************************************************************************** Security Bulletin 9822 DISA Defense Communications System August 17, 1998 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Vendor-Initiated Bulletin VB-98.09 August 14, 1998 Topic: CRM Temporary File Vulnerability Source: Cisco To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Cisco. Cisco urges you to act on this information as soon as possible. Cisco contact information is included in the forwarded text below; please contact them if you have any questions or need further information. =======================FORWARDED TEXT STARTS HERE============================ - -----BEGIN PGP SIGNED MESSAGE----- Field Notice: CRM Temporary File Vulnerability ================================ For release 09:00 AM US/Pacific, Thursday, August 13, 1998 Contents ======== * Summary * Who is Affected * Impact * Details o Remote Access Logs (CSCdk13298) + Workarounds for CSCdk13298 o Database Update Logs (CSCdk13579) + Workaround for CSCdk13579 o Import Temporary Files (CSCdk14992, CSCdk14993) + Workaround for CSCdk14992/CSCdk14993 o Planned Software Fixes o Exploitation and Public Announcements * Status of This Notice o Distribution o Revision History * Cisco Security Procedures Summary ======= Versions 1.0 and 1.1 of the Cisco Resource Manager (CRM) create log files and temporary files on the management station which contain potentially sensitive information. These files are not protected using operating system mechanisms, and are therefore readable by all users of the system on which CRM is installed. The information exposed includes the usernames, passwords, and SNMP community strings used by CRM to gain access to the devices being managed. Users who have access to the computer on which CRM is installed may gain access to information which gives them unauthorized access to the managed routers and switches. This affects both Solaris and Windows NT systems. There are workarounds for this problem, and a patch is available for CRM 1.1. There is no patch for CRM 1.0. Other than to install the patch, the most effective solution for most installations is simply to deny untrusted users any access to the computer on which CRM is installed or to its file systems. Who is Affected =============== All customers who run Cisco Resource Manager 1.1 or 1.0, and who allow untrusted users access to the computer on which CRM is run or to its file systems, are affected by these vulnerabilities. Impact ====== Users who have direct access to the machine on which CRM is installed, or who have network access to the files specified in the "Details" section of this document, may gain unauthorized access to the managed devices. The unauthorized access gained may include administrative access and the ability to modify device configurations. Details ======= Several different unprotected files may contain sensitive information. Applicable Cisco bug IDs include CSCdk13298, CSCdk14992, CSCdk14993, and CSCdk13579. Remote Access Logs (CSCdk13298) - - ----------------------------- Cisco Resource Manager is capable of logging a great deal of detailed information for debugging purposes. Debugging is ordinarily under control of the administrator. However, a software error in CRM 1.0 and 1.1 causes debugging to be enabled at all times. The debugging information collected may include usernames and passwords used to log into managed devices, SNMP community strings, and enable passwords. The files containing this information are readable by any user of the computer on which CRM is run. The log files containing the offending data are: * /var/adm/CSCOpx/files/schedule/job-id/swim_swd.log (Solaris) C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log (Windows NT) These files are created by software distribution jobs scheduled with "Distribute Images". Each job has its own subdirectory (designated by "job-id" above) and its own log file. * /tmp/swim_debug.log (Solaris) C:\Program Files\CSCOpx\temp\swim_debug.log (Windows NT) This file is used for logging debugging information from Software Image Manager functions, such as "Import image from File System/Device", Job administration and History administration. Workarounds for CSCdk13298 - - ---- The simplest and most effective workaround for this vulnerability is to prevent untrusted users from having access to the computer on which CRM is being run or to the file systems on which the log files are stored. The file systems in question should not be shared over a network of any kind. If the computer on which CRM is being run must be shared, then the files in question must be protected from access by untrusted users. This may be done by issuing the following Solaris commands while running as "root" or "bin": chmod 700 /var/adm/CSCOpx/files/schedule chmod 700 /tmp/swim_debug.log Note: Each time your system is rebooted, you will need to change the permissions on /tmp/swim_debug.log. There is no analogous workaround for Windows NT systems. Database Update Logs (CSCdk13579) - - ------------------------------- The "Local/Remote Import", "Import from File", "Add Devices", and "Change Device Attributes" functions all record debugging information in files readable to any user of the computer on which CRM is run. This information may include usernames, login passwords, SNMP community strings, and/or enable passwords. The offending information is recorded in a log file named "dbi_debug.log", which is located in /tmp on Solaris systems and in C:\Program Files\CSCOpx\temp on Windows NT systems. Workaround for CSCdk13579 - - ---- The simplest and most effective workaround for this vulnerability is to prevent untrusted users from having access to the computer on which CRM is being run or to the file systems on which the log files are stored. The file systems in question should not be shared over a network of any kind. If the computer on which CRM is run must be shared, the file "/tmp/dbi_debug.log" or "C:\Program Files\CSCOpx\temp\dbi_debug.log" should be deleted after any change to device attributes. Note that a window of vulnerability will exist between the time at which the database update is performed and the time at which the file is deleted. It may be desirable to deny access to untrusted users during this window, even though they may be given access to the system at other times. Import Temporary Files (CSCdk14992, CSCdk14993) - - --------------------------------------------- The "Local/Remote Import" functions, which are used to load data into the CRM database from databases maintained