Lucene search

SecurityvulnsSECURITYVULNS:DOC:1770

HistoryJun 28, 2001 - 12:00 a.m.

Security Advisory: IOS HTTP authorization vulnerability

2001-06-2800:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----

        Security Advisory: IOS HTTP authorization vulnerability

Revision 1.0 - INTERIM

For public release 2001 June 27 08:00 (UTC -0800)
_________________________________________________________________

Summary

When HTTP server is enabled and local authorization is used, it is
possible, under some circumstances, to bypass the authentication and
execute any command on the device. It that case, the user will be able
to exercise complete control over the device. All commands will be
executed with the highest privilege (level 15).

All releases of Cisco IOS® software, starting with the release 11.3
and later, are vulnerable. Virtually, all mainstream Cisco routers and
switches running Cisco IOS are affected by this vulnerability.

Products that are not running Cisco IOS software are not vulnerable.

The workaround for this vulnerability is to disable HTTP server on the
router or to use Terminal Access Controller Access Control System
(TACACS+) or Radius for authentication.

This advisory will be posted at
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

Affected Products

Any device running Cisco IOS software, starting with the release 11.3
and later is vulnerable.

Cisco devices that may be running with affected IOS software releases
include, but are not limited to:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900,
1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000,
4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200,
ubr7200, 7500, and 12000 series.
* Most recent versions of the LS1010 ATM switch.
* The Catalyst 6000 if it is running Cisco IOS software.
* The Catalyst 2900XL LAN switch only if it is running Cisco IOS
software.
* The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches
are affected.
* The Cisco Distributed Director.

For some products, the affected software releases are relatively new
and may not be available on every device listed above.

If you are not running Cisco IOS software, you are not affected by
this vulnerability.

Cisco products that do not run Cisco IOS software and are not affected
by this defect include, but are not limited to:
* 700 series dialup routers (750, 760, and 770 series).
* The Catalyst 6000 is not affected if it is not running Cisco IOS
software.
* WAN switching products in the IGX and BPX lines.
* The MGX (formerly known as the AXIS shelf).
* Host-based software.
* The Cisco PIX Firewall.
* The Cisco LocalDirector.
* The Cisco Cache Engine.

No other Cisco products are affected.

Details

By sending a crafted URL it is possible to bypass authentication and
execute any command on the router at level 15 (enable level, the most
privileged level). This will happen only if the user is using a local
database for authentication (usernames and passwords are defined on
the device itself). The same URL will not be effective against every
Cisco IOS software release and hardware combination. However, there
are only 84 different combinations to try, so it would be easy for an
attacker to test them all in a short period of time.

The URL in question folows this format:

 http://&lt;device_addres&gt;/level/xx/exec/....

Where xx is a number between 16 and 99.

This vulnerability is documented as Cisco Bug ID CSCdt93862.

Impact

An attacker can exercise complete control over the device. By
exploiting this vulnerability, the attacker can see and change
configuration of the device.

Software Versions and Fixes

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix
and the anticipated date of availability for each are listed in the
"Rebuild", "Interim", and "Maintenance" columns. A device running any
release in the given train that is earlier than the release in a
specific column (less than the earliest fixed release) is known to be
vulnerable, and it should be upgraded at least to the indicated
release or a later version (greater than the earliest fixed release
label).

When selecting a release, keep in mind the following definitions:

    Maintenance
            Most heavily tested and highly recommended release of any
            label in a given row of the table.
            
    Rebuild
            Constructed from the previous maintenance or major
            release in the same train, it contains the fix for a
            specific defect. Although it receives less testing, it
            contains only the minimal changes necessary to effect the
            repair.
            
    Interim
            Built at regular intervals between maintenance releases
            and receives less testing. Interims should be selected
            only if there is no other suitable release that addresses
            the vulnerability, and interim images should be upgraded
            to the next available maintenance release as soon as
            possible. Interim releases are not available via
            manufacturing, and usually they are not available for
            customer download from CCO without prior arrangement with
            the Cisco TAC.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco TAC for assistance as shown in the following section.

More information on IOS release names and abbreviations is available
at http://www.cisco.com/warp/public/620/1.html.

Obtaining Fixed Software

Cisco is offering free software upgrades to eliminate this
vulnerability for all affected customers.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide
Web site at http://www.cisco.com. Please do not contact either
"[email protected]" or "[email protected]" for software upgrades.

Workarounds

The workaround for this vulnerability is to disable HTTP server on the
router or to use TACACS+ or Radius for authentication.

To disable HTTP server, use the following commands:

  Router# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router&#40;config&#41;# no ip http server

In order to configure TACACS+ or Radius for authentication please
consult the following link
http://www.cisco.com/warp/public/480/tacplus.shtml

Exploitation and Public Announcements

This vulnerability has been reported to us independently by David
Hyams, Ernst & Young, Switzerland and by Bashis ([email protected]).

The Cisco PSIRT has received no reports of malicious exploitation of
this vulnerability and we are not aware of any public discussion.

Status of This Notice: INTERIM

This is an interim security advisory. Cisco anticipates issuing
updated versions of this notice at irregular intervals as there are
material changes in the facts, and will continue to update this notice
as necessary. The reader is warned that this notice may contain
inaccurate or incomplete information. Although Cisco cannot guarantee
the accuracy of all statements in this notice, all of the facts have
been checked to the best of our ability. Cisco anticipates issuing
monthly updates of this notice until it reaches FINAL status.

A standalone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution

This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html. In
addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* [email protected]
* [email protected]
* [email protected] (includes CERT/CC)
* [email protected]
* comp.dcom.sys.cisco
* [email protected]
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.

Revision History

Revision 1.0 2001-June-27 08:00 UTC -0800 Initial public release

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices.
_________________________________________________________________

This notice is Copyright 2000 by Cisco Systems, Inc. This notice may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
_________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBOzn11WiN3BRdFxkbAQEwYwf/V48sYQX3IhLJFSBJacx0OJFXuVYRcvcR
uzg6L+0gSCMcD8N1he07/lLN1B6NoM95nqZ6Mq4duedBUDRj3JgY1452/yNDUnSW
l0E8B+sxqod0P5RChpilOQvrw2z7JGySxaS4b2KHzmIME1qqa2qvGZBkRQNUZH+5
9ws/PLg/xyG1mI2321I5te5gxAtDk0cpzkOBGeYX9+REYmvQVuz6QJZceDUyx/NT
4j8Va1u0ZvRe36D6KJA+Dj4Tl7MY9OeKukoW4g0ZctsEWFh28e8E40vChJQhlCXA
sVkxbZ8KYTnF5BeIYBhwkZ1PwMRAY+MLD7KOyxvtbn2w+NZD/TNURQ==
=QO5F
-----END PGP SIGNATURE-----

JSON