Multiple Cisco Products brstart sm_read_string_length Remote Code Execution

This script is Copyright (C) 2012-2017 Tenable Network Security, Inc.

Synopsis :

The monitoring application hosted on the remote server has a remote
code execution vulnerability.

Description :

A flaw exists within the brstart.exe service, which listens by
default on TCP port 9002. When handling a specially crafted SMARTS
request, the process extracts a user-provided value to allocate a
buffer via sm_read_string_length, then blindly copies user-supplied
data into this buffer on the heap. A remote, unauthenticated attacker
can exploit this vulnerability to execute arbitrary code in the
context of the service.
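
The bug class described above, seen from the defensive side, as an added example that is not Cisco, EMC or Tenable code: a length-prefixed string reader that validates the declared length before it allocates and copies. The 4-byte big-endian prefix, the name read_lp_string and the MAX_STR_LEN cap are assumptions made for illustration; the real SMARTS wire format is not given on this page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STR_LEN 4096u  /* assumed policy cap, not a value from the advisory */

enum { LP_OK = 0, LP_TRUNCATED = -1, LP_TOO_LONG = -2, LP_NOMEM = -3 };

/* Hypothetical wire format: 4-byte big-endian length, then that many bytes.
 * On success *out is a NUL-terminated heap copy and *off is advanced.
 * On any failure *out is NULL and *off is left unchanged. */
int read_lp_string(const uint8_t *msg, size_t msg_len, size_t *off, char **out)
{
    *out = NULL;
    if (*off > msg_len || msg_len - *off < 4)
        return LP_TRUNCATED;            /* no room for the length field */

    const uint8_t *p = msg + *off;
    uint32_t len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                   ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];

    if (len > MAX_STR_LEN)
        return LP_TOO_LONG;             /* cap also keeps len + 1 from wrapping */
    if ((size_t)len > msg_len - *off - 4)
        return LP_TRUNCATED;            /* declared length exceeds bytes received */

    char *buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return LP_NOMEM;

    memcpy(buf, p + 4, len);            /* copy exactly the validated length */
    buf[len] = '\0';
    *off += 4 + (size_t)len;
    *out = buf;
    return LP_OK;
}
```

The allocation size and the copy size both derive from the same validated value, so the copy can never exceed the buffer.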

Note that Cisco Unified Service Monitor prior to version 8.6, Cisco
Unified Operations Manager prior to version 8.6, and CiscoWorks LAN
Management Solution software releases 3.1, 3.2, and 4.0 are affected.

Also note that these Cisco products use a bundled EMC SMARTS
application server, in which the vulnerability resides. As such,
multiple EMC Ionix products (ESA-2011-029) are also affected, but they
are not checked by this plugin as they may have a different attack

See also :

Solution :

Upgrade to Cisco Unified Operations Manager 8.6 or later;
Upgrade to Cisco Unified Service Monitor 8.6 or later;
Apply patch and upgrade for CiscoWorks LAN Management Solution
releases 3.1, 3.2, and 4.0, with detailed instructions at

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.4
Public Exploit Available : false

Family: Gain a shell remotely

Nessus Plugin ID: 58004

Bugtraq ID: 49627

CVE ID: CVE-2011-2738
