[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : CRM Temporary File Vulnerability

Title: CRM Temporary File Vulnerability
Released by: CISCO
Date: 13th August 1998
Printable version: Click here

Field Notice:

CRM Temporary File Vulnerability


For release 09:00 AM US/Pacific, Thursday, August 13, 1998



   * Summary

   *  Who is Affected

   *  Impact

   *  Details

        o  Remote Access Logs (CSCdk13298)

             +  Workarounds for CSCdk13298

        o Database Update Logs (CSCdk13579)

             +  Workaround for CSCdk13579

        o Import Temporary Files (CSCdk14992, CSCdk14993)

             +  Workaround for CSCdk14992/CSCdk14993

        o Planned Software Fixes

        o  Exploitation and Public Announcements

   * Status of This Notice

        o  Distribution

        o  Revision History

   * Cisco Security Procedures



Versions 1.0 and 1.1 of the Cisco Resource Manager (CRM) create log files

and temporary files on the management station which contain potentially

sensitive information. These files are not protected using operating system

mechanisms, and are therefore readable by all users of the system on which

CRM is installed. The information exposed includes the usernames, passwords,

and SNMP community strings used by CRM to gain access to the devices being


Users who have access to the computer on which CRM is installed may gain

access to information which gives them unauthorized access to the managed

routers and switches.  This affects both Solaris and Windows NT systems.

There are workarounds for this problem, and a patch is available for CRM

1.1. There is no patch for CRM 1.0.  Other than to install the patch, the

most effective solution for most installations is simply to deny untrusted

users any access to the computer on which CRM is installed or to its file


Who is Affected


All customers who run Cisco Resource Manager 1.1 or 1.0, and who allow

untrusted users access to the computer on which CRM is run or to its file

systems, are affected by these vulnerabilities.



Users who have direct access to the machine on which CRM is installed, or

who have network access to the files specified  in the "Details" section of

this document, may gain unauthorized access to the managed devices.  The

unauthorized access gained may include administrative access and the ability

to modify device configurations.



Several different unprotected files may contain sensitive information.

Applicable Cisco bug IDs include CSCdk13298, CSCdk14992, CSCdk14993, and


Remote Access Logs (CSCdk13298)

- - -----------------------------

Cisco Resource Manager is capable of logging a great deal of detailed

information for debugging purposes. Debugging is ordinarily under control of

the administrator. However, a software error in CRM 1.0 and 1.1 causes

debugging to be enabled at all times. The debugging information collected

may include usernames and passwords used to log into managed devices,  SNMP

community strings, and enable passwords.  The files containing this

information are readable by any user of the computer on which CRM is run.

The log files containing the offending data are:

   * /var/adm/CSCOpx/files/schedule/job-id/swim_swd.log (Solaris)

     C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log (Windows NT)

     These files are created by software distribution jobs scheduled with

     "Distribute Images". Each job has its own subdirectory (designated by

     "job-id" above) and its own log file.

   * /tmp/swim_debug.log (Solaris)

     C:\Program Files\CSCOpx\temp\swim_debug.log (Windows NT)

     This file is used for logging debugging information from Software Image

     Manager functions, such as "Import image from File System/Device", Job

     administration and History administration.

Workarounds for CSCdk13298

- - ----

The simplest and most effective workaround for this vulnerability is to

prevent untrusted users from having access to the computer on which CRM is

being run or to the file systems on which the log files are stored. The file

systems in question should not be shared over a network of any kind.

If the computer on which CRM is being run must be shared, then the files in

question must be protected from access by untrusted users. This may be done

by issuing the following Solaris commands while running as "root" or "bin":

     chmod 700 /var/adm/CSCOpx/files/schedule

     chmod 700 /tmp/swim_debug.log

Note: Each time your system is rebooted, you will need to change the

permissions on /tmp/swim_debug.log.

There is no analogous workaround for Windows NT systems.

Database Update Logs (CSCdk13579)

- - -------------------------------

The "Local/Remote Import",  "Import from File", "Add Devices",  and "Change

Device Attributes" functions all record debugging information in files

readable to any user of the computer on which CRM is run. This information

may include usernames, login passwords, SNMP community strings, and/or

enable passwords.

The offending information is recorded in a log file named "dbi_debug.log",

which is located in /tmp on Solaris systems and in C:\Program

Files\CSCOpx\temp on Windows NT systems.

Workaround for CSCdk13579

- - ----

The simplest and most effective workaround for this vulnerability is to

prevent untrusted users from having access to the computer on which CRM is

being run or to the file systems on which the log files are stored. The file

systems in question should not be shared over a network of any kind.

If the computer on which CRM is run must be shared, the  file

"/tmp/dbi_debug.log" or "C:\Program Files\CSCOpx\temp\dbi_debug.log" should

be deleted after any change to device attributes. Note that a window of

vulnerability will exist between the time at which the database update is

performed and the time at which the file is deleted. It may be desirable to

deny access to untrusted users during this window, even though they may be

given access to the system at other times.

