Cisco IOS software vulnerable to DoS via HTTP request containing "?/"

2000-11-08T00:00:00
ID VU:683677
Type cert
Reporter CERT
Modified 2004-03-30T19:43:00

Overview

A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to force affected switches and routers to crash and reboot.

Description

To exploit this vulnerability, the IOS HTTP interface must be enabled and the attacker must transmit a request for "http://router-ip/anytext?/". Upon sending the request, the attacker will be asked for the device's "enable" password. If the password prompt is successfully answered, the software becomes trapped in a loop until a two-minute watchdog timer expires, causing the device to restart.


Impact

An attacker can force affected products to reboot, resulting in a denial-of-service while the device is restarting. In some situations, the device may not restart properly without manual intervention such as a power cycle.


Solution

Apply a patch from Cisco

Cisco has provided patches for affected versions of the IOS software. For further details, please consult the vendor section of this document.


Choose appropriate passwords

To exploit this vulnerability, an attacker must know the enable password for the affected router or switch. Therefore, devices with either an easily guessable password or no password at all are particularly vulnerable. For further information on choosing appropriate passwords, please consult the CERT Security Practice, "Configure computers for user authentication."

Disable the HTTP management interface

If it is not possible or practical to immediately patch an affected device, disable its HTTP management interface to prevent exploitation of this vulnerability.

Restrict access to the HTTP management interface

If it is not possible to disable the HTTP management interface, users should restrict outside networks from accessing it. For information on how to implement these restrictions, please consult the Cisco advisory at

<http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml>
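The following check is an added example, not code from CERT/CC or Cisco: it audits a saved IOS configuration against the three workarounds above (HTTP interface disabled, access restricted, enable password set). It assumes the standard IOS commands `ip http server`, `ip http access-class` with a numbered ACL, and `enable secret` / `enable password`; the function name and the sample configurations are constructed for illustration.

```python
import re

def audit_ios_http(config_text):
    """Return findings for a saved IOS running-config (plain text)."""
    def has(pattern):
        return re.search(pattern, config_text, re.M)

    findings = []
    # 'ip http server' enables the HTTP interface; 'no ip http server'
    # does not match because the pattern is anchored at line start.
    if not has(r"^ip http server\s*$"):
        return findings  # interface disabled: the "?/" request is not served
    findings.append("HTTP management interface enabled")

    # 'ip http access-class <n>' limits which sources may reach the server.
    acl = has(r"^ip http access-class (\d+)\s*$")
    if acl is None:
        findings.append("no ip http access-class: reachable from any network")
    elif not has(rf"^access-list {acl.group(1)} "):
        findings.append(f"access-list {acl.group(1)} is not defined in this config")

    # The advisory notes that devices with no enable password are most exposed.
    if not has(r"^enable (secret|password) \S"):
        findings.append("no enable secret/password set")
    return findings

# Constructed sample configurations (not taken from real devices).
SAMPLE_EXPOSED = """\
hostname edge-rtr
ip http server
line vty 0 4
"""
SAMPLE_RESTRICTED = """\
hostname core-rtr
enable secret 5 $1$constructed$placeholderhash
ip http server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""
SAMPLE_DANGLING_ACL = "enable secret 5 x\nip http server\nip http access-class 20\n"
SAMPLE_DISABLED = "hostname lab-rtr\nno ip http server\n"

if __name__ == "__main__":
    for name in ("SAMPLE_EXPOSED", "SAMPLE_RESTRICTED",
                 "SAMPLE_DANGLING_ACL", "SAMPLE_DISABLED"):
        print(name, audit_ios_http(globals()[name]))
```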

Vendor Information

Cisco Systems Inc. (Affected)

Updated: November 09, 2000

Status

Affected

Vendor Statement

From the Cisco Advisory:

Cisco devices that may be running with affected IOS software releases include:

* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
* Most recent versions of the LS1010 ATM switch.
* The Catalyst 6000 _if_ it is running IOS.
* The Catalyst 2900XL LAN switch _only if_ it is running IOS.
* The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are affected.
* The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running Cisco IOS software, you are not affected by this vulnerability.

Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to:

* 700 series dialup routers (750, 760, and 770 series) are not affected.
* The Catalyst 6000 is not affected if it is not running IOS.
* WAN switching products in the IGX and BPX lines are not affected.
* The MGX (formerly known as the AXIS shelf) is not affected.
* No host-based software is affected.
* The Cisco PIX Firewall is not affected.
* The Cisco LocalDirector is not affected.
* The Cisco Cache Engine is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For the latest information on this vulnerability, please consult Cisco's web site at:

References

* <http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml>
* <http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml>
* <http://www.core-sdi.com/advisories/cisco_ios_web_adm.htm>
* <http://www.securityfocus.com/bid/1838>
* <http://xforce.iss.net/static/5412.php>
* <http://www.cert.org/security-improvement/practices/p069.html>

Acknowledgements

The CERT/CC thanks CORE SDI for discovering this vulnerability and Cisco for the information contained in their advisory.

The CERT/CC portions of this document were written by Jeffrey P. Lanza based on information from the Cisco advisory.

Other Information

CVE IDs: | CVE-2000-0984
---|---
Severity Metric: | 0.90
Date Public: | 2000-10-25
Date First Published: | 2000-11-08
Date Last Updated: | 2004-03-30 19:43 UTC
Document Revision: | 38