__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco uBR10012 Series Devices SNMP Vulnerability [Cisco Security Advisory Document ID: 107696] September 25, 2008 14:00 GMT Number S-376 ______________________________________________________________________________ PROBLEM: Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device. PLATFORM: Cisco uBR10012 series devices that are configured for linecard redundancy are affected DAMAGE: Attacker may gain complete control of the device. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Successful exploitation of the vulnerability ASSESSMENT: may allow an attacker to gain complete control of the device. ______________________________________________________________________________ CVSS 2 BASE SCORE: 10.0 TEMPORAL SCORE: 8.3 VECTOR: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C) ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-376.shtml ORIGINAL BULLETIN: http://www.cisco.com/en/US/products/products_security_ advisory09186a0080a014b1.shtml CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2008-3807 ______________________________________________________________________________ [***** Start Cisco Security Advisory Document ID: 107696 *****] Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability Document ID: 107696 Advisory ID: cisco-sa-20080924-ubr http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml Revision 1.0 For Public Release 2008 September 24 1600 UTC (GMT) -------------------------------------------------------------------------------- Contents Summary Affected Products Details Vulnerability Scoring Details Impact Software Versions and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of this Notice: FINAL Distribution Revision History Cisco Security Procedures -------------------------------------------------------------------------------- Summary Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device. Only Cisco uBR10012 series devices that are configured for linecard redundancy are affected. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml. NOTE: The September 24, 2008 IOS Advisory bundled publication includes twelve Security Advisories. Eleven of the advisories address vulnerabilities in Cisco's IOSŪ software, and one advisory addresses vulnerabilities in Cisco Unified Communications Manager. Each Advisory lists the releases that correct the vulnerability described in the Advisory. Please reference the following software table to find a release that fixes all published IOS software Advisories as of September 24th, 2008: http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml Individual publication links are listed below: http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml [Expand all sections] [Collapse all sections] Affected Products Vulnerable Products Cisco uBR10012 series devices that are running Cisco IOS and configured for linecard redundancy are affected. Cisco uBR10012 series devices can be identified by issuing the show version command. The following example shows output from a Cisco uBR10012 series device running Cisco IOS software release 12.3(17b)BC7: ubr10k#show version | include IOS IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1) ubr10k#Please refer to the document entitled "White Paper: Cisco IOS Reference Guide" for additional information on the Cisco IOS release naming conventions. This document is available at the following link: http://www.cisco.com/warp/public/620/1.html A Cisco uBR10012 series device configured for linecard redundancy will have a line similar to the following in the output of show running-config command: member subslot / workingor hccp protect Any version of Cisco IOS prior to the versions listed in the Software Versions and Fixes section below is vulnerable. Products Confirmed Not Vulnerable Cisco uBR10012 series devices that are not configured for linecard redundancy are not affected. Cisco 10000 series devices are not affected even if they are configured for linecard redundancy. Other uBR platforms are not affected. No other Cisco products are currently known to be affected by this vulnerability. Top of the section Close Section Details Cisco uBR10012 series devices need to communicate with an RF Switch when configured for linecard redundancy. This communication is based on SNMP (Simple Network Management Protocol). When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. Changing the default community string, adding access restrictions on SNMP or doing both will mitigate this vulnerability. The recommended mitigation is to do both. This vulnerability is documented in the Cisco Bug ID CSCek57932 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-3807. Top of the section Close Section Vulnerability Scoring Details Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html . Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss . CSCek57932 - SNMP enabled after redundancy is configured Calculate the environmental score of CSCek57932 CVSS Base Score - 10 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Low None Complete Complete Complete CVSS Temporal Score - 8.3 Exploitability Remediation Level Report Confidence Functional Official-Fix Confirmed Top of the section Close Section Impact Successful exploitation of the vulnerability may allow an attacker to gain complete control of the device. Top of the section Close Section Software Versions and Fixes When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. Major Release Availability of Repaired Releases Affected 12.0-Based Releases First Fixed Release Recommended Release There are no affected 12.0 based releases Affected 12.1-Based Releases First Fixed Release Recommended Release There are no affected 12.1 based releases Affected 12.2-Based Releases First Fixed Release Recommended Release 12.2 Not Vulnerable 12.2B Not Vulnerable 12.2BC Vulnerable; migrate to any release in 12.3 12.2(33)SCA1 12.3(23)BC4 12.4(15)T7 12.4(18c) 12.2BW Not Vulnerable 12.2BX Not Vulnerable 12.2BY Not Vulnerable 12.2BZ Not Vulnerable 12.2CX Vulnerable; migrate to any release in 12.3 12.2(33)SCA1 12.3(23)BC4 12.4(15)T7 12.4(18c) 12.2CY Vulnerable; migrate to any release in 12.3 12.2(33)SCA1 12.3(23)BC4 12.4(15)T7 12.4(18c) 12.2CZ Not Vulnerable 12.2DA Not Vulnerable 12.2DD Not Vulnerable 12.2DX Not Vulnerable 12.2EW Not Vulnerable 12.2EWA Not Vulnerable 12.2EX Not Vulnerable 12.2EY Not Vulnerable 12.2EZ Not Vulnerable 12.2FX Not Vulnerable 12.2FY Not Vulnerable 12.2FZ Not Vulnerable 12.2IRB Not Vulnerable 12.2IXA Not Vulnerable 12.2IXB Not Vulnerable 12.2IXC Not Vulnerable 12.2IXD Not Vulnerable 12.2IXE Not Vulnerable 12.2IXF Not Vulnerable 12.2IXG Not Vulnerable 12.2JA Not Vulnerable 12.2JK Not Vulnerable 12.2MB Not Vulnerable 12.2MC Not Vulnerable 12.2S Not Vulnerable 12.2SB Not Vulnerable 12.2SBC Not Vulnerable 12.2SCA Not Vulnerable 12.2SE Not Vulnerable 12.2SEA Not Vulnerable 12.2SEB Not Vulnerable 12.2SEC Not Vulnerable 12.2SED Not Vulnerable 12.2SEE Not Vulnerable 12.2SEF Not Vulnerable 12.2SEG Not Vulnerable 12.2SG Not Vulnerable 12.2SGA Not Vulnerable 12.2SL Not Vulnerable 12.2SM Not Vulnerable 12.2SO Not Vulnerable 12.2SRA Not Vulnerable 12.2SRB Not Vulnerable 12.2SRC Not Vulnerable 12.2SU Not Vulnerable 12.2SV Not Vulnerable 12.2SVA Not Vulnerable 12.2SVC Not Vulnerable 12.2SVD Not Vulnerable 12.2SW Not Vulnerable 12.2SX Not Vulnerable 12.2SXA Not Vulnerable 12.2SXB Not Vulnerable 12.2SXD Not Vulnerable 12.2SXE Not Vulnerable 12.2SXF Not Vulnerable 12.2SXH Not Vulnerable 12.2SY Not Vulnerable 12.2SZ Not Vulnerable 12.2T Not Vulnerable 12.2TPC Not Vulnerable 12.2XA Not Vulnerable 12.2XB Not Vulnerable 12.2XC Not Vulnerable 12.2XD Not Vulnerable 12.2XE Not Vulnerable 12.2XF Vulnerable; migrate to any release in 12.3 12.2(33)SCA1 12.3(23)BC4 12.4(15)T7 12.4(18c) 12.2XG Not Vulnerable 12.2XH Not Vulnerable 12.2XI Not Vulnerable 12.2XJ Not Vulnerable 12.2XK Not Vulnerable 12.2XL Not Vulnerable 12.2XM Not Vulnerable 12.2XN Not Vulnerable 12.2XNA Not Vulnerable 12.2XNB Not Vulnerable 12.2XO Not Vulnerable 12.2XQ Not Vulnerable 12.2XR Not Vulnerable 12.2XS Not Vulnerable 12.2XT Not Vulnerable 12.2XU Not Vulnerable 12.2XV Not Vulnerable 12.2XW Not Vulnerable 12.2YA Not Vulnerable 12.2YB Not Vulnerable 12.2YC Not Vulnerable 12.2YD Not Vulnerable 12.2YE Not Vulnerable 12.2YF Not Vulnerable 12.2YG Not Vulnerable 12.2YH Not Vulnerable 12.2YJ Not Vulnerable 12.2YK Not Vulnerable 12.2YL Not Vulnerable 12.2YM Not Vulnerable 12.2YN Not Vulnerable 12.2YO Not Vulnerable 12.2YP Not Vulnerable 12.2YQ Not Vulnerable 12.2YR Not Vulnerable 12.2YS Not Vulnerable 12.2YT Not Vulnerable 12.2YU Not Vulnerable 12.2YV Not Vulnerable 12.2YW Not Vulnerable 12.2YX Not Vulnerable 12.2YY Not Vulnerable 12.2YZ Not Vulnerable 12.2ZA Not Vulnerable 12.2ZB Not Vulnerable 12.2ZC Not Vulnerable 12.2ZD Not Vulnerable 12.2ZE Not Vulnerable 12.2ZF Not Vulnerable 12.2ZG Not Vulnerable 12.2ZH Not Vulnerable 12.2ZJ Not Vulnerable 12.2ZL Not Vulnerable 12.2ZP Not Vulnerable 12.2ZU Not Vulnerable 12.2ZX Not Vulnerable 12.2ZY Not Vulnerable 12.2ZYA Not Vulnerable Affected 12.3-Based Releases First Fixed Release Recommended Release 12.3 Not Vulnerable 12.3B Not Vulnerable 12.3BC 12.3(17b)BC8 12.3(21)BC 12.3(23)BC4 12.3BW Not Vulnerable 12.3EU Not Vulnerable 12.3JA Not Vulnerable 12.3JEA Not Vulnerable 12.3JEB Not Vulnerable 12.3JEC Not Vulnerable 12.3JK Not Vulnerable 12.3JL Not Vulnerable 12.3JX Not Vulnerable 12.3T Not Vulnerable 12.3TPC Not Vulnerable 12.3VA Not Vulnerable 12.3XA Not Vulnerable 12.3XB Not Vulnerable 12.3XC Not Vulnerable 12.3XD Not Vulnerable 12.3XE Not Vulnerable 12.3XF Not Vulnerable 12.3XG Not Vulnerable 12.3XI Not Vulnerable 12.3XJ Not Vulnerable 12.3XK Not Vulnerable 12.3XL Not Vulnerable 12.3XQ Not Vulnerable 12.3XR Not Vulnerable 12.3XS Not Vulnerable 12.3XU Not Vulnerable 12.3XW Not Vulnerable 12.3XX