Cisco patches security-monitoring system
Flaws in product meant to keep eye on networks could let intruders get into a system--and get sensitive information.
The company outlined the vulnerabilities in its Cisco Security Monitoring Analysis and Response System in an advisory Wednesday. The three vulnerabilities could allow intruders to gain remote access to systems and to glean sensitive information, Cisco said. They relate to the CS-MARS system itself and to the way it interacts with software from Oracle and JBoss.
Cisco said it has patched CS-MARS version 4.2.1 and later, and urged customers to apply all available updates. All previous CS-MARS versions, however, are affected by the flaws.
CS-MARS, which monitors network devices and reports security problems, uses Oracle databases to store sensitive network information, such as authentication credentials for firewalls, routers and IPS devices. Cisco noted that Oracle databases have several built-in default accounts that use well-known passwords. As a result, a malicious attacker could potentially gain access to the information stored in the database.
A malicious attacker could also execute remote code on a CS-MARS appliance and gain administrator privileges via an optional JBoss JMX console. JBoss Web application servers can be used with CS-MARS.
In CS-MARS itself, the problem lies in the command line interface, or CLI, which is designed to allow authenticated administrators to conduct maintenance on their systems. However, several flaws in the CLI could allow an attacker to escalate their privileges to gain root access to a machine, according to a a posting from the SANS Institute's Internet Storm Center.