Vulnerability: Cisco

Affected: All Cisco routers and switches running IOS 12.0 through 12.1 inclusive

Description:

The following is based on CORE SDI Security Advisory CORE-20002510.

The HTTP service facility in Cisco IOS provides remote management capabilities using any web browser as the client. It is commonly used to manage remote routers and switches through a simple, user-friendly web interface. A flaw in the HTTP server permits an attacker with access to the HTTP service port to crash the device and force a software reload. The service is enabled by default ONLY on Cisco 1003, 1004 and 1005 routers.

The products listed below are affected if they are running a release of Cisco IOS software that has the defect. To determine whether a Cisco product is running IOS, log in to the device and issue the command show version. Classic Cisco IOS software will identify itself simply as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command or will give different output.

Cisco devices that may be running affected releases include:

- Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
- Most recent versions of the LS1010 ATM switch.
- The Catalyst 6000 if it is running IOS.
- The Catalyst 2900XL LAN switch if it is running IOS.
- The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

This vulnerability was discovered by Alberto Solino of CORE SDI. When an HTTP request with the following URI is sent:

http://switch-server/cgi-bin/view-source?/

the switch crashes and performs a software reload; network connectivity is disrupted while this happens. By repeatedly sending such HTTP requests, a denial of service attack can be performed against the switch and the entire network connected to it.

Solution:

If you are not running classic Cisco IOS software, you are not affected by this vulnerability. Cisco products that do not run classic Cisco IOS software, and thus are not affected by this defect, include:

- 700 series dialup routers (750, 760, and 770 series) are not affected.
- Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not affected, except for some versions of the Catalyst 2900XL. However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and 5500, are affected (see the Affected section above).
- The Catalyst 6000 is not affected if it is not running IOS.
- WAN switching products in the IGX and BPX lines are not affected.
- The MGX (formerly known as the AXIS shelf) is not affected.
- No host-based software is affected.
- The Cisco PIX Firewall is not affected.
- The Cisco LocalDirector is not affected.
- The Cisco Cache Engine is not affected.

For a software fix, refer to the vendor field notice at:

http://www.cisco.com/warp/public/707/httpserverquery-pub.shtml

As a workaround, the following actions can be taken to prevent exploitation of the problem:

- Disable the HTTP service using the global configuration command:

  no ip http server

- Or restrict access to the HTTP service port (80/tcp, or as set by the ip http port command) using a standard access list on the device. For example, if only a browser on host 10.10.10.1 needs to remotely manage the Cisco device, use the following global configuration commands:

  access-list 1 permit 10.10.10.1
  ip http access-class 1

  If access list 1 is already in use, choose another number in the range 0-99.

- Restrict access to the HTTP service port on border routers or other devices in the network path to the service.
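To check a fleet of running-configs against the workarounds above, here is an added audit script (not part of the advisory or of any Cisco tooling). It assumes configs have been saved as plain text; the three sample configs are constructed, and the `default_enabled` flag stands in for platforms such as the 1003/1004/1005 where the HTTP server is on unless explicitly disabled.

```python
import re

# Constructed sample running-config fragments (not taken from the advisory).
VULNERABLE_CONFIG = """\
hostname edge-rtr
ip http server
ip http port 8080
"""

MITIGATED_CONFIG = """\
hostname edge-rtr
access-list 1 permit 10.10.10.1
ip http server
ip http access-class 1
"""

DISABLED_CONFIG = """\
hostname edge-rtr
no ip http server
"""


def audit_http_server(config: str, default_enabled: bool = False) -> dict:
    """Classify a config's exposure to the IOS HTTP server DoS.

    risk is 'disabled' (server off), 'restricted' (server on but gated by a
    populated access-class list) or 'exposed' (server on, no effective list).
    """
    lines = [line.strip() for line in config.splitlines()]
    if "no ip http server" in lines:
        http_enabled = False
    elif "ip http server" in lines:
        http_enabled = True
    else:  # neither form present: fall back to the platform default
        http_enabled = default_enabled
    port, access_class = 80, None  # 80/tcp unless 'ip http port N' overrides it
    for line in lines:
        if m := re.fullmatch(r"ip http port (\d+)", line):
            port = int(m.group(1))
        if m := re.fullmatch(r"ip http access-class (\d+)", line):
            access_class = int(m.group(1))
    # A referenced list with no entries is treated as no restriction at all.
    acl_defined = access_class is not None and any(
        re.fullmatch(rf"access-list {access_class} (permit|deny) .+", line)
        for line in lines)
    if not http_enabled:
        risk = "disabled"
    elif acl_defined:
        risk = "restricted"
    else:
        risk = "exposed"
    return {"http_enabled": http_enabled, "port": port,
            "access_class": access_class, "acl_defined": acl_defined, "risk": risk}
```

Run it over each saved config and act on every device reported as "exposed", remembering that an empty or missing access list does not count as a restriction.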