A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to force affected switches and routers to crash and reboot.
To exploit this vulnerability, the IOS HTTP interface must be enabled and the attacker must transmit a request for "http://router-ip/anytext?/". Upon sending the request, the attacker will be asked for the device's "enable" password. If the password prompt is successfully answered, the software becomes trapped in a loop until a two-minute watchdog timer expires, causing the device to restart.
An attacker can force affected products to reboot, resulting in a denial-of-service while the device is restarting. In some situations, the device may not restart properly without manual intervention such as a power cycle.
Apply a patch from Cisco
Cisco has provided patches for affected versions of the IOS software. For further details, please consult the vendor section of this document.
Choose appropriate passwords
To exploit this vulnerability, an attacker must know the enable password for the affected router or switch. Therefore, devices with either an easily guessable password or no password at all are particularly vulnerable. For further information on choosing appropriate passwords, please consult the CERT Security Practice, "Configure computers for user authentication."
Disable the HTTP management interface
If it is not possible or practical to immediately patch an affected device, disable its HTTP management interface to prevent exploitation of this vulnerability.
Restrict access to the HTTP management interface
If it is not possible to disable the HTTP management interface, users should restrict outside networks from accessing it. For information on how to implement these restrictions, please consult the Cisco advisory at
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Updated: November 09, 2000
From the Cisco Advisory:
Cisco devices that may be running with affected IOS software releases include:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series. * Most recent versions of the LS1010 ATM switch. * The Catalyst 6000 _if_ it is running IOS. * The Catalyst 2900XL LAN switch _only if_ it is running IOS. * The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are affected. * The Cisco DistributedDirector.
For some products, the affected software releases are relatively new and may not be available on every device listed above.
If you are not running Cisco IOS software, you are not affected by this vulnerability.
Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to:
* 700 series dialup routers (750, 760, and 770 series) are not affected. * The Catalyst 6000 is not affected if it is not running IOS. * WAN switching products in the IGX and BPX lines are not affected. * The MGX (formerly known as the AXIS shelf) is not affected. * No host-based software is affected. * The Cisco PIX Firewall is not affected. * The Cisco LocalDirector is not affected. * The Cisco Cache Engine is not affected.
The vendor has not provided us with any further information regarding this vulnerability.
For the latest information on this vulnerability, please consult Cisco's web site at:
Group | Score | Vector
Base | |
Temporal | |
Environmental | |
The CERT/CC thanks CORE SDI for discovering this vulnerability and Cisco for the information contained in their advisory.
The CERT/CC portions of this document were written by Jeffrey P. Lanza based on information from the Cisco advisory.
CVE IDs: | CVE-2000-0984
Severity Metric: | 0.90
Date Public: | 2000-10-25
Date First Published: | 2000-11-08
Date Last Updated: | 2004-03-30 19:43 UTC
Document Revision: | 38