COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco

PROBLEM

    Fernando Montenegro found the following.  He came across a curious
    behavior on a number of Cisco routers, tied to the way the on-line
    help system presents options.  Even though a regular (non-"enabled")
    user should not be able to see the access-lists or other
    security-related information on the router, one can do just that.
    The on-line help system doesn't list the commands as being
    available, but out of 75 extra "show" options that are available in
    "enable" mode (on a 12.0(5) 3640), only 13 were actually restricted.

    It seems that this has been known, to the point of being mentioned
    in some classes as an "insider trick", but when we looked up
    vulnerabilities for Cisco routers we couldn't find any reference to
    it.

    So the issue is that significant security-related information (such
    as access-lists) can be retrieved by an unprivileged user logged on
    to a Cisco router.  While the on-line help system leads
    administrators to think that such information is not available, it
    is possible to obtain important information from the router.  Users
    with local, non-privileged session access (such as junior
    administration staff telnetting to the router) can have access to
    sensitive information.

    Routers tested: 2500, 2600, 3600, 4000, 7200, 7500 series, running
    IOS 9.14, 11.1(21) (Distributed Director), 11.2(x) and 12.0(x).
    Some were tested on the local console, some over Telnet.  A PIX
    running 4.x was also tested and found NOT vulnerable.

    A regular user will log on with privilege level equal to 1.  This
    can be shown by running "show privilege" after logging on to the
    router.  For example:

        User Access Verification

        Username: joeuser
        Password: <password>
        Router2>sh priv
        Current privilege level is 1
        Router2>

    Now, if we try to get  a list of all possible "show"  commands, by
    doing "show ?", we get:

        Router2>show privilege
        Current privilege level is 1
        Router2>show ?
          backup         Backup status
          cef            Cisco Express Forwarding
          clock          Display the system clock
          dialer         Dialer parameters and statistics
          flash:         display information about flash: file system
          history        Display the session command history
        ...

    Notice that we did not see an "access-lists" option, so the help
    system thinks we should not be able to run it.  However:

        Router2>show privilege
        Current privilege level is 1
        Router2>show access-lists
        Standard IP access list 10
            permit 172.16.0.1
            deny   any
        Extended IP access list eth0-IN
            permit udp host 172.16.0.1 10.11.12.0 0.0.0.255 eq snmp (14982 matches)
            permit udp host 172.16.0.1 10.11.13.128 0.0.0.127 eq snmp (4026 matches)

    So, we can see the configuration, even though we shouldn't.  We
    can't alter it, but even seeing the access-list is beneficial to an
    attacker.

    Upon further  testing on  a 3640  running IOS  12.0(5), we got the
    following results:

    - We found 75 "show" commands that are supposed to be available
      only in enable mode.  Meaning: the difference between "show ?" in
      enabled and disabled mode was these 75 commands.
    - Out of the 75, only 13 were truly restricted.  The other 62 were
      available to be viewed by a session in disabled mode.
    - Out of the 62 that were viewable, we counted 7 as being
      potentially very dangerous.  "show ip" is one of them, as well as
      "show cdp", "show logging" and "show vlans".  There are others.
    - By combining "show ip" and "show access-lists" we had a very
      clear picture of how access-lists were distributed in the
      router.

SOLUTION

    One way to solve the issue is to require more privilege to run the
    show command.  This can be accomplished by the following
    configuration command:

        privilege exec level 15 show

    Another, more thorough way is to have users log in at level 0, as
    opposed to 1.  Then, one needs to specify which commands will be
    "downgraded" to level 0.  By doing this, we're "jailing" the user
    at level 0, leaving him/her only the commands we specifically
    downgraded.

    This will severely  restrict the options  a non-enabled user  will
    have, thereby implementing a  "default deny" stance on  the router
    itself.  Given the recent interest in Cisco routers (check  Phrack
    55 and 56), it seems to be a sensible thing to do.
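    The two workarounds side by side, as an added IOS configuration
    example that is not part of the original advisory; the user name,
    the placeholder password and the particular commands downgraded to
    level 0 are assumptions chosen for illustration:

```text
! --- Weak (default) setup: a local user lands at privilege level 1, where
!     "show ?" hides "show access-lists" but the command still runs.
username joeuser password 0 <CHANGEME>
line vty 0 4
 login local
!
! --- Workaround 1: move the whole "show" tree to level 15 so that only an
!     enabled session can run any "show" subcommand at all.
privilege exec level 15 show
!
! --- Workaround 2: "jail" the user at level 0.  Level 0 offers only the
!     disable, enable, exit, help and logout commands by default, so every
!     command the user should keep must be downgraded explicitly.
!     (Downgrading a subcommand such as "show clock" also exposes its parent
!     "show" at level 0, but only with the subcommands listed here.)
username joeuser privilege 0 password 0 <CHANGEME>
privilege exec level 0 ping
privilege exec level 0 show clock
privilege exec level 0 show version
!
! Verification after either change: log in as joeuser, run "show privilege"
! (expect level 0 with workaround 2) and confirm that "show access-lists"
! is rejected rather than silently answered.
```

    Audit the running configuration for earlier "privilege exec level"
    lines that lowered individual "show" subcommands, since those
    remain in effect alongside the new settings.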

    Cisco's Product Security Incident Response Team has confirmed  the
    issue and approved the recommended workaround.

    Matti Saarinen explained how the on-line help can be configured to
    show all the commands available (see below).  This explains the
    apparent lack of authorization control over the "show" options.  It
    seems that the only issue left is that there is so much information
    available from the non-enabled account.  It seems you do have to
    avoid enabling full on-line help.