COMMAND
Cisco
SYSTEMS AFFECTED
All Cisco routers and switches running IOS 12.0 through 12.1 inclusive
PROBLEM
The following is based on CORE SDI Security Advisory CORE-20002510.
The HTTP service facility in the Cisco IOS provides remote
management capabilities using any web browser as client. It is
commonly used to manage remote routers and switches with a simple
and user-friendly Web interface. A flaw in the HTTP server
permits an attacker with access to the HTTP service port to crash
the device and force a software re-load. The service is enabled
by default ONLY in Cisco 1003, 1004 and 1005 routers.
The following products are affected if they are running
a release of Cisco IOS software that has the defect. To determine
if a Cisco product is running IOS, log in to the device and issue
the command show version. Classic Cisco IOS software will
identify itself simply as "Internetwork Operating System Software"
or "IOS (tm)" software and will display a version number. Other
Cisco devices either will not have the show version command, or
will give different output. Cisco devices that may be running
affected releases include:
- Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800,
ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500,
4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200,
7500, and 12000 series.
- Most recent versions of the LS1010 ATM switch.
- The Catalyst 6000 if it is running IOS.
- Catalyst 2900XL LAN switch if it is running IOS.
- The Cisco DistributedDirector.
For some products, the affected software releases are relatively
new and may not be available on every device listed above.
This vulnerability was discovered by Alberto Solino of CORE SDI.
By sending an HTTP request with the following URI:
http://switch-server/cgi-bin/view-source?/
the switch crashes and performs a software re-load; network
connectivity is disrupted while the reload takes place. By repeatedly
sending such HTTP requests, a denial of service attack can be
performed against the switch and the entire network connected to
it.
SOLUTION
If you are not running classic Cisco IOS software then you are
not affected by this vulnerability. Cisco products that do not
run classic Cisco IOS software and thus are not affected by this
defect include:
- 700 series dialup routers (750, 760, and 770 series) are not
affected
- Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN
switches are not affected except for some versions of the
Catalyst 2900XL. However, optional router modules running
Cisco IOS software in switch backplanes, such as the RSM
module for the Catalyst 5000 and 5500, are affected (see the
Affected Products section above).
- The Catalyst 6000 is not affected if it is not running IOS.
- WAN switching products in the IGX and BPX lines are not
affected.
- The MGX (formerly known as the AXIS shelf) is not affected.
- No host-based software is affected.
- The Cisco PIX Firewall is not affected.
- The Cisco LocalDirector is not affected.
- The Cisco Cache Engine is not affected.
For a software fix refer to the vendor field notice at:
http://www.cisco.com/warp/public/707/httpserverquery-pub.shtml
Or, as a workaround, the following actions can be taken to prevent
exploitation of the problem:
- Disable the HTTP service using the global configuration
command "no ip http server", or
- Restrict access to the HTTP service port (80/tcp, or the port set
by the ip http port command) using a standard access list
on the device. For example, if only a browser on host
10.10.10.1 needs to remotely manage the Cisco device, use the
following global configuration commands:
access-list 1 permit 10.10.10.1
ip http access-class 1
If access list 1 is already in use, choose another number in the
range 0-99.
- Restrict access to the HTTP service on border routers or
devices in the network path to the service port.
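The following added example (not part of the advisory or of any Cisco tool) audits a saved IOS running-config for the two workarounds above: it reports whether the HTTP server is disabled, and if not, whether an "ip http access-class" points at a standard access list that actually restricts sources. The sample configs are constructed for illustration.

```python
import re

# Constructed sample configs (not captured from real devices).
UNPROTECTED = "hostname r1\nip http server\nend\n"
RESTRICTED = ("hostname r1\nip http server\nip http access-class 1\n"
              "access-list 1 permit 10.10.10.1\nend\n")
OPEN_ACL = ("hostname r1\nip http server\nip http access-class 1\n"
            "access-list 1 permit any\nend\n")
DISABLED = "hostname r1\nno ip http server\nend\n"


def audit_http_service(config: str) -> dict:
    """Report whether the IOS HTTP server is off, or restricted by an
    'ip http access-class' that points at a usable standard ACL."""
    lines = [line.strip() for line in config.splitlines()]
    result = {"http_enabled": False, "access_class": None,
              "acl_entries": [], "ok": True, "reasons": []}

    # 'no ip http server' is a distinct line, so exact matching is safe.
    # Caveat: on platforms where the service is on by default (1003/1004/1005
    # per the advisory) the running-config may not show the line at all.
    if "ip http server" not in lines:
        return result  # first workaround in place: service disabled
    result["http_enabled"] = True

    for line in lines:
        m = re.fullmatch(r"ip http access-class (\d+)", line)
        if m:
            result["access_class"] = int(m.group(1))
    acl = result["access_class"]
    if acl is None:
        result["ok"] = False
        result["reasons"].append("HTTP server enabled without an access-class")
        return result

    # Standard ACL lines: access-list N permit|deny SOURCE [WILDCARD]
    entry = re.compile(rf"access-list {acl} (permit|deny) (\S+)(?: (\S+))?")
    result["acl_entries"] = [m.groups() for m in map(entry.fullmatch, lines) if m]
    if not result["acl_entries"]:
        result["ok"] = False
        result["reasons"].append(f"access-list {acl} referenced but not defined")
    for action, source, wildcard in result["acl_entries"]:
        if action == "permit" and (source == "any" or wildcard == "255.255.255.255"):
            result["ok"] = False
            result["reasons"].append(f"access-list {acl} permits any source")
    return result
```

Only the "permit SOURCE [WILDCARD]" form shown in the advisory and the "any" keyword are parsed; the "host" keyword form and extended ACLs are left for the operator to review by hand.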