Cisco Clean Access Multiple JSP Page Access Validation Vulnerability

Vulnerability ID: 1196903
Vulnerability type: Access validation error
Published: 2005-12-17
Updated: 2006-01-23
CVE: CVE-2005-4332
CNNVD ID: CNNVD-200512-366
Platform: N/A
CVSS score: 9.4
|Vulnerability source
https://cxsecurity.com/issue/WLB-2005120045
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-366
|Vulnerability details
Cisco Clean Access (CCA) is a software solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access the network. The access authentication in Cisco Clean Access (CCA) is flawed, and a remote attacker may gain unauthorized access to the server. CCA lacks an authentication check on /admin/uploadclient.jsp, so any user who browses to the page can upload files directly to the /installer/windows folder, leading to denial of service or other unauthorized access. Similar problems exist in apply_firmware_action.jsp and file.jsp.
|Vulnerability EXP
Date of release: 16/12/2005
Software: Cisco Clean Access/Perfigo CleanMachines (http://www.cisco.com/en/US/products/ps6128/index.html)
Affected versions: Tested on 3.5.5, assumed all <=current.
Risk: Medium/High
Discovered by: Alex Lanstein

Background
--------
Cisco Clean Access is an easily deployed Network Admission Control solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network - regardless of the access method. It identifies whether networked devices such as laptops, personal digital assistants, or even game consoles are compliant with your network's security policies, and repairs any vulnerabilities before permitting access to the network.

The software that is affected resides on the Secure Smart Manager, not the Secure Smart Server.

Details
-------
The method below has the possibility to create a denial of service on a few layers. One, a user without a username or password can use the vulnerability to upload files to a web visible folder for fun and profit. The user could also fill up the drive, as it seems that, aside from /boot, the rest of the drive is one big partition. Filling up the drive would most definitely cause the system to lock up in its current configuration.

In /admin/uploadclient.jsp there is a lack of authentication check, so that anyone who browses to the page can upload files directly to the web visible folder /installer/windows. This is clearly unacceptable.

Similar types of attacks can be launched from apply_firmware_action.jsp and file.jsp.

Solution(s)
--------
The vendor, Cisco Systems, should prepend _all_ files, especially all .jsp files, with an authentication check. This seems to be the case with most, but not all, of the files.

The vendor should also use a better partitioning scheme in its installs.

Managers of these systems should add some sort of overall .htaccess/.htpasswd system while they are waiting for the vendor patch, as I'm sure that under further investigation by the engineers many more files are affected than those listed above.

External discussion and developments:
be .aware | http://www.awarenetwork.org/forum/viewtopic.php?p=2236
|References

Source: BID
Name: 15909
Link: http://www.securityfocus.com/bid/15909
Source: BUGTRAQ
Name: 20051221 Cisco Security Response: DoS in Cisco Clean Access
Link: http://www.securityfocus.com/archive/1/archive/1/420008/100/0/threaded
Source: BUGTRAQ
Name: 20051216 DoS in Cisco Clean Access
Link: http://www.securityfocus.com/archive/1/archive/1/419645/100/0/threaded
Source: VUPEN
Name: ADV-2005-3007
Link: http://www.frsirt.com/english/advisories/2005/3007
Source: CISCO
Name: 20051221 Response to DoS in Cisco Clean Access
Link: http://www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml
Source: MISC
Link: http://www.awarenetwork.org/forum/viewtopic.php?p=2236
Source: SECTRACK
Name: 1015375
Link: http://securitytracker.com/id?1015375
Source: SECUNIA
Name: 18103
Link: http://secunia.com/advisories/18103
Source: OSVDB
Name: 21958
Link: http://www.osvdb.org/21958
Source: OSVDB
Name: 21957
Link: http://www.osvdb.org/21957
Source: OSVDB
Name: 21956
Link: http://www.osvdb.org/21956
Source: SREASON
Name: 265
Link: http://securityreason.com/securityalert/265