COMMAND
CISCO
SYSTEMS AFFECTED
- Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, 1xxx, 25xx,
26xx, 30xx, 36xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, 70xx, 72xx
(including the ubr72xx), 75xx, and 12xxx series
- Most recent versions of the LS1010 ATM switch
- Some versions of the Catalyst 2900XL LAN switch.
- The Cisco DistributedDirector
PROBLEM
Following is based on Cisco Field Notice. An error in Cisco IOS
software makes it possible for untrusted, unauthenticated users
who can gain access to the login prompt of a router or other Cisco
IOS device, via any means, to obtain fragments of text entered by
prior interactive users of the device. This text may contain
sensitive information, possibly including passwords. This
vulnerability exposes only text entered at prompts issued by the
IOS device itself; the contents of data packets forwarded by IOS
devices are not exposed, nor are data entered as part of outgoing
interactive connections, such as TELNET connections, from the IOS
device to other network nodes. The vulnerability affects the vast
majority of systems running Cisco IOS software as of this date.
The vulnerability can be exploited using direct console or
asynchronous serial connections (including dialup connections),
TELNET connections, UNIX "r" command connections, local-area
transport (LAT) connections, Maintenance Operation Protocol (MOP)
connections, X.29 connections, V.120 connections, and possibly
others. Except in extraordinary security environments,
administrators are strongly encouraged to assume that hostile
users can find ways to make interactive connections to their
Cisco IOS devices. It is not necessary to be able to actually
log in to exploit this vulnerability; simply establishing a
terminal connection is sufficient.
If attackers know the details of the Cisco IOS software error,
they will be able to obtain fragments of the last few lines of
text entered in response to IOS prompts on the physical or virtual
TTYs to which they are connected. The exact amount of recoverable
text varies, and will be split among fragments of various lines.
Nearly complete lines, and fragments tens of characters long, can
sometimes be obtained. If the previous session was brief, the
available information may include part or all of the password
that a previous user used to log into the router or to enable
privileged mode. If a previous user changed a system password,
such as the enable password, and logged out shortly thereafter, it
may be possible to recover the new password by reading the
configuration command used to make the change. This vulnerability
does not expose anything entered as part of an outgoing session
from the IOS device to another node. For example, if a user logs
into an IOS router, and then makes a TELNET connection to a remote
host, none of the data in the TELNET connection itself can be
recovered.
If you are a registered CCO user and you have logged in, you can
view bug details. This vulnerability has been assigned Cisco bug
ID CSCdk43920.
SOLUTION
Cisco devices which do not run classic Cisco IOS software, and are
not affected by this vulnerability, include the following:
* 7xx dialup routers (750, 760, and 770 series) are not
affected.
* Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are
not affected, except for some versions of the Catalyst
2900XL. However, optional router modules running Cisco IOS
software in switch backplanes, such as the RSM module for
the Catalyst 5000 and 5500, are affected.
* WAN switching products in the IGX and BPX lines are not
affected.
* The MGX (formerly known as the AXIS shelf) is not affected.
* No host-based software is affected.
* The Cisco PIX Firewall is not affected.
* The Cisco LocalDirector is not affected.
* The Cisco Cache Engine is not affected.
This vulnerability affects all releases of Classic Cisco IOS
software, including special, interim, and beta software, from 9.1
up to, but not including, the following corrected releases:
Earliest Regular Releases Earliest Interim Releases
----------- -----------
11.0(22) 11.0(21.2)
11.1(22), 11.1(22)CA, 11.1(21)CC1, 11.1(22), 11.1(21.2)CA,
11.1(22)CE 11.1(21)CC1, 11.1(21.1)CE
11.2(16), 11.2(16)P, 11.2(15.4), 11.2(15.4)P,
11.2(16)BC,11.2(8)SA4 11.2(15.4)BC, 11.2(8)SA4
11.3(6), 11.3(6)T, 11.3(6)AA, 11.3(1)MA6, 11.3(5.6), 11.3(5.6)T,
11.3(6)NA, 11.3(9)WA4 11.3(5.6)AA, 11.3(1)MA54,
11.3(5.6)NA
12.0(1), 12.0(1)T, 12.0(1)S, other 12.0 Will be integrated in initial
12.0(1)x releases
There are two major workarounds for this vulnerability:
1. Prevent untrusted users from having interactive access to
the Cisco IOS device. If only IP-based interactive access
is of concern, access can be restricted by using the ip
access-class line configuration command to apply an access
list to all virtual terminals in the system. However, it
is important to remember that non-IP-based means of making
interactive connections to Cisco IOS devices do exist, and
to eliminate those means as possible routes of attack. The
transport input command is particularly useful in
controlling the protocols that can be used to get
interactive access. Interactive access can be prevented
completely by applying the configuration command no exec
to any asynchronous line, or the command transport input
none to any virtual terminal line, that may be accessible
to untrusted users.
2. Overwrite any potentially sensitive information before
logging out of any interactive session on an IOS device.
This can be done by entering repeated spaces at an IOS
command prompt until the command interpreter will accept no
more input on the line, then pressing the "return" key.
Follow this by entering a printing character, such as "q",
repeatedly until no more input is accepted, then pressing
control-A, followed by control-K, then "return" again.
This procedure vastly reduces the probability of
information leakage, but has not been verified to
completely eliminate the possibility in all affected
versions of Cisco IOS software.