CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Vulnerability in CiscoWorks Internetwork Performance Monitor Could Allow Remote Code Execution
A vulnerability has been discovered in CiscoWorks Internetwork Performance Monitor (IPM) which could allow remote code execution. CiscoWorks IPM is a troubleshooting component used within the management solutions for CiscoWorks products which are used to configure, administer and monitor networks. Successful exploitation could result in an attacker gaining the same privileges as the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attacks will likely cause denial-of-service conditions.
- CiscoWorks IPM 2.6 and earlier for Windows operating systems
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: Low
CiscoWorks Internetwork Performance Monitor (IPM) is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data. Specifically, the issue is triggered when processing Common Object Request Broker Architecture (CORBA) GIOP requests. Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attacks will likely cause denial-of-service conditions.
We recommend the following actions be taken:
- Restrict access to only trusted computers and networks to reduce the likelihood of a successful exploit.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Customers with active software licenses for the IPM component of CiscoWorks versions 2.6 and earlier should send email to email@example.com for instructions on migrating to non-vulnerable software.