Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
- a remote attacker is able to send packets to a target system
- a locally authenticated attacker executes code to elevate privileges

Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): None
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.

Integrity (I): None
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.

Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
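The metric values above correspond to the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The following is an added example, not part of the original advisory or database entry, that carries the CVSS v3.1 base-score formula through for those values; the numeric weights and the Roundup function are the ones defined in the CVSS v3.1 specification.

```java
import java.util.Map;

/**
 * Added example (not part of the advisory): compute a CVSS v3.1 base score
 * from the eight base metrics, using the specification's weights.
 */
public class CvssBaseScore {
    // CVSS v3.1 metric weights (specification values).
    static final Map<String, Double> AV  = Map.of("N", 0.85, "A", 0.62, "L", 0.55, "P", 0.20);
    static final Map<String, Double> AC  = Map.of("L", 0.77, "H", 0.44);
    static final Map<String, Double> UI  = Map.of("N", 0.85, "R", 0.62);
    static final Map<String, Double> CIA = Map.of("H", 0.56, "L", 0.22, "N", 0.0);

    // Privileges Required depends on whether Scope is Changed.
    static double privilegesRequired(String pr, boolean scopeChanged) {
        switch (pr) {
            case "N": return 0.85;
            case "L": return scopeChanged ? 0.68 : 0.62;
            case "H": return scopeChanged ? 0.50 : 0.27;
            default:  throw new IllegalArgumentException("PR: " + pr);
        }
    }

    // CVSS v3.1 Roundup: smallest value with one decimal place that is >= x,
    // implemented with the integer trick the spec uses to avoid float artefacts.
    static double roundUp(double x) {
        long i = Math.round(x * 100000);
        if (i % 10000 == 0) {
            return i / 100000.0;
        }
        return (Math.floor(i / 10000.0) + 1) / 10.0;
    }

    static double baseScore(String av, String ac, String pr, String ui, boolean scopeChanged,
                            String c, String i, String a) {
        // ISS: 1 - product of (1 - impact weight) over C, I, A.
        double iss = 1 - (1 - CIA.get(c)) * (1 - CIA.get(i)) * (1 - CIA.get(a));
        double impact = scopeChanged
                ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
                : 6.42 * iss;
        double exploitability = 8.22 * AV.get(av) * AC.get(ac)
                * privilegesRequired(pr, scopeChanged) * UI.get(ui);
        if (impact <= 0) {
            return 0.0;
        }
        if (scopeChanged) {
            return roundUp(Math.min(1.08 * (impact + exploitability), 10));
        }
        return roundUp(Math.min(impact + exploitability, 10));
    }

    public static void main(String[] args) {
        // The breakdown above: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        System.out.println(baseScore("N", "L", "N", "N", false, "N", "N", "H"));
    }
}
```

For these metrics only Availability contributes to ISS (0.56), so Impact is 6.42 × 0.56 = 3.5952, Exploitability is 8.22 × 0.85 × 0.77 × 0.85 × 0.85 ≈ 3.887, and the sum rounds up to a base score of 7.5 (High). The advisory's own "Risk: Medium/High" rating below predates CVSS v3 and is the author's, not a CVSS value.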
Date of release: 16/12/2005
Software: Cisco Clean Access/Perfigo CleanMachines (http://www.cisco.com/en/US/products/ps6128/index.html)
Affected versions: Tested on 3.5.5, assumed all <=current.
Risk: Medium/High
Discovered by: Alex Lanstein
Background
----------
Cisco Clean Access is an easily deployed Network Admission Control solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network - regardless of the access method. It identifies whether networked devices such as laptops, personal digital assistants, or even game consoles are compliant with your network's security policies, and repairs any vulnerabilities before permitting access to the network.
The software that is affected resides on the Secure Smart Manager, not the Secure Smart Server.
Details
-------
The issue described below can produce a denial of service at more than one layer. First, a user without a username or password can use the vulnerability to upload files to a web-visible folder for fun and profit. The user could also fill up the drive: apart from /boot, the rest of the drive appears to be one big partition, and filling it would most definitely lock up the system in its current configuration.
/admin/uploadclient.jsp lacks an authentication check, so anyone who browses to the page can upload files directly to the web-visible folder /installer/windows. This is clearly unacceptable.
Similar types of attacks can be launched from apply_firmware_action.jsp and file.jsp.
Solution(s)
-----------
The vendor, Cisco Systems, should prepend _all_ files, especially all .jsp files, with an authentication check. This seems to be the case with most, but not all of the files.
The vendor should also use a better partitioning scheme in its installs.
Managers of these systems should add some sort of overall .htaccess/.htpasswd system while they are waiting for the vendor patch, as I'm sure that under further investigation by the engineers many more files are affected than those listed above.
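The root cause noted above is a per-file check that was forgotten on some JSPs. The fix a practitioner would actually want is a single authentication gate applied to the whole /admin/ path rather than a line prepended to each file, so that a newly added or overlooked JSP is protected by default. The following servlet filter is an added example and not Cisco's code; the session attribute name "adminUser", the login page path, and the web.xml mapping are assumptions for the illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the vendor's code: one authentication check for every
 * request under /admin/, mapped in web.xml with <url-pattern>/admin/*</url-pattern>.
 * The session attribute "adminUser" and the login page path are assumed names.
 */
public class AdminAuthFilter implements Filter {
    private static final String SESSION_USER = "adminUser";        // assumed attribute name
    private static final String LOGIN_PAGE   = "/admin/login.jsp"; // assumed login page

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page itself must stay reachable, or nobody can authenticate.
        if (LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(SESSION_USER) != null;

        if (!authenticated) {
            response.setHeader("Cache-Control", "no-store");
            if ("POST".equalsIgnoreCase(request.getMethod())) {
                // An upload without a session is rejected outright: the multipart body is
                // never handed to uploadclient.jsp, so nothing is written under /installer/windows.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            }
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Registering the filter in web.xml with a filter-mapping whose url-pattern is /admin/* makes the check path-based instead of file-based, which is what closes the gap the advisory describes: uploadclient.jsp, apply_firmware_action.jsp and file.jsp are all covered without touching any of them. The interim .htaccess/.htpasswd suggestion above is the same idea applied one layer up, at the web server rather than inside the application.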
External discussion and developments:
be .aware | http://www.awarenetwork.org/forum/viewtopic.php?p=2236