what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Security Advisory 20040630-CCS

Cisco Security Advisory 20040630-CCS
Posted Jun 30, 2004
Authored by Cisco Systems | Site cisco.com

Cisco Security Advisory: Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with ServletExec versions that are vulnerable to attack where unauthorized users can upload any file and gain administrative privileges.

tags | advisory
systems | cisco
SHA-256 | c27435809679f62f710dbc1cabebb748075a1a39b8ec098aa8b1b57ef052d7c0

Cisco Security Advisory 20040630-CCS

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Collaboration Server Vulnerability

Revision 1.0

For Public Release 2004 June 30 1600 UTC (GMT)
========================================================================


Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

========================================================================


Summary
=======
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges. The
workaround is documented in the Workaround section below. Cisco has
provided an automated script to remove this vulnerability from the CCS
4.x versions

This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml


Affected Products
=================

Vulnerable Products
- -----------------
CCS using an unpatched ServletExec version earlier than 3.0E is vulnerable.

* CCS 4.x ships with ServletExec 3.0 which is vulnerable until
patched. CCS 4.0 customers can patch the software with an
automated script or upgrade to CCS 5.x.
* CCS 3.x ships with ServletExec 2.2 which is vulnerable until
patched. An automated script is not available for CCS 3.0.
Customers can patch the software by following the manual
instructions in the Workaround section, upgrade to CCS 4.x and
patch the software with an automated script, or upgrade to CCS 5.x.

Products Confirmed Not Vulnerable
- -------------------------------
CCS 5.x ships with ServletExec 4.1 and is not vulnerable.


Details
=======
Cisco Collaboration Server utilizes the ServletExec subcomponent
provided by New Atlanta for Microsoft Windows 2000 and Windows NT.
ServletExec versions prior to SE 3.0E allow for an attacker to upload
files to the Web server and invoke them. Cisco bug id CSCed49648. Users
should either upgrade to CCS 5.x which ships with ServletExec 4.1,
download the automated script for CCS 4.x, or follow the manual
instructions in the Workaround section.

Patching ServletExec either with the automated script or manual
instructions removes the UploadServlet from the ServletExec30.jar file
but does not alter the version number. The best way to test if the CCS
is vulnerable is to attempt to load the
http://<ccsservername>/servlet/UploadServlet URL when CCS is up and
running. If this attempt results in a NullPointerException, the
vulnerability is present. If this results in a Page Not Found error,
then the CCS is not vulnerable.

Customers can continue to obtain and apply the most current patches for
ServletExec by following the instructions on the New Atlanta website:
http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195
. Additionally, customers are encouraged to go to the following Cisco
web pages for tips on increasing security on their CCS:
http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf
Refer to page 38 for ServletExec notes and refer to page 71 for notes on
Collaboration Option.

Cisco Collaboration Server (CCS) has been sold as a standalone product
or as part of Cisco Web Collaboration Option where it is integrated with
the Cisco Intelligent Contact Management (ICM) software. A user can
determine their version level by using the *http:///<ccs
server>//version* command, where /<ccs server>/ is the hostname or IP
address.


Impact
======
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges.

*CSCed49648


Software Versions and Fixes
===========================
Cisco Collaboration Server 4.x users can patch the software with an
automated script available at
http://www.cisco.com/cgi-bin/tablebuild.pl/ccs40, or patch the software
by following the manual instructions in the Workaround section, or
upgrade to CCS 5.x.

Cisco Collaboration Server 3.x users can patch the software by following
the manual instructions in the Workaround section, or upgrade to CCS 4.x
and patch the software with an automated script, or upgrade to CCS 5.x.


Obtaining Fixed Software
========================
As the fix for this vulnerability is a default configuration change, and
a workaround is available, a software upgrade is not required to address
this vulnerability. However, if you have a service contract, and wish to
upgrade to unaffected code, you may obtain upgraded software through
your regular update channels once that software is available. For most
customers, this means that upgrades should be obtained through the
Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com <mailto:tac@cisco.com>

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.


Workarounds
===========

Manual Instructions to Patch CCS 3.x
- ----------------------------------
Complete these steps to patch CCS 3.x:

1. Stop Internet Information Server (IIS).

2. Run Winzip or your favorite zip utility and open ServletExec22.jar
in the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.

3. Delete UploadServlet.class.

4. Save ServletExec22.jar back to its original location and exit Winzip.

5. Restart IIS.


Manual Instructions to Patch CCS 4.x
- ----------------------------------
Complete these steps to patch CCS 4.x:

1. Stop Internet Information Server (IIS).

2. Run Winzip or your favorite zip utility and open ServletExec30.jar
in the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.

3. Delete UploadServlet.class.

4. Save ServletExec30.jar back to its original location and exit Winzip.

5. Restart IIS.


CCS 5.x is not vulnerable and these manual instructions do not apply.


Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. We would like to
thank Matt Moore of Pentest Limited for finding and reporting this
vulnerability to us.


Status of This Notice: FINAL
============================
This Advisory is provided on an "as is" basis and does not imply any
kind of guarantee or warranty of any kind. Your use of the information
on the Advisory or materials linked from the Advisory is at your own
risk. Cisco reserves the right to change or update this notice at anytime.


Distribution
============
This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-teams@first.org (includes CERT/CC)
* bugtraq@securityfocus.com
* vulnwatch@wulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.netsys.com
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.


Revision History
================
Revision 1.0 2004-June-30 Initial public release.


Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

========================================================================
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights
reserved. Important Notices <http://www.cisco.com/public/copyright.html>
and Privacy Statement <http://www.cisco.com/public/privacy.html>.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQOLlCnsxqM8ytrWQEQJ+5wCeN1ivRkc4vhtAMpRRUGsaIcmth+EAnjEO
JcSZ+EqDWryx+ZiRsaPmlaCR
=FVFo
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close