by other network management tools, create temporary files containing usernames, login passwords, community strings, and enable passwords. The files are readable to any user of the computer on which CRM is run. The files exist only for a short time during the information gathering phase of an import operation, and are automatically deleted upon successful completion of the operation. However, should the information gathering phase of the operation fail because of some system error, the files would not be deleted. The offending files have names beginning with "DPR_", and are stored in "/tmp" on Solaris systems and in "C:\Program Files\CSCOpx\temp" on Windows NT systems. Workaround for CSCdk14992/CSCdk14993 - - ---- The only effective workaround for CSCdk14992 and CSCdk14993 is to deny untrusted users access to the system on which CRM is run during any import operation. Cisco believes that such operations are sufficiently uncommon to make this a viable option. Planned Software Fixes - - -------------------- Cisco has modified the CRM software to eliminate all of the vulnerabilities described in this notice. The first regular release containing the modifications will be CRM version 2.0, which is tentatively scheduled for release in early October, 1998. This schedule is subject to change. Customers who do not wish to wait for CRM version 2.0 may install the CRM SWIM package version 1.1.1. The CRM SWIM package version 1.1.1 is a patched version, identical to the SWIM package in CRM version 1.1, but containing a fix for bug ID CSCdk13298, which Cisco believes to be the vulnerability most disruptive to day-to-day system operation. The other vulnerabilities listed in this notice are not addressed by the CRM SWIM package 1.1.1. Customers with service contracts may obtain updates through their usual channels; those who are registered users of CCO (Cisco's Worldwide Web site) may download the CRM SWIM package version 1.1.1 update from CCO site at http://www.cisco.com/pcgi-bin/tablebuild.pl/crm-packages. Customers without service contracts should contact the Cisco TAC for assistance. The CRM SWIM package 1.1.1 patch (but not the CRM 2.0 upgrade) will be made available free of charge to all CRM customers, regardless of service contract status. Please reference the URL of this notice as evidence of your entitlement to the patch. There will be no patched version of CRM 1.0. CRM 1.0 customers are eligible for free upgrades to CRM 1.1 and the CRM SWIM package version 1.1.1. Customers who wish to continue to use CRM 1.0 are strongly encouraged to prevent all access by untrusted users to the computers on which they run CRM or to those computers' file systems. Exploitation and Public Announcements ===================================== Cisco has had no reports of malicious exploitation of the vulnerabilities listed in this notice. Cisco knows of no public announcements of these vulnerabilities before the date of this notice. Status of This Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - - ---------- This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/770/crmtmp-pub.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail recipients: * cust-security-announce@cisco.com * Various internal Cisco mailing lists Future updates to this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History Revision 1.1, Initial released version 11:50 AM US/Pacific, 11-AUG-1998 Cisco Security Procedures ========================= Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to security-alert@cisco.com. Reports may be encrypted using PGP; public RSA and DSS keys for "security-alert@cisco.com" are on the public PGP keyservers. The alias "security-alert@cisco.com" is used only for reports incoming to Cisco. Mail sent to the list goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to "security-alert@cisco.com". Please do not use "security-alert@cisco.com" for configuration questions, for security intrusions that you do not consider to be sensitive emergencies, or for general, non-security-related support requests. We do not have the capacity to handle such requests through this channel, and will refer them to the TAC, delaying response to your questions. We advise contacting the TAC directly with these requests. TAC contact information is as follows: * Voice telephone: +1 800 553 2447 (toll-free from within North America) * Voice telephone: +1 408 526 7209 (toll call from anywhere in the world) * Electronic mail: tac@cisco.com All formal public security notices generated by Cisco are sent to the public mailing list "cust-security-announce@cisco.com". For information on subscribing to this mailing list, send a message containing the single line "info cust-security-announce" to "majordomo@cisco.com". An analogous list, "cust-security-discuss@cisco.com" is available for public discussion of the notices and of other Cisco security issues. ====================================================================== This notice is copyright 1998 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the notice, provided that redistributed copies are complete and unmodified, including all date and version information. - -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNdMM/3LSeEveylnrAQFO1gf+MjnkjFNxGjDvUMHR2V3fogt0gnVYKmAa wix+igZ2LWEWNlAljmHMOxVBSTYRv6o/r3B6PPohMt3nz3xO+DuWbOTpZ8997K7N XqZIz+Bg2fPCA/fK0o0dAMwIJLJ9vO+xky39lvQ4EQ/OFSpf/cLheBNeGN9tUPkO Ab8cv9MjkA5jkrPrU/in0HqXtAmVHzcfuJspOLG7Ly7GJvhd+J+AqCyZfKGkq61O IthCknKlYtStSq/5ilteoK13/nHaQFq+X5QMyVfXbn6v9Q5bk+u83NJbzcG/tprj ChlznIvzvRyxFQCa10aQMBbUaLSibjnXSibeMeloehp77qdaQBFkeA== =mWgZ - -----END PGP SIGNATURE----- ========================FORWARDED TEXT ENDS HERE============================= If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/. We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://ftp.cert.org/pub/CERT_PGP.key CERT Contact Information - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available from http://www.cert.org/ ftp://ftp.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address * Registered U.S. Patent and Trademark Office. The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U. S. Department of Defense. This file: ftp://ftp.cert.org/pub/cert_bulletins/VB-98.09.Cisco_CRM -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNdRFQ3VP+x0t4w7BAQHnLQP9EY9+aiBpIDZJfJ2v9ny9pxIH3AneH3na Fph+vu1AR3pVsf+vxXppoLt1NsH73RbvpuQFN1NhkU9Y+lifb9IKkJZZ+OVNsMIi PUKvLIxKd+57025CtBnXce6pTXGuTM0QN5Ic89BQLUZ+Q5SffLsbD1hN4sx+edgQ DfuI7w0dt3A= =afdO -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.