• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple Cisco ACE Products Multiple Remote Vulnerabilities

Severity: CRITICAL

Description:

Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine are load-balancing and application-delivery solutions for data centers.

The products are prone these remote vulnerabilities:

1. Multiple authentication-bypass vulnerabilities occur because users aren't prompted to change the default administration password. An attacker can exploit these issues to modify configuration settings and possibly gain access to the host operating system. These issues are tracked by CVE-2009-0621 and CVE-2009-0620 and by Cisco Bug IDs CSCsq43828, CSCsq43229, and CSCsq32379. Cisco 4700 Series Application Control Engine Appliance devices are also vulnerable.

2. A privilege-escalation vulnerability may allow authenticated users to execute arbitrary commands through the command-line interface. This issue is tracked by CVE-2009-0622 and by Cisco Bug IDs CSCsq09839 and CSCsq48546.

3. A denial-of-service vulnerability occurs when handling a specially crafted SSH packet. An attacker can exploit this issue to cause the affected device to reload. This issue is tracked by CVE-2009-0623 and by Cisco Bug IDs CSCsv01877 and CSCsv01738. NOTE: SSH is not enabled by default.

4. A denial-of-service vulnerability occurs when handling a specially crafted SNMPv1 packet. An attacker can exploit this issue to cause the affected device to reload. This issue is tracked by CVE-2009-0624 and by Cisco Bug IDs CSCsu36038 and CSCsu47876.

5. A denial-of-service vulnerability occurs when handling a specially crafted SNMPv3 packet. An attacker can exploit this issue to cause the affected device to reload. This issue is tracked by CVE-2009-0625 and by Cisco Bug IDs CSCsq45432 and CSCso83126.

Attackers can exploit these issues to execute arbitrary commands, gain administrative access, and cause denial-of-service conditions on affected devices. Other attacks are also possible.

Affected Products:

• Cisco ACE 4710 Appliance
• Cisco ACE Module
• Cisco Application Control Engine (ACE) Module

References:

• CVE: CVE-2009-0620
• CVE: CVE-2009-0621
• CVE: CVE-2009-0622
• CVE: CVE-2009-0623
• CVE: CVE-2009-0624
• CVE: CVE-2009-0625
• Cisco: Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of th
• Cisco: Cisco Homepage
• Cisco: Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application C

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.