Cisco Systems has released a patch to fix a critical vulnerability in its CiscoWorks Common Services product. The vulnerability could allow an unauthenticated attacker to access applications and operating system files. Only the Windows version of the product is affected, so Solaris users are safe, for now. Cisco has rated the vulnerability as high. The following products use CiscoWorks Common Services and are affected:
- Cisco Unified Service Monitor versions 1.0, 1.1, 2.0, and 2.1
- CiscoWorks QoS Policy Manager versions 4.0 and 4.1
- CiscoWorks LAN Management Solution versions 2.5, 2.6, 3.0, and 3.1
- Cisco Security Manager versions 3.0, 3.1, and 3.2
- Cisco TelePresence Readiness Assessment Manager version 1.0
- CiscoWorks Voice Manager versions 3.0 and 3.1
- CiscoWorks Health and Utilization Monitor versions 1.0 and 1.1
- Cisco Unified Operations Manager versions 1.0, 1.1, 2.0, and 2.1
- Cisco Unified Provisioning Manager versions 1.0, 1.1, 1.2, and 1.3
I spoke to several friends who use this product and they tell me that it is urgent that this patch be installed. The product contains a TFTP directory traversal vulnerability that could give an attacker the ability to modify applications and host operating system files.
The patch can be downloaded free from Cisco's site.
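
For readers who run their own TFTP services on Windows, the class of flaw named above comes down to how the requested filename is resolved against the served directory. The following is an added example, not Cisco's code or its fix: it parses an RFC 1350 read/write request and refuses any filename that resolves outside the root. The root `C:\tftpboot`, the function names and the sample packets are assumptions made for the illustration.

```python
import ntpath
import struct

TFTP_ROOT = r"C:\tftpboot"  # assumed served directory (hypothetical)
OP_RRQ, OP_WRQ = 1, 2       # RFC 1350 read and write request opcodes

def parse_request(packet: bytes):
    """Split an RRQ/WRQ (opcode, filename NUL, mode NUL) into its fields."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a read or write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def resolve(filename: str, root: str = TFTP_ROOT) -> str:
    """Return the normalized path under root, or raise PermissionError."""
    drive, rest = ntpath.splitdrive(filename)
    # Refuse drive letters, UNC paths, rooted paths and NTFS stream names.
    if drive or ":" in rest or rest.startswith(("/", "\\")):
        raise PermissionError("absolute path or stream name")
    # normpath treats '/' and '\' alike and collapses '..' segments.
    candidate = ntpath.normpath(ntpath.join(root, filename))
    prefix = ntpath.normcase(ntpath.normpath(root)) + "\\"
    # Trailing separator keeps C:\tftpboot2 from passing as C:\tftpboot.
    if not ntpath.normcase(candidate).startswith(prefix):
        raise PermissionError("path escapes the TFTP root")
    return candidate

def safe_target(packet: bytes):
    """Resolved path for an acceptable request, or None if it is refused."""
    try:
        _, filename, _ = parse_request(packet)
        return resolve(filename)
    except (ValueError, PermissionError):
        return None

# Constructed sample requests, not captured traffic.
SAMPLES = [
    b"\x00\x01configs/router-confg\x00octet\x00",
    b"\x00\x02..\\..\\boot.ini\x00octet\x00",
    b"\x00\x01configs/../../tftpboot2/x\x00netascii\x00",
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", safe_target(pkt))
```

The check is lexical only; a server should also open the resolved path without following reparse points and run under an account that cannot write to application or system directories.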