Cisco Show and Share Multiple Vulnerabilities (SS-2011-009)

Nov 11, 2011

 

  • Affected software: Cisco Show and Share
  • Affected vendor: Cisco
  • Issue type: Authentication, authorisation & arbitrary code execution
  • Release date: 11 November 2011
  • Discovered by: Andy Yang , Mehdi Kiani
  • Issue status: Patch available

 
Summary

 

stratsec has identified two security issues in the Cisco Show and Share webcasting and video sharing product which could lead to complete system comprise.
 

Description & Technical Details

 

The first vulnerability is as an authentication and authorisation bypass. The Cisco Show and Share webcasting and video sharing application does not consistently enforce page access controls, and as a result it is possible for anyone to access and update pages which are only intended for administrators. Under some circumstances, it may allow an attacker to retrieve administrator's credentials.

The second issue identified is unrestricted file upload functionality. The application was found not to provide sufficient file type checking, which could result in a JSP page containing arbitrary code being uploaded and executed.

 

Impact

 

Successful attempts may allow system setting modification, privilege escalation and complete system compromise.

 

Affected products

 

All versions of Cisco Show and Share prior to 5.2(2.1) and 5.2(3) are affected.

 

Solution

 

Cisco released patches for different product version to addresses these issues.

 

Response timeline

 

  • 05/04/2011 - Vendor notified.
  • 05/04/2011 - Vendor acknowledges receipt of advisory.
  • 14/04/2011 - Vendor confirms issue presence.
  • 18/04/2011 - Vendor documented vulnerabilities in Cisco Bug IDS.
  • 19/05/2011 - Vendor notifies stratsec of the proposed date to publish advisory.
  • 07/06/2011 - Vendor notifies stratsec of a delay to the advisory.
  • 28/07/2011 - Vendor notifies stratsec of the new date to publish advisory.
  • 18/08/2011 - Vendor updates the date to publish advisory.   
  • 12/09/2011 - Vendor notifies stratsec of a delay to the advisory.   
  • 20/10/2011 - Vendor published advisory.
  • 11/11/2011 - This advisory published.

References

 

  • National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2584
  • CVE item: CVE-2011-2584
  • National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2585
  • CVE item: CVE-2011-2585