[nsp] Cisco Security Advisory: IOS HTTP authorization vulnerability

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Jun 27 2001 - 11:12:52 EDT

Next message: Cisco Systems Product Security Incident Response Team: "[nsp] Cisco Security Advisory: Multiple SSH vulnerabilities"
Previous message: Stefan M. Brandl: "[nsp] C800 and tacacs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

-----BEGIN PGP SIGNED MESSAGE-----

Security Advisory: IOS HTTP authorization vulnerability

Revision 1.0 - INTERIM

  For public release 2001 June 27 08:00 (UTC -0800)
     _________________________________________________________________

Summary

   When HTTP server is enabled and local authorization is used, it is
   possible, under some circumstances, to bypass the authentication and
   execute any command on the device. It that case, the user will be able
   to exercise complete control over the device. All commands will be
   executed with the highest privilege (level 15).

   All releases of Cisco IOSŽ software, starting with the release 11.3
   and later, are vulnerable. Virtually, all mainstream Cisco routers and
   switches running Cisco IOS are affected by this vulnerability.

   Products that are not running Cisco IOS software are not vulnerable.

   The workaround for this vulnerability is to disable HTTP server on the
   router or to use Terminal Access Controller Access Control System
   (TACACS+) or Radius for authentication.

   This advisory will be posted at
   http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

Affected Products

   Any device running Cisco IOS software, starting with the release 11.3
   and later is vulnerable.

   Cisco devices that may be running with affected IOS software releases
   include, but are not limited to:
     * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900,
       1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000,
       4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200,
       ubr7200, 7500, and 12000 series.
     * Most recent versions of the LS1010 ATM switch.
     * The Catalyst 6000 if it is running Cisco IOS software.
     * The Catalyst 2900XL LAN switch only if it is running Cisco IOS
       software.
     * The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches
       are affected.
     * The Cisco Distributed Director.

   For some products, the affected software releases are relatively new
   and may not be available on every device listed above.

   If you are not running Cisco IOS software, you are not affected by
   this vulnerability.

   Cisco products that do not run Cisco IOS software and are not affected
   by this defect include, but are not limited to:
     * 700 series dialup routers (750, 760, and 770 series).
     * The Catalyst 6000 is not affected if it is not running Cisco IOS
       software.
     * WAN switching products in the IGX and BPX lines.
     * The MGX (formerly known as the AXIS shelf).
     * Host-based software.
     * The Cisco PIX Firewall.
     * The Cisco LocalDirector.
     * The Cisco Cache Engine.

   No other Cisco products are affected.

Details

   By sending a crafted URL it is possible to bypass authentication and
   execute any command on the router at level 15 (enable level, the most
   privileged level). This will happen only if the user is using a local
   database for authentication (usernames and passwords are defined on
   the device itself). The same URL will not be effective against every
   Cisco IOS software release and hardware combination. However, there
   are only 84 different combinations to try, so it would be easy for an
   attacker to test them all in a short period of time.

   The URL in question folows this format:

     http://>/level/xx/exec/....

   Where xx is a number between 16 and 99.

   This vulnerability is documented as Cisco Bug ID CSCdt93862.

Impact

   An attacker can exercise complete control over the device. By
   exploiting this vulnerability, the attacker can see and change
   configuration of the device.

Software Versions and Fixes

   Each row of the table describes a release train and the platforms or
   products for which it is intended. If a given release train is
   vulnerable, then the earliest possible releases that contain the fix
   and the anticipated date of availability for each are listed in the
   "Rebuild", "Interim", and "Maintenance" columns. A device running any
   release in the given train that is earlier than the release in a
   specific column (less than the earliest fixed release) is known to be
   vulnerable, and it should be upgraded at least to the indicated
   release or a later version (greater than the earliest fixed release
   label).

   When selecting a release, keep in mind the following definitions:

        Maintenance
                Most heavily tested and highly recommended release of any
                label in a given row of the table.

        Rebuild
                Constructed from the previous maintenance or major
                release in the same train, it contains the fix for a
                specific defect. Although it receives less testing, it
                contains only the minimal changes necessary to effect the
                repair.

