Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-140: CiscoWorks Common Services TFTP Server Directory Traversal Vulnerability

[CVE-2009-1161]

May 21, 2009 14:00 GMT
PROBLEM: CiscoWorks Common Services TFTP Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input
PLATFORM: CiscoWorks Common Services 3.0.x, 3.1.x and 3.2.x running on Microsoft Windows are vulnerable. CiscoWorks running on Solaris is not vulnerable.
ABSTRACT: CiscoWorks Common Services TFTP Server is prone to a directory-traversal vulnerability. Successful exploit would allow attacker to access or write files outside the tftp directory.
LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-140.shtml
  OTHER LINKS: Cisco Website
http://www.cisco.com/en/US/products/products_security_advisory09186a0080ab7b56.shtml
Security Focus Website
http://www.securityfocus.com/bid/35040/info
CVE: CVE-2009-1161
IMPACT ASSESSMENT The risk is high. Network exploit does not require authentication and difficulty of exploit is low. A successful exploitation of this vulnerability may allow an attacker unauthorized access to view or modify application and host operating system files. Replacement of system files could result in denial of service or complete compromise of system. 
[***** Start CVE-2009-1161 *****]

Discussion:
CiscoWorks Common Services TFTP Server is prone to a directory-traversal vulnerability because it fails to sufficiently
sanitize user-supplied input.

Exploiting this issue can allow an attacker to upload and download arbitrary files outside of the TFTP server root
directory. This may result in a denial-of-service condition or lead to a complete compromise of the affected computer.

This issue is tracked by Cisco Bug ID CSCsx07107.


Workaround: TFTP is enabled by default on CiscoWorks. TFTP should be disabled unless absolutely required to support legacy
devices. More secure protocols (FTP, scp) should be used wherever possible.

Vulnerable systems:

Cisco TelePresence Readiness Assessment Manager (CTRAM) 1.0
Cisco CiscoWorks Voice Manager 3.1
Cisco CiscoWorks Voice Manager 3.0
Cisco CiscoWorks QoS Policy Manager 4.1
Cisco CiscoWorks QoS Policy Manager 4.0
Cisco CiscoWorks LMS 3.0
Cisco CiscoWorks Health and Utilization Monitor 1.1
Cisco CiscoWorks Health and Utilization Monitor 1.0
Cisco CiscoWorks Common Services 3.1.1 
Cisco CiscoWorks Common Services 3.0.6 
Cisco CiscoWorks Common Services 3.0.5 
Cisco CiscoWorks Common Services 3.0.4 
Cisco CiscoWorks Common Services 3.0.3 
Cisco CiscoWorks Common Services 2.2 
Cisco CiscoWorks Common Services 3.2
Cisco CiscoWorks Common Services 3.1
Cisco CiscoWorks Common Services 3.0
Cisco CiscoWorks Common Service 3.0
Cisco Cisco Unified Service Monitor 2.1
Cisco Cisco Unified Service Monitor 2.0
Cisco Cisco Unified Service Monitor 1.1
Cisco Cisco Unified Service Monitor 1.0
Cisco Cisco Unified Provisioning Manager 1.3
Cisco Cisco Unified Provisioning Manager 1.2
Cisco Cisco Unified Provisioning Manager 1.1
Cisco Cisco Unified Provisioning Manager 1.0
Cisco Cisco Unified Operations Manager (CUOM) 2.0.3 
Cisco Cisco Unified Operations Manager (CUOM) 2.0.2 
Cisco Cisco Unified Operations Manager (CUOM) 2.0.1 
Cisco Cisco Unified Operations Manager (CUOM) 2.1
Cisco Cisco Unified Operations Manager (CUOM) 2.0
Cisco Cisco Unified Operations Manager (CUOM) 1.1
Cisco Cisco Unified Operations Manager (CUOM) 1.0
Cisco Cisco Security Manager (CSM) 3.2.2 
Cisco Cisco Security Manager (CSM) 3.1.1 
Cisco Cisco Security Manager (CSM) 3.0.2 
Cisco Cisco Security Manager (CSM) 3.0.1 
Cisco Cisco Security Manager (CSM) 3.2
Cisco Cisco Security Manager (CSM) 3.1
Cisco Cisco Security Manager (CSM) 3.0
Cisco CiscoSecure ACS for Windows and Unix 3.0
Cisco CiscoSecure ACS for Windows and Unix 2.6
Cisco CiscoSecure ACS for Windows and Unix 2.5

Solution:
Vendor patch is now available.

Cisco CiscoWorks Common Services 3.2
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Service 3.0
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.1
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.0
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 2.2 
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.0.3 
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.0.4 
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.0.5 
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.0.6 
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

Cisco CiscoWorks Common Services 3.1.1 
"	Cisco cwcs3.x-win-CSCsx07107-0.zip 
http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one


[***** End CVE-2009-1161 *****]
DOECIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788