Friday, November 13, 2009


Thanks to an eagle-eyed reader (though it is a couple of months old now): if you are running 6.0.4 and earlier, there is a vulnerability when MARS is configured to pull Windows Event Logs.

"The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows context-dependent attackers to obtain sensitive information by reading these files."

You can view the CVE here.

This was covered by Cisco Bug CSCtb52450, which mentioned that it was only a bug when MARS was configured to PULL events rather than using Snare (or Honeycomb, and similar products).

It was also mentioned that the issue can be mitigated if log files are not exported out of the CS-MARS device. (Only CS-MARS administrators can export log files.)

BTW, this was resolved in MARS release 6.0.5.
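
For archives that were already exported before upgrading, an administrator can check whether the Windows pull account's password appears in the `log/sysbacktrace.##` members. The script below is an added example, not Cisco's or this blog's code; the sample log lines, the account name and the password are constructed, and the digit pattern after `sysbacktrace.` is an assumption.

```python
import io
import re
import tarfile

# Member names as the CVE text describes them: log/sysbacktrace.## inside
# error-logs.tar.gz. Accepting any run of digits is an assumption.
SYSBACKTRACE = re.compile(r"(^|/)log/sysbacktrace\.\d+$")


def find_exposed_members(archive, secret):
    """Return names of sysbacktrace members that contain `secret` in cleartext."""
    needle = secret.encode("utf-8")
    hits = []
    with tarfile.open(fileobj=archive, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or not SYSBACKTRACE.search(member.name):
                continue
            if needle in tar.extractfile(member).read():
                hits.append(member.name)
    return sorted(hits)


def build_sample_archive():
    """Constructed in-memory stand-in for an exported error-logs.tar.gz."""
    files = {
        # Constructed log lines; the real file layout is not given on the page.
        "log/sysbacktrace.01": b"pull failed user=svc_mars pass=Constructed-Pw!1\n",
        "log/sysbacktrace.02": b"pull ok host=10.0.0.6\n",
        "log/other.log": b"Constructed-Pw!1 (not a sysbacktrace file)\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name in find_exposed_members(build_sample_archive(), "Constructed-Pw!1"):
        print("cleartext credential found in", name)
```

To check a real export, pass `open("error-logs.tar.gz", "rb")` as `archive`; if any member is reported, rotate the pull account's password and remove the exported copies.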
