and instructions and e-mail addresses for
use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is aware that these vulnerabilities have been made
public at a conference on May 25th, 2011. The Cisco PSIRT is not
aware of any malicious use of the vulnerabilities described in this
advisory.

This vulnerability was reported to Cisco by Michal Sajdak of
Securitum, Poland.

Status of this Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20110525-rvs4000.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0   | 2011-May-25  | Initial public release.    |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: May 25, 2011                             Document ID: 112995

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iF4EAREIAAYFAk3dF9sACgkQQXnnBKKRMNCtvgD/WliT5CEqHynyZ8bVdkwfTb3d
A4MUS8GpetJD57prToMA/2ejzsbK27ZbJ/bIS7yV+LZvHKfdA+g++YPf/5MTBKGx
=wuTD
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFN3bEy/iFOrG6YcBERAogeAJ4layQfTPWalna6KHIa5ZcEZx6wiACfc5Ui
kCk+9xEJsoPLvywWH3pZaeE=
=T79S
-----END PGP SIGNATURE-----