TUCoPS :: Cisco :: cisco41.htm

Cisco HTTP Service remote management
Vulnerability

    Cisco

Affected

    All Cisco routers and switches running IOS 12.0 through 12.1 inclusive

Description

    Following is based on a CORE SDI Security Advisory  CORE-20002510.
    The  HTTP  service  facility  in  the  Cisco  IOS  provides remote
    management capabilities using  any web browser  as client.   It is
    commonly used to manage remote routers and switches with a  simple
    and  user-friendly  Web  interface.   A  flaw  in  the HTTP server
    permits an attacker with access to the HTTP service port to  crash
    the device and force a  software re-load.  The service  is enabled
    by default ONLY in Cisco 1003, 1004 and 1005 routers.

    The following list  of products are  affected if they  are running
    a release of Cisco IOS software that has the defect.  To determine
    if a Cisco product is running IOS, log in to the device and  issue
    the  command  show  version.   Classic  Cisco  IOS  software  will
    identify itself simply as "Internetwork Operating System Software"
    or "IOS (tm)" software and  will display a version number.   Other
    Cisco devices either  will not have  the show version  command, or
    will give  different output.   Cisco devices  that may  be running
    affected releases include:

        - Cisco  routers  in  the  AGS/MGS/CGS/AGS+,  IGS,  RSM,  800,
          ubr900,  1000,  2500,  2600,  3000,  3600, 3800, 4000, 4500,
          4700,  AS5200,  AS5300,  AS5800,  6400, 7000, 7200, ubr7200,
          7500, and 12000 series.
        - Most recent versions of the LS1010 ATM switch.
        - The Catalyst 6000 if it is running IOS.
        - Catalyst 2900XL LAN switch if it is running IOS.
        - The Cisco DistributedDirector.

    For some products, the affected software releases are relatively
    new and may not be available on every device listed above.

    This vulnerability was discovered by Alberto Solino of CORE SDI.

    By sending an HTTP request with the following URI:

        http://switch-server/cgi-bin/view-source?/

    The  switch  crashes  and  performs  a  software  re-load, network
    connectivity  is  disrupted  while  this  is  done.   By  repeatly
    sending such  HTTP requests,  a denial  of service  attack can  be
    performed against the switch  and the entire network  connected to
    it.

Solution

    If you  are not  running classic  Cisco IOS  software then you are
    not affected by  this vulnerability.   Cisco products that  do not
    run classic Cisco IOS software  and thus are not affected  by this
    defect include:

        - 700 series dialup routers (750, 760, and 770 series) are not
          affected
        - Catalyst  1900,  2800,  2900,  3000,  and  5000  series  LAN
          switches are not  affected except for  some versions of  the
          Catalyst 2900XL.   However, optional router  modules running
          Cisco IOS  software in  switch backplanes,  such as  the RSM
          module for the Catalyst 5000 and 5500, are affected (see the
          Affected Products section above).
        - The Catalyst 6000 is not affected if it is not running IOS.
        - WAN  switching products  in the  IGX and  BPX lines  are not
          affected.
        - The MGX (formerly known as the AXIS shelf) is not affected.
        - No host-based software is affected.
        - The Cisco PIX Firewall is not affected.
        - The Cisco LocalDirector is not affected.
        - The Cisco Cache Engine is not affected.

    For a software fix refer to the vendor field notice at:

        http://www.cisco.com/warp/public/707/httpserverquery-pub.shtml

    Or as a workaround, the following actions can be taken to  prevent
    explotation of the problem:

        - Disable  the  HTTP  service  using the global  configuration
          command:  no ip http server , or
        - Restrict access to the HTTP service port (80/tcp or as set
          by the ip http port command) using a standard access list
          on the device.  For example, if only a browser on host
          10.10.10.1 needs to remotely manage the Cisco device use the
          following global configuration command:

          access-list 1 permit 10.10.10.1 ip http access-class 1

          If access  list 1  is in  use choose  another number  in the
          range 0-99.
        - Restrict  access to  the HTTP  service on  border routers or
          devices in the network path to the service port.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH