Vulnerability in Cisco Security Manager
Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and intrusion prevention security services on Cisco network and security devices. As part of Cisco Security Manager installation, the Cisco IPS Event Viewer (IEV) is installed by default. The IEV is a Java-based application that allows users to view and manage alerts for up to five sensors, including the ability to report top alerts, attackers, and victims over a specified number of hours or days. Users can connect to and view alerts in real time or via imported log files, configure filters and views to help manage alerts, and import and export event data for further analysis.
A vulnerability exists in the Cisco Security Manager server. When the IEV is launched, it opens several remotely available TCP ports on the Cisco Security Manager server and client. These ports could allow remote, unauthenticated root access to the IEV database and server. When IEV is closed, it closes open ports on the Cisco Security Manager client that launched the IEV but fails to close open ports on the server. If the IEV has never been used on the system, the Cisco Security Manager server is not vulnerable.
The IEV database contains events that are collected from Cisco Intrusion Prevention System (IPS) devices. The IEV server allows an unauthenticated user to add, delete, or modify the devices that are added into the IEV.
Cisco has released free software updates that address this vulnerability. A workaround is also available to mitigate this vulnerability.
In the event that Cisco IEV is not being used, administrators are advised to disable the functionality until a patch is applied. To disable IEV on Cisco Security Manager, perform the following steps:
1. Access the Microsoft Windows Server that Cisco Security Manager is installed on.
2. Open the Services dialog box (Choose Start > Administrative Tools > Services).
3. Locate the Cisco IPS Event Viewer service and open Properties.
4. Change Startup Type: to Disabled and click OK.
5. Stop the Cisco IPS Event Viewer service.
6. Stop and restart the Cisco Security Manager Daemon Manager service.
7. Confirm that the Cisco IPS Event Viewer service has not restarted.
Upon disabling the Cisco IPS Event Viewer service, the open ports on the Cisco Security Manager server will be closed.
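The steps above, scripted as an added PowerShell example (not part of Cisco's advisory), with a before/after snapshot of listening TCP ports to check that the server ports were closed. It assumes an elevated session, English-language netstat output, and that the two services can be matched by the display names used in the steps; the 60-second wait is an arbitrary choice.

```powershell
# Added example: scripted form of the workaround. Run elevated on the
# Cisco Security Manager server.
# Assumption: services are matched by the display names given in the steps;
# confirm them in the Services dialog and adjust the patterns if they differ.
$ErrorActionPreference = 'Stop'
$ievPattern    = 'Cisco IPS Event Viewer*'
$daemonPattern = 'Cisco Security Manager Daemon Manager*'

function Get-ListeningTcpPort {
    # Parse "netstat -ano" (English output assumed) into port/PID pairs.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            New-Object psobject -Property @{ Port = [int]$Matches[1]; ProcessId = [int]$Matches[2] }
        }
    } | Sort-Object Port, ProcessId -Unique
}

$iev    = @(Get-Service -DisplayName $ievPattern)
$daemon = @(Get-Service -DisplayName $daemonPattern)
if ($iev.Count -ne 1 -or $daemon.Count -ne 1) {
    throw "Expected one match per service; found IEV=$($iev.Count), Daemon Manager=$($daemon.Count)."
}

$before = Get-ListeningTcpPort

# Steps 3-5: set Startup Type to Disabled, then stop the IEV service.
Set-Service  -Name $iev[0].Name -StartupType Disabled
Stop-Service -Name $iev[0].Name -Force

# Step 6: stop and restart the Daemon Manager service.
Restart-Service -Name $daemon[0].Name -Force

# Step 7: give the Daemon Manager time to start its children, then confirm
# that the IEV service has not come back.
Start-Sleep -Seconds 60
$status = (Get-Service -Name $iev[0].Name).Status
if ($status -ne 'Stopped') {
    throw "IEV service is '$status' after the Daemon Manager restart."
}

# Ports that were listening before the change and are not listening now.
# The Daemon Manager restart can move unrelated dynamic ports, so review
# this list rather than treating every entry as an IEV port.
$afterPorts = Get-ListeningTcpPort | ForEach-Object { $_.Port }
$closed = $before | Where-Object { $afterPorts -notcontains $_.Port }
"IEV service status: $status"
"Listening TCP ports closed by the change:"
$closed | Select-Object Port, ProcessId | Format-Table -AutoSize
```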