Cisco Systems Inc. Affected

Updated:  June 28, 2001

Status

Affected

Vendor Statement

Cisco has published a security advisory describing this vulnerability at http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For you convenience, a copy of this advisory (at the time it was announced) is available here: -----BEGIN PGP SIGNED MESSAGE----- Security Advisory: IOS HTTP authorization vulnerability Revision 1.0 - INTERIM For public release 2001 June 27 08:00 (UTC -0800) Summary When HTTP server is enabled and local authorization is used, it is possible, under some circumstances, to bypass the authentication and execute any command on the device. It that case, the user will be able to exercise complete control over the device. All commands will be executed with the highest privilege (level 15). All releases of Cisco IOSĀ® software, starting with the release 11.3 and later, are vulnerable. Virtually, all mainstream Cisco routers and switches running Cisco IOS are affected by this vulnerability. Products that are not running Cisco IOS software are not vulnerable. The workaround for this vulnerability is to disable HTTP server on the router or to use Terminal Access Controller Access Control System (TACACS+) or Radius for authentication. This advisory will be posted at http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html Affected Products Any device running Cisco IOS software, starting with the release 11.3 and later is vulnerable. Cisco devices that may be running with affected IOS software releases include, but are not limited to: * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series. * Most recent versions of the LS1010 ATM switch. * The Catalyst 6000 if it is running Cisco IOS software. * The Catalyst 2900XL LAN switch only if it is running Cisco IOS software. * The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are affected. * The Cisco Distributed Director. For some products, the affected software releases are relatively new and may not be available on every device listed above. If you are not running Cisco IOS software, you are not affected by this vulnerability. Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to: * 700 series dialup routers (750, 760, and 770 series). * The Catalyst 6000 is not affected if it is not running Cisco IOS software. * WAN switching products in the IGX and BPX lines. * The MGX (formerly known as the AXIS shelf). * Host-based software. * The Cisco PIX Firewall. * The Cisco LocalDirector. * The Cisco Cache Engine. No other Cisco products are affected. Details By sending a crafted URL it is possible to bypass authentication and execute any command on the router at level 15 (enable level, the most privileged level). This will happen only if the user is using a local database for authentication (usernames and passwords are defined on the device itself). The same URL will not be effective against every Cisco IOS software release and hardware combination. However, there are only 84 different combinations to try, so it would be easy for an attacker to test them all in a short period of time. The URL in question folows this format: http:///level/xx/exec/.... Where xx is a number between 16 and 99. This vulnerability is documented as Cisco Bug ID CSCdt93862. Impact An attacker can exercise complete control over the device. By exploiting this vulnerability, the attacker can see and change configuration of the device. Software Versions and Fixes Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild", "Interim", and "Maintenance" columns. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label). When selecting a release, keep in mind the following definitions: Maintenance Most heavily tested and highly recommended release of any label in a given row of the table. Rebuild Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to effect the repair. Interim Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown in the following section. More information on IOS release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html. | | Description of | | | Train | Image or | Availability of Fixed Releases* | | | Platform | | |11.0-based Releases and Earlier | Rebuild | Interim** | Maintenance | | |Multiple | | | 10.3 |releases and |Not affected | | |platforms | | | |Multiple | | | 11.0 |releases and |Not affected | | |platforms | | | 11.1-based Releases | Rebuild | Interim** | Maintenance | | |Major release | | | 11.1 |for all |Not affected | | |platforms | | | 11.2-based Releases | Rebuild | Interim** | Maintenance | | |Major release |End of Engineering | | 11.2 |for all +-----------------------------------------+ | |platforms |Not affected | | 11.3-based Releases | Rebuild | Interim** | Maintenance | | |Major release |End of Engineering | | 11.3 |for all +-----------------------------------------+ | |platforms |Upgrade recommended to 12.0(18) | | |ED for dial | | | |platforms and |Not Scheduled | | 11.3AA |access servers +-----------------------------------------+ | |5800, 5200, |Upgrade recommended to 12.1(9) | | |5300, 7200 | | | |Early deployment|End of Engineering | | 11.3DA |train for ISP | | | |DSLAM 6200 +-----------------------------------------+ | |platform |Upgrade recommended to 12.1DA | | |Early deployment| | | |train for |End of Engineering | | |ISP/Telco/PTT | | | 11.3DB |xDSL broadband +-----------------------------------------+ | |concentrator | | | |platform, (NRP) |Upgrade recommended to 12.1DB | | |for 6400 | | | |Short-lived ED |End of Engineering | | 11.3HA |release for ISR | | | |3300 (SONET/SDH +-----------------------------------------+ | |router) |Upgrade recommended to 12.0(18) | | |MC3810 |End of Engineering | | 11.3MA |functionality +-----------------------------------------+ | |only |Upgrade recommended to 12.1(9) | | |Voice over IP, | | | |media |End of Engineering | | 11.3NA |convergence, +-----------------------------------------+ | |various |Upgrade recommended to 12.1(9) | | |platforms | | | |Early deployment|End of Engineering | | 11.3T |major release, | | | |feature-rich for+-----------------------------------------+ | |early adopters |Upgrade recommended to 12.0(18) | | | |End of Engineering | | 11.3XA |Introduction of +-----------------------------------------+ | |ubr7246 and 2600|Upgrade recommended to 12.0(18) | | | |End of Engineering | | 11.3WA4 |LightStream 1010+-----------------------------------------+ | | |Upgrade to be determined | | 12.0-based Releases | Rebuild | Interim** | Maintenance | | |General | | | | | 12.0 |Deployment | | |12.0(18) | | |release for all | | | | | |platforms | | | | | | |Not Scheduled | | 12.0DA |xDSL support +-----------------------------------------+ | |6100, 6200 |Upgrade recommended to 12.1(7)DA2 | | |Early Deployment| | | |(ED) release, | | | |which delivers |Not Scheduled | | |support for the | | | 12.0DB |Cisco 6400 +-----------------------------------------+ | |Universal Access| | | |Concentrator | | | |(UAC) for Node |Upgrade recommended to 12.1(5)DB2 | | |Switch Processor| | | |(NSP). | |Early Deployment| | | |(ED) release, | | | |which delivers |Not Scheduled | | |support for the | | | 12.0DC |Cisco 6400 +-----------------------------------------+ | |Universal Access| | | |Concentrator | | | |(UAC) for Node |Upgrade recommended to 12.1DC | | |Switch Processor| | | |(NSP). | |Core/ISP | | |12.0(18)S | | 12.0S |support GSR, | | |Available | | |RSP, c7200 | | |2001-July | | 12.0SC |Cable/broadband | | |12.0(16)SC | | |ISP ubr7200 | | | | | 12.0SL |10000 ESR c10k | | | | | |Cisco IOS | | | | | |software | | | | | |Release12.0ST is| | | | | |an early | | | | | |deployment (ED) | | | | | |release for the | | | | | 12.0ST |Cisco 7200, | | | | | |7500/7000RSP and| | | | | |12000 (GSR) | | | | | |series routers | | | | | |for Service | | | | | |Providers | | | | | |(ISPs). | |Early | | | |Deployment(ED) |Not Scheduled | | 12.0T |VPN, Distributed| | | |Director, +-----------------------------------------+ | |various |Upgrade recommended to 12.1(9) | | |platforms | | | |Catalyst | | | |switches | | | |cat8510c, | | |12.0(13)W5(19c)|cat8540c, c6msm,|Not vulnerable | | |ls1010, | | | |cat8510m, | | | |cat8540m | | | |Catalyst | | | | |12.0(10)W5(18g)|switches | | |12.0(18)W5(22a) | |cat2948g, | | |2001-August-23| | |cat4232 | | | | | |Catalyst | | | | |12.0(14)W5(20) |switches | | |12.0(18)W5(22)| | |cat5000ATM | | |2001-August-03| | | |Not Scheduled | | 12.0WC | +-----------------------------------------+ | | |Upgrade to be determined | | | |Not Scheduled | | 12.0WT |cat4840g +-----------------------------------------+ | | |Upgrade to be determined | | |Early Deployment|Not Scheduled | | 12.0XA |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Short-lived |Not Scheduled | | 12.0XB |early deployment+-----------------------------------------+ | |release |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XC |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XD |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XE |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(8a)E | | |Early Deployment|Not Scheduled | | 12.0XF |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XG |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XH |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XI |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XJ |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0(5)XK |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0(7)XK |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.2 | | |Early Deployment|Not Scheduled | | 12.0XL |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XM |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.0(4)XM1 | | | |Availability date to be determined | | |Early Deployment|Not Scheduled | | 12.0XN |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XP |(ED) limited +-----------------------------------------+ | |platforms |Upgrade to be determined | | |Early Deployment|Not Scheduled | | 12.0XQ |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(9) | | |Early Deployment|Not Scheduled | | 12.0XR |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.2(1b) | | |Early Deployment|End of Engineering | | 12.0XS |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(8a)E | | |Early Deployment|Not Scheduled | | 12.0XU |(ED) limited +-----------------------------------------+ | |platforms |Upgrade to be determined | | |Early Deployment|Not Scheduled | | 12.0XV |(ED) limited +-----------------------------------------+ | |platforms |Upgrade to be determined | | 12.1-based Releases | Rebuild | Interim** | Maintenance | | |General | | | | | 12.1 |deployment | | |12.1(9) | | |release for all | | | | | |platforms | | | | | 12.1AA |Dial support | | | | | |Core/ISP | | | | | 12.1CX |support GSR, | | | | | |RSP, c7200 | | | | | 12.1DA |xDSL support |12.1(7)DA2 | | | | |6100, 6200 |2001-Jun-18 | | | | |Cisco IOS | | | | | |Software Release| | | | | |12.1(1)DB | | | | | 12.1DB |supports Cisco's| | | | | |6400 Universal | | | | | |Access | | | | | |Concentrator | | | | | |Cisco IOS | | | | | |Software Release| | | | | |12.1(1)DC | | | | | 12.1DC |supports Cisco's| | | | | |6400 Universal | | | | | |Access | | | | | |Concentrator | | | | | |Core/ISP | | | | | 12.1E |support GSR, | | |12.1(8a)E | | |RSP, c7200 | | |2001-Jul-09 | | |12.1EC is being | | | | | |offered to allow| | | | | |early support of| | | | | |new features on | | | | | |the uBR7200 | | | | | 12.1EC |platform, as | |12.1(6.5)EC3| | | |well as future | | | | | |support for new | | | | | |Universal | | | | | |Broadband Router| | | | | |headend | | | | | |platforms. | 12.1EX |Catalyst 6000 | | |12.1(8a)E | | |support | | |2001-Jul-09 | | |Cat8510c, | | | | | 12.1EY |Cat8510m, | | |12.1(6)EY | | |Cat8540c, | | | | | |Cat8540m, LS1010| | | | | |Early Deployment| | | | | 12.1EZ |(ED) special |12.1(6)EZ1 | | | | |image | | | | | |Early | | | |Deployment(ED) |Not Scheduled | | 12.1T |VPN, Distributed| | | |Director, +-----------------------------------------+ | |various |Upgrade recommended to 12.2(1b) | | |platforms | | | |Early Deployment| | | | | 12.1XA |(ED) limited | | | | | |platforms | | | | | |Early Deployment| | | | | 12.1XB |(ED) limited | | | | | |platforms | | | | | |Early Deployment| | | | | 12.1XC |(ED) limited | | | | | |platforms | | | | | |Early Deployment|Not Scheduled | | 12.1XD |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.2(1b) | | |Early Deployment| | | | | 12.1XE |(ED) limited | | | | | |platforms | | | | | |Early Deployment| | | | | 12.1XF |(ED) 811 and |12.1(2)XF4 | | | | |813 (c800 |2001-July-09 | | | | |images) | | | | | |Early Deployment| | | | | 12.1XG |(ED) 800, 805, |12.1(5)XG5 | | | | |820, and 1600 |2001-July-09 | | | | |Early Deployment|Not Scheduled | | 12.1XH |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.2(1b) | | |Early Deployment|Not Scheduled | | 12.1XI |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.2(1b) | | |Early Deployment|Not Scheduled | | 12.1XJ |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.1(5)YB4 | | |Early Deployment| | | | | 12.1XK |(ED) limited | | | | | |platforms | | | | | |Early Deployment|Not Scheduled | | 12.1XL |(ED) limited +-----------------------------------------+ | |platforms |Upgrade recommended to 12.2(1b) | | |Short-lived | | | | | 12.1XM |early deployment|12.1(4)XM4 | | | | |release |2001-June-27 | | | | |Early Deployment| | | | | 12.1XP |(ED) 1700 and |12.1(3)XP4 | | | | |SOHO | | | | | |Short-lived |Not Scheduled | | 12.1XQ |early deployment+-----------------------------------------+ | |release |Upgrade recommended to 12.2(1b) | | |Short-lived | | | | | 12.1XR |early deployment|12.1(5)XR2 | | | | |release | | | | | |Short-lived | | | | | 12.1XS |early deployment| | | | | |release | | | | | |Early Deployment| | | | | 12.1XT |(ED) 1700 |12.1(3)XT3 | | | | |series | | | | | |Early Deployment| | | | | 12.1XU |(ED) limited |12.1(5)XU1 | | | | |platforms | | | | | |Short-lived | | | | | 12.1XV |early deployment|12.1(5)XV3 | | | | |release |2001-July | | | | |Short-lived |Not Scheduled | | 12.1XW |early deployment+-----------------------------------------+ | |release |Upgrade recommended to 12.2DD | | |Short-lived | | | | | 12.1XX |early deployment| | |12.1(6)EZ | | |release | | | | | |Short-lived | | | | | 12.1XY |early deployment|12.1(5)XY6 | | | | |release |2001-July | | | | |Short-lived | | | | | 12.1XZ |early deployment|12.1(5)XZ4 | | | | |release |2001-July | | | | |Short-lived | | | | | 12.1YA |early deployment| |