CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.968 High
Percentile: 99.7%
A vulnerability in Cisco Content Services Switches (Arrowpoint) allows a valid user to gain administrative access.
Cisco CSS switches run Cisco WebNS software. A user with a valid account on a CSS device can gain unauthorized administrative access to the device. See the Cisco advisory available at <http://www.cisco.com/warp/public/707/arrowpoint-useraccnt-debug-pub.shtml> for more information.
Local users can gain administrative access to the switch.
Update to version 4.01B19s of Cisco WebNS software.
174248
Updated: April 27, 2001
Affected
Revision 1.0
For Public Release 2001 April 04 08:00 (UTC -0700)
------------------------------------------------------------------------
Summary
The Cisco Content Services (CSS) switch product, also known as Arrowpoint,
To remove the vulnerability, Cisco is offering free software upgrades to
This advisory is available at
Affected Products
The CSS switch is also known as the Arrowpoint product, and runs the Cisco
Cisco CSS 11050, CSS 11150, and CSS 11800 hardware platforms are affected
If the switch is running a version prior to 4.01B19s, then it is affected
Details
A non-privileged user can issue a series of keystrokes to enter the debug
Impact
This vulnerability allows a non-privileged user to become a super-user,
Cisco Bug ID CSCdt32570 describes this vulnerability.
Software Versions and Fixes
CSCdt32570 is resolved in version 4.01B19s of Cisco WebNS software.
Obtaining Fixed Software
Cisco is offering free software upgrades to eliminate this vulnerability
for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco’s Worldwide Web
site at <http://www.cisco.com>. Specifically, this fix can be found at
<http://www.cisco.com/cgi-bin/tablebuild.pl/webns>. Customers whose Cisco
products are provided or maintained through prior or existing agreement
with third-party support organizations such as Cisco Partners, authorized
resellers, or service providers should contact that support organization
for assistance with the upgrade, which should be free of charge.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
See <http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml> for
Give the URL of this notice as evidence of your entitlement to a free
Workarounds
Access control lists can be applied to restrict access to the Cisco CSS
<http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles>
<http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql>
Additionally, the use of SSH to prevent snooping of the management traffic
Telnet service can also be disabled. This is not a feasible option for many
CS150(config)# telnet access disabled
Exploitation and Public Announcements
Cisco knows of no public announcements or discussion of this vulnerability
Status of This Notice: FINAL
This is a final field notice. Although Cisco cannot guarantee the accuracy
Distribution
This notice will be posted on Cisco’s Worldwide Web site at
* [email protected]
Future updates of this notice, if any, will be placed on Cisco’s Worldwide
Revision History
Revision 2001-04-04 Initial public release
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
------------------------------------------------------------------------
This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be
------------------------------------------------------------------------
The vendor has not provided us with any further information regarding this vulnerability.
The Cisco advisory can be found at <http://www.cisco.com/warp/public/707/arrowpoint-useraccnt-debug-pub.shtml>.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23174248 Feedback>).
Our thanks to Cisco for the information provided in their advisory.
This document was written by Shawn V. Hernan.
CVE IDs: | CVE-2001-0414 |
---|---|
Severity Metric: | 13.50 |
Date Public: | |