We came across a curious behavior on a number of Cisco routers, tied to the way the on-line help system presents options. It seems that, even though a regular (non-"enabled") user should not be able to see the access- lists or other security-related information in the router, one can do just that. The online help systems doesn't list the commands as being available, but out of 75 extra "show" options that are available in "enable" mode (on a 12.0(5) 3640), only 13 were actually restricted.
It seems that this has been known, to the point of being mentioned in some classes as an "insider trick", but when we looked up vulnerabilities for Cisco routers we couldn't find any reference to this. I hope that this helps document the issue and the workaround (see below).
Issue: Significant security-related information (such as access-lists) can be retrieved by an unprivileged user logged on to a Cisco router. While the on-line help system leads administrators to think that such information is not available, it is possible to obtain important information from the router.
Impact: Users with local, non-privileged, session access (such as junior administration staff telnetting to the router) can have access to sensitive information.
Workaround: a security-conscious Cisco router configuration should perform the following actions: . set the default privilege level for access lines to 0 (rather than leave at 1, the default) . using "privilege exec", specify which commands a user at level 0 can use
This will severely restrict the options a non-enabled user will have, thereby implementing a "default deny" stance on the router itself. Given the recent interest in Cisco routers (check Phrack 55 and 56), it seems to be a sensible thing to do.
Cisco's Product Security Incident Response Team has confirmed the issue and approved the recommended workaround.
A more verbose description can be found below. Thanks to Claudio Silotto (email@example.com) for help on discovering this and to Lisa Napier, from Cisco Security, for the feedback.
Cheers, Fernando Montenegro firstname.lastname@example.org --
Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series, running IOS 9.14, 11.1(21) (Distributed Director), 11.2(x) and 12.0(x). Some were tested on the local console, some over Telnet. We recently tested PIX 4.x, and found it was NOT vulnerable.
A regular user will log-on with privilege level equal to 1. This can be shown by running "show privilege" after logging on the router. For example:
User Access Verification
Username: joeuser Password: <password> Router2>sh priv Current privilege level is 1 Router2>
Now, if we try to get a list of all possible "show" commands, by doing "show ?", we get:
Router2>show privilege Current privilege level is 1 Router2>show ? backup Backup status cef Cisco Express Forwarding clock Display the system clock dialer Dialer parameters and statistics flash: display information about flash: file system history Display the session command history ...
Notice that we did not see an "access-lists" option, so the help system thinks we should not be able to run it...
Router2>show privilege Current privilege level is 1 Router2>show access-lists Standard IP access list 10 permit 172.16.0.1 deny any Extended IP access list eth0-IN permit udp host 172.16.0.1 10.11.12.0 0.0.0.255 eq snmp (14982 matches) permit udp host 172.16.0.1 10.11.13.128 0.0.0.127 eq snmp (4026 matches)
So, we can see the configuration, even though we shouldn't. We can't alter it, but even seeing the access-list is beneficial to an attacker.
Upon further testing on a 3640 running IOS 12.0(5), we got the following results: - We found 75 "show" commands that are supposed to be available only in enable mode. Meaning: the difference between "show ?" in enabled and disabled mode was this 75 commands - Out of 75, only 13 were truly restricted. The other 62 were available to be viewed by a session in a disabled mode. - Out of the 62 that were viewable, we counted 7 as being potentially very dangerous. "show ip" is one of them, as well as "show cdp", "show logging", "show cdp", "show vlans". There are others, but I don't have my list with me right now. - By combining "show ip" and "show access-lists" we had a very clear picture of how access-lists were distributed in the router.
One way to solve the issue is to require more privilege to run the show command. This can be accomplished by the following configuration command:
privilege exec level 15 show
Another, more efficient way, is to have users log in at level 0, as opposed to "1". Then, one needs to specify which commands will be "downgraded" to level 0. By doing this, we're "jailing" the user at level 0, leaving him/her only the commands we specifically downgraded.