NY.gov Portal State Agency Listing
The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2010-005

DATE(S) ISSUED:
1/20/2010

SUBJECT:
Vulnerability in CiscoWorks Internetwork Performance Monitor Could Allow Remote Code Execution

OVERVIEW:

A vulnerability has been discovered in CiscoWorks Internetwork Performance Monitor (IPM) which could allow remote code execution. CiscoWorks IPM is a troubleshooting component used within the management solutions for CiscoWorks products which are used to configure, administer and monitor networks. Successful exploitation could result in an attacker gaining the same privileges as the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attacks will likely cause denial-of-service conditions.

SYSTEMS AFFECTED:

  • CiscoWorks IPM 2.6 and earlier for Windows operating systems

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

DESCRIPTION:
CiscoWorks Internetwork Performance Monitor (IPM) is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data. Specifically, the issue is triggered when processing Common Object Request Broker Architecture (CORBA) GIOP requests. Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attacks will likely cause denial-of-service conditions.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Restrict access to only trusted computers and networks to reduce the likelihood of a successful exploit.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Customers with active software licenses for the IPM component of CiscoWorks versions 2.6 and earlier should send email to ipm-corba-fix@cisco.com for instructions on migrating to non-vulnerable software.

REFERENCES:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20100120-ipm.shtml
http://www.cisco.com/en/US/products/sw/cscowork/ps1008/

SecurityFocus:
http://www.securityfocus.com/bid/37879