
CERT Coordination Center

Cisco IOS software vulnerable to DoS via HTTP request containing "?/"

Vulnerability Note VU#683677

Original Release Date: 2000-11-08 | Last Revised: 2004-03-30

Overview

A vulnerability exists in multiple versions of Cisco's Internetworking Operating System (IOS) software that allows an attacker to force affected switches and routers to crash and reboot.

Description

To exploit this vulnerability, the IOS HTTP interface must be enabled and the attacker must transmit a request for "http://router-ip/anytext?/". Upon sending the request, the attacker will be asked for the device's "enable" password. If the password prompt is successfully answered, the software becomes trapped in a loop until a two-minute watchdog timer expires, causing the device to restart.

Impact

An attacker can force affected products to reboot, resulting in a denial-of-service while the device is restarting. In some situations, the device may not restart properly without manual intervention such as a power cycle.

Solution

Apply a patch from Cisco

Cisco has provided patches for affected versions of the IOS software. For further details, please consult the vendor section of this document.

Choose appropriate passwords


To exploit this vulnerability, an attacker must know the enable password for the affected router or switch. Therefore, devices with either an easily guessable password or no password at all are particularly vulnerable. For further information on choosing appropriate passwords, please consult the CERT Security Practice, "Configure computers for user authentication."

Disable the HTTP management interface

If it is not possible or practical to immediately patch an affected device, disable its HTTP management interface to prevent exploitation of this vulnerability.

Restrict access to the HTTP management interface

If it is not possible to disable the HTTP management interface, users should restrict outside networks from accessing it. For information on how to implement these restrictions, please consult the Cisco advisory at
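An added example, not part of the CERT/CC note or the Cisco advisory: a Python check that audits a saved running-config against the three workarounds above (HTTP interface disabled, access restricted, enable password set). The IOS configuration lines `ip http server`, `ip http access-class` and `enable secret` are standard commands that are not quoted on this page; the function name and the sample configs are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not from any real device).
EXPOSED = """\
hostname edge-rtr-1
ip http server
line vty 0 4
 login
"""
RESTRICTED = """\
hostname edge-rtr-2
enable secret 5 $1$constructed$placeholderhash
ip http server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""
DISABLED = """\
hostname edge-rtr-3
enable secret 5 $1$constructed$placeholderhash
no ip http server
"""


def audit_ios_config(config):
    """Return findings for the workarounds listed in this note (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines()]
    http_on = False
    for ln in lines:  # a later 'no ip http server' overrides an earlier enable
        if ln == "ip http server":
            http_on = True
        elif ln == "no ip http server":
            http_on = False
    if not http_on:
        return []  # workaround "disable the HTTP management interface" is in place
    findings = ["HTTP management interface enabled (ip http server)"]
    acl = None
    for ln in lines:
        m = re.match(r"ip http access-class (?:ipv4 )?(\S+)", ln)
        if m:
            acl = m.group(1)
    if acl is None:
        findings.append("no 'ip http access-class': interface not restricted by ACL")
    elif not any(re.match(r"(?:ip )?access-list (?:standard )?%s\b" % re.escape(acl), ln)
                 for ln in lines):
        findings.append("access-class %s is not defined in this config" % acl)
    if not any(re.match(r"enable (?:secret|password)\s+\S", ln) for ln in lines):
        findings.append("no enable secret/password configured")
    return findings
```

An empty result means the HTTP interface is off; a device that reports only the first finding still needs the Cisco patch, since the access list limits who can reach the interface but does not remove the defect.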

Vendor Information


Cisco Systems Inc. Affected

Updated:  November 09, 2000

Status

Affected

Vendor Statement

From the Cisco Advisory:

Cisco devices that may be running with affected IOS software releases include:

    • Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
    • Most recent versions of the LS1010 ATM switch.
    • The Catalyst 6000 if it is running IOS.
    • The Catalyst 2900XL LAN switch only if it is running IOS.
    • The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are affected.
    • The Cisco DistributedDirector.
For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running Cisco IOS software, you are not affected by this vulnerability.

Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to:
    • 700 series dialup routers (750, 760, and 770 series) are not affected.
    • The Catalyst 6000 is not affected if it is not running IOS.
    • WAN switching products in the IGX and BPX lines are not affected.
    • The MGX (formerly known as the AXIS shelf) is not affected.
    • No host-based software is affected.
    • The Cisco PIX Firewall is not affected.
    • The Cisco LocalDirector is not affected.
    • The Cisco Cache Engine is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For the latest information on this vulnerability, please consult Cisco's web site at:


Acknowledgements

The CERT/CC thanks CORE SDI for discovering this vulnerability and Cisco for the information contained in their advisory.

The CERT/CC portions of this document were written by Jeffrey P. Lanza based on information from the Cisco advisory.

Other Information

CVE IDs: CVE-2000-0984
Severity Metric: 0.90
Date Public: 2000-10-25
Date First Published: 2000-11-08
Date Last Updated: 2004-03-30 19:43 UTC
Document Revision: 38

Sponsored by CISA.