Cisco Patches Several CS-MARS Vulnerabilities

The CS-MARS appliance monitors multiple network devices for security problems by examining configurations on routers and switches, and it also enables companies to verify the security of their infrastructure against pre-defined security checklists.

Cisco issued a security advisory Wednesday and has made fixes available for the flaws, which affect CS-MARS appliances prior to version 4.2.1.

CS-MARS includes a JBoss web application server that could potentially allow an unauthenticated attacker to log in remotely and send specially designed HTTP requests to the CS-MARS appliance which would enable them to execute commands on the appliance with administrator privileges, Cisco said.

Security researcher Jon Hart posted a proof of concept for the JBoss flaw to the Full-Disclosure security mailing list Wednesday. In his post, Hart cited issues with JBoss version 3.2.7 which ships with CS-MARS, as well as a lack of security in the jmx console, which provides a view into the microkernel of the JBoss application server.

id
unit-1659132512259
type
Sponsored post

"Once an attacker has access to the jmx-console, the thoroughness with which the box can be compromised is only limited by their imagination," Hart wrote.

Meanwhile, a separate vulnerability stems from the Oracle database that is included with CS-MARS appliance and can be used to store network event information and authentication data for firewalls, routers and IPS devices. The database includes a number of default Oracle accounts with well-known passwords, which could allow attackers to access confidential information within the database, Cisco said.

However, CS-MARS appliance doesn't use the default Oracle database account and has been fortified to prevent local and remote unauthorized access to the database. The database accounts have also been disabled as a precautionary measure to prevent the vulnerability from being exploited, according to Cisco.

A number of vulnerabilities in the CS-MARS Command Line Interface (CLI), which administrators use to maintain the system, could make it possible for an authenticated administrator to execute arbitrary commands with root level privileges, Cisco said.

Symantec, in a DeepSight Threat Management System bulletin issued Wednesday, rated the vulnerabilities as 10 out of 10 in terms of both impact and severity.