Import Temporary Files (CSCdk14992, CSCdk14993)

- - ---------------------------------------------

The "Local/Remote Import" functions, which are used to load data into the

CRM database from databases maintained by other network management tools,

create temporary files containing usernames, login passwords, community

strings, and enable passwords.  The files are readable to any user of the

computer on which CRM is run. The files exist only for a short time during

the information gathering phase of an import operation, and are

automatically deleted upon successful completion of the operation. However,

should the information gathering phase of the operation fail because of some

system error, the files would not be deleted.

The offending files have names beginning with "DPR_", and are stored in

"/tmp" on Solaris systems and in "C:\Program Files\CSCOpx\temp" on Windows

NT systems.

Workaround for CSCdk14992/CSCdk14993

- - ----

The only effective workaround for CSCdk14992 and CSCdk14993 is to deny

untrusted users access to the system on which CRM is run during any import

operation. Cisco believes that such operations are sufficiently uncommon to

make this a viable option.

Planned Software Fixes

- - --------------------

Cisco has modified the CRM software to eliminate all of the vulnerabilities

described in this notice. The first regular release containing  the

modifications will be CRM version 2.0, which is tentatively scheduled for

release in early October, 1998. This schedule is subject to change.

Customers who do not wish to wait for CRM version 2.0 may install the CRM

SWIM package version 1.1.1.  The CRM SWIM package version 1.1.1 is a patched

version, identical to the SWIM package in CRM version 1.1, but containing a

fix for bug ID CSCdk13298, which Cisco believes to be the vulnerability most

disruptive to day-to-day system operation.  The other vulnerabilities listed

in this notice are not addressed by the CRM SWIM package 1.1.1.

Customers with service contracts may obtain updates through their usual

channels; those who are registered users of CCO (Cisco's Worldwide Web site)

may download the CRM SWIM package version 1.1.1 update from CCO site at


Customers without service contracts should contact the Cisco TAC for

assistance. The CRM SWIM package 1.1.1 patch (but not the CRM 2.0 upgrade)

will be made available free of charge to all CRM customers, regardless of

service contract status. Please reference the URL of this notice as evidence

of your entitlement to the patch.

There will be no patched version of CRM 1.0. CRM 1.0 customers are eligible

for free upgrades to CRM 1.1 and the CRM SWIM package version  1.1.1.

Customers who wish to continue to use CRM 1.0 are strongly encouraged to

prevent all access by untrusted users to the computers on which they run CRM

or to those computers' file systems.

Exploitation and Public Announcements


Cisco has had no reports of malicious exploitation of the vulnerabilities

listed in this notice.

Cisco knows of no public announcements of these vulnerabilities before the

date of this notice.

Status of This Notice


This is a final field notice. Although Cisco cannot guarantee the accuracy

of all statements in this notice, all the facts have been checked to the

best of our ability. Cisco does not anticipate issuing updated versions of

this notice unless there is some material change in the facts. Should there

be a significant change in the facts, Cisco may update this notice.


- - ----------

This notice will be posted on Cisco's Worldwide Web site at

http://www.cisco.com/warp/public/770/crmtmp-pub.html. In addition to

Worldwide Web posting, the initial version of this notice is being sent to

the following e-mail recipients:

   * cust-security-announce@cisco.com

   * Various internal Cisco mailing lists

Future updates to this notice, if any, will be placed on Cisco's Worldwide

Web server, but may or may not be actively announced on mailing lists or

newsgroups. Users concerned about this problem are encouraged to check the

URL given above for any updates.

Revision History

 Revision 1.1,      Initial released version

 11:50 AM



Cisco Security Procedures


Please report security issues with Cisco products, and/or sensitive security

intrusion emergencies involving Cisco products, to security-alert@cisco.com.

Reports may be encrypted using PGP; public RSA and DSS keys for

"security-alert@cisco.com" are on the public PGP keyservers.

The alias "security-alert@cisco.com" is used only for reports incoming to

Cisco. Mail sent to the list goes only to a very small group of users within

Cisco. Neither outside users nor unauthorized Cisco employees may subscribe

to "security-alert@cisco.com".

Please do not use "security-alert@cisco.com" for configuration questions,

for security intrusions that you do not consider to be sensitive

emergencies, or for general, non-security-related support requests. We do

not have the capacity to handle such requests through this channel, and will

refer them to the TAC, delaying response to your questions. We advise

contacting the TAC directly with these requests. TAC contact information is

as follows:

   * Voice telephone: +1 800 553 2447 (toll-free from within North America)

   * Voice telephone: +1 408 526 7209 (toll call from anywhere in the world)

   * Electronic mail: tac@cisco.com

All formal public security notices generated by Cisco are sent to the public

mailing list "cust-security-announce@cisco.com". For information on

subscribing to this mailing list, send a message containing the single line

"info cust-security-announce" to "majordomo@cisco.com". An analogous list,

"cust-security-discuss@cisco.com" is available for public discussion of the

notices and of other Cisco security issues.


This notice is copyright 1998 by Cisco Systems, Inc. This notice may be

redistributed freely after the release date given at the top of the notice,

provided that redistributed copies are complete and unmodified, including

all date and version information.


Version: PGP for Personal Privacy 5.0

Charset: noconv









(C) 1999-2000 All rights reserved.