COMMAND
Cisco
SYSTEMS AFFECTED
Cisco IOS devices with the HTTP server enabled (ip http server)
PROBLEM
Keith Woodworth found the following. If you have:
ip http server
in your running config (not a great idea to have on a live router)
and you request:
http://<router-ip>/%%
the router crashes. It was confirmed on a 1005 running 11.1(24),
and another fellow said it worked on his 2621 and 2524 (though he
didn't give IOS versions). For a detailed list of affected Cisco
products, see the solution section.
SOLUTION
A workaround is to turn off management via HTTP by configuring:
no ip http server
and saving the configuration so that it is not enabled at the
next reload.
The following products are affected if they are running a release
of Cisco IOS software that has the defect. To determine
if a Cisco product is running IOS, log in to the device and issue
the command show version. Classic Cisco IOS software will
identify itself simply as "Internetwork Operating System Software"
or "IOS (tm)" software and will display a version number. Other
Cisco devices either will not have the show version command, or
will give different output. Compare the version number obtained
from the router with the versions presented in the Software
Versions and Fixes section below. Cisco devices that may be
running affected releases include:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900,
1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200,
AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000
series.
* Most recent versions of the LS1010 ATM switch.
* The Catalyst 6000 if it is running IOS.
* Some versions of the Catalyst 2900XL LAN switch.
* The Cisco DistributedDirector.
The following table summarizes the major releases of Cisco IOS
software affected by the defect described in this notice and
scheduled dates on which the earliest corresponding fixed releases
will be available. All dates are tentative and subject to change.
Each row of the table shows the earliest release that contains the
fix for the vulnerability in the "Rebuild", "Interim", or
"Maintenance" columns, presented in release number order.
A Maintenance Release is the most heavily-tested and
highly-recommended release in a given row. A Rebuild Release is
constructed from the previous maintenance or mainline release
with the addition of a code fix for the specific defect. Although
it receives less testing than a maintenance release, it is built
from the previous maintenance release and includes only the
minimum changes necessary to address the specific defect. An
Interim Release has much less testing than a maintenance release
and should be selected only if there is no other suitable release
that fixes the defect.
---------+------------------+-------------------------------------------
Major | Description or |
Release | Platform | Availability of Repaired Releases*
---------+------------------+-------------+--------------+--------------
Unaffected Earlier Releases | Rebuild | Interim** | Maintenance
---------+------------------+-------------+--------------+--------------
11.0 & | | | |
earlier, | | Not | Not |
all | Numerous | vulnerable | vulnerable | Not vulnerable
variants | | | |
---------+------------------+-------------+--------------+--------------
11.1-based Releases | Rebuild | Interim** | Maintenance
---------+------------------+-------------+--------------+--------------
| General | | |
11.1 | Deployment (GD): | Unavailable | Unavailable | Unavailable
| all platforms | | |
---------+------------------+-------------+--------------+--------------
| | | 11.1(33.2)CA | 11.1(34)CA
11.1CA | Core/ISP support:| | |
| rsp, c7200 | | |
| | | 2000-05-08 | 2000-05-30
---------+------------------+-------------+--------------+--------------
| | 11.1(33)CC1 | 11.1(33.1)CC | 11.1(34)CC
11.1CC | FIB support: rsp,| | |
| c7200 | | |
| | 2000-05-10 | 2000-05-22 | 2000-06-12
---------+------------------+-------------+--------------+--------------
11.2-based Releases | Rebuild | Interim** | Maintenance
---------+------------------+-------------+--------------+--------------
| General | 11.2(22a) | 11.2(22.2) | 11.2(23)
11.2 | Deployment (GD): | | |
| all platforms | 2000-05-29 | 2000-05-08 | 2000-07-10
---------+------------------+-------------+--------------+--------------
| IBM networking, | 11.2(22a)BC | 11.2(22.1)BC |
11.2BC | CIP & TN3270 | | |
| support: rsp | 2000-05-31 | 2000-05-05 |
---------+------------------+-------------+--------------+--------------
| | 11.2(22a)P | 11.2(22.2)P | 11.2(23)P
11.2P | All platforms | | |
| | 2000-05-29 | 2000-05-08 | 2000-07-17
---------+------------------+-------------+--------------+--------------
11.3-based Releases | Rebuild | Interim** | Maintenance
---------+------------------+-------------+--------------+--------------
| xDSL access | 11.3(1)DA9 | |
11.3DA | multiplexer: | | |
| c6200 | 2000-05-31 | |
---------+------------------+-------------+--------------+--------------
12.0-based Releases | Rebuild | Interim** | Maintenance
---------+------------------+-------------+--------------+--------------
| General | 12.0(11a) | 12.0(11.1) | 12.0(12)
12.0 | Deployment (GD): | | |
| all platforms | 2000-05-31 | 2000-05-22 | 2000-07-17
---------+------------------+-------------+--------------+--------------
| | 12.0(8)DA5 | |
12.0DA | xDSL support: | | |
| 6100, 6200 | | |
| | 2000-05-31 | |
---------+------------------+-------------+--------------+--------------
| | 12.0(10)S1 | 12.0(10.6)S | 12.0(11)S
12.0S | Core/ISP support:| | |
| gsr, rsp, c7200 | | |
| | 2000-05-03 | 2000-05-15 | 2000-05-29
---------+------------------+-------------+--------------+--------------
| | | 12.0(10.6)SC | 12.0(11)SC
12.0SC | Cable/broadband | | |
| ISP: ubr7200 | | |
| | | 2000-05-15 | 2000-05-30
---------+------------------+-------------+--------------+--------------
| | 12.0(9)SL1 | | 12.0(10)SL
12.0SL | 10000 ESR: c10k | | |
| | 2000-05-15 | | 2000-05-31
---------+------------------+-------------+--------------+--------------
| | 12.0(9)ST1 | | 12.0(10)ST
12.0ST | MPLS/VPN support:| | |
| gsr, rsp, c7200 | | |
| | 2000-05-31 | | 2000-06-12
---------+------------------+-------------+--------------+--------------
| cat8510c, | | | 12.0(5)W5(13d)
| cat8540c, c6msm | | |
| | | | 2000-05-19
+------------------+-------------+--------------+--------------
| ls1010, cat8510m,| | | 12.0(7)W5(15c)
| cat8540m | | |
| | | | 2000-05-08
+------------------+-------------+--------------+--------------
12.0W5 | | | | 12.0(7)W5(15d)
| cat2948g, cat4232| | |
| | | | 2000-05-12
+------------------+-------------+--------------+--------------
| c5atm, c5atm, | | | 12.0(9)W5(17a)
| c3620, c3640, | | |
| c4500, c5rsfc, | | |
| c5rsm, c7200, rsp| | | 2000-05-22
---------+------------------+-------------+--------------+--------------
12.1-based Releases | Rebuild | Interim** | Maintenance
---------+------------------+-------------+--------------+--------------
| General | 12.1(1b) | 12.1(2.1) | 12.1(3)
12.1 | Deployment (GD) | | |
| candidate: all | | |
| platforms | 2000-05-01 | 2000-05-15 | 2000-07-10
---------+------------------+-------------+--------------+--------------
| Access & Dial | | |
| Early Deployment | 12.1(1)AA2 | | 12.1(2)AA
12.1AA | (ED): c5200, | | |
| c5300, c5800, | 2000-05-31 | | 2000-05-22
| dsc-c5800 | | |
---------+------------------+-------------+--------------+--------------
| | | | 12.1(1)DA
12.1DA | xDSL support: | | |
| 6160, 6260 | | |
| | | | 2000-05-11
---------+------------------+-------------+--------------+--------------
| | | | 12.1(1)DB
12.1DB | xDSL support: | | |
| c6400 | | |
| | | | 2000-05-30
---------+------------------+-------------+--------------+--------------
| | | | 12.1(1)DC
12.1DC | xDSL NRP support:| | |
| c6400r | | |
| | | | 2000-05-15
---------+------------------+-------------+--------------+--------------
| ELB Early | | |
| Deployment (ED): | 12.1(1)E2 | | 12.1(2)E
12.1E | cat6k, 8500, | | |
| ls1010, 7500, | 2000-05-04 | | 2000-05-30
| 7200, 7100 | | |
---------+------------------+-------------+--------------+--------------
| Cable/broadband | | | 12.1(2)EC
12.1EC | Early Deployment | | |
| (ED): ubr7200 | | | 2000-05-30
---------+------------------+-------------+--------------+--------------
| New technology | | 12.1(2.0.1)T2| 12.1(2)T
12.1T | Early Deployment | | |
| (ED): all | | |
| platforms | | 2000-05-01 | 2000-05-22
---------+------------------+-------------+--------------+--------------
| | 12.1(1)XA3 | | 12.1(2)T***
12.1XA*** | Obsolete | | |
| | 2000-05-31 | | 2000-05-22
---------+------------------+-------------+--------------+--------------
| Early Deployment | | | 12.1(1)XD
12.1XD | (ED): limited | | |
| platforms | | | 2000-05-15
---------+------------------+-------------+--------------+--------------
| Early Deployment | | | 12.1(1)XE
12.1XE | (ED): limited | | |
| platforms | | | 2000-05-08
---------+------------------+-------------+--------------+--------------
Notes
------------------------------------------------------------------------
* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than
regular maintenance releases, and may have serious bugs.
*** 12.1XA is obsolete. Customers should upgrade to 12.1(2)T when it
becomes available. This is not a misprint.
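The two checks the solution section asks an administrator to make (is "ip http server" in the running config, and is the running IOS release at or after a repaired release from the table) can be automated against saved "show version" and "show running-config" output. The script below is an added example written for this digest; it is not Cisco's code and the advisory provides no such tool. The fixed-release dictionary is a subset transcribed from the table above, and the rules for ordering IOS version strings (a letter inside the parentheses or a number after the train name is a rebuild, an "n.x" build is an interim of maintenance release n) are this script's own assumptions. It is deliberately conservative: an interim build is reported fixed only when the table lists a fixed interim at or before it, so some fixed builds may be flagged for manual checking.

```python
"""Check Cisco IOS 'show version' and running-config text against the
advisory's repaired-release table and its 'no ip http server' workaround.

Added example for this digest, not Cisco's code.  FIXED is a subset of the
table in the advisory; the version-ordering rules are assumptions.
"""
import re

# Earliest repaired releases per major release (subset of the advisory table).
# "11.1" (GD) has no repaired release ("Unavailable"), hence the empty list.
FIXED = {
    "11.1":   [],
    "11.1CA": ["11.1(33.2)CA", "11.1(34)CA"],
    "11.1CC": ["11.1(33)CC1", "11.1(33.1)CC", "11.1(34)CC"],
    "11.2":   ["11.2(22a)", "11.2(22.2)", "11.2(23)"],
    "11.2P":  ["11.2(22a)P", "11.2(22.2)P", "11.2(23)P"],
    "12.0":   ["12.0(11a)", "12.0(11.1)", "12.0(12)"],
    "12.0S":  ["12.0(10)S1", "12.0(10.6)S", "12.0(11)S"],
    "12.1":   ["12.1(1b)", "12.1(2.1)", "12.1(3)"],
    "12.1E":  ["12.1(1)E2", "12.1(2)E"],
    "12.1T":  ["12.1(2.0.1)T2", "12.1(2)T"],
}

# major.minor(maint[.interim ...][rebuild-letter])TRAIN[rebuild-number]
# Assumption: "11.2(22a)" and "12.0(10)S1" both denote rebuild 1 of that line.
# Strings with a second parenthesised group, e.g. 12.0(5)W5(13d), do not match.
_VER = re.compile(r"(\d+)\.(\d+)\((\d+)((?:\.\d+)*)([a-z]?)\)([A-Z]*)(\d*)")
_SHOWVER = re.compile(r"\bVersion\s+([^,\s]+)")


def parse_version(text):
    """Return (release_label, maint, interim_tuple, rebuild) or None."""
    m = _VER.fullmatch(text.strip())
    if not m:
        return None
    major, minor, maint, interim, letter, train, num = m.groups()
    interims = tuple(int(x) for x in interim.split(".") if x)
    rebuild = ord(letter) - ord("a") + 1 if letter else (int(num) if num else 0)
    return (f"{major}.{minor}{train}", int(maint), interims, rebuild)


def running_version(show_version_output):
    """Parse the first 'Version x' token; in normal output the IOS image line
    precedes the ROM bootstrap line, so this is the running image."""
    m = _SHOWVER.search(show_version_output)
    return parse_version(m.group(1)) if m else None


def _at_or_after(run, fix):
    """True if the running build is the repaired build or a later build on
    the same line.  Conservative: interim builds only count against a listed
    interim fix, never against a maintenance or rebuild entry of the same number."""
    _, rm, ri, rr = run
    _, fm, fi, fr = fix
    if rm != fm:
        return rm > fm                  # a later maintenance number carries the fix
    if fi:                              # fix is an interim build n.x
        return ri > fi or (ri == fi and rr >= fr)
    return not ri and rr >= fr          # fix is maintenance n or a rebuild of it


def status(version):
    """'not vulnerable', 'fixed', 'vulnerable' or 'unknown' for a parsed version."""
    if version is None:
        return "unknown"
    label = version[0]
    major_minor = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)", label).groups())
    if major_minor <= (11, 0):
        return "not vulnerable"         # table: 11.0 and earlier, all variants
    if label not in FIXED:
        return "unknown"                # train not in this subset of the table
    fixes = [parse_version(f) for f in FIXED[label]]
    return "fixed" if any(_at_or_after(version, f) for f in fixes) else "vulnerable"


def http_server_enabled(running_config):
    """True if the config enables the HTTP server.  Assumes the config states
    'ip http server' / 'no ip http server' explicitly; the last one wins."""
    enabled = False
    for line in running_config.splitlines():
        s = line.strip()
        if s == "ip http server":
            enabled = True
        elif s == "no ip http server":
            enabled = False
    return enabled


if __name__ == "__main__":
    # Constructed sample output, modelled on the 1005 / 11.1(24) report above.
    SAMPLE_SHOW_VERSION = (
        "Cisco Internetwork Operating System Software\n"
        "IOS (tm) 1000 Software (C1005-Y-M), Version 11.1(24), RELEASE SOFTWARE (fc1)\n"
        "ROM: System Bootstrap, Version 11.0(10c), RELEASE SOFTWARE\n"
    )
    SAMPLE_CONFIG = "!\nhostname edge1\nip http server\n!\n"   # constructed
    v = running_version(SAMPLE_SHOW_VERSION)
    print("running:", v, "->", status(v))
    print("ip http server enabled:", http_server_enabled(SAMPLE_CONFIG))
```

Run it against captured command output rather than a live device; a result of "unknown" means the train is not in the transcribed subset (or the string, like the 12.0W5 family, did not parse), and "vulnerable" on an interim build of a release that has only a maintenance fix listed should be confirmed against the full table.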