The flaw lies in the way Security Manager — which configures firewalls, VPN and intrusion prevention systems (IPS) — interacts with Cisco IPS Event Viewer (IEV). When IEV is launched, it opens several remotely available TCP ports on the Cisco Security Manager server and client. These ports could allow a cybercriminal to gain root access to the IEV database and server, and modify, add or delete devices that the Event Viewer recognizes.
Also, when Cisco IEV is closed, it leaves open ports on the Security Manager server, potentially allowing the server to be compromised.
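One way an administrator can verify the behaviour described above on their own server is to snapshot the listening TCP sockets before launching IEV and again after closing it, then report any remotely reachable listener that appeared in between. The script below is an added example written for this page, not code from Cisco or from the advisory; it parses constructed text modelled on Windows `netstat -ano` output, and every port number and process id in the samples is a placeholder, not a value taken from the advisory.

```python
"""Find TCP listeners that remain open after an application is closed.

Added example: the two netstat snapshots below are constructed input in the
shape of Windows `netstat -ano` output. Ports and PIDs are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


# Matches only TCP sockets in the LISTENING state; UDP rows and established
# connections are ignored because they are not what this check is about.
LISTEN_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$"
)

# Constructed snapshot taken before IEV is launched (placeholder values).
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1234
"""

# Constructed snapshot taken after IEV has been closed (placeholder values).
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:50001        0.0.0.0:0              LISTENING       2345
  TCP    0.0.0.0:50002          0.0.0.0:0              LISTENING       2345
  TCP    192.0.2.10:50003       0.0.0.0:0              LISTENING       2345
  TCP    192.0.2.10:443         198.51.100.7:52113     ESTABLISHED     1234
"""


def parse_netstat(text):
    """Return the TCP listeners found in a netstat -ano style listing."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            proto, addr, port, pid = m.groups()
            listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners


def remotely_reachable(listener):
    """Loopback-bound sockets are local only; anything else can be hit
    from the network."""
    return not listener.addr.startswith("127.")


def leftover_listeners(before_text, after_text):
    """Listeners present after the application closed but absent before,
    keyed on address:port so a PID change alone is not reported."""
    before = {(l.addr, l.port) for l in parse_netstat(before_text)}
    return [
        l for l in parse_netstat(after_text)
        if (l.addr, l.port) not in before and remotely_reachable(l)
    ]


if __name__ == "__main__":
    for l in leftover_listeners(BEFORE, AFTER):
        print(f"leftover listener {l.addr}:{l.port} owned by PID {l.pid}")
```

Run with real snapshots by replacing the two constructed strings with the captured `netstat -ano` output; a non-empty result after the application has exited is the condition to investigate, and the PID column tells you which process still owns the socket.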
The vulnerability affects the 3.1, 3.1.1, 3.2 and 3.2.1 versions of Security Manager. Versions 3.0x and 3.2.2 are not affected. A link to a patch for the vulnerability is provided on the Cisco website in security advisory cisco-sa-20090121-csm. One possible workaround is to disable IEV, if it is not already in use, until the system is patched.
Cisco has seen no reports of exploit code in the wild for this vulnerability, or any reports of attacks.
The company normally releases security patches every six months, in March and September. Cisco only releases out-of-cycle patches for flaws it considers serious or critical.