COMMAND
CRM
SYSTEMS AFFECTED
Cisco Resource Manager 1.1 or 1.0 (Solaris, Win NT)
PROBLEM
The following information is based on a Cisco Field Notice. Versions 1.0 and
1.1 of the Cisco Resource Manager (CRM) create log files and
temporary files on the management station which contain
potentially sensitive information. These files are not protected
using operating system mechanisms, and are therefore readable by
all users of the system on which CRM is installed. The information
exposed includes the usernames, passwords, and SNMP community
strings used by CRM to gain access to the devices being managed.
Users who have access to the computer on which CRM is installed
may gain access to information which gives them unauthorized
access to the managed routers and switches. This affects both
Solaris and Windows NT systems.
Several different unprotected files may contain sensitive
information. Applicable Cisco bug IDs include CSCdk13298,
CSCdk14992, CSCdk14993, and CSCdk13579.
Remote Access Logs (CSCdk13298)
-------------------------------
Cisco Resource Manager is capable of logging a great deal of
detailed information for debugging purposes. Debugging is
ordinarily under control of the administrator. However, a
software error in CRM 1.0 and 1.1 causes debugging to be enabled
at all times. The debugging information collected may include
usernames and passwords used to log into managed devices, SNMP
community strings, and enable passwords. The files containing
this information are readable by any user of the computer on
which CRM is run. The log files containing the offending data
are:
/var/adm/CSCOpx/files/schedule/job-id/swim_swd.log (Solaris)
C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log (Windows NT)
These files are created by software distribution jobs
scheduled with "Distribute Images". Each job has its own
subdirectory (designated by "job-id" above) and its own log
file.
/tmp/swim_debug.log (Solaris)
C:\Program Files\CSCOpx\temp\swim_debug.log (Windows NT)
This file is used for logging debugging information from
Software Image Manager functions, such as "Import image from
File System/Device", Job administration and History
administration.
Database Update Logs (CSCdk13579)
---------------------------------
The "Local/Remote Import", "Import from File", "Add Devices",
and "Change Device Attributes" functions all record debugging
information in files readable by any user of the computer on which
CRM is run. This information may include usernames, login
passwords, SNMP community strings, and/or enable passwords. The
offending information is recorded in a log file named
"dbi_debug.log", which is located in /tmp on Solaris systems and
in C:\Program Files\CSCOpx\temp on Windows NT systems.
Import Temporary Files (CSCdk14992, CSCdk14993)
-----------------------------------------------
The "Local/Remote Import" functions, which are used to load data
into the CRM database from databases maintained by other network
management tools, create temporary files containing usernames,
login passwords, community strings, and enable passwords. The
files are readable by any user of the computer on which CRM is
run. The files exist only for a short time during the information
gathering phase of an import operation, and are automatically
deleted upon successful completion of the operation. However,
should the information gathering phase of the operation fail
because of some system error, the files would not be deleted. The
offending files have names beginning with "DPR_", and are stored
in "/tmp" on Solaris systems and in "C:\Program Files\CSCOpx\temp"
on Windows NT systems.
SOLUTION
Cisco has modified the CRM software to eliminate all of the
vulnerabilities described here. The first regular release
containing the modifications will be CRM version 2.0, which
is tentatively scheduled for release in early October, 1998.
Customers who do not wish to wait for CRM version 2.0 may install
the CRM SWIM package version 1.1.1. The CRM SWIM package version
1.1.1 is a patched version, identical to the SWIM package in CRM
version 1.1, but containing a fix for bug ID CSCdk13298, which
Cisco believes to be the vulnerability most disruptive to
day-to-day system operation. The other vulnerabilities listed
are not addressed by the CRM SWIM package 1.1.1.
Workarounds for CSCdk13298
--------------------------
The simplest and most effective workaround for this vulnerability
is to prevent untrusted users from having access to the computer
on which CRM is being run or to the file systems on which the log
files are stored. The file systems in question should not be
shared over a network of any kind. If the computer on which CRM
is being run must be shared, then the files in question must be
protected from access by untrusted users. This may be done by
issuing the following Solaris commands while running as "root" or
"bin":
chmod 700 /var/adm/CSCOpx/files/schedule
chmod 700 /tmp/swim_debug.log
Note: Each time your system is rebooted, you will need to change
the permissions on /tmp/swim_debug.log. There is no analogous
workaround for Windows NT systems.
Workaround for CSCdk13579
-------------------------
The simplest and most effective workaround for this vulnerability
is to prevent untrusted users from having access to the computer
on which CRM is being run or to the file systems on which the log
files are stored. The file systems in question should not be
shared over a network of any kind. If the computer on which CRM
is run must be shared, the file "/tmp/dbi_debug.log" or
"C:\Program Files\CSCOpx\temp\dbi_debug.log" should be deleted
after any change to device attributes. Note that a window of
vulnerability will exist between the time at which the database
update is performed and the time at which the file is deleted. It
may be desirable to deny access to untrusted users during this
window, even though they may be given access to the system at
other times.
Workaround for CSCdk14992/CSCdk14993
------------------------------------
The only effective workaround for CSCdk14992 and CSCdk14993 is to
deny untrusted users access to the system on which CRM is run
during any import operation. Cisco believes that such operations
are sufficiently uncommon to make this a viable option.