<<< Date Index >>>     <<< Thread Index >>>

Cisco Security Advisory: Cisco Collaboration Server Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Collaboration Server Vulnerability

Revision 1.0

For Public Release 2004 June 30 1600 UTC (GMT)
========================================================================


Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

========================================================================


Summary
=======
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges. The
workaround is documented in the Workaround section below. Cisco has
provided an automated script to remove this vulnerability from the CCS
4.x versions

This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml


Affected Products
=================

Vulnerable Products
- -----------------
CCS using an unpatched ServletExec version earlier than 3.0E is vulnerable.

    * CCS 4.x ships with ServletExec 3.0 which is vulnerable until
      patched. CCS 4.0 customers can patch the software with an
      automated script or upgrade to CCS 5.x.
    * CCS 3.x ships with ServletExec 2.2 which is vulnerable until
      patched. An automated script is not available for CCS 3.0.
      Customers can patch the software by following the manual
      instructions in the Workaround section, upgrade to CCS 4.x and
      patch the software with an automated script, or upgrade to CCS 5.x.

Products Confirmed Not Vulnerable
- -------------------------------
CCS 5.x ships with ServletExec 4.1 and is not vulnerable.


Details
=======
Cisco Collaboration Server utilizes the ServletExec subcomponent
provided by New Atlanta for Microsoft Windows 2000 and Windows NT.
ServletExec versions prior to SE 3.0E allow for an attacker to upload
files to the Web server and invoke them. Cisco bug id CSCed49648. Users
should either upgrade to CCS 5.x which ships with ServletExec 4.1,
download the automated script for CCS 4.x, or follow the manual
instructions in the Workaround section.

Patching ServletExec either with the automated script or manual
instructions removes the UploadServlet from the ServletExec30.jar file
but does not alter the version number. The best way to test if the CCS
is vulnerable is to attempt to load the
http://<ccsservername>/servlet/UploadServlet URL when CCS is up and
running. If this attempt results in a NullPointerException, the
vulnerability is present. If this results in a Page Not Found error,
then the CCS is not vulnerable.

Customers can continue to obtain and apply the most current patches for
ServletExec by following the instructions on the New Atlanta website:
http://www.newatlanta.com/biz/c/products/servletexec/self_help/faq/detail?faqId=195
. Additionally, customers are encouraged to go to the following Cisco
web pages for tips on increasing security on their CCS:
http://www.cisco.com/application/pdf/en/us/guest/products/ps1001/c1067/ccmigration_09186a008020f9b4.pdf
Refer to page 38 for ServletExec notes and refer to page 71 for notes on
Collaboration Option.

Cisco Collaboration Server (CCS) has been sold as a standalone product
or as part of Cisco Web Collaboration Option where it is integrated with
the Cisco Intelligent Contact Management (ICM) software. A user can
determine their version level by using the *http:///<ccs
server>//version* command, where /<ccs server>/ is the hostname or IP
address.


Impact
======
Cisco Collaboration Server (CCS) versions earlier than 5.0 ship with
ServletExec versions that are vulnerable to attack where unauthorized
users can upload any file and gain administrative privileges.

    *CSCed49648


Software Versions and Fixes
===========================
Cisco Collaboration Server 4.x users can patch the software with an
automated script available at
http://www.cisco.com/cgi-bin/tablebuild.pl/ccs40, or patch the software
by following the manual instructions in the Workaround section, or
upgrade to CCS 5.x.

Cisco Collaboration Server 3.x users can patch the software by following
the manual instructions in the Workaround section, or upgrade to CCS 4.x
and patch the software with an automated script, or upgrade to CCS 5.x.


Obtaining Fixed Software
========================
As the fix for this vulnerability is a default configuration change, and
a workaround is available, a software upgrade is not required to address
this vulnerability. However, if you have a service contract, and wish to
upgrade to unaffected code, you may obtain upgraded software through
your regular update channels once that software is available. For most
customers, this means that upgrades should be obtained through the
Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).

    * +1 800 553 2447 (toll free from within North America)
    * +1 408 526 7209 (toll call from anywhere in the world)
    * e-mail: tac@xxxxxxxxx <mailto:tac@xxxxxxxxx>

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of
Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.


Workarounds
===========

Manual Instructions to Patch CCS 3.x
- ----------------------------------
Complete these steps to patch CCS 3.x:

   1. Stop Internet Information Server (IIS).

   2. Run Winzip or your favorite zip utility and open ServletExec22.jar
      in the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.

   3. Delete UploadServlet.class.

   4. Save ServletExec22.jar back to its original location and exit Winzip.

   5. Restart IIS.


Manual Instructions to Patch CCS 4.x
- ----------------------------------
Complete these steps to patch CCS 4.x:

   1. Stop Internet Information Server (IIS).

   2. Run Winzip or your favorite zip utility and open ServletExec30.jar
      in the C:\Program Files\new atlanta\servletexec ISAPI\lib directory.

   3. Delete UploadServlet.class.

   4. Save ServletExec30.jar back to its original location and exit Winzip.

   5. Restart IIS.


CCS 5.x is not vulnerable and these manual instructions do not apply.


Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. We would like to
thank Matt Moore of Pentest Limited for finding and reporting this
vulnerability to us.


Status of This Notice: FINAL
============================
This Advisory is provided on an "as is" basis and does not imply any
kind of guarantee or warranty of any kind. Your use of the information
on the Advisory or materials linked from the Advisory is at your own
risk. Cisco reserves the right to change or update this notice at anytime.


Distribution
============
This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

    * cust-security-announce@xxxxxxxxx
    * first-teams@xxxxxxxxx (includes CERT/CC)
    * bugtraq@xxxxxxxxxxxxxxxxx
    * vulnwatch@xxxxxxxxxxxxx
    * cisco@xxxxxxxxxxxxxxxxx
    * cisco-nsp@xxxxxxxxxxxxxxx
    * full-disclosure@xxxxxxxxxxxxxxxx
    * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.


Revision History
================
Revision 1.0    2004-June-30    Initial public release.


Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

========================================================================
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights
reserved. Important Notices <http://www.cisco.com/public/copyright.html>
and Privacy Statement <http://www.cisco.com/public/privacy.html>.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQOLlCnsxqM8ytrWQEQJ+5wCeN1ivRkc4vhtAMpRRUGsaIcmth+EAnjEO
JcSZ+EqDWryx+ZiRsaPmlaCR
=FVFo
-----END PGP SIGNATURE-----