The “CiscoWorks Common Services” function for network management is built into several software products provided by Cisco Systems Inc. including “Cisco Security Manager”.

A security vulnerability known as directory traversal exists within “CiscoWorks Common Services”, which stems from a problem in the network file transfer service (TFTP^(*1) service).

In the event of an attack in which this vulnerability is exploited, there is a possibility that an arbitrary file within the computer may be accessed from an external source.

For detailed information, refer to the URL below:
http://www.cisco.com/warp/public/707/cisco-sa-20090520-cw.shtml

For the latest information, refer to the URL below:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000032.html

The IPA first received a report concerning this vulnerability through the creditee below on October 28, 2008, and the JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, made adjustments to clarify the matter with the vendor and made the announcement public on May 29, 2009.
Credit: Jun Okada, NTT Data Security Corporation

In the event of an attack from an external source, there is a possibility that files within the computer may be accessed.

By being able to access these files, important information within the computer may be stolen or falsified, and the attacker with malicious intent may also obtain control of the computer itself.

To fix this vulnerability, update to the fixed version supplied by the vendor, or disable the TFTP service in “CiscoWorks Common Services”.

(1)Evaluation Result

(2) Base Score Metrics

■:Selected Values

This vulnerability has been CWE classified as “Path Traversal (CWE-22)”.

(*1)Trivial File Transfer Protocol. Protocol for transfer of files between computers via networks.

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: