search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Cisco IOS software vulnerable to DoS via HTTP request containing "%%"

Vulnerability Note VU#24346

Original Release Date: 2000-11-09 | Last Revised: 2004-03-30

Overview

There is a denial-of-service vulnerability in several Cisco switch and router products which allows an attacker to force affected devices to crash and reboot.

Description

A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software which allows an attacker to force affected switches and routers to crash and reboot. If the IOS HTTP interface is enabled and presented with a request for "http://router-ip/anytext/%%", the software becomes trapped in a loop until a two-minute watchdog timer expires, causing the device to restart.

Impact

An attacker can force affected products to reboot, resulting in a denial-of-service while the device is restarting. In some situations, the device may not restart properly without manual intervention such as a power cycle.

Solution

Apply a patch from Cisco

Cisco has released an advisory to address this issue and has provided patches for affected versions of the IOS software. For further details, please consult the vendor section of this document.

Disable the HTTP management interface


If it is not possible or practical to immediately patch an affected device, temporarily disabling its HTTP management interface will prevent exploitation of this vulnerability.

Restrict access to the HTTP management interface

If it is not possible to disable the HTTP management interface, users should restrict outside networks from accessing it. For information on how to implement these restrictions, please consult the Cisco advisory at:

Vendor Information

24346
 
Expand all

Cisco Systems Inc. Affected

Updated:  March 29, 2001

Status

Affected

Vendor Statement

From the Cisco Advisory:

The following list of products are affected if they are running a release of Cisco IOS software that has the defect. To determine if a Cisco product is running IOS, log in to the device and issue the command show version. Classic Cisco IOS software will identify itself simply as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command, or will give different output. Compare the version number obtained from the router with the versions presented in the Software Versions and Fixes section below.

Cisco devices that may be running affected releases include:

    • Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200,
    • AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
    • Most recent versions of the LS1010 ATM switch.
    • The Catalyst 6000 if it is running IOS.
    • Some versions of the Catalyst 2900XL LAN switch.
    • The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running classic Cisco IOS software then you are not affected by this vulnerability. Cisco products that do not run classic Cisco IOS software and thus are not affected by this defect include:
    • 700 series dialup routers (750, 760, and 770 series) are not affected.
    • Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not affected except for some versions of the Catalyst 2900XL.
    • However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and
    • 5500, are affected (see the Affected Products section above).
    • The Catalyst 6000 is not affected if it is not running IOS.
    • WAN switching products in the IGX and BPX lines are not affected.
    • The MGX (formerly known as the AXIS shelf) is not affected.
    • No host-based software is affected.
    • The Cisco PIX Firewall is not affected.
    • The Cisco LocalDirector is not affected.
    • The Cisco Cache Engine is not affected.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    For the latest information on this vulnerability, please consult the following Cisco Security Advisory:


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC thanks Keith Woodworth for discovering this vulnerability and Cisco for the information contained in their advisory.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2000-0380
Severity Metric: 11.25
Date Public: 2000-04-26
Date First Published: 2000-11-09
Date Last Updated: 2004-03-30 18:24 UTC
Document Revision: 14

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis