
Cisco advisories/updates


332 replies to this topic

#106 AplusWebMaster


  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 January 2013 - 02:02 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco ASA 1000V Cloud Firewall - DoS vuln
- http://tools.cisco.c...130116-asa1000v
2013 Jan 16 - "Summary: A vulnerability in Cisco Adaptive Security Appliance (ASA) Software for the Cisco ASA 1000V Cloud Firewall may cause the Cisco ASA 1000V to reload after processing a malformed H.323 message. Cisco ASA 1000V Cloud Firewall is affected when H.323 inspection is enabled. Cisco has released free software updates that address this vulnerability...
Note: Only Cisco ASA Software for the Cisco ASA 1000V Cloud Firewall is affected by the vulnerability described in this advisory. Cisco ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module or Cisco Catalyst 6500 Series Firewall Services Module (FWSM) are not affected by this vulnerability..."

- https://secunia.com/advisories/51897/
Release Date: 2013-01-16
Criticality level: Moderately critical
Impact: DoS
Where: From remote...
Solution: Update to version 8.7.1.3.

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#107 AplusWebMaster


Posted 22 January 2013 - 08:08 PM

FYI...

> http://tools.cisco.c...cationListing.x

Cisco IOS Software Tunneled Traffic Queue Wedge vuln
- http://tools.cisco.c...26-c10k-tunnels
Last Updated: 2013 Jan 18 - "... Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments..."

Cisco Unified IP Phone - vuln
- http://tools.cisco.c...130109-uipphone
Last Updated: 2013 Jan 17 - "Update: An Engineering Special release has been made available for affected Cisco Customers that includes hardening measures to mitigate the known attack vectors for the vulnerability described in this advisory. This release is available upon request from the Cisco TAC. The release name is 9.3(1)-ES11..."

:ph34r: :ph34r:



#108 AplusWebMaster


Posted 24 January 2013 - 08:30 AM

FYI...

> http://tools.cisco.c...cationListing.x

Multiple Vulnerabilities in Cisco Wireless LAN Controllers
- http://tools.cisco.c...sa-20130123-wlc
Last Updated: 2013 Jan 30 - "Summary: The Cisco Wireless LAN Controller (Cisco WLC) product family is affected by the following four vulnerabilities:
• Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability
• Cisco Wireless LAN Controllers Session Initiation Protocol Denial of Service Vulnerability
• Cisco Wireless LAN Controllers HTTP Profiling Remote Code Execution Vulnerability
• Cisco Wireless LAN Controllers SNMP Unauthorized Access Vulnerability
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available..."
- http://www.securityt....com/id/1028027
CVE Reference:
- http://web.nvd.nist....d=CVE-2013-1102 - 7.8 (HIGH)
- http://web.nvd.nist....d=CVE-2013-1103 - 7.8 (HIGH)
- http://web.nvd.nist....d=CVE-2013-1104 - 9.0 (HIGH)
- http://web.nvd.nist....d=CVE-2013-1105 - 9.0 (HIGH)
Jan 23 2013
Impact: Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, Modification of system information, User access via network
Solution: The vendor has issued a fix (7.0.240.0, 7.2.111.3, 7.3.110.0).

Cisco Prime LAN Management Solution Command Execution vuln
- http://tools.cisco.c...sa-20130109-lms
Last Updated: 2013 Jan 23 - "Summary: Cisco Prime LAN Management Solution (LMS) Virtual Appliance contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands with the privileges of the root user. The vulnerability is due to improper validation of authentication and authorization commands sent to certain TCP ports. An attacker could exploit this vulnerability by connecting to the affected system and sending arbitrary commands. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate these vulnerabilities are available..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 06 February 2013 - 12:44 PM.



#109 AplusWebMaster


Posted 29 January 2013 - 12:26 PM

FYI...

> http://tools.cisco.c...lnerabilityNote

Cisco IOS Software HTTP Server Denial of Service Vuln
- http://tools.cisco.c...e/CVE-2013-1100
2013 Jan 30 - "Summary: Cisco IOS Software contains a vulnerability in the HTTP server feature which could allow an unauthenticated, remote attacker to cause a denial of service attack if the HTTP server feature is enabled. The vulnerability is due to incorrect handling of TCP socket events. An attacker could exploit this vulnerability by sending a special combination of crafted packets to TCP port 80 or 443. A successful exploit could cause a Cisco Catalyst switch to crash, resulting in a denial of service...
Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will -not- be provided for issues that are disclosed through a Cisco Security Notice..."

Cisco Carrier Routing System Small Packets DoS vuln
- http://tools.cisco.c...e/CVE-2013-1112
Last Updated: 2013 January 28 - "Summary: Cisco Carrier Routing System (CRS) contains a vulnerability that could allow an unauthenticated, remote attacker to cause a partial drop of legitimate traffic passing through the affected system. The vulnerability is due to inefficient handling of some malformed packets, which may slow down the processing of legitimate traffic. An attacker could exploit this vulnerability by sending malformed packets through the affected system.:
> http://tools.cisco.c...ugId=CSCud79136
... Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will -not- be provided for issues that are disclosed through a Cisco Security Notice..."

- https://secunia.com/advisories/51989/
Release Date: 2013-01-29
Criticality level: Moderately critical
Impact: DoS
Where: From remote...

:ph34r: :ph34r:

Edited by AplusWebMaster, 06 February 2013 - 04:17 PM.



#110 AplusWebMaster


Posted 04 February 2013 - 09:14 AM

FYI...

- http://tools.cisco.c...lnerabilityNote

Cisco Unity Express Cross Site Request Forgery Vuln
- http://tools.cisco.c...e/CVE-2013-1120
2013 Feb 1 - "Summary: Cisco Unity Express software prior to version 8.0 contains vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross site request forgery attacks..."

- https://secunia.com/advisories/52045/
Release Date: 2013-02-04
Impact: Cross Site Scripting
Where: From remote...
CVE Reference(s): CVE-2013-1114, CVE-2013-1120
... vulnerabilities are reported in versions prior to 8.0.
Solution: Upgrade to version 8.0 or later

:ph34r:



#111 AplusWebMaster


Posted 06 February 2013 - 01:00 PM

FYI...

> http://tools.cisco.c...cationListing.x

Cisco ATA 187 Analog Telephone Adaptor Remote Access Vuln
- http://tools.cisco.c...20130206-ata187
2013 Feb 6 - Summary: Cisco ATA 187 Analog Telephone Adaptor firmware versions 9.2.1.0 and 9.2.3.1 contain a vulnerability that could allow an unauthenticated, remote attacker to access the operating system of the affected device.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available...
Vulnerable Products: The Cisco ATA 187 Analog Telephone Adaptor is affected by this vulnerability when it is running firmware version 9.2.1.0 or 9.2.3.1.
To check the firmware version on the Cisco ATA 187 Analog Telephone Adaptor, an administrator can view the SW_Version ID field on the device web interface...
Fixes: This vulnerability is addressed in the Cisco ATA 187 Analog Telephone Adaptor firmware version 9.2.3.1 ES build 4 or later...
Workarounds: It is possible to terminate the listening Telnet process on the device by accessing the device remotely, listing the processes, and then terminating the Telnet process. This prevents further remote access to the device until the device is reloaded. Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco ATA 187 Analog Telephone Adaptor Remote Access Vulnerability," which is available at the following link: http://tools.cisco.c...x?alertId=27921

- http://tools.cisco.c...lnerabilityNote

Cisco Nexus 7000 M1-Series Modules Crafted Packet Vuln
- http://tools.cisco.c...e/CVE-2013-1122
2013 Feb 6 - Summary: Cisco Nexus 7000 contains a vulnerability that could allow an unauthenticated, remote attacker to cause an affected M1-Series module to reload.
The vulnerability is due to incorrect handling of crafted packets. An attacker could exploit this vulnerability by sending crafted packets to a device that is configured with Overlay Transport Virtualization (OTV), where the physical interface of the connection is over the M1-Series module. An exploit could allow the attacker to cause the M1-Series module to reload.
Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will -not- be provided for issues that are disclosed through a Cisco Security Notice...

:ph34r: :ph34r:

Edited by AplusWebMaster, 06 February 2013 - 02:18 PM.



#112 AplusWebMaster


Posted 19 February 2013 - 10:17 AM

FYI...

> http://tools.cisco.c...ecurityAdvisory

Cisco multiple product Root Shell Access vuln
- http://tools.cisco.c...e/CVE-2013-1125
2013 Feb 15 - "Summary: A vulnerability in the command-line interface of multiple Cisco products could allow an authenticated, local attacker to gain shell access with root privileges. The vulnerability is due to incorrect input validation...
Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will -not- be provided for issues that are disclosed through a Cisco Security Notice..."

Cisco Unity Connection Memory Leak DoS vuln
- http://tools.cisco.c...e/CVE-2013-1129
2013 Feb 15 - "Summary: Cisco Unity Connection version 9.x contains a vulnerability that could allow an unauthenticated, remote attacker to trigger a memory leak that can result in the crash of a critical process. The vulnerability is due to incorrect handling of incoming TCP sessions...
Customers who wish to upgrade to a software version that includes fixes for these issues should contact their normal support channels. Free software updates will -not- be provided for issues that are disclosed through a Cisco Security Notice..."

:ph34r: :ph34r:



#113 AplusWebMaster


Posted 28 February 2013 - 06:02 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Unified Communications Manager Multiple DoS vulns
- http://tools.cisco.c...a-20130227-cucm
2013 Feb 27 - "Summary: Cisco Unified Communications Manager contains two vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploitation of these vulnerabilities could cause an interruption of voice services. Cisco has released free software updates that address these vulnerabilities..."
- http://www.securityt....com/id/1028218
CVE Reference: CVE-2013-1133, CVE-2013-1134
Feb 28 2013
Solution: The vendor has issued a fix (8.6(4)BE3K, 8.6(2a)su2, 9.1(1)).

Cisco Prime Central - Hosted Collaboration Solution - Excessive CPU Utilization vuln
- http://tools.cisco.c...sa-20130227-hcs
2013 Feb 27 - "Summary: Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploitation of this vulnerability could interrupt the monitoring of voice services. Cisco has released free software updates that address this vulnerability..."
- http://www.securityt....com/id/1028220
CVE Reference: CVE-2013-1135
Date: Feb 28 2013
Solution: The vendor has issued a fix (9.1(1)).

Cisco Unified Presence Server DoS vuln
- http://tools.cisco.c...a-20130227-cups
2013 Feb 27 - "Summary: Cisco Unified Presence Server (CUPS) contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Cisco has released free software updates that address this vulnerability. A workaround is available to mitigate this vulnerability... Fixes may be obtained from the software download center on cisco.com, which you can access at the following link:
> http://software.cisc.../navigator.html
Note: The upgrade path for version 9.0 is to version 9.1.1 which is available at the link above..."
- http://www.securityt....com/id/1028219
CVE Reference: CVE-2013-1137
Feb 28 2013

:ph34r: :ph34r: :ph34r:



#114 AplusWebMaster


Posted 07 March 2013 - 01:59 PM

FYI...

>> http://tools.cisco.c...oSecurityNotice

Cisco Small Business Switches - DoS vuln
- http://tools.cisco.c...x?alertId=27502
March 06, 2013
- https://cve.mitre.or...e=CVE-2013-1154
Summary: Cisco Small Business Switches contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition on a targeted device. Updates are available.
The following Cisco Small Business Series Switches are vulnerable:
- Cisco Small Business 200 Series Smart Switch versions 1.2.7.76 and prior
- Cisco Small Business 300 Series Managed Switch versions 1.2.7.76 and prior
- Cisco Small Business 500 Series Stackable Managed Switch version 1.2.7.76 and prior
> http://software.cisc...catid=268438038

Cisco Prime Infrastructure Cross-Site Request Forgery vuln
- http://tools.cisco.c...x?alertId=28502
March 06, 2013
- https://cve.mitre.or...e=CVE-2013-1153
Summary: Cisco Prime Infrastructure contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks. Updates are not available... the code is not known to be publicly available.
Primary Products: Cisco Prime Infrastructure: 1.2 .0, .1 | 1.3 .0

:ph34r: :ph34r:

Edited by AplusWebMaster, 17 March 2013 - 09:15 AM.



#115 AplusWebMaster


Posted 15 March 2013 - 10:14 AM

FYI...

Cisco Video Surveillance Operations Manager - multiple vulns
- https://secunia.com/advisories/52611/
Release Date: 2013-03-15
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information
Where: From remote
... vulnerabilities are reported in all 6.x versions.
Solution: Upgrade to a fixed 7.x version.

Release Notes for Cisco Video Surveillance Manager Release 7.0.1
> http://www.cisco.com..._1.html#wp23144
14 Mar 2013

:ph34r:



#116 AplusWebMaster


Posted 27 March 2013 - 07:38 PM

FYI...

Semiannual Cisco IOS Software Security Advisory Bundled Publication
> http://www.cisco.com..._ERP_mar13.html
March 27, 2013

Cisco IOS Software Network Address Translation Vulnerability
- http://tools.cisco.c...sa-20130327-nat

Cisco IOS Software Resource Reservation Protocol Denial of Service Vulnerability
- http://tools.cisco.c...a-20130327-rsvp

Cisco IOS Software Internet Key Exchange Vulnerability
- http://tools.cisco.c...sa-20130327-ike

Cisco IOS Software Zone-Based Policy Firewall Session Initiation Protocol Inspection Denial of Service Vulnerability
- http://tools.cisco.c...sa-20130327-cce

Cisco IOS Software Smart Install Denial of Service Vulnerability
- http://tools.cisco.c...27-smartinstall

Cisco IOS Software Protocol Translation Vulnerability
- http://tools.cisco.c...-sa-20130327-pt

Cisco IOS Software IP Service Level Agreement Vulnerability
- http://tools.cisco.c...-20130327-ipsla

:ph34r:



#117 AplusWebMaster


Posted 11 April 2013 - 08:27 AM

FYI...

- http://tools.cisco.c...cationListing.x

Multiple Vulnerabilities in Cisco ASA Software
- http://tools.cisco.c...sa-20130410-asa
2013 April 10 - "... Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of these vulnerabilities..."
> https://secunia.com/advisories/53013/

Multiple Vulnerabilities in Cisco Firewall Services Module Software
- http://tools.cisco.c...a-20130410-fwsm
2013 April 10 - "... Cisco has released free software updates that address these vulnerabilities. A workaround is available for the IKE vulnerability..."
> https://secunia.com/advisories/53012/

Multiple Vulnerabilities in Cisco Unified MeetingPlace Solution
- http://tools.cisco.c...-sa-20130410-mp
2013 April 10 - "... Cisco has released free software updates that address these vulnerabilities. A workaround is available for the Cisco Unified MeetingPlace Web Conferencing Server Arbitrary Login Vulnerability..."
> https://secunia.com/advisories/53014/

Cisco Prime Network Control Systems Database Default Credentials Vulnerability
- http://tools.cisco.c...sa-20130410-ncs
2013 April 10 - "... Cisco has released free software updates that address this vulnerability. There is no workaround for this vulnerability..."
> https://secunia.com/advisories/53010/

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
- http://tools.cisco.c...0130410-asr1000
2013 April 10 - "... Cisco has released free software updates that address these vulnerabilities..."
> https://secunia.com/advisories/53011/

:ph34r:



#118 AplusWebMaster


Posted 12 April 2013 - 02:37 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco IOS Software Resource Reservation Protocol DoS vuln
- http://tools.cisco.c...a-20130327-rsvp
2013 April 11 - Revision 1.2 - "... Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability..."

Cisco IOS Software Protocol Translation vuln
- http://tools.cisco.c...-sa-20130327-pt
2013 April 11 - Revision 1.1 - "... Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available..."

Cisco IOS Software Internet Key Exchange vuln
- http://tools.cisco.c...sa-20130327-ike
2013 April 11 - Revision 1.1 - "... Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."

Cisco IOS Software Zone-Based Policy Firewall Session Initiation Protocol Inspection DoS vuln
- http://tools.cisco.c...sa-20130327-cce
2013 April 11 - Revision 1.1 - "... Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that must run SIP inspection..."

Cisco IOS Software Smart Install DoS vuln
- http://tools.cisco.c...27-smartinstall
2013 April 11 - Revision 1.1 - "... Cisco has released free software updates that address this vulnerability. There are no workarounds for devices that have the Smart Install client feature enabled..."

Cisco IOS Software Network Address Translation vuln
- http://tools.cisco.c...sa-20130327-nat
2013 April 11 - Revision 1.3 - "... Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."

Cisco IOS Software IP Service Level Agreement vuln
- http://tools.cisco.c...-20130327-ipsla
2013 April 12 - Revision 1.3 - "... Cisco has released free software updates that address this vulnerability. Mitigations for this vulnerability are available..."

:ph34r:



#119 AplusWebMaster


Posted 16 April 2013 - 03:59 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco IOS XE Software for 1000 Series Aggregation Services Routers - multiple vulns
- http://tools.cisco.c...0130410-asr1000
Last Updated: 2013 April 15 Revision 1.2 - "Summary: Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:
- Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
- Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
- Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
- Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
- Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
- Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services. Repeated exploitation could result in a sustained DoS condition.
Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.
Cisco has released free software updates that address these vulnerabilities..."

- http://www.securityt....com/id/1028418
CVE Reference: CVE-2013-1164, CVE-2013-1165, CVE-2013-1166, CVE-2013-1167
Apr 10 2013
Impact: Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): IOS XE 2.x - 3.7 ...

:ph34r:

Edited by AplusWebMaster, 16 April 2013 - 04:07 AM.



#120 AplusWebMaster


Posted 18 April 2013 - 07:29 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco TelePresence Infrastructure Denial of Service Vuln
- http://tools.cisco.c...sa-20130417-tpi
2013 April 17 Revision 1.0 - "... Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
CVE: CVE-2013-1164, CVE-2013-1165, CVE-2013-1166, CVE-2013-1167

Cisco Network Admission Control Manager SQL Injection Vuln
- http://tools.cisco.c...sa-20130417-nac
2013 April 17 Revision 1.0 - "... Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability..."
CVE: CVE-2013-1177

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers
- http://tools.cisco.c...0130410-asr1000
2013 April 17 Revision 1.3 - "... Summary: Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:
- Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
- Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
- Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
- Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
- Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others. Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services. Repeated exploitation could result in a sustained DoS condition.
Note: Cisco IOS Software and Cisco IOS-XR Software are not affected by these vulnerabilities.
Cisco has released free software updates that address these vulnerabilities..."
CVE: CVE-2013-1177

:ph34r:
