Vulnerability

    Cisco

Affected

    Cisco Catalyst 3500 XL

Description

    Following is based on a  Defcom Labs Advisory def-2000-02 by  Olle
    Segerdahl.  The Catalyst 3500 XL series switches web configuration
    interface lets any user execute any command on the system  without
    logging in.

    This issue was extremely easy to find, as Cisco provides a link to
    it from the  first page of  the web configuration  service.  Cisco
    Catalyst 3500  XL series  switches have  a webserver configuration
    interface.  This interface lets any anonymous web user execute any
    command without supplying any authentication credentials by simply
    requesting  the  /exec  location  from  the webserver.  An example
    follows:

        http://catalyst/exec/show/config/cr

    This  URL  will  show  the  configuration  file,  with  all   user
    passwords.

Solution

    Cisco investigated this  issue and found  that this holds  only if
    user did  not configured  an enable  password.   The only instance
    when this is true is  when switch administrator has configured  an
    access password  (on vty  lines) but  without an  enable password.
    This situation may be confusing since admins will be prompted  for
    a password when  trying to telnet  to the switch  but will not  be
    asked  for  it  when  using  the  Web  to  access the switch.  All
    switches from 2900XL and 3500XL families share this behavior.

    Cisco suspects that this scenario  was present when Olle made  his
    discovery.

    So, make  sure an  "enable" password  is set  for all Catalysts at
    all times.   Disable the  web configuration  interface  completely
    with the following configuration line: "no ip http server".