AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
ESB-2022.1614 - [Cisco] Cisco IOS XR Software: CVSS (Max): 6.8
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1614
Cisco IOS XR Software Border Gateway Protocol Ethernet VPN
Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XR Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20758
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb
Comment: CVSS (Max): 6.8 CVE-2022-20758 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XR Software Border Gateway Protocol Ethernet VPN Denial of Service
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-bgpevpn-zWTRtPBb
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz26082
CVE Names: CVE-2022-20758
CWEs: CWE-399
Summary
o A vulnerability in the implementation of the Border Gateway Protocol (BGP)
Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an
unauthenticated, remote attacker to cause a denial of service (DoS)
condition.
This vulnerability is due to the incorrect processing of a BGP update
message that contains specific EVPN attributes. An attacker could exploit
this vulnerability by sending a BGP update message that contains specific
EVPN attributes. To exploit this vulnerability, an attacker must control a
BGP speaker that has an established trusted peer connection to an affected
device that is configured with the address family L2VPN EVPN to receive and
process the update message. This vulnerability cannot be exploited by any
data that is initiated by clients on the Layer 2 network or by peers that
are not configured to accept the L2VPN EVPN address family. A successful
exploit could allow the attacker to cause the BGP process to restart
unexpectedly, resulting in a DoS condition.
The Cisco implementation of BGP accepts incoming BGP updates only from
explicitly defined peers. For this vulnerability to be exploited, the
malicious BGP update message must either come from a configured, valid BGP
peer or be injected by the attacker into the affected BGP network on an
existing, valid TCP connection to a BGP peer.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb
This advisory is part of the April 2022 release of the Cisco IOS XR
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022 Cisco
IOS XR Software Security Advisory Bundled Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco devices if
they were running a vulnerable release of Cisco IOS XR Software and had BGP
configured with at least one peer that was configured with the address
family L2VPN EVPN.
For information about which Cisco software releases were vulnerable at the
time of publication, see the Fixed Software section of this advisory. See
the Details section in the bug ID(s) at the top of this advisory for the
most complete and current information.
Determine Whether the Device is Configured for BGP
To determine whether the device is configured for BGP, use the show
running-config router bgp EXEC CLI command. If the router is configured for
BGP, this command will return output, as shown in the following example:
# show running-config router bgp
router bgp 65536...
Determine Whether the Device has L2VPN EVPN Neighbors Configured
To determine whether the device has any neighbors that are configured for
the L2VPN EVPN address family, use the show running-config router bgp
AS-number EXEC CLI command. The following example shows the partial output
of the show running-config router bgp AS-number command on a device that
has the L2VPN EVPN address family configured:
# show running-config router bgp 65536
router bgp 65536
 ...
 address-family l2vpn evpn
 ...
 neighbor-group example
  address-family l2vpn evpn
  ...
 neighbor 2001:DB8::1
  use neighbor-group example
 !
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XE Software
NX-OS Software
Details
o EVPN is a next-generation solution that provides Ethernet multipoint
services over MPLS networks. Customers can learn more about EVPN and
configuration options in guides, such as L2VPN and Ethernet Services
Configuration Guide for Cisco ASR 9000 Series Routers, and in guides for
other platforms that support this feature.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, the release information in the following
table(s) was accurate. See the Details section in the bug ID(s) at the top
of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column
indicates whether a release was affected by the vulnerability described in
this advisory and which release included the fix for this vulnerability.
Cisco IOS XR Software Release    First Fixed Release
6.5 and earlier                  Not vulnerable.
6.6                              Vulnerable; migrate to a fixed release.
6.7                              Vulnerable; migrate to a fixed release.
6.8                              Vulnerable; migrate to a fixed release.
7.0                              Vulnerable; migrate to a fixed release.
7.1                              Vulnerable; migrate to a fixed release.
7.2                              Vulnerable; migrate to a fixed release.
7.3                              7.3.2
7.4                              7.4.2
7.5 and later                    Not affected.
At the time of publication, Cisco had released the following SMUs to
address this vulnerability. See the Details section in the bug ID(s) at the
top of this advisory for the most complete and current information,
including SMU availability. Customers who require SMUs for platforms or
releases that are not listed are advised to contact their support
organization.
Cisco IOS XR Software Release    Platform    SMU Name
7.1.2                            NCS5500     ncs5500-7.1.2.CSCvz26082
7.4.15                           IOSXRWBD    iosxrwbd-7.4.15.CSCvz26082
7.4.16                           IOSXRWBD    iosxrwbd-7.4.16.CSCvz26082
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
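The release and configuration conditions above, turned into an offline checker over saved CLI output. This is an added example, not Cisco's or AusCERT's code; it encodes the Fixed Releases and SMU tables exactly as given and assumes IOS XR's indented running-config layout (af-group and session-group inheritance are not modelled, and the sample config is constructed).

```python
"""Offline exposure check for CVE-2022-20758 (cisco-sa-bgpevpn-zWTRtPBb).
Added example, not Cisco's or AusCERT's code; sample text is constructed.
"""
import re

# Fixed Releases table from the advisory: train -> first fixed release.
# None means "Vulnerable; migrate to a fixed release" (no fix in that train).
FIRST_FIXED = {
    "6.6": None, "6.7": None, "6.8": None,
    "7.0": None, "7.1": None, "7.2": None,
    "7.3": "7.3.2", "7.4": "7.4.2",
}
# SMU table from the advisory: (release, platform) -> SMU name.
SMUS = {
    ("7.1.2", "NCS5500"): "ncs5500-7.1.2.CSCvz26082",
    ("7.4.15", "IOSXRWBD"): "iosxrwbd-7.4.15.CSCvz26082",
    ("7.4.16", "IOSXRWBD"): "iosxrwbd-7.4.16.CSCvz26082",
}

def _vtuple(release):
    """'7.3.2' -> (7, 3, 2), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in release.split("."))

def release_status(release):
    """Classify a release per the table: "not_vulnerable", "vulnerable" or "fixed"."""
    parts = _vtuple(release)
    train = parts[:2]
    if train <= (6, 5) or train >= (7, 5):   # "6.5 and earlier" / "7.5 and later"
        return "not_vulnerable"
    # A release the advisory publishes an SMU for is affected until that SMU is
    # installed, even where it sorts above the train's first fixed release.
    if any(rel == release for rel, _platform in SMUS):
        return "vulnerable"
    first_fixed = FIRST_FIXED.get(".".join(map(str, train)))  # unknown train: vulnerable
    if first_fixed is not None and parts >= _vtuple(first_fixed):
        return "fixed"
    return "vulnerable"

def available_smus(release, platform):
    """SMU names the advisory lists for exactly this release and platform."""
    return [name for (rel, plat), name in SMUS.items()
            if rel == release and plat == platform]

def l2vpn_evpn_peers(bgp_config):
    """Neighbors in 'show running-config router bgp' output that activate the L2VPN
    EVPN address family, directly or through 'use neighbor-group'. Relies on IOS XR's
    indentation (assumption); af-group/session-group inheritance is not modelled."""
    groups_with_evpn, direct, uses = set(), set(), {}
    ctx, ctx_indent = None, -1       # ctx is ("group", name) or ("neighbor", addr)
    for raw in bgp_config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent <= ctx_indent:     # dedent: leave the current neighbor/group block
            ctx, ctx_indent = None, -1
        m = re.fullmatch(r"neighbor-group (\S+)", text)
        if m:
            ctx, ctx_indent = ("group", m.group(1)), indent
            continue
        m = re.fullmatch(r"neighbor (\S+)", text)
        if m:
            ctx, ctx_indent = ("neighbor", m.group(1)), indent
            continue
        if ctx is None:              # e.g. the global address-family under router bgp
            continue
        if text == "address-family l2vpn evpn":
            (groups_with_evpn if ctx[0] == "group" else direct).add(ctx[1])
        m = re.fullmatch(r"use neighbor-group (\S+)", text)
        if m and ctx[0] == "neighbor":
            uses[ctx[1]] = m.group(1)
    via_group = {n for n, g in uses.items() if g in groups_with_evpn}
    return sorted(direct | via_group)

def exposed(release, bgp_config, platform=None):
    """Exposed only when the release is vulnerable AND an L2VPN EVPN peer exists."""
    status, peers = release_status(release), l2vpn_evpn_peers(bgp_config)
    return {"exposed": status == "vulnerable" and bool(peers),
            "release_status": status, "evpn_peers": peers,
            "smus": available_smus(release, platform) if platform else []}

# Constructed sample modelled on the advisory's example output.
SAMPLE_BGP_CONFIG = """\
router bgp 65536
 address-family l2vpn evpn
 !
 neighbor-group example
  address-family l2vpn evpn
  !
 !
 neighbor 2001:DB8::1
  use neighbor-group example
 !
!
"""
```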
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Cisco IOS XR Software Security Advisory
Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-APR-13 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.1613 - [Cisco] Cisco IOS XE Wireless Controller Software: CVSS (Max): 7.4
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1613
Cisco IOS XE Wireless Controller Software for the Catalyst
9000 Family SNMP Trap Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Wireless Controller Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20684
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey
Comment: CVSS (Max): 7.4 CVE-2022-20684 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP
Trap Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-c9800-snmp-trap-dos-mjent3Ey
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCvs71784
CVE Names: CVE-2022-20684
CWEs: CWE-190
Summary
o A vulnerability in Simple Network Management Protocol (SNMP) trap
generation for wireless clients of Cisco IOS XE Wireless Controller
Software for the Catalyst 9000 Family could allow an unauthenticated,
adjacent attacker to cause an affected device to unexpectedly reload,
resulting in a denial of service (DoS) condition on the device.
This vulnerability is due to a lack of input validation of the information
used to generate an SNMP trap related to a wireless client connection
event. An attacker could exploit this vulnerability by sending an 802.1x
packet with crafted parameters during the wireless authentication setup
phase of a connection. A successful exploit could allow the attacker to
cause the device to reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco devices if they are running
a vulnerable release of Cisco IOS XE Wireless Controller Software for the
Catalyst 9000 Family and are configured to send SNMP traps for wireless
client exclusion events (disabled by default):
Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400,
and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controllers on Catalyst Access Points
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether any SNMP trapflags for client exclusion events are
enabled on a device, log in to the device and run the show running-config |
include trapflags client excluded command on the CLI to check for the
presence of the trapflags client excluded command in the global
configuration. If any output is returned, then the device is considered
vulnerable.
The following example shows the output of the show running-config | include
trapflags client excluded command for a device that has SNMP client event
trapflags configured:
Router# show running-config | include trapflags client excluded
trapflags client excluded
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Wireless LAN Controller (WLC) AireOS Software
Workarounds
o Customers who do not require SNMP traps for wireless-excluded clients can
disable them from the CLI with the global configuration command, as shown
in the following example:
WLC(config)#no trapflags client excluded
While this workaround has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey
Revision History
o +---------+-------------------------+---------+--------+-------------+
  | Version | Description             | Section | Status | Date        |
  +---------+-------------------------+---------+--------+-------------+
  | 1.0     | Initial public release. | -       | Final  | 2022-APR-13 |
  +---------+-------------------------+---------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1612 - [Cisco] Cisco IOS XE Wireless Controller Software: CVSS (Max): 8.6
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1612
Cisco IOS XE Wireless Controller Software for the Catalyst
9000 Family CAPWAP Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Wireless Controller Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20682
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU
Comment: CVSS (Max): 8.6 CVE-2022-20682 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP
Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-c9800-capwap-mdns-6PSn7gKU
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy07717
CVE Names: CVE-2022-20682
CWEs: CWE-690
Summary
o A vulnerability in the Control and Provisioning of Wireless Access Points
(CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software
for the Catalyst 9000 Family could allow an unauthenticated, remote
attacker to cause a denial of service (DoS) condition on an affected
device.
This vulnerability is due to inadequate input validation of incoming CAPWAP
packets encapsulating multicast DNS (mDNS) queries. An attacker could
exploit this vulnerability by connecting to a wireless network and sending
a crafted mDNS query, which would flow through and be processed by the
wireless controller. A successful exploit could allow the attacker to cause
the affected device to crash and reload, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco devices if they are running
a vulnerable release of Cisco IOS XE Wireless Controller Software for the
Catalyst 9000 Family and have the mDNS gateway feature enabled (disabled by
default):
Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400,
and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controllers on Catalyst Access Points
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether the mDNS gateway feature is enabled on a device, log
in to the device CLI and issue the command show mdns-sd summary. If the
mDNS gateway feature is enabled, then issue the command show run | section
wlan to verify whether any WLANs are configured to use the mDNS gateway. If
both conditions are true, the device is vulnerable.
The following example shows the output of the commands listed above for a
device that has the mDNS gateway feature globally enabled and active on a
WLAN:
WLC#show mdns-sd summary
mDNS Gateway: Enabled
Mode: Default
Active Query Periodicity (in minutes): 30
Transport Type: IPv4
mDNS AP service policy: default-mdns-service-policy

WLC#show run | section wlan
aaa attribute list wlan_lobby_access
wlan ssidname policy default-policy-profile
wlan ssidname 1 ssidname
 mdns-sd-interface gateway
 no shutdown
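The configuration checks from this advisory and from ESB-2022.1613 above (the trapflags client excluded check), run offline over saved CLI output. This is an added example, not Cisco's or AusCERT's code; it assumes output in the form the advisories show, uses constructed samples, and covers only the configuration conditions, so the software-release condition still has to be checked separately (for instance with the Cisco Software Checker).

```python
"""Offline configuration checks for two Catalyst 9800 advisories:
CVE-2022-20684 (cisco-sa-c9800-snmp-trap-dos-mjent3Ey) and
CVE-2022-20682 (cisco-sa-c9800-capwap-mdns-6PSn7gKU).
Added example, not Cisco's or AusCERT's code; samples are constructed and
modelled on the advisories' example output. Release exposure is out of scope.
"""
import re

def client_exclusion_traps_enabled(running_config):
    """CVE-2022-20684 condition: 'trapflags client excluded' in the global config.
    Exact-line match instead of the advisory's '| include' grep, so a
    'no trapflags client excluded' line (the workaround) is not a false positive."""
    return any(line.strip() == "trapflags client excluded"
               for line in running_config.splitlines())

def mdns_gateway_enabled(mdns_summary):
    """CVE-2022-20682 condition 1: 'show mdns-sd summary' reports the gateway Enabled."""
    m = re.search(r"^\s*mDNS Gateway:\s*(\S+)", mdns_summary, re.MULTILINE)
    return m is not None and m.group(1).lower() == "enabled"

def wlans_using_mdns_gateway(wlan_section):
    """CVE-2022-20682 condition 2: WLAN profiles in 'show run | section wlan'
    output that carry 'mdns-sd-interface gateway'. Returns the profile names."""
    found, current = [], None
    for raw in wlan_section.splitlines():
        text = raw.strip()
        m = re.fullmatch(r"wlan (\S+) \d+ \S+", text)   # 'wlan <profile> <id> <ssid>'
        if m:
            current = m.group(1)
            continue
        if text.startswith("wlan "):   # other 'wlan ...' lines, e.g. policy bindings
            current = None
            continue
        if current and text == "mdns-sd-interface gateway":
            found.append(current)
    return found

def assess(running_config, mdns_summary, wlan_section):
    """Per-CVE verdicts on the configuration conditions only."""
    wlans = wlans_using_mdns_gateway(wlan_section)
    return {
        "CVE-2022-20684": client_exclusion_traps_enabled(running_config),
        "CVE-2022-20682": mdns_gateway_enabled(mdns_summary) and bool(wlans),
        "mdns_wlans": wlans,
    }

# Constructed samples.
RUNNING_CONFIG_VULNERABLE = "hostname WLC\ntrapflags client excluded\n"
RUNNING_CONFIG_WORKAROUND = "hostname WLC\nno trapflags client excluded\n"
MDNS_SUMMARY = """\
mDNS Gateway: Enabled
Mode: Default
Active Query Periodicity (in minutes): 30
Transport Type: IPv4
mDNS AP service policy: default-mdns-service-policy
"""
WLAN_SECTION = """\
aaa attribute list wlan_lobby_access
wlan ssidname policy default-policy-profile
wlan ssidname 1 ssidname
 mdns-sd-interface gateway
 no shutdown
wlan guest 2 guest
 no shutdown
"""
```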
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Wireless LAN Controller (WLC) AireOS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1611 - [Cisco] Cisco IOS XE Software: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1611
Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Catalyst
9000 Family Wireless Controllers Privilege Escalation Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20681
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5
Comment: CVSS (Max): 7.8 CVE-2022-20681 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Catalyst 9000
Family Wireless Controllers Privilege Escalation Vulnerability
Priority: High
Advisory ID: cisco-sa-ewlc-priv-esc-ybvHKO5
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz37647
CVE Names: CVE-2022-20681
CWEs: CWE-266
Summary
o A vulnerability in the CLI of Cisco IOS XE Software for Cisco Catalyst
9000 Family Switches and Cisco Catalyst 9000 Family Wireless Controllers
could allow an authenticated, local attacker to elevate privileges to level
15 on an affected device.
This vulnerability is due to insufficient validation of user privileges
after the user executes certain CLI commands. An attacker could exploit
this vulnerability by logging in to an affected device as a low-privileged
user and then executing certain CLI commands. A successful exploit could
allow the attacker to execute arbitrary commands with level 15 privileges
on the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9000
Family Switches or Cisco Catalyst 9000 Family Wireless Controllers:
Catalyst 9300 Series Switches
Catalyst 9400 Series Switches
Catalyst 9500 Series Switches
Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400,
and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controllers on Catalyst Access Points
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco software:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Wireless LAN Controller (WLC) AireOS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1610 - [Cisco] Cisco IOS XE Software: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1610
Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers
Application Visibility and Control Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20683
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge
Comment: CVSS (Max): 8.6 CVE-2022-20683 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers Application
Visibility and Control Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-c9800-fnf-dos-bOL5vLge
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvx21714
CVE Names: CVE-2022-20683
CWEs: CWE-124
Summary
o A vulnerability in the Application Visibility and Control (AVC-FNF) feature
of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless
Controllers could allow an unauthenticated, remote attacker to cause a
denial of service (DoS) condition on an affected device.
This vulnerability is due to insufficient packet verification for traffic
inspected by the AVC feature. An attacker could exploit this vulnerability
by sending crafted packets from the wired network to a wireless client,
resulting in the crafted packets being processed by the wireless
controller. A successful exploit could allow the attacker to cause a crash
and reload of the affected device, resulting in a DoS condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco devices if they are running
a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9800
Series Wireless Controllers, have the AVC-FNF feature enabled for wireless
networks (disabled by default), and have any access points (APs) in an
operating mode other than FlexConnect Local Switching or fabric:
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Note: Certain AP modes are not affected by this vulnerability. Wireless
deployments that wholly consist of APs in either FlexConnect Local
Switching or fabric mode are not vulnerable.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Device Configuration
To determine if a device is affected, verify whether the AVC-FNF feature is
enabled for wireless networks. Log in to the web UI of the wireless
controller with Administrator privileges and navigate to Configuration >
Services > Application Visibility. If the counter under Enable AVC shows
zero enabled networks, then AVC-FNF is disabled and the device is not
considered vulnerable.
If the counter under Enable AVC shows more than zero enabled networks and
there are wireless APs in local, bridge, or FlexConnect Central Switching
operating mode broadcasting any AVC-FNF-enabled wireless networks, then the
device is considered vulnerable.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400,
and 9500 Series Switches
Embedded Wireless Controllers on Catalyst Access Points
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Wireless LAN Controller (WLC) AireOS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1609 - [Cisco] Cisco IOS XE Software: CVSS (Max): 4.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1609
Cisco IOS XE Software Web UI API Injection Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20693
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od
Comment: CVSS (Max): 4.7 CVE-2022-20693 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software Web UI API Injection Vulnerability
Priority: Medium
Advisory ID: cisco-sa-webuiapi-inj-Nyrq92Od
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy95612
CVE Names: CVE-2022-20693
CWEs: CWE-74
Summary
o A vulnerability in the web UI feature of Cisco IOS XE Software could allow
an authenticated, remote attacker to perform an injection attack against an
affected device.
This vulnerability is due to insufficient input validation. An attacker
could exploit this vulnerability by sending crafted input to the web UI
API. A successful exploit could allow the attacker to inject commands to
the underlying operating system with root privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco products if
they were running a vulnerable release of Cisco IOS XE Software and had the
web UI feature enabled.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the HTTP Server Configuration
To determine whether the HTTP Server feature is enabled for a device, log
in to the device and use the
show running-config | include ip http server|secure|active
command in the CLI to check for the presence of the ip http server command
or the ip http secure-server command in the global configuration. If either
command is present, the HTTP Server feature is enabled for the device.
The following example shows the output of the
show running-config | include ip http server|secure|active
command for a device that has the HTTP Server feature enabled:
Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server
Note: The presence of either command or both commands in the device
configuration indicates that the web UI feature is enabled.
If the ip http server command is present and the configuration also
contains ip http active-session-modules none, the vulnerability is not
exploitable over HTTP.
If the ip http secure-server command is present and the configuration also
contains ip http secure-active-session-modules none, the vulnerability is
not exploitable over HTTPS.
Products Confirmed Not Vulnerable
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Workarounds
o There are no workarounds that address this vulnerability.
Disabling the HTTP Server feature eliminates the attack vector for this
vulnerability and may be a suitable mitigation until affected devices can
be upgraded. To disable the HTTP Server feature, use the no ip http server
or no ip http secure-server command in global configuration mode. If both
the HTTP server and HTTPS server are in use, both commands are required to
disable the HTTP Server feature.
While this mitigation has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
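The two checks above (which listener is enabled, and whether the matching
active-session-modules none line removes the exposure) and the mitigation
commands in the Workarounds section combine into a small decision routine.
The following is an added example, not code from Cisco or AusCERT: it
evaluates pasted show running-config text offline. The sample configurations
are constructed, and the assumption that exact-line matching is sufficient
(so that "no ip http server" and "ip http secure-trustpoint" are not mistaken
for the enabling commands) is the author's, not the advisory's.

```python
from typing import Dict, List


def web_ui_exposure(running_config: str) -> Dict[str, bool]:
    """Apply the advisory's conditions to 'show running-config' output.

    Exact-line matching is deliberate (assumption): "no ip http server" must
    not count as the HTTP server being on, and "ip http secure-trustpoint ..."
    must not be mistaken for "ip http secure-server".
    """
    lines = {ln.strip() for ln in running_config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    http_modules_none = "ip http active-session-modules none" in lines
    https_modules_none = "ip http secure-active-session-modules none" in lines
    return {
        # Either command present means the web UI feature is enabled.
        "web_ui_enabled": http_on or https_on,
        # Listener on, and session modules not disabled -> reachable vector.
        "exploitable_over_http": http_on and not http_modules_none,
        "exploitable_over_https": https_on and not https_modules_none,
    }


def mitigation_commands(exposure: Dict[str, bool]) -> List[str]:
    """Global-configuration commands from the advisory's mitigation, emitted
    only for the listeners that are actually exposed."""
    cmds: List[str] = []
    if exposure["exploitable_over_http"]:
        cmds.append("no ip http server")
    if exposure["exploitable_over_https"]:
        cmds.append("no ip http secure-server")
    return cmds


# Constructed sample: both listeners on, no session-module restriction.
SAMPLE_EXPOSED = """\
hostname edge-router
ip http server
ip http secure-server
ip http secure-trustpoint TP-self-signed-1
"""

# Constructed sample: HTTPS only, with secure session modules disabled, so
# the web UI is enabled but the vulnerability is not exploitable over HTTPS.
SAMPLE_RESTRICTED = """\
hostname edge-router
no ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_EXPOSED), ("restricted", SAMPLE_RESTRICTED)):
        exp = web_ui_exposure(cfg)
        print(label, exp, "mitigation:", mitigation_commands(exp) or "none needed")
```

Feed the routine the raw output of show running-config rather than the
filtered include output, so that a "no ip http server" line is seen in full.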
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank the National Security Agency (NSA) for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1608 - [Cisco] Cisco IOS XE Software: CVSS (Max): 5.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1608
Cisco IOS XE Software Tool Command Language Privilege
Escalation Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20676
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU
Comment: CVSS (Max): 5.1 CVE-2022-20676 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability
Priority: Medium
Advisory ID: cisco-sa-iosxe-priv-esc-grbtubU
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy35833
CVE Names: CVE-2022-20676
CWEs: CWE-250
Summary
o A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS
XE Software could allow an authenticated, local attacker to escalate from
privilege level 15 to root-level privileges.
This vulnerability is due to insufficient input validation of data that is
passed into the Tcl interpreter. An attacker could exploit this
vulnerability by loading malicious Tcl code on an affected device. A
successful exploit could allow the attacker to execute arbitrary commands
as root. By default, Tcl shell access requires privilege level 15.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco devices if
they were running a vulnerable release of Cisco IOS XE Software and
supported the tclsh command.
Note: Devices are not considered vulnerable if they do not support the
command or if the command returns an error.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing by X.B. of
the Cisco Advanced Security Initiatives Group (ASIG).
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1607 - [Cisco] Cisco IOS XE Software: CVSS (Max): 7.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1607
Cisco IOS XE Software NETCONF Over SSH Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20692
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8
Comment: CVSS (Max): 7.7 CVE-2022-20692 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software NETCONF Over SSH Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-ncossh-dos-ZAkfOdq8
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy95621
CVE Names: CVE-2022-20692
CWEs: CWE-400
Summary
o A vulnerability in the NETCONF over SSH feature of Cisco IOS XE Software
could allow a low-privileged, authenticated, remote attacker to cause a
denial of service condition (DoS) on an affected device.
This vulnerability is due to insufficient resource management. An attacker
could exploit this vulnerability by initiating a large number of NETCONF
over SSH connections. A successful exploit could allow the attacker to
exhaust resources, causing the device to reload and resulting in a DoS
condition on an affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco products if they are running a vulnerable
release of Cisco IOS XE Software and have the NETCONF over SSH feature
enabled.
Note: NETCONF over SSH is not enabled by default.
Note: Releases 17.3.1 and later are not affected.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine if NETCONF over SSH is Enabled
To determine whether NETCONF over SSH is enabled, administrators can issue
the show running-config | include netconf-yang command. The following
output shows a device with NETCONF over SSH enabled.
Router# show running-config | include netconf-yang
netconf-yang
Router#
If the command returns no output, the device is not affected.
Products Confirmed Not Vulnerable
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank the National Security Agency (NSA) for reporting
this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1606 - [Cisco] Cisco IOS XE Software: CVSS (Max): 6.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1606
Cisco IOS XE Software IPSec Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20679
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV
Comment: CVSS (Max): 6.8 CVE-2022-20679 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software IPSec Denial of Service Vulnerability
Priority: Medium
Advisory ID: cisco-sa-qfp-ipsec-GQmqvtqV
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: Yes
Cisco Bug IDs: CSCvz55575
CVE Names: CVE-2022-20679
CWEs: CWE-20
Summary
o A vulnerability in the IPsec decryption routine of Cisco IOS XE Software
could allow an unauthenticated, remote attacker to cause an affected device
to reload, resulting in a denial of service (DoS) condition.
This vulnerability is due to buffer exhaustion that occurs while traffic on
a configured IPsec tunnel is being processed. An attacker could exploit
this vulnerability by sending traffic to an affected device that has a
maximum transmission unit (MTU) of 1800 bytes or greater configured on the
IPsec-terminating interface. A successful exploit could allow the attacker
to cause the device to reload.
To exploit this vulnerability, the attacker may need access to the trusted
network where the affected device is located in order to send specific
packets for the device to process. All network devices between the attacker
and the affected device must support an MTU of 1800 bytes or greater. This
access requirement could limit the possibility of a successful exploit.
Cisco has released software updates that address this vulnerability. There
are workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected the following Cisco
products if they were configured to terminate IPsec VPN connections and
were running a vulnerable release of Cisco IOS XE Software that was running
in autonomous or controller mode:
1000 Series Integrated Services Routers
4221 Integrated Services Routers
4321 Integrated Services Routers
4331 Integrated Services Routers
4351 Integrated Services Routers
Catalyst 8200 Series Edge Platform
Catalyst 8300 Series Edge Platform
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the Device Configuration
A device that is running Cisco IOS XE Software is considered to be
configured to terminate IPsec VPN connections, and is affected, if either
of the following conditions is met:
A crypto map is configured for at least one interface
The device is configured with IPsec virtual tunnel interfaces (VTIs)
In addition, the MTU of the interface that is used for encryption must
have been increased to 1800 bytes or greater.
To determine whether a crypto map is configured for at least one interface,
use the show running-config | include ^interface|^ crypto map |^ mtu
command. The following example shows a crypto map named map-group1 and
increased MTU configured on the GigabitEthernet 0/0/0 interface:
Router# show running-config | include ^interface|^ crypto map |^ mtu
interface GigabitEthernet0/0/0
mtu 1800
crypto map map-group1
To determine whether the device is configured with IPsec VTIs, use the show
running-config | include ^interface|^ tunnel protection ipsec profile |^
mtu command and verify that the returned output contains tunnel protection
ipsec profile configured under at least one tunnel interface and that the
MTU has been increased on the physical interface associated to the tunnel.
The following example shows VTI interface Tunnel1 and increased MTU on
GigabitEthernet0/0/0:
Router# show running-config | include ^interface|^ tunnel protection ipsec profile |^ mtu
interface Tunnel1
tunnel protection ipsec profile vti-1
interface GigabitEthernet0/0/0
mtu 1800
Note: IPsec VPN is not configured by default.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Workarounds
o There is a workaround that addresses this vulnerability. Lower the MTU to
less than 1800 bytes on all IPsec-enabled interfaces on affected devices by
using the following command:
Router(config-if)#mtu 1750
Note: This will require changing the MTU on all peers of the IPsec
connection.
While this workaround has been deployed and proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
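The two configuration conditions above (a crypto map on an interface, or an
IPsec VTI whose underlying interface carries the traffic) only matter in
combination with an MTU of 1800 bytes or greater, and the workaround is to
bring that MTU back below the threshold. The following is an added example,
not code from Cisco or AusCERT, that evaluates both conditions and the
workaround against pasted show running-config text. Two assumptions are the
author's, not the advisory's: an interface with no explicit mtu line is
treated as running the 1500-byte default, and a VTI is tied to its underlay
through its tunnel source line (when that line names an IP address rather
than an interface, every non-tunnel interface is checked, which errs on the
side of reporting exposure). The sample configurations are constructed.

```python
import re
from typing import Dict, List, Optional

MTU_THRESHOLD = 1800  # from the advisory: 1800 bytes or greater is exposed
DEFAULT_MTU = 1500    # assumption: no explicit "mtu" line means the 1500-byte default


def parse_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface name: [sub-commands]}.

    A block starts at a line beginning with "interface " and runs until the
    next non-indented line (IOS indents interface sub-commands by one space).
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in running_config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith("interface "):
            current = stripped.split(None, 1)[1]
            blocks[current] = []
        elif raw[0].isspace() and current is not None:
            blocks[current].append(stripped)
        else:
            current = None  # left the interface section
    return blocks


def interface_mtu(subcmds: List[str]) -> int:
    """Configured MTU of an interface block, or the assumed default."""
    for cmd in subcmds:
        m = re.fullmatch(r"mtu (\d+)", cmd)
        if m:
            return int(m.group(1))
    return DEFAULT_MTU


def ipsec_exposure(running_config: str) -> List[str]:
    """One reason string per exposed interface; an empty list means not affected."""
    blocks = parse_interfaces(running_config)
    reasons: List[str] = []
    for name, subcmds in blocks.items():
        mtu = interface_mtu(subcmds)
        # Condition 1: a crypto map on an interface whose MTU is at/above the threshold.
        if any(c.startswith("crypto map ") for c in subcmds) and mtu >= MTU_THRESHOLD:
            reasons.append(f"{name}: crypto map applied with mtu {mtu}")
        # Condition 2: an IPsec VTI whose underlying interface MTU is at/above it.
        if any(c.startswith("tunnel protection ipsec profile ") for c in subcmds):
            src = None
            for c in subcmds:
                parts = c.split()
                if len(parts) == 3 and parts[:2] == ["tunnel", "source"]:
                    src = parts[2]
            if src in blocks:
                underlays = [src]
            else:
                # Assumption: source given as an IP or missing; check every
                # non-tunnel interface rather than miss the real underlay.
                underlays = [n for n in blocks if not n.startswith("Tunnel")]
            for phys in underlays:
                pmtu = interface_mtu(blocks[phys])
                if pmtu >= MTU_THRESHOLD:
                    reasons.append(f"{name}: IPsec VTI over {phys} with mtu {pmtu}")
    return reasons


def is_affected(running_config: str) -> bool:
    return bool(ipsec_exposure(running_config))


# Constructed sample combining the advisory's crypto-map and VTI examples.
VULNERABLE_CONFIG = """\
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel protection ipsec profile vti-1
!
interface GigabitEthernet0/0/0
 mtu 1800
 ip address 192.0.2.1 255.255.255.0
 crypto map map-group1
!
interface GigabitEthernet0/0/1
 ip address 198.51.100.1 255.255.255.0
!
"""

# The same device after the advisory's workaround ("mtu 1750" on the IPsec interface).
MITIGATED_CONFIG = VULNERABLE_CONFIG.replace("mtu 1800", "mtu 1750")

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(label, "->", ipsec_exposure(cfg) or "not affected")
```

Because the check keys off the MTU of the interface that actually carries
the encrypted traffic, it also confirms that the workaround was applied to
the right interface: lowering the MTU on the Tunnel interface alone leaves
the physical underlay at 1800 and the report unchanged.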
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1605 - [Cisco] Cisco IOS XE Software: CVSS (Max): 6.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1605
Cisco IOS XE Software Border Gateway Protocol Resource
Public Key Infrastructure Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20694
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE
Comment: CVSS (Max): 6.8 CVE-2022-20694 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software Border Gateway Protocol Resource Public Key
Infrastructure Denial of Service Vulnerability
Priority: Medium
Advisory ID: cisco-sa-iosxe-rpki-dos-2EgCNeKE
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz55292
CVE Names: CVE-2022-20694
CWEs: CWE-617
Summary
o A vulnerability in the implementation of the Resource Public Key
Infrastructure (RPKI) feature of Cisco IOS XE Software could allow an
unauthenticated, remote attacker to cause the Border Gateway Protocol (BGP)
process to crash, resulting in a denial of service (DoS) condition.
This vulnerability is due to the incorrect handling of a specific RPKI to
Router (RTR) Protocol packet header. An attacker could exploit this
vulnerability by compromising the RPKI validator server and sending a
specifically crafted RTR packet to an affected device. Alternatively, the
attacker could use man-in-the-middle techniques to impersonate the RPKI
validator server and send a crafted RTR response packet over the
established RTR TCP connection to the affected device. A successful exploit
could allow the attacker to cause a DoS condition because the BGP process
could constantly restart and BGP routing could become unstable.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco devices if
they were running a vulnerable release of IOS XE Software and had the RPKI
feature configured and in use.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine Whether RPKI is Enabled
To determine whether RPKI is enabled, issue the show bgp rpki servers
command. If the command returns output, RPKI is enabled and the device is
vulnerable. The following example shows the output of a device with RPKI
configured with a server at the IP address 10.10.10.10 on port 10000:
Router# show bgp rpki servers
% Command accepted but obsolete, unreleased or unsupported; see documentation.
BGP SOVC neighbor is 10.10.10.10/10000 connected to port 10000
Flags 0, Refresh time is 600, Serial number is 0, Session ID is 0
InQ has 0 messages, OutQ has 0 messages, formatted msg 0
Session IO flags 0, Session flags 4000
Neighbor Statistics:
.
.
.
Router#
Note: The IP addresses displayed for configured neighbors depend on the
device configuration.
If the command returns no output, the device is not affected.
Products Confirmed Not Vulnerable
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Workarounds
o There are no workarounds that address this vulnerability.
However, administrators can remove the RPKI configuration as a mitigation.
If RPKI servers are either not in use or removed from the configuration,
the device is considered not vulnerable. The decision to remove the RPKI
configuration needs careful consideration.
While this mitigation has been deployed and was proven successful in a test
environment, customers should determine the applicability and effectiveness
in their own environment and under their own use conditions. Customers
should be aware that any workaround or mitigation that is implemented may
negatively impact the functionality or performance of their network based
on intrinsic customer deployment scenarios and limitations. Customers
should not deploy any workarounds or mitigations before first evaluating
the applicability to their own environment and any impact to such
environment.
Fixed Software
o When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was reported to the Cisco PSIRT for resolution by the
U.S. National Security Agency (NSA).
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1604 - [Cisco] Cisco IOS XE Software: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1604
Cisco IOS XE Software AppNav-XE Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco IOS XE Software
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20678
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4
Comment: CVSS (Max): 8.6 CVE-2022-20678 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco IOS XE Software AppNav-XE Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-appnav-xe-dos-j5MXTR4
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvx26652
CVE Names: CVE-2022-20678
CWEs: CWE-413
Summary
o A vulnerability in the AppNav-XE feature of Cisco IOS XE Software could
allow an unauthenticated, remote attacker to cause an affected device to
reload, resulting in a denial of service (DoS) condition.
This vulnerability is due to the incorrect handling of certain TCP
segments. An attacker could exploit this vulnerability by sending a stream
of crafted TCP traffic at a high rate through an interface of an affected
device. That interface would need to have AppNav interception enabled. A
successful exploit could allow the attacker to cause the device to reload.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IOS XE Software and have the AppNav-XE
feature enabled:
1000 Series Integrated Services Routers
4000 Series Integrated Services Routers
ASR 1001-X Routers
ASR 1002-X Routers
Catalyst 8300 Series Routers
Catalyst 8500 Series Routers
Catalyst 8000V Edge Software
Cloud Services Router 1000V Series
Note: The AppNav-XE feature is disabled by default in Cisco IOS XE
Software.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine the AppNav-XE Configuration
To determine the AppNav-XE configuration, first verify that all of the
following are true:
AppNav interception is enabled on at least one interface
An AppNav Controller group is configured and has at least one AppNav
Controller member
A service node group is configured and has at least one service node
member
A service context of type waas is configured, enabled, and links to an
AppNav Controller group, a service node group, and a service policy
To determine whether AppNav interception is enabled on at least one
interface, use either of the following options:
Use the show running-config | include ^interface|service-insertion waas
CLI command and confirm that service-insertion waas is configured under
at least one interface. The following example shows the output on a
device that has AppNav interception enabled on interface
GigabitEthernet1:
Router#show running-config | include ^interface|service-insertion waas
interface VirtualPortGroup0
interface GigabitEthernet1
 service-insertion waas
interface GigabitEthernet2
Router#
Use the show service-insertion status | begin AppNav Enabled Interfaces
CLI command and confirm that at least one interface is listed in the
resulting output. The following example shows the output on a device
that has the AppNav-XE feature enabled on interface GigabitEthernet1:
Router#show service-insertion status | begin AppNav Enabled Interfaces
AppNav Enabled Interfaces:
GigabitEthernet1
Router#
To determine whether an AppNav Controller group, a service node group,
and a service context of type waas are configured and enabled, use the show
running-config | section service-insertion CLI command. The following
example shows the output on a device that fulfills all of the requirements:
Router#show running-config | section service-insertion
service-insertion service-node-group WNG-Default-1
 service-node 192.168.100.102
 service-node 192.168.100.2
service-insertion appnav-controller-group scg
 appnav-controller 192.168.10.10
service-insertion service-context waas/1
 appnav-controller-group scg
 service-node-group WNG-Default-1
 service-policy APPNAV-1-PMAP
 vrf default
 enable
 service-insertion waas
Router#
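The four conditions above can be checked mechanically against a saved running-config rather than by eye. The following is an added example, not Cisco's tooling: it splits an IOS XE config into blocks and reports whether every condition the advisory lists holds (interception on an interface, a populated controller group, a populated service node group, and an enabled waas context that links them and a service policy). The config excerpt is constructed from the advisory's sample output, with a few unrelated ip address lines added; the function and key names are this example's own.

```python
"""Audit an IOS XE running-config for the AppNav-XE preconditions listed in
cisco-sa-appnav-xe-dos-j5MXTR4. Added example; this is not Cisco's tooling."""
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt, modelled on the advisory's sample output.
# Interface, group and policy names and the addresses come from that sample;
# the "ip address" lines are invented filler so the parser has noise to skip.
SAMPLE_CONFIG = """\
interface VirtualPortGroup0
 ip address 192.168.35.101 255.255.255.0
interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
 service-insertion waas
interface GigabitEthernet2
 ip address 10.0.1.1 255.255.255.0
service-insertion service-node-group WNG-Default-1
 service-node 192.168.100.102
 service-node 192.168.100.2
service-insertion appnav-controller-group scg
 appnav-controller 192.168.10.10
service-insertion service-context waas/1
 appnav-controller-group scg
 service-node-group WNG-Default-1
 service-policy APPNAV-1-PMAP
 vrf default
 enable
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Split IOS-style config into (header, children) pairs: a line with no
    leading whitespace opens a block, indented lines belong to the open block."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment/separator
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _members(blocks: List[Block], header_prefix: str, child_prefix: str) -> Dict[str, List[str]]:
    """Map each group named under header_prefix to its member addresses."""
    groups: Dict[str, List[str]] = {}
    for header, kids in blocks:
        if header.startswith(header_prefix):
            name = header[len(header_prefix):].strip()
            groups[name] = [k.split()[-1] for k in kids if k.startswith(child_prefix)]
    return groups


def appnav_exposure(config: str) -> Dict[str, object]:
    """Evaluate the advisory's four conditions. 'exposed' is True only when all
    of them hold, i.e. AppNav-XE is actually intercepting traffic on the device."""
    blocks = parse_blocks(config)
    # Condition 1: "service-insertion waas" under at least one interface.
    intercept_ifaces = [h.split(None, 1)[1] for h, kids in blocks
                        if h.startswith("interface ") and "service-insertion waas" in kids]
    # Conditions 2 and 3: groups with at least one member each.
    anc_groups = _members(blocks, "service-insertion appnav-controller-group ", "appnav-controller ")
    sn_groups = _members(blocks, "service-insertion service-node-group ", "service-node ")
    # Condition 4: an enabled waas context linking a populated controller group,
    # a populated service node group and a service policy.
    active_contexts: List[str] = []
    for header, kids in blocks:
        m = re.fullmatch(r"service-insertion service-context waas/(\d+)", header)
        if not m:
            continue
        fields = dict(k.split(None, 1) for k in kids if " " in k)
        linked = (bool(anc_groups.get(fields.get("appnav-controller-group")))
                  and bool(sn_groups.get(fields.get("service-node-group")))
                  and "service-policy" in fields)
        if "enable" in kids and linked:
            active_contexts.append(f"waas/{m.group(1)}")
    return {
        "intercept_interfaces": intercept_ifaces,
        "controller_groups": anc_groups,
        "service_node_groups": sn_groups,
        "active_contexts": active_contexts,
        "exposed": bool(intercept_ifaces) and bool(active_contexts),
    }


if __name__ == "__main__":
    for key, value in appnav_exposure(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the output of show running-config from each IOS XE device in scope; a device with interception enabled but no enabled context, or vice versa, is reported as not exposed, matching the advisory's requirement that all four conditions hold together.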
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
AppNav Controllers running Cisco Wide Area Application Services (WAAS)
Software
IOS Software
IOS XR Software
Meraki products
NX-OS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1603 - [Cisco] Cisco Embedded Wireless Controller: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1603
Cisco Embedded Wireless Controller with Catalyst Access
Points IP Flood Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Embedded Wireless Controller
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20622
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ip-flood-dos-6hxxENVQ
Comment: CVSS (Max): 8.6 CVE-2022-20622 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Embedded Wireless Controller with Catalyst Access Points IP Flood Denial
of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-ap-ip-flood-dos-6hxxENVQ
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvx88847
CVE Names: CVE-2022-20622
CWEs: CWE-770
Summary
o A vulnerability in IP ingress packet processing of the Cisco Embedded
Wireless Controller with Catalyst Access Points Software could allow an
unauthenticated, remote attacker to cause the device to reload
unexpectedly, causing a denial of service (DoS) condition. The device may
experience a performance degradation in traffic processing or high CPU
usage prior to the unexpected reload.
This vulnerability is due to improper rate limiting of IP packets to the
management interface. An attacker could exploit this vulnerability by
sending a steady stream of IP traffic at a high rate to the management
interface of the affected device. A successful exploit could allow the
attacker to cause the device to reload.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ip-flood-dos-6hxxENVQ
Affected Products
o Vulnerable Products
This vulnerability affects Cisco devices if they are running a vulnerable
release of Cisco Embedded Wireless Controller with Catalyst Access Points
Software.
Note: To be vulnerable, devices must have the default configuration.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
9500 Series Switches
IOS Software
IOS XE Software
IOS XR Software
Meraki products
NX-OS Software
Wireless LAN Controller (WLC) AireOS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Customers may only install and expect support for software versions and
feature sets for which they have purchased a license. By installing,
downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information
about licensing and downloads. This page can also display customer device
support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page, to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
The process to upgrade an access point (AP) requires administrators to
upgrade the wireless controller to which the AP is registered. Customers
are advised to upgrade to an appropriate fixed software release as
indicated in the following table(s):
Cisco Embedded Wireless Controller with        First Fixed Release
Catalyst Access Points Software Release
16.12 and earlier                              Not affected.
17.2                                           Not affected.
17.3                                           17.3.4
17.4                                           Migrate to a fixed release.
17.5                                           Migrate to a fixed release.
17.6                                           17.6.1
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability that is described in this advisory.
Source
o This vulnerability was found by Miroslav Popovic of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ip-flood-dos-6hxxENVQ
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
ESB-2022.1602 - [Cisco] Cisco Catalyst products: CVSS (Max): 6.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1602
Cisco Catalyst Digital Building Series Switches and Cisco
Catalyst Micro Switches Vulnerabilities
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Catalyst Digital Building Series Switches
Cisco Catalyst Micro Switches
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20661 CVE-2022-20731
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-vulns-KJjFtNb
Comment: CVSS (Max): 6.8 CVE-2022-20731 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro
Switches Vulnerabilities
Priority: High
Advisory ID: cisco-sa-cdb-cmicr-vulns-KJjFtNb
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvz02634 CSCvz30892 CSCvz34674 CSCvz42624 CSCvz57636
CVE Names: CVE-2022-20661 CVE-2022-20731
CWEs: CWE-1221 CWE-489
Summary
o Multiple vulnerabilities that affect Cisco Catalyst Digital Building Series
Switches and Cisco Catalyst Micro Switches could allow an attacker to
execute persistent code at boot time or to permanently prevent the device
from booting, resulting in a permanent denial of service (DoS) condition.
For more information about these vulnerabilities, see the Details section
of this advisory.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-vulns-KJjFtNb
Affected Products
o Vulnerable Products
These vulnerabilities affect the following Cisco products if they are
running a release of Cisco IOS Software that contains Cisco Boot Loader
Version 15.2(7r)E2:
Catalyst Digital Building Series Switches with product identifiers
(PIDs) CDB-8P and CDB-8U (CVE-2022-20661 and CVE-2022-20731)
Catalyst Micro Switches with PIDs CMICR-4PS and CMICR-4PC
(CVE-2022-20661)
For information about which Cisco IOS Software releases contain the fixed
boot loader, see the Fixed Software section of this advisory.
Determine the Boot Loader Version
To determine the boot loader version, use the show version | include
BOOTLDR command on the device CLI.
Cisco Catalyst Digital Building Series Switches
The following example shows the output of the show version | include
BOOTLDR command on a Cisco Catalyst Digital Building Series Switch that is
running Cisco Boot Loader Version 15.2(7r)E2:
cdb> show version | include BOOTLDR
BOOTLDR: CDB Boot Loader (CDB-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)
Any other output indicates that the device is not affected by these
vulnerabilities.
Cisco Catalyst Micro Switches
The following example shows the output of the show version | include
BOOTLDR command on a Cisco Catalyst Micro Switch that is running Cisco Boot
Loader Version 15.2(7r)E2:
cmicr> show version | include BOOTLDR
BOOTLDR: CMICR Boot Loader (CMICR-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)
Any other output indicates that the device is not affected by these
vulnerabilities.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
Cisco products:
Catalyst Micro Switch with PID CMICR-4PT
IOS XE Software
IOS XR Software
Meraki products
NX-OS Software
Details
o The vulnerabilities are not dependent on one another. Exploitation of one
of the vulnerabilities is not required to exploit the other vulnerability.
In addition, a software release that is affected by one of the
vulnerabilities may not be affected by the other vulnerability.
Details about the vulnerabilities are as follows:
CVE-2022-20731: Cisco Catalyst Digital Building Series Switches Boot Loader
Arbitrary Code Execution Vulnerability
A vulnerability in the boot loader of Cisco Catalyst Digital Building
Series Switches could allow an authenticated, local attacker with level 15
privileges or an unauthenticated attacker with physical access to an
affected device to execute persistent code at boot time and break the chain
of trust.
This vulnerability exists because Secure Boot is not properly enabled. An
attacker could exploit this vulnerability by loading unsigned code. A
successful exploit could allow the attacker to execute persistent code on
the underlying operating system.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Bug ID(s): CSCvz34674
CVE ID: CVE-2022-20731
Security Impact Rating (SIR): High
CVSS Base Score: 6.8
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-20661: Cisco Catalyst Digital Building Series Switches and Cisco
Catalyst Micro Switches Permanent Denial of Service Vulnerability
A vulnerability in the boot loader of Cisco Catalyst Digital Building
Series Switches and Cisco Catalyst Micro Switches could allow an
unauthenticated attacker with physical access to an affected device to
permanently prevent the device from booting, resulting in a permanent
denial of service (DoS) condition.
This vulnerability exists because the affected devices have an internal
Cisco development boot loader that includes capabilities beyond those
present in a normal boot loader. An attacker with physical access to an
affected device could exploit this vulnerability by causing the device to
reboot, breaking into the ROM monitor (ROMMON) during the boot cycle, and
then executing specific commands at the ROMMON prompt. A successful exploit
could allow the attacker to irrecoverably corrupt the boot ROM in such a
way that the device will be unable to boot correctly during the next boot
cycle. The device will continue to operate normally until it is reloaded or
power-cycled.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
Bug ID(s): CSCvz02634 , CSCvz30892 , CSCvz42624 , CSCvz57636
CVE ID: CVE-2022-20661
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.6
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Fixed Releases
In the following table(s), the left column lists Cisco software releases.
The right column indicates whether a release is affected by the
vulnerabilities described in this advisory and the first release that
includes the fix for these vulnerabilities. Customers are advised to
upgrade to an appropriate fixed software release as indicated in this
section.
Catalyst Digital Building Series Switches (CVE-2022-20661 and
CVE-2022-20731)
Cisco IOS Software Release     First Fixed Release
15.2(5)EX                      Migrate to a fixed release.
15.2(7)E and earlier           15.2(7)E5
Catalyst Micro Switches (CVE-2022-20661)
Cisco IOS Software Release     First Fixed Release
15.2(7)E and earlier           15.2(7)E5
15.2(8)E                       15.2(8)E1
The Cisco Product Security Incident Response Team (PSIRT) validates only
the affected and fixed release information that is documented in this
advisory.
Exploitation and Public Announcements
o The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerabilities that are described in this advisory.
Source
o These vulnerabilities were found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-vulns-KJjFtNb
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
ESB-2022.1601 - [Cisco] Cisco 1000 Series Connected Grid Router: CVSS (Max): 7.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1601
Cisco 1000 Series Connected Grid Router Integrated Wireless
Access Point Denial of Service Vulnerability
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco 1000 Series Connected Grid Router
Publisher: Cisco Systems
Operating System: Cisco
Resolution: Patch/Upgrade
CVE Names: CVE-2022-20761
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh
Comment: CVSS (Max): 7.4 CVE-2022-20761 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Cisco Systems
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco 1000 Series Connected Grid Router Integrated Wireless Access Point Denial
of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-cgr1k-ap-dos-mSZR4QVh
First Published: 2022 April 13 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvy41951
CVE Names: CVE-2022-20761
CWEs: CWE-248
Summary
o A vulnerability in the integrated wireless access point (AP) packet
processing of the Cisco 1000 Series Connected Grid Router (CGR1K) could
allow an unauthenticated, adjacent attacker to cause a denial of service
condition on an affected device.
This vulnerability is due to insufficient input validation of received
traffic. An attacker could exploit this vulnerability by sending crafted
traffic to an affected device. A successful exploit could allow the
attacker to cause the integrated AP to stop processing traffic, resulting
in a DoS condition. It may be necessary to manually reload the CGR1K to
restore AP operation.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh
This advisory is part of the April 2022 release of the Cisco IOS and IOS XE
Software Security Advisory Bundled Publication. For a complete list of the
advisories and links to them, see Cisco Event Response: April 2022
Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication.
Affected Products
o Vulnerable Products
This vulnerability affects Cisco 1000 Series Connected Grid Routers if they
are running a vulnerable release of Cisco IOS Software and have the
integrated wireless access point enabled.
For information about which Cisco software releases are vulnerable, see the
Fixed Software section of this advisory.
Determine Whether the Wireless Access Point is Enabled
To determine whether the integrated wireless access point is enabled, use
the show interface | include Dot11Radio command and check the output.
The following output shows the integrated wireless access point as enabled
(up):
Router> show interface | include Dot11Radio
Dot11Radio2/1 is up, line protocol is up
Router>
If the output indicates administratively down, the integrated wireless
access point is disabled.
Products Confirmed Not Vulnerable
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
IOS Software on non-CGR1K platforms
IOS XE Software
IOS XR Software
NX-OS Software
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers with service contracts that entitle
them to regular software updates should obtain security fixes through their
usual update channels.
Cisco IOS and IOS XE Software
To help customers determine their exposure to vulnerabilities in Cisco IOS
and IOS XE Software, Cisco provides the Cisco Software Checker to identify
any Cisco Security Advisories that impact a specific software release and
the earliest release that fixes the vulnerabilities described in each
advisory ("First Fixed"). If applicable, the tool also returns the earliest
release that fixes all the vulnerabilities described in all the advisories
identified ("Combined First Fixed").
Customers can use the Cisco Software Checker to search advisories in the
following ways:
Choose the software and one or more releases
Upload a .txt file that includes a list of specific releases
Enter the output of the show version command
After initiating a search, customers can customize the search to include
all Cisco Security Advisories, a specific advisory, or all advisories in
the most recent bundled publication.
By default, the Cisco Software Checker includes results only for
vulnerabilities that have a Critical or High Security Impact Rating (SIR).
To include results for Medium SIR vulnerabilities, customers can use the
Cisco Software Checker on Cisco.com and check the Medium check box in the
drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found by Burt Welsh of Cisco during internal
security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
Security Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2022-APR-13 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
ASB-2022.0086.3 - UPDATE [Win][UNIX/Linux] Nginx Zero-Day:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0086.3
NGINX Zero-Day
14 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Nginx Zero-Day
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Mitigation
Revision History: April 14 2022: Re-formatting
April 13 2022: Formatting
April 13 2022: Initial Release
OVERVIEW
A new zero-day vulnerability in the Nginx web server has been claimed by
hacktivist group called "Against the West" allowing remote code execution
on a vulnerable system.[3]
NGINX confirmed security vulnerabilities in the NGINX LDAP reference implementation only.
"NGINX Open Source and NGINX Plus are not themselves affected, and no
corrective action is necessary if you do not use the reference implementation."[1]
NGINX noted in its advisory that it is published as a reference implementation
and is not a production-grade LDAP solution.
"For example, there is no encryption of the username and password used for
the sample login page, and security notices call this out."[3]
The hacktivist group says it has reported its findings to the NGINX team and
is seeking a reward, but also claims to have been offered significant sums
for the exploit by other interested groups[4].
IMPACT
NGINX determined that only the reference implementation is affected, and
that exploitation depends on specific conditions.
"When configuration parameters are specified on the command line,
an attacker can override some or all of them by passing specially crafted
HTTP request headers."[1]
These are the conditions for the exploit[1]:
1. Command-line parameters are used to configure the Python daemon
2. There are unused, optional configuration parameters
3. LDAP authentication depends on specific group membership
MITIGATION
NGINX suggested these mitigations:
Mitigating Condition 1: Command-Line Parameters Are Used to Configure the Python Daemon
When configuration parameters are specified on the command line,
an attacker can override some or all of them by passing specially crafted HTTP request headers.
To protect against this, ensure that the corresponding configuration parameters
have an empty value in the location = /auth-proxy block in the NGINX configuration
(nginx-ldap-auth.conf in the repo)[1].
Mitigating Condition 2: Unused, Optional Configuration Parameters
As in Condition 1, an attacker can pass specially crafted HTTP request
headers to override certain configuration parameters, depending on the configuration used for
the LDAP search template. To protect against this, ensure that any unused,
optional parameters have an empty value in the location = /auth-proxy block
in the NGINX configuration[1].
Mitigating Condition 3: LDAP Group Membership Is Required
The Python daemon does not sanitize its inputs. To mitigate this,
ensure that the backend daemon that presents the login form strips any
special characters from the username field.
In particular, it must remove the opening and closing parenthesis characters - ( ) - and
the equal sign (=), which all have special meaning for LDAP servers.
The backend daemon in the LDAP reference implementation will be updated in this way in due course[1].
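A defender-side check for the three conditions above, added here as an example; it is not code from the bulletin or from the NGINX project. It assumes the header names that the reference daemon reads from the location = /auth-proxy block (X-Ldap-URL and the others listed) and that the daemon substitutes the username into X-Ldap-Template with Python %-formatting; the configuration block and the usernames are constructed, and the RFC 4515 escaping goes beyond the strip-only mitigation the bulletin describes.

```python
import re

# Assumed (not stated in the bulletin): the configuration headers that the
# nginx-ldap-auth reference daemon reads from the /auth-proxy location.
LDAP_HEADERS = [
    "X-Ldap-URL", "X-Ldap-BaseDN", "X-Ldap-BindDN", "X-Ldap-BindPass",
    "X-Ldap-Template", "X-Ldap-Realm", "X-CookieName",
]

# Constructed sample /auth-proxy block: the two optional parameters are left
# commented out, which is condition 2 from the bulletin.
SAMPLE_CONF = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-URL      "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=example,dc=test";
    proxy_set_header X-Ldap-BindDN   "cn=root,dc=example,dc=test";
    proxy_set_header X-Ldap-BindPass "secret";
    proxy_set_header X-CookieName    "nginxauth";
    #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
    #proxy_set_header X-Ldap-Realm    "Restricted";
}
"""

_BLOCK_RE = re.compile(r"location\s*=\s*/auth-proxy\s*\{(.*?)\}", re.S)
# One proxy_set_header directive per line; a leading '#' means it is inactive.
_HDR_RE = re.compile(r'^\s*proxy_set_header\s+(\S+)\s+("?)(.*?)\2\s*;', re.M)


def unpinned_headers(conf, headers=LDAP_HEADERS):
    """Names from `headers` that the /auth-proxy block does not set at all.

    A header missing here is passed through from the client request, so the
    caller can override that daemon parameter (conditions 1 and 2). The fix
    is to add  proxy_set_header <Name> "";  for every name returned that is
    not deliberately in use."""
    match = _BLOCK_RE.search(conf)
    if match is None:
        raise ValueError("no 'location = /auth-proxy' block found")
    present = {name for name, _quote, _value in _HDR_RE.findall(match.group(1))}
    return [h for h in headers if h not in present]


def pin_empty(conf, headers=LDAP_HEADERS):
    """Return conf with an empty proxy_set_header added for each unpinned name."""
    extra = "".join(f'    proxy_set_header {h} "";\n'
                    for h in unpinned_headers(conf, headers))
    return _BLOCK_RE.sub(lambda m: m.group(0)[:-1] + extra + "}", conf, count=1)


# Condition 3: characters the bulletin says must be removed from the username
# before it is substituted into the LDAP search template.
ADVISORY_STRIP = "()="


def strip_username(username):
    """The mitigation as the bulletin describes it: drop ( ) and =."""
    return "".join(ch for ch in username if ch not in ADVISORY_STRIP)


# Added generalisation beyond the bulletin: RFC 4515 escaping, which keeps the
# characters but makes them literal inside a search filter.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def build_search_filter(template, username, sanitize=strip_username):
    """Substitute the sanitized username into the daemon's search template.

    Assumed: the template uses Python %-formatting with a `username` key, as
    in the sample X-Ldap-Template above."""
    return template % {"username": sanitize(username)}


if __name__ == "__main__":
    print("unpinned:", unpinned_headers(SAMPLE_CONF))
    print(pin_empty(SAMPLE_CONF))
    tmpl = "(cn=%(username)s)"
    for user in ("alice", "bob(=)"):  # second value is a constructed bad input
        print(repr(user), "->", build_search_filter(tmpl, user),
              "|", build_search_filter(tmpl, user, escape_filter_value))
```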
REFERENCES
[1] Addressing Security Weaknesses in the NGINX LDAP Reference
Implementation
https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
[2] Nginx Zero-Day RCE Vulnerability Alert
https://securityonline.info/nginx-zero-day-rce-vulnerability-alert/
[3] Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues
https://thestack.technology/nginx0-day-claims/
[4] NginxDay
https://github.com/AgainstTheWest/NginxDay
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
ASB-2022.0086.2 - UPDATE [Win][UNIX/Linux] Nginx Zero-Day:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0086.2
NGINX Zero-Day
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Nginx Zero-Day
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Mitigation
Revision History: April 13 2022: Formatting
April 13 2022: Initial Release
OVERVIEW
A hacktivist group called "Against the West" has claimed a new zero-day vulnerability in the Nginx web server that allows remote code execution on a vulnerable system.[3]
NGINX confirmed security vulnerabilities in the NGINX LDAP reference implementation only.
"NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation."[1]
NGINX noted in its advisory that it is published as a reference implementation and is not a production-grade LDAP solution.
"For example, there is no encryption of the username and password used for the sample login page, and security notices call this out."[3]
The hacktivist group says it has reported its findings to the NGINX team and is seeking a reward, but also claims to have been offered significant sums
for the exploit by other interested groups[4].
IMPACT
NGINX determined that only the reference implementation is affected, and that exploitation depends on specific conditions.
"When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers."[1]
These are the conditions for the exploit[1]:
1. Command-line parameters are used to configure the Python daemon
2. There are unused, optional configuration parameters
3. LDAP authentication depends on specific group membership
MITIGATION
NGINX suggested these mitigations:
Mitigating Condition 1: Command-Line Parameters Are Used to Configure the Python Daemon
When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers.
To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration
(nginx-ldap-auth.conf in the repo)[1].
Mitigating Condition 2: Unused, Optional Configuration Parameters
As in Condition 1, an attacker can pass specially crafted HTTP request headers to override certain configuration parameters, depending on the configuration used for
the LDAP search template. To protect against this, ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration[1].
Mitigating Condition 3: LDAP Group Membership Is Required
The Python daemon does not sanitize its inputs. To mitigate this, ensure that the backend daemon that presents the login form strips any special characters from the username field.
In particular, it must remove the opening and closing parenthesis characters - ( ) - and the equal sign (=), which all have special meaning for LDAP servers.
The backend daemon in the LDAP reference implementation will be updated in this way in due course[1].
REFERENCES
[1] Addressing Security Weaknesses in the NGINX LDAP Reference
Implementation
https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
[2] Nginx Zero-Day RCE Vulnerability Alert
https://securityonline.info/nginx-zero-day-rce-vulnerability-alert/
[3] Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues
https://thestack.technology/nginx0-day-claims/
[4] NginxDay
https://github.com/AgainstTheWest/NginxDay
ESB-2022.1600 - [Win][UNIX/Linux] Jenkins Plugins: CVSS (Max): 8.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1600
Jenkins plugins security advisory
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Jenkins Plugins
Publisher: Jenkins
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2022-29052 CVE-2022-29051 CVE-2022-29050
CVE-2022-29049 CVE-2022-29048 CVE-2022-29047
CVE-2022-29046 CVE-2022-29045 CVE-2022-29044
CVE-2022-29043 CVE-2022-29042 CVE-2022-29041
CVE-2022-29040 CVE-2022-29039 CVE-2022-29038
CVE-2022-29037 CVE-2022-29036 CVE-2017-2601
Original Bulletin:
https://www.jenkins.io/security/advisory/2022-04-12/
Comment: CVSS (Max): 8.0 CVE-2022-29049 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Jenkins
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2022-04-12
This advisory announces vulnerabilities in the following Jenkins deliverables:
o Credentials Plugin
o CVS Plugin
o Extended Choice Parameter Plugin
o Gerrit Trigger Plugin
o Git Parameter Plugin
o Google Compute Engine Plugin
o Jira Plugin
o Job Generator Plugin
o Mask Passwords Plugin
o Node and Label parameter Plugin
o Pipeline: Shared Groovy Libraries Plugin
o promoted builds Plugin
o Publish Over FTP Plugin
o Subversion Plugin
Descriptions
Stored XSS vulnerabilities in multiple plugins providing additional parameter
types
SECURITY-2617 / CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS),
CVE-2022-29038 (Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger),
CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042 (Job
Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node and Label
Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046 (Subversion)
Multiple plugins do not escape the name and description of the parameter types
they provide:
o Credentials Plugin 1111.v35a_307992395 and earlier (SECURITY-2690 /
CVE-2022-29036)
o CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)
o Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier
(SECURITY-2704 / CVE-2022-29038)
o Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)
o Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)
o Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)
o Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)
o Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)
o Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 /
CVE-2022-29044)
o promoted builds Plugin 873.v6149db_d64130 and earlier (SECURITY-2692 /
CVE-2022-29045)
o Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)
This results in stored cross-site scripting (XSS) vulnerabilities exploitable
by attackers with Item/Configure permission.
Exploitation of these vulnerabilities requires that parameters are listed on
another page, like the "Build With Parameters" and "Parameters" pages provided
by Jenkins (core), and that those pages are not hardened to prevent
exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of
this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and
LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, the
following plugins have been updated to list parameters in a way that prevents
exploitation by default.
o Maven Release Plugin 0.16.3 (SECURITY-2669)
o Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)
o Pipeline: Input Step Plugin 447.v95e5a_6e3502a_ and 2.12.1 (SECURITY-2674)
o promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 (SECURITY-2670)
o Rebuilder Plugin 1.33.1 (SECURITY-2671)
o Release Plugin 2.14 (SECURITY-2672)
Older releases of these plugins allow exploitation of the vulnerabilities
listed above.
As of publication of this advisory, the following plugins have not yet been
updated to list parameters in a way that prevents exploitation of these
vulnerabilities:
o Coordinator Plugin (SECURITY-2668)
o Show Build Parameters Plugin (SECURITY-2325)
o Unleash Maven Plugin (SECURITY-2673)
These are not vulnerabilities in these plugins. Only plugins defining parameter
types can be considered to be vulnerable to this issue.
Note: Some plugins both define parameter types and implement a page listing
parameters, so they can appear in multiple lists and may have both a
security fix and a security hardening applied.
The following plugins have been updated to escape the name and description of
the parameter types they provide in the versions specified:
o Credentials Plugin 1112.vc87b_7a_3597f6, 1087.1089.v2f1b_9a_b_040e4,
1074.1076.v39c30cecb_0e2, and 2.6.1.1
o CVS Plugin 2.19.1
o Gerrit Trigger Plugin 2.35.3
o Git Parameter Plugin 0.9.16
o Jira Plugin 3.7.1 and 3.6.1
o Mask Passwords Plugin 3.1
o Node and Label parameter Plugin 1.10.3.1
o promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1
o Subversion Plugin 2.15.4
As of publication of this advisory, there is no fix available for the following
plugins:
o Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)
o Job Generator (SECURITY-2263 / CVE-2022-29042)
Untrusted users can modify some Pipeline libraries in Pipeline: Shared Groovy
Libraries Plugin
SECURITY-1951 / CVE-2022-29047
Multibranch Pipelines by default limit who can change the Pipeline definition
from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build
content from users without commit access, but who can submit pull requests,
without granting them the ability to modify the Pipeline definition. In that
case, Jenkins will just use the Pipeline definition in the pull request's
destination branch instead.
In Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier
the same protection does not apply to uses of the library step with a retriever
argument pointing to a library in the current build's repository and branch
(e.g., library(..., retriever: legacySCM(scm))). This allows attackers able to
submit pull requests (or equivalent), but not able to commit directly to the
configured SCM, to effectively change the Pipeline behavior by changing the
library behavior in their pull request, even if the Pipeline is configured to
not trust them.
Pipeline: Shared Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts
library retrieval if the library would be retrieved from the same repository
and revision as the current build, and the revision being built is untrusted.
CSRF vulnerability in Subversion Plugin
SECURITY-2075 / CVE-2022-29048
Subversion Plugin 2.15.3 and earlier does not require POST requests for several
form validation methods, resulting in cross-site request forgery (CSRF)
vulnerabilities.
These vulnerabilities allow attackers to connect to an attacker-specified URL.
Subversion Plugin 2.15.4 requires POST requests for the affected form
validation methods.
Promotion names in promoted builds Plugin are not validated when using Job DSL
SECURITY-2655 / CVE-2022-29049
promoted builds Plugin provides dedicated support for defining promotions using
Job DSL Plugin.
promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the
names of promotions defined in Job DSL. This allows attackers with Job/
Configure permission to create a promotion with an unsafe name. As a result,
the promotion name could be used for cross-site scripting (XSS) or to replace
other config.xml files.
promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 validates the name of
promotions.
CSRF vulnerability and missing permission checks in Publish Over FTP Plugin
SECURITY-2321 / CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission
check)
Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in
methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an FTP server
using attacker-specified credentials.
Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.
Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions
for the affected form validation methods.
Private key stored in plain text by Google Compute Engine Plugin
SECURITY-2045 / CVE-2022-29052
Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted
in cloud agent config.xml files on the Jenkins controller as part of its
configuration.
These private keys can be viewed by users with Agent/Extended Read permission
or access to the Jenkins controller file system.
Google Compute Engine Plugin 4.3.9 stores private keys encrypted.
Severity
o SECURITY-1951: High
o SECURITY-2045: Medium
o SECURITY-2075: Medium
o SECURITY-2321: Medium
o SECURITY-2617: High
o SECURITY-2655: High
Affected Versions
o Credentials Plugin up to and including 1111.v35a_307992395
o CVS Plugin up to and including 2.19
o Extended Choice Parameter Plugin up to and including 346.vd87693c5a_86c
o Gerrit Trigger Plugin up to and including 2.35.2
o Git Parameter Plugin up to and including 0.9.15
o Google Compute Engine Plugin up to and including 4.3.8
o Jira Plugin up to and including 3.7
o Job Generator Plugin up to and including 1.22
o Mask Passwords Plugin up to and including 3.0
o Node and Label parameter Plugin up to and including 1.10.3
o Pipeline: Shared Groovy Libraries Plugin up to and including
564.ve62a_4eb_b_e039
o promoted builds Plugin up to and including 873.v6149db_d64130
o Publish Over FTP Plugin up to and including 1.16
o Subversion Plugin up to and including 2.15.3
Fix
o Credentials Plugin should be updated to version 1112.vc87b_7a_3597f6,
1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, or 2.6.1.1
o CVS Plugin should be updated to version 2.19.1
o Gerrit Trigger Plugin should be updated to version 2.35.3
o Git Parameter Plugin should be updated to version 0.9.16
o Google Compute Engine Plugin should be updated to version 4.3.9
o Jira Plugin should be updated to version 3.7.1 or 3.6.1
o Mask Passwords Plugin should be updated to version 3.1
o Node and Label parameter Plugin should be updated to version 1.10.3.1
o Pipeline: Shared Groovy Libraries Plugin should be updated to version
566.vd0a_a_3334a_555 or 2.21.3
o promoted builds Plugin should be updated to version 876.v99d29788b_36b_ or
3.10.1
o Publish Over FTP Plugin should be updated to version 1.17
o Subversion Plugin should be updated to version 2.15.4
These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.
As of publication of this advisory, no fixes are available for the following
plugins:
o Extended Choice Parameter Plugin
o Job Generator Plugin
Credit
The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:
o Daniel Beck, CloudBees, Inc. for SECURITY-2045
o James Nord, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for
SECURITY-2075
o James Nord, CloudBees, Inc. and Jesse Glick, CloudBees, Inc. for
SECURITY-1951
o Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for
SECURITY-2655
o Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and
Daniel Beck, CloudBees, Inc. for SECURITY-2617
o Kevin Guerroudj, Justin Philip, Marc Heyries for SECURITY-2321
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
ESB-2022.1599 - [Win][UNIX/Linux] Apache Struts: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1599
CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on
raw not validated user input in tag attributes, may lead to RCE
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Struts
Publisher: Apache
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2021-31805
Original Bulletin:
https://cwiki.apache.org/confluence/display/WW/S2-062
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
Summary
Forced OGNL evaluation, when evaluated on raw not validated user input in tag
attributes, may lead to remote code execution - same as S2-061.
Who should read this: All Struts 2 developers and users
Impact of vulnerability: Possible Remote Code Execution vulnerability
Maximum security rating: Important
Recommendation: Upgrade to Struts 2.5.30 or greater
Affected Software: Struts 2.0.0 - Struts 2.5.29
Reporters: Chris McCown
CVE Identifier: CVE-2021-31805
Problem
The fix issued for CVE-2020-17530 (S2-061) was incomplete. Some of the tag
attributes could still be evaluated twice if a developer applied forced OGNL
evaluation with the %{...} syntax. Using forced OGNL evaluation on untrusted
user input can lead to remote code execution and security degradation.
Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to
Struts 2.5.30 or greater, which checks that expression evaluation will not
lead to double evaluation.
DISCLAIMER
Struts will no longer accept double evaluation issues caused by unvalidated
end-user input (developer error) as vulnerabilities. This one was accepted as
a vulnerability because it concerns an error in the fix for a previously
accepted vulnerability. Reports in this area that help reduce the effect of
developer error remain welcome and appreciated.
Backward compatibility
No issues expected when upgrading to Struts 2.5.30
Workaround
Do not use forced OGNL evaluation in tag attributes based on untrusted/
unvalidated user input; follow the recommendations from the Security Guide.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1598 - [Win][UNIX/Linux] Google Chrome: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1598
Stable Channel Update for Desktop
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Chrome
Publisher: Google
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1314 CVE-2022-1313 CVE-2022-1312
CVE-2022-1311 CVE-2022-1310 CVE-2022-1309
CVE-2022-1308 CVE-2022-1307 CVE-2022-1306
CVE-2022-1305
Original Bulletin:
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
The Stable channel has been updated to 100.0.4896.88 for Windows, Mac and
Linux which will roll out over the coming days/weeks. A full list of
changes in this build is available in the log. Interested in switching
release channels? Find out how here. If you find a new issue, please let us
know by filing a bug. The community help forum is also a great place to
reach out for help or learn about common issues.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a
majority of users are updated with a fix. We will also retain restrictions
if the bug exists in a third party library that other projects similarly
depend on, but haven't yet fixed.
This update includes 11 security fixes. Below, we highlight fixes that were
contributed by external researchers. Please see the Chrome Security Page
for more information.
[$6000][1285234] High CVE-2022-1305: Use after free in storage. Reported by
Anonymous on 2022-01-07
[$3000][1299287] High CVE-2022-1306: Inappropriate implementation in
compositing. Reported by Sven Dysthe on 2022-02-21
[$3000][1301873] High CVE-2022-1307: Inappropriate implementation in full
screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
[$1000][1283050] High CVE-2022-1308: Use after free in BFCache. Reported by
Samet Bekmezci @sametbekmezci on 2021-12-28
[$TBD][1106456] High CVE-2022-1309: Insufficient policy enforcement in
developer tools. Reported by David Erceg on 2020-07-17
[$TBD][1307610] High CVE-2022-1310: Use after free in regular expressions.
Reported by Brendon Tiszka on 2022-03-18
[$TBD][1310717] High CVE-2022-1311: Use after free in Chrome OS shell.
Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on
2022-03-28
[$TBD][1311701] High CVE-2022-1312: Use after free in storage. Reported by
Leecraso and Guang Gong of 360 Vulnerability Research Institute on
2022-03-30
[$TBD][1270539] Medium CVE-2022-1313: Use after free in tab groups.
Reported by Thomas Orlita on 2021-11-16
[$TBD][1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by
Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
We would also like to thank all security researchers that worked with us
during the development cycle to prevent security bugs from ever reaching
the stable channel.
As usual, our ongoing internal security work was responsible for a wide
range of fixes:
[1315276] Various fixes from internal audits, fuzzing and other initiatives
Many of our security bugs are detected using AddressSanitizer,
MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity,
libFuzzer, or AFL.
PrudhviKumar Bommana
Google Chrome
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlY5H+NLKJtyKPYoAQhGUA/8Du6SBb1fVcGPoRTfnNpE9UDjXstjBfTW
0zJtG8NpL38Qpw4RnqRZWGIFqOIf2+m8ai6L5WQOdvlxxODDtFEYgZX/MhsoEx8h
A5uTnPbxChE8myuDSZwnZxEgri/FcFNvpk48X7HcnUoDdgGysggda0hFkLUwW2W9
UuxTi9BbPzT5MY4VIVlYmBMmUuZRTpMzT5wDCz8hgGkrJsMen4tG2UFLTaEnhExg
po1tYrLsrB7psX1MsLO30QV87VMVz7dPXCKNLwIEjbz3glip1fqYrKP+Ai9saPFJ
xZZkyoY4JG+3dD/c2io656rRaxU0q3PpLJbL+6oaZRh6YvgmWkk1PPCcu1Gw94OC
auI2IUk79oZPC3zVuItQLdYexxJJ0dhDonWQpu87wWAnMxHW03aH3oUuYIiVeJC4
TRhutiz2ulP2qn1+LcFnBJUYuPeUInZ28UXga11cqZ7Qh54CIWwnmvLTllxcYw6u
X52IsJfJ2wjyl8Ttgyc9gYGj15dj650hWJqcFDZonrtYm260e2CLhlaiKu7uBLtF
M3GPfQArY7qaYMDkPrv9f2RIP0iVaIGHZywZDjj5kZJJwt/HVdiVYmP1i9UAc/sv
VfSVgm8aOo93vrx3aYMzHhwP2oY+a5sqtw74eDliDYmg5g61BGiXdrT1ZG8zQ2Iv
hNTrQgITn48=
=kpq+
-----END PGP SIGNATURE-----
ESB-2022.1597 - [Win][Mac] Adobe Acrobat and Acrobat Reader: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1597
APSB22-16 : Security update available for Adobe Acrobat and Reader
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Acrobat
Acrobat Reader
Publisher: Adobe
Operating System: Windows
macOS
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28269 CVE-2022-28268 CVE-2022-28267
CVE-2022-28266 CVE-2022-28265 CVE-2022-28264
CVE-2022-28263 CVE-2022-28262 CVE-2022-28261
CVE-2022-28260 CVE-2022-28259 CVE-2022-28258
CVE-2022-28257 CVE-2022-28256 CVE-2022-28255
CVE-2022-28254 CVE-2022-28253 CVE-2022-28252
CVE-2022-28251 CVE-2022-28250 CVE-2022-28249
CVE-2022-28248 CVE-2022-28247 CVE-2022-28246
CVE-2022-28245 CVE-2022-28244 CVE-2022-28243
CVE-2022-28242 CVE-2022-28241 CVE-2022-28240
CVE-2022-28239 CVE-2022-28238 CVE-2022-28237
CVE-2022-28236 CVE-2022-28235 CVE-2022-28234
CVE-2022-28233 CVE-2022-28232 CVE-2022-28231
CVE-2022-28230 CVE-2022-27802 CVE-2022-27801
CVE-2022-27800 CVE-2022-27799 CVE-2022-27798
CVE-2022-27797 CVE-2022-27796 CVE-2022-27795
CVE-2022-27794 CVE-2022-27793 CVE-2022-27792
CVE-2022-27791 CVE-2022-27790 CVE-2022-27789
CVE-2022-27788 CVE-2022-27787 CVE-2022-27786
CVE-2022-27785 CVE-2022-24104 CVE-2022-24103
CVE-2022-24102 CVE-2022-24101 CVE-2022-24092
CVE-2022-24091 CVE-2021-45067 CVE-2021-45064
CVE-2021-44739 CVE-2021-44706 CVE-2021-44702
Original Bulletin:
https://helpx.adobe.com/security/products/acrobat/apsb22-16.html
Comment: CVSS (Max): 7.8 CVE-2022-28233 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Adobe
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update available for Adobe Acrobat and Reader | APSB22-16
Bulletin ID    Date Published    Priority
APSB22-16      April 12, 2022    2
Summary
Adobe has released security updates for Adobe Acrobat and Reader for Windows
and macOS. These updates address multiple critical, important and moderate
vulnerabilities. Successful exploitation could lead to arbitrary code
execution, memory leak, security feature bypass and privilege escalation.
Affected Versions
Product              Track          Affected Versions                              Platform
Acrobat DC           Continuous     22.001.20085 and earlier versions              Windows & macOS
Acrobat Reader DC    Continuous     22.001.20085 and earlier versions              Windows & macOS
Acrobat 2020         Classic 2020   20.005.30314 and earlier versions (Windows)    Windows & macOS
                                    20.005.30311 and earlier versions (macOS)
Acrobat Reader 2020  Classic 2020   20.005.30314 and earlier versions (Windows)    Windows & macOS
                                    20.005.30311 and earlier versions (macOS)
Acrobat 2017         Classic 2017   17.012.30205 and earlier versions              Windows & macOS
Acrobat Reader 2017  Classic 2017   17.012.30205 and earlier versions              Windows & macOS
For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC
FAQ page.
Solution
Adobe recommends users update their software installations to the latest
versions by following the instructions below.
The latest product versions are available to end users via one of the following
methods:
o Users can update their product installations manually by choosing Help >
Check for Updates.
o The products will update automatically, without requiring user
intervention, when updates are detected.
o The full Acrobat Reader installer can be downloaded from the Acrobat Reader
Download Center.
For IT administrators (managed environments):
o Refer to the specific release note version for links to installers.
o Install updates via your preferred methodology, such as AIP-GPO,
bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and
SSH.
Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:
Product              Track          Updated Versions      Platform            Priority Rating   Availability
Acrobat DC           Continuous     22.001.20117 (Win)    Windows and macOS   2                 Release Notes
                                    22.001.20112 (Mac)
Acrobat Reader DC    Continuous     22.001.20117 (Win)    Windows and macOS   2                 Release Notes
                                    22.001.20112 (Mac)
Acrobat 2020         Classic 2020   20.005.30334 (Win)    Windows and macOS   2                 Release Notes
                                    20.005.30331 (Mac)
Acrobat Reader 2020  Classic 2020   20.005.30334 (Win)    Windows and macOS   2                 Release Notes
                                    20.005.30331 (Mac)
Acrobat 2017         Classic 2017   17.012.30229 (Win)    Windows and macOS   2                 Release Notes
                                    17.012.30227 (Mac)
Acrobat Reader 2017  Classic 2017   17.012.30229 (Win)    Windows and macOS   2                 Release Notes
                                    17.012.30227 (Mac)
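The update tables above give a different fixed build for Windows and for macOS within every track, and the Continuous, Classic 2020 and Classic 2017 tracks each have their own fixed build, so a fleet check has to compare each installed build against the right one of six targets. The following Python script does that comparison; it is an added example and not Adobe's or AusCERT's code. The fixed builds are copied from the "Updated Versions" table above, while the inventory records and their field order (host, product, platform, version) are constructed sample data that stands in for an SCCM, Jamf or similar software-inventory export.

```python
"""Triage an Acrobat/Reader inventory against the APSB22-16 fixed builds.

Added example, not Adobe's or AusCERT's code. The fixed builds are taken from
the "Updated Versions" table above; the inventory records are constructed
sample data and their field order (host, product, platform, version) is an
assumption about the export format.
"""
from typing import List, Tuple

# Lowest non-vulnerable build per (track, platform), from the "Updated Versions" table.
# Note that the Windows and macOS builds differ within every track.
FIXED_BUILD = {
    ("Continuous", "Windows"): "22.001.20117",
    ("Continuous", "macOS"): "22.001.20112",
    ("Classic 2020", "Windows"): "20.005.30334",
    ("Classic 2020", "macOS"): "20.005.30331",
    ("Classic 2017", "Windows"): "17.012.30229",
    ("Classic 2017", "macOS"): "17.012.30227",
}

# The last token of the product name identifies the track ("Acrobat Reader DC" -> Continuous),
# matching the Product/Track columns of the tables above.
TRACK_BY_PRODUCT_SUFFIX = {"DC": "Continuous", "2020": "Classic 2020", "2017": "Classic 2017"}


def parse_build(version: str) -> Tuple[int, int, int]:
    """Split '22.001.20085' into (22, 1, 20085) so builds compare numerically, not lexically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def track_for(product: str) -> str:
    """Map an inventoried product name to its Adobe release track."""
    suffix = product.strip().split()[-1]
    if suffix not in TRACK_BY_PRODUCT_SUFFIX:
        raise ValueError(f"cannot determine release track from product name {product!r}")
    return TRACK_BY_PRODUCT_SUFFIX[suffix]


def fixed_build_for(product: str, platform: str) -> str:
    """Return the first fixed build for this product/platform combination."""
    return FIXED_BUILD[(track_for(product), platform)]


def is_vulnerable(product: str, platform: str, version: str) -> bool:
    """True when the installed build is older than the fixed build for its track and platform."""
    return parse_build(version) < parse_build(fixed_build_for(product, platform))


# Constructed sample inventory: (host, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-0142", "Adobe Acrobat Reader DC", "Windows", "22.001.20085"),  # last affected build
    ("ws-0199", "Adobe Acrobat Reader DC", "Windows", "22.001.20117"),  # fixed
    ("ws-0200", "Adobe Acrobat Reader DC", "Windows", "22.001.20112"),  # macOS fix level is not enough on Windows
    ("mac-017", "Adobe Acrobat DC", "macOS", "22.001.20112"),           # fixed
    ("ws-0311", "Adobe Acrobat 2020", "Windows", "20.005.30314"),
    ("mac-042", "Adobe Acrobat Reader 2020", "macOS", "20.005.30331"),  # fixed
    ("ws-0417", "Adobe Acrobat Reader 2017", "Windows", "17.012.30205"),
    ("ws-0501", "Adobe Acrobat Reader DC", "Windows", "21.011.20039"),  # older Continuous build (constructed), also "earlier"
]


def triage(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, installed build, required build) for every vulnerable record."""
    findings = []
    for host, product, platform, version in inventory:
        if is_vulnerable(product, platform, version):
            findings.append((host, version, fixed_build_for(product, platform)))
    return findings


if __name__ == "__main__":
    for host, installed, required in triage(SAMPLE_INVENTORY):
        print(f"{host}: {installed} -> needs {required}")
```

The two points a quick string comparison gets wrong are both exercised in the sample: builds must be compared component by component as integers, and a macOS fix level (22.001.20112) reported on a Windows host is still below the Windows fix (22.001.20117) and so still vulnerable.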
Vulnerability Details
CVE Number      Vulnerability Category
                Impact                    Severity   Score  CVSS vector
CVE-2022-24101  Use After Free (CWE-416)
                Memory Leak               Moderate   3.3    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2022-24103  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-24104  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27785  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-24102  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27786  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27787  Out-of-bounds Write (CWE-787)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27788  Out-of-bounds Write (CWE-787)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27789  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27790  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27791  Stack-based Buffer Overflow (CWE-121)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27792  Out-of-bounds Write (CWE-787)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27793  Out-of-bounds Write (CWE-787)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27794  Access of Uninitialized Pointer (CWE-824)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27795  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27796  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27797  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27798  Out-of-bounds Write (CWE-787)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27799  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27800  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27801  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-27802  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28230  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28231  Out-of-bounds Read (CWE-125)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28232  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28233  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28234  Heap-based Buffer Overflow (CWE-122)
                Arbitrary code execution  Critical   7.8    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28235  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28236  Out-of-bounds Write (CWE-787)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28237  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28238  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28239  Out-of-bounds Read (CWE-125)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28240  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28241  Out-of-bounds Read (CWE-125)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28242  Use After Free (CWE-416)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28243  Out-of-bounds Read (CWE-125)
                Arbitrary code execution  Critical   7.8    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28244  Violation of Secure Design Principles (CWE-657)
                Arbitrary code execution  Important  6.3    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVE-2022-28245  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28246  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28247  Missing Support for Integrity Check (CWE-353)
                Privilege escalation      Important  6.7    CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28248  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28249  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28250  Use After Free (CWE-416)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28251  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28252  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2022-28253  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28254  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28255  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28256  Use After Free (CWE-416)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28257  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28258  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28259  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28260  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28261  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28262  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28263  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28264  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28265  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28266  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28267  Out-of-bounds Read (CWE-125)
                Memory Leak               Important  5.5    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-28268  Out-of-bounds Read (CWE-125)
                Memory Leak               Moderate   3.3    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2022-28269  Use After Free (CWE-416)
                Memory Leak               Moderate   3.3    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Acknowledgements
Adobe would like to thank the following for reporting these issues and for
working with Adobe to help protect our customers:
o Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-28250,
CVE-2022-28251, CVE-2022-28252, CVE-2022-28253, CVE-2022-28254,
CVE-2022-28255, CVE-2022-28256, CVE-2022-28257, CVE-2022-28258,
CVE-2022-28259, CVE-2022-28260, CVE-2022-28261, CVE-2022-28262,
CVE-2022-28263, CVE-2022-28264, CVE-2022-28265, CVE-2022-28266,
CVE-2022-28267, CVE-2022-28268, CVE-2022-28239, CVE-2022-28240,
CVE-2022-28241, CVE-2022-28242, CVE-2022-28243, CVE-2022-27800,
CVE-2022-27802, CVE-2022-24101
o Anonymous working with Trend Micro Zero Day Initiative - CVE-2022-27785,
CVE-2022-27786, CVE-2022-27787, CVE-2022-27788, CVE-2022-27790,
CVE-2022-27791, CVE-2022-27792, CVE-2022-27793, CVE-2022-27794,
CVE-2022-27797, CVE-2022-27798, CVE-2022-27801, CVE-2022-28231,
CVE-2022-28232, CVE-2022-28233, CVE-2022-28236, CVE-2022-28237,
CVE-2022-28238, CVE-2022-28245, CVE-2022-28246, CVE-2022-28248,
CVE-2022-28269
o Rich working with Trend Micro Zero Day Initiative - CVE-2022-24102,
CVE-2022-24103, CVE-2022-24104
o Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day
Initiative - CVE-2022-27795, CVE-2022-27796, CVE-2022-27799,
CVE-2022-28230, CVE-2022-28235
o Krishnakant Patil and Ashfaq Ansari - HackSys Inc working with Trend Micro
Zero Day Initiative - CVE-2022-28249, CVE-2022-27789
o HackAndPwn (hackandpwn) - CVE-2022-28247
o Gehirn Inc. - Maru Asahina, Ren Hirasawa, Tatsuki Maekawa(@mtk0308),
Tsubasa Iinuma, Hikaru Ida(@howmuch515) - CVE-2022-28244
o RUC_SE_SEC (ruc_se_sec) - CVE-2022-28234
- --------------------------END INCLUDED TEXT--------------------