Security Bytes: Cisco and Metasploit fix flaws

Cisco patches CS-MARS flaws and Metasploit creator H.D. Moore warns of a serious Internet Explorer flaw

Cisco patches CS-MARS flaws
Attackers could exploit several security holes in Cisco's Security Monitoring, Analysis and Response System (CS-MARS) to take complete control of an affected system or gain knowledge of sensitive information. A fixed version of the program is now available.

The San Jose, Calif.-based networking giant said in an advisory that version 4.2.1 of CS-MARS -- a security system that receives and analyzes event logs from various network devices and reports any security issues -- fixes the following problems:

  • CS-MARS uses an Oracle database to store sensitive network event and configuration data. The information contained in the database potentially includes authentication credentials for network devices, such as firewalls, routers and IPS devices, and the details of network security events, Cisco said. By default, Oracle databases contain several built-in accounts with well-known passwords and, if access can be gained to the database, the accounts could potentially be used to compromise the information stored in the database.

  • CS-MARS contains an installation of the JBoss Web application server. It may be possible for a remote, unauthenticated user to create a specially-crafted HTTP request that executes arbitrary shell commands on the CS-MARS appliance with the privileges of the CS-MARS administrator via the optional JBoss JMX console, Cisco said.

  • The CS-MARS CLI -- a restricted shell environment that allows authenticated administrators to perform system maintenance tasks -- contains several privilege escalation vulnerabilities that may allow shell commands to be executed on the underlying appliance operating system with root privileges, Cisco said.
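The second bullet is the one an administrator can verify from the outside: after moving to the fixed release, confirm that the optional JBoss JMX console is no longer reachable by an anonymous client. The script below is an added example written for this article, not Cisco's code or any tool shipped with CS-MARS. It assumes the appliance serves JBoss over HTTPS on port 443 at the stock JBoss path /jmx-console/, that the console's index page contains the string "JMX" in its HTML (the marker used to tell the console apart from some other 200 page), and that the host name mars.example.internal is a placeholder for your own appliance. The sample responses embedded in it are constructed, not captured from a real system.

```python
"""Post-patch check: is the JBoss JMX console on a CS-MARS appliance reachable
without authentication?  Added example for this article; not Cisco's code.

Assumptions (not stated in the advisory): JBoss is served over HTTPS on 443,
the console lives at the stock path /jmx-console/, its index page contains
the string "JMX", and mars.example.internal is a placeholder host name.
"""
import http.client
import ssl
from dataclasses import dataclass

JMX_PATH = "/jmx-console/"   # stock JBoss JMX console path (assumed unchanged on the appliance)


@dataclass
class JmxVerdict:
    status: int
    exposed: bool   # True only if the console is served with no credentials at all
    reason: str


def classify_jmx_response(status: int, body: str) -> JmxVerdict:
    """Map the HTTP status/body of an anonymous GET on JMX_PATH to a verdict.

    200 carrying the console's HTML -> exposed (unauthenticated access works)
    401 / 403                       -> present but access controlled
    404 / 410                       -> console not deployed (the safe state)
    anything else                   -> unknown, inspect by hand
    """
    if status == 200 and "jmx" in body.lower():
        return JmxVerdict(status, True, "JMX console served without credentials")
    if status == 200:
        return JmxVerdict(status, False, "200 but body is not the JMX console; verify manually")
    if status in (401, 403):
        return JmxVerdict(status, False, "console present but access controlled")
    if status in (404, 410):
        return JmxVerdict(status, False, "console not deployed")
    return JmxVerdict(status, False, f"unexpected status {status}; inspect by hand")


def probe_jmx_console(host: str, port: int = 443, timeout: float = 5.0) -> JmxVerdict:
    """Send one anonymous GET to the JMX console path and classify the reply.

    The appliance's self-signed certificate is accepted on purpose: this is a
    reachability check, not a trust decision, so TLS verification is disabled.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        # Deliberately no Authorization header: we want the anonymous view.
        conn.request("GET", JMX_PATH, headers={"User-Agent": "jmx-console-check"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", errors="replace")
        return classify_jmx_response(resp.status, body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real appliance) so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "unpatched-open": (200, "<html><head><title>JBoss JMX Management Console</title></head></html>"),
    "auth-in-front": (401, ""),
    "console-removed": (404, "<html><body>404 Not Found</body></html>"),
}


def check_samples() -> dict:
    """Classify every constructed sample; returns {name: JmxVerdict}."""
    return {name: classify_jmx_response(s, b) for name, (s, b) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    for name, verdict in check_samples().items():
        print(f"sample {name}: exposed={verdict.exposed} ({verdict.reason})")
    target = sys.argv[1] if len(sys.argv) > 1 else "mars.example.internal"  # placeholder host
    verdict = probe_jmx_console(target)
    print(f"{target}: status={verdict.status} exposed={verdict.exposed} ({verdict.reason})")
    sys.exit(1 if verdict.exposed else 0)
```

Run it as `python3 jmx_console_check.py <appliance-host>`; a non-zero exit means the console answered an anonymous request and the appliance still needs attention. The check only tests reachability, it does not attempt to invoke anything through the console, so it is safe to run against a production appliance.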

Metasploit creator warns of serious IE flaw
Metasploit Framework creator H.D. Moore has outlined a serious vulnerability in Microsoft Internet Explorer (IE) as part of his Month of Browser Bugs campaign.

Moore has been posting at least one new browser flaw a day in his Browser Fun blog as part of the effort, which he has said will continue through the month of July. One of the latest postings for IE caught the attention of the French Security Incident Response Team (FrSIRT), which labeled the flaw critical in an advisory.

Remote attackers could exploit the flaw to crash a vulnerable browser or potentially take complete control of an affected system, FrSIRT warned. "This flaw is due to an integer overflow error in the Common Controls library 'comctl32.dll' when processing a 'WebViewFolderIcon' object with a specially crafted 'setSlice()' method, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page," FrSIRT said.

Cisco may get more unwanted attention at Black Hat
Last year's Black Hat Briefings conference in Las Vegas was dominated by the controversy caused by researcher Michael Lynn's demonstration of a Cisco router exploit. Lynn isn't scheduled as a presenter at this year's Black Hat proceedings, which take place Aug. 2 and 3, but Cisco's products may be under the microscope again.

Fifteen new exploits will be detailed at this year's conference, and two of them target NAC (Network Admission Control) and VoIP vulnerabilities in products from Cisco and other vendors. Black Hat Director Jeff Moss told the IDG News Service that vulnerability researchers are shifting focus from Windows flaws to other areas like NAC and VoIP.

Black Hat and Cisco settled a lawsuit over the Lynn affair after conference organizers promised not to proliferate Lynn's findings. The IDG News Service noted that a Cisco lawsuit regarding any potential disclosures at the upcoming conference is unlikely because the exploits are related to underlying technologies used in many products, not just those produced by Cisco.