__________________________________________________________

         The U.S. Department of Energy
    Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

      Cisco Security Notice: Response to DoS in Cisco Clean Access
                        [Document ID: 68479]

December 22, 2005 19:00 GMT                                   Number Q-084
______________________________________________________________________________

PROBLEM:      It was discovered that certain obsolete JSP files may be
              leveraged to leave the Cisco Clean Access Manager (CAM) open
              to a denial of service (DoS) attack.

PLATFORM:     Cisco Clean Access releases prior to 3.5(9) and 3.6.0.1.

DAMAGE:       A denial of service (DoS) attack.

SOLUTION:     Install patch.
______________________________________________________________________________

VULNERABILITY   The risk is LOW. A denial of service (DoS) attack.
ASSESSMENT:
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-084.shtml
 ORIGINAL BULLETIN:  http://www.cisco.com/en/US/products/ps6128/products_security_notice09186a00805b87a7.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
______________________________________________________________________________

[***** Start Document ID: 68479 *****]

Cisco Security Notice: Response to DoS in Cisco Clean Access

Document ID: 68479
http://www.cisco.com/warp/public/707/cisco-response-20051221-CCA.shtml

Revision 1.0

For Public Release 2005 December 21 2200 UTC (GMT)

Contents

  Cisco Response
  Additional Information
  Cisco Security Procedures

Cisco Response

This is Cisco PSIRT's response to the statements made by Alex Lanstein in his message "DoS in Cisco Clean Access", posted on 2005-Dec-16 to the Bugtraq mailing list.
An archived version of the report can be found here:
http://www.securityfocus.com/archive/1/419645/30/0/threaded

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

Additional Information

This issue is being tracked by Cisco bug ID:

  * CSCsc85405 (registered customers only) — Obsolete JSPs can cause a DoS attack on CAM

This DDTS has been resolved and the fix is available.

It was discovered that certain obsolete JSP files may be leveraged to leave the Cisco Clean Access Manager (CAM) open to a denial of service (DoS) attack. The patch is available to customers for download from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches?psrtdcat20e2

The following information is from the README file that accompanies the patch for CSCsc85405. For more complete information on the issue, please consult the README.

To address and fix this vulnerability, you must remove the obsolete JSP files from your CAM as they are no longer needed. You can either:

  1. Install the patch on your CAM, as described in "Patch Installation Instructions" below, or
  2. Apply the workaround, as described in "Workaround Solution" below.

Caveat CSCsc85405 will be resolved in the following future releases:

  * Cisco Clean Access release 3.5(9) and above
  * Cisco Clean Access release 3.6.0.1 and above

===============================
Patch Installation Instructions
===============================

To install this patch:

1. Download the Patch-CSCsc85405.tar.gz file from the Cisco Clean Access Patches folder (http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches) under Cisco Secure Software (http://www.cisco.com/public/sw-center/ciscosecure/cleanaccess.shtml).

2. Open an SSH terminal and copy the patch file into your Clean Access Manager (CAM) using WinSCP, SSH File Transfer or PSCP, as described below.

   If using WinSCP or SSH File Transfer:

   a. Copy Patch-CSCsc85405.tar.gz to the /store directory on the Clean Access Manager.

   If using PSCP:

   a. Open a command prompt on your Windows computer.
   b. cd to the path where your PSCP resides (e.g., C:\Documents and Settings\desktop).
   c. Enter the following command to copy the file to the CAM:

         pscp Patch-CSCsc85405.tar.gz root@ipaddress_manager:/store

3. From the SSH terminal, untar the patch file on the CAM:

      cd /store
      tar xzvf Patch-CSCsc85405.tar.gz

4. cd to the Patch-CSCsc85405 directory:

      cd Patch-CSCsc85405

5. Execute the patch file upgrade on the CAM:

      ./patch.sh

=========================
Workaround Solution
=========================

The following workaround steps remove the affected .jsp files from the CAM, as they are no longer needed.

1. Open an SSH terminal, and login to the CAM shell.

2. Change directory as follows:

      cd /perfigo/control/tomcat/webapps/admin/

3. Remove the uploadclient.jsp and ieee8021x.jsp files:

      rm -f uploadclient.jsp ieee8021x.jsp

4. Change directory as follows:

      cd /perfigo/control/tomcat/work/Standalone/localhost/admin

5. Remove the cached jsp sources:

      rm -f uploadclient_jsp.* ieee8021x_jsp.*

6. Remove any file in the "installer/windows" directory; this will be useful for any exploited machine.

      rm -f /perfigo/control/tomcat/normal-webapps/installer/windows/*

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
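The workaround above is a handful of rm commands typed by hand. An administrator responsible for more than one CAM will want two things the README does not give: a check that reports whether the obsolete JSPs (and their compiled copies under Tomcat's work directory) are still present, and a scripted form of the same removals that can be re-run and verified. The POSIX sh helper below is an added example, not code from Cisco's README or from the CIAC bulletin. The paths are the ones listed in the workaround steps; the root-prefix argument, the function names (cam_check_obsolete_jsp, cam_remove_obsolete_jsp, cam_make_sample_tree) and the constructed sample tree are this example's own assumptions so it can be exercised offline against a temporary directory instead of a live CAM.

```sh
#!/bin/sh
# Added example (not from the Cisco README or the CIAC bulletin): checks a CAM
# filesystem for the obsolete JSPs named in the workaround and applies the same
# removals the README lists. The root prefix argument is an assumption of this
# script so it can be run against a constructed tree; on a live CAM it is "/".

# Directories taken from the workaround steps, relative to the root prefix.
CAM_WEBAPP_DIR="perfigo/control/tomcat/webapps/admin"
CAM_WORK_DIR="perfigo/control/tomcat/work/Standalone/localhost/admin"
CAM_INSTALLER_DIR="perfigo/control/tomcat/normal-webapps/installer/windows"

# Print every leftover artefact under root prefix $1.
# Exit status 0 = clean, 1 = at least one obsolete file remains.
cam_check_obsolete_jsp() {
    root=${1:-/}
    found=0
    # Step 3 of the workaround: the deployed .jsp sources.
    for f in "$root/$CAM_WEBAPP_DIR/uploadclient.jsp" \
             "$root/$CAM_WEBAPP_DIR/ieee8021x.jsp"; do
        if [ -e "$f" ]; then
            echo "obsolete JSP still deployed: $f"
            found=1
        fi
    done
    # Step 5 of the workaround: Tomcat's cached compilations of those JSPs.
    for f in "$root/$CAM_WORK_DIR"/uploadclient_jsp.* \
             "$root/$CAM_WORK_DIR"/ieee8021x_jsp.*; do
        if [ -e "$f" ]; then
            echo "cached JSP compilation still present: $f"
            found=1
        fi
    done
    return $found
}

# Apply the README's removals (steps 3, 5 and 6) under root prefix $1.
# Unrelated files in the admin webapp are left alone.
cam_remove_obsolete_jsp() {
    root=${1:-/}
    rm -f "$root/$CAM_WEBAPP_DIR/uploadclient.jsp" "$root/$CAM_WEBAPP_DIR/ieee8021x.jsp"
    rm -f "$root/$CAM_WORK_DIR"/uploadclient_jsp.* "$root/$CAM_WORK_DIR"/ieee8021x_jsp.*
    rm -f "$root/$CAM_INSTALLER_DIR"/*
}

# Build a constructed CAM-like tree (sample data, not a real CAM image) so the
# check and the removal can be exercised offline. Prints the tree's root.
cam_make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/$CAM_WEBAPP_DIR" "$tmp/$CAM_WORK_DIR" "$tmp/$CAM_INSTALLER_DIR"
    : > "$tmp/$CAM_WEBAPP_DIR/uploadclient.jsp"
    : > "$tmp/$CAM_WEBAPP_DIR/ieee8021x.jsp"
    : > "$tmp/$CAM_WEBAPP_DIR/index.jsp"            # unrelated file, must survive
    : > "$tmp/$CAM_WORK_DIR/uploadclient_jsp.java"
    : > "$tmp/$CAM_WORK_DIR/ieee8021x_jsp.class"
    : > "$tmp/$CAM_INSTALLER_DIR/leftover.bin"      # constructed installer leftover
    echo "$tmp"
}

# Usage on a live CAM (root prefix "/"):
#   sh cam-jsp-check.sh --check     (exit 1 while obsolete files remain)
#   sh cam-jsp-check.sh --remove    (apply the workaround, then re-check)
case "${1:-}" in
    --check)  cam_check_obsolete_jsp / ;;
    --remove) cam_remove_obsolete_jsp / && cam_check_obsolete_jsp / ;;
esac
```

The check is deliberately separate from the removal so it can be run alone as an audit, before and after the patch or the manual workaround, and its exit status can drive a fleet-wide report. The removal only touches the files the README names and the installer/windows directory, so an ordinary admin webapp file is not affected.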
Updated: Dec 21, 2005
Document ID: 68479

[***** End Document ID: 68479 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-073: IBM Tivoli Directory Server Vulnerability
Q-074: Cumulative Security Update for Internet Explorer
Q-075: Vulnerability in Windows Kernel
Q-076: Sober.X (Y) To Download New Code On or After Jan. 6
Q-077: Citrix Vulnerability in Program Neighborhood Client
Q-078: cURL Security Update
Q-079: HP-UX Running Software Distributor Remote Unauthorized Access
Q-081: netpbm Security Update
Q-082: perl Security Update
Q-083: perl Security Update for Red Hat (v.3)