Not Vulnerable 12.3XY Not Vulnerable 12.3XZ Not Vulnerable 12.3YA Not Vulnerable 12.3YD Not Vulnerable 12.3YF Not Vulnerable 12.3YG Not Vulnerable 12.3YH Not Vulnerable 12.3YI Not Vulnerable 12.3YJ Not Vulnerable 12.3YK Not Vulnerable 12.3YM Not Vulnerable 12.3YQ Not Vulnerable 12.3YS Not Vulnerable 12.3YT Not Vulnerable 12.3YU Not Vulnerable 12.3YX Not Vulnerable 12.3YZ Not Vulnerable 12.3ZA Not Vulnerable Affected 12.4-Based Releases First Fixed Release Recommended Release There are no affected 12.4 based releases Top of the section Close Section Workarounds Changing SNMP community string and restricting access By default, Cisco uBR10012 series devices that are configured for linecard redundancy use a community string of private. This community string can be changed in Cisco IOS versions 12.3(13)BC and later. It is recommended to change the community string and apply access control restrictions that only permit authorized devices SNMP access to the device. The following configuration example provides operators with information on changing the community string and adding SNMP access control restrictions using an access control list (ACL). access-list 90 permit host access-list 90 permit host access-list 90 permit host access-list 90 deny any redundancy linecard-group 1 cable rf-switch snmp-community snmp-server community rw 90 When the SNMP community is changed on a Cisco uBR10012 device, is must also be changed on the RF Switch. It can be changed by the following command: set SNMP COMMUNITY If there is an up-converter in the network, the SNMP community used by the up-converter must also be changed after changing the community string on the Cisco uBR10012 device. Information on changing the community string used by the up-converter can be found at the following link: http://www.cisco.com/en/US/tech/tk86/tk804/technologies_tech_note09186a00801f7622.shtml# communication If the Cisco IOS version does not support changing the community string, access control restrictions can be applied to the default community string. The following configuration example provides operators with information on applying access control restrictions to the default community string. access-list 90 permit host access-list 90 permit host access-list 90 permit host access-list 90 deny any snmp-server community private rw 90 Using Infrastructure ACLs at Network Boundary Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. iACLs are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example shown below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range: !-- Permit SNMP (UDP port 161) packets from trusted hosts !-- destined to infrastructure addresses. ! access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161 ! !-- Deny SNMP (UDP port 161) packets from all other sources !-- destined to infrastructure addresses. ! access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161 ! !-- Permit/deny all other Layer 3 and Layer 4 traffic in !-- accordance with existing security policies and !-- configurations. ! !-- Permit all other traffic to transit the device. ! access-list 150 permit ip any any ! !-- Apply iACL to interfaces in the ingress direction. ! interface GigabitEthernet0/0 ip access-group 150 in ! The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml Additional Mitigation Techniques Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20080924-ipc-and-ubr.shtml Top of the section Close Section Obtaining Fixed Software Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml . Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. +1 800 553 2447 (toll free from within North America) +1 408 526 7209 (toll call from anywhere in the world) e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Top of the section Close Section Exploitation and Public Announcements The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found internally. Top of the section Close Section Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Top of the section Close Section Distribution This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. cust-security-announce@cisco.com first-bulletins@lists.first.org bugtraq@securityfocus.com vulnwatch@vulnwatch.org cisco@spot.colorado.edu cisco-nsp@puck.nether.net full-disclosure@lists.grok.org.uk comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Top of the section Close Section Revision History Revision 1.0 2008-Sep-24 Initial public release. [***** End Cisco Security Advisory Document ID: 107696 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) S-213: Nukedit 'email' Parameter Vulnerability S-214: SurgeMail and WebMail 'Page' Command Vulnerability S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability S-217: Drupal Multiple HTML Vulnerabilities S-218: gd Security Update S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability S-221: Learn2 STRunner ActiveX Control Vulnerabilities S-222: Evolution Security Update