        Interim
                Built at regular intervals between maintenance releases
                and receives less testing. Interims should be selected
                only if there is no other suitable release that addresses
                the vulnerability, and interim images should be upgraded
                to the next available maintenance release as soon as
                possible. Interim releases are not available via
                manufacturing, and usually they are not available for
                customer download from CCO without prior arrangement with
                the Cisco TAC.

   In all cases, customers should exercise caution to be certain the
   devices to be upgraded contain sufficient memory and that current
   hardware and software configurations will continue to be supported
   properly by the new release. If the information is not clear, contact
   the Cisco TAC for assistance as shown in the following section.

   More information on IOS release names and abbreviations is available
   at http://www.cisco.com/warp/public/620/1.html.

   Cisco is offering free software upgrades to eliminate this
   vulnerability for all affected customers.

   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained through the Software Center on Cisco's Worldwide
   Web site at http://www.cisco.com. Please do not contact either
   "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

   The workaround for this vulnerability is to disable HTTP server on the
   router or to use TACACS+ or Radius for authentication.

   To disable HTTP server, use the following commands:

      Router# configure terminal
      Enter configuration commands, one per line. End with CNTL/Z.
      Router(config)# no ip http server

   In order to configure TACACS+ or Radius for authentication please
   consult the following link
   http://www.cisco.com/warp/public/480/tacplus.shtml

Exploitation and Public Announcements

   This vulnerability has been reported to us independently by David
   Hyams, Ernst & Young, Switzerland and by Bashis (bash@ns.wcd.se).

   The Cisco PSIRT has received no reports of malicious exploitation of
   this vulnerability and we are not aware of any public discussion.

Status of This Notice: INTERIM

   This is an interim security advisory. Cisco anticipates issuing
   updated versions of this notice at irregular intervals as there are
   material changes in the facts, and will continue to update this notice
   as necessary. The reader is warned that this notice may contain
   inaccurate or incomplete information. Although Cisco cannot guarantee
   the accuracy of all statements in this notice, all of the facts have
   been checked to the best of our ability. Cisco anticipates issuing
   monthly updates of this notice until it reaches FINAL status.

   A standalone copy or paraphrase of the text of this security advisory
   that omits the distribution URL in the following section is an
   uncontrolled copy, and may lack important information or contain
   factual errors.

Distribution

   This notice will be posted on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html. In
   addition to Worldwide Web posting, a text version of this notice is
   clear-signed with the Cisco PSIRT PGP key and is posted to the
   following e-mail and Usenet news recipients:
     * cust-security-announce@cisco.com
     * bugtraq@securityfocus.com
     * first-teams@first.org (includes CERT/CC)
     * cisco@spot.colorado.edu
     * comp.dcom.sys.cisco
     * firewalls@lists.gnac.com
     * Various internal Cisco mailing lists

   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.

Revision History

Revision 1.0 2001-June-27 08:00 UTC -0800 Initial public release

Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and
   registering to receive security information from Cisco, is available
   on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
   This includes instructions for press inquiries regarding Cisco
   security notices.
     _________________________________________________________________

   This notice is Copyright 2000 by Cisco Systems, Inc. This notice may
   be redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified,
   and include all date and version information.
     _________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBOzn11WiN3BRdFxkbAQEwYwf/V48sYQX3IhLJFSBJacx0OJFXuVYRcvcR
uzg6L+0gSCMcD8N1he07/lLN1B6NoM95nqZ6Mq4duedBUDRj3JgY1452/yNDUnSW
l0E8B+sxqod0P5RChpilOQvrw2z7JGySxaS4b2KHzmIME1qqa2qvGZBkRQNUZH+5
9ws/PLg/xyG1mI2321I5te5gxAtDk0cpzkOBGeYX9+REYmvQVuz6QJZceDUyx/NT
4j8Va1u0ZvRe36D6KJA+Dj4Tl7MY9OeKukoW4g0ZctsEWFh28e8E40vChJQhlCXA
sVkxbZ8KYTnF5BeIYBhwkZ1PwMRAY+MLD7KOyxvtbn2w+NZD/TNURQ==
=QO5F
-----END PGP SIGNATURE-----

Next message: Cisco Systems Product Security Incident Response Team: "[nsp] Cisco Security Advisory: Multiple SSH vulnerabilities"
Previous message: Stefan M. Brandl: "[nsp] C800 and tacacs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:43 EDT