COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco Cache Engine 2050, Release 1.0 through 1.7.6.
    Cisco Cache Engine 500, Release 2.0.1 through 2.0.2.

PROBLEM

    Following is based  on Cisco Security  Advisory.  A  vulnerability
    exists  that  could  allow  an  unauthorized  person to substitute
    arbitrary material in place of legitimate content for a  specified
    website.  This arbitrary content  would be viewable only by  users
    of the affected (or "polluted") Cache Engine.  This  vulnerability
    has Cisco bug ID CSCdm63310.

    A  second  vulnerability  exists  that  could  allow  unauthorized
    persons to view performance  information via the web  interface of
    the Cache Engine.  This vulnerability has Cisco bug ID CSCdp20180.

    A third  vulnerability existed  that allowed  a null  username and
    password pair to be accepted as valid authentication  credentials.
    This vulnerability has Cisco bug ID CSCdj56294.


    For Cisco bug ID CSCdm63310:
    ============================
    Content  can  be  stored  on  the  Cisco  Cache Engine, provided a
    well-known host name, and  clients behind that Cisco  Cache Engine
    will  only  receive  the  Cisco  Cache  Engine  content  for  that
    well-known host name.   This would allow an  opportunistic content
    provider to populate  a Cisco Cache  Engine with content  of their
    choosing, yet make  it appear as  any other host  name was serving
    this  content.   The  clients  using  this "polluted" cache engine
    would  be  the  only  ones  to  see  this tainted content, causing
    confusion  and  service  disruption.   Version  2.0.3 of the Cisco
    Cache  Engine  provides  additional  authentication to verify that
    the hostname provided actually  belongs to the site  providing the
    content.

    For Cisco bug ID CSCdp20180:
    ============================
    Though  the   Cache  Engine   web  administration   pages  request
    authentication,  a   script  can   be  written   to  bypass    the
    authentication  request  and  gain   access  to  the   performance
    statistics without  authentication.   This problem  has been fixed
    by adding extra security checks to verify the Java monitor  applet
    that  provides  the  performance  statistics  has  been   properly
    authenticated.

    For Cisco bug ID CSCdj56294:
    ============================
    This issue  would permit  unauthorized persons  to alter  files on
    the Cache  Engine, ranging  from blocked  site lists  to alternate
    software  versions.   Very   few  sites  were  provided   versions
    affected by this issue.

    These vulnerabilities  were all  originally reported  to Cisco  by
    separate customers.   Cisco knows  of no  public announcements  of
    these vulnerabilities, nor have  any malicious uses been  reported
    to Cisco.  A simple  HTML script is needed to  effectively exploit
    CSCdp20180.  Although Cisco knows  of no program available to  the
    public specifically for this purpose, writing such a script  would
    require little effort, and a basic understanding of HTML and  Java
    code.

SOLUTION

    If you are using a Cisco  Cache Engine that has not been  upgraded
    to  version  2.0.3,  you  are  vulnerable  to the first two issues
    (CSCdm63310 and CSCdp20180).   If you are  running a Cache  Engine
    that has not been upgraded  to version 1.5, you are  vulnerable to
    all three issues (CSCdm63310, CSCdp20180, and CSCdj56294).

    All issues are fixed in the Cisco Cache Engine 500, Release  2.0.3
    or later.   All issues  are fixed  in Cisco  Cache Engine  version
    2.0.3.  CSCdj56294 is resolved in Cisco Cache Engine version  1.5,
    and higher.  However, due to issues CSCdp20180 and CSCdm63310,  it
    is  strongly  recommended  that  customers  upgrade to Cisco Cache
    Engine version 2.0.3.  Software  version 2.0.3 will only apply  to
    the  following  Cisco  Cache  Engine  Hardware  platforms: CE-550,
    CE-505, and CE-550-DS3.   The CE-2050 chassis  cannot be  upgraded
    to version 2.0.3, and you will  need to contact the Cisco TAC  for
    assistance as detailed in the "Getting Fixed Software" section  of
    this notice.   If you do  not know which  hardware chassis of  the
    Cisco Cache Engine you have,  please contact the Cisco TAC  at one
    of the telephone numbers listed in the "Cisco Security Procedures"
    section of this notice.

    Workarounds to prevent  an attacker from  taking advantage of  the
    vulnerability described in CSCdm63310 include disabling the  Cisco
    Cache Engine or specifying a  strict list of permitted sites  that
    would restrict clients  to a list  of known, valid  websites.  The
    procedure  for  enabling  URL  restriction  is  detailed  in Cache
    Engine documentation version 1.7 at the following link:

        http://www.cisco.com/univercd/cc/td/doc/product/iaabu/webcache/ce17/ver17/wc17man.htm

    Workarounds for both CSCdp20180 and CSCdj56294 include other means
    of limiting access to both  web based management and FTP  ports on
    the Cache Engine, such as firewalls or access lists on routers  to
    limit  traffic  to  those  ports.   It  is strongly recommended to
    upgrade to version 2.0.3 of the Cisco Cache Engine.