COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco

PROBLEM

    The following is based on a Cisco Security Advisory. The Cisco
    Content Services Switch (CSS) product, also known as Arrowpoint,
    has several security vulnerabilities once access to the command
    line interface (CLI) is granted. The first vulnerability allows an
    unprivileged user to force the switch into a temporary denial of
    service; this is documented in Cisco Bug ID CSCdt08730. The second
    issue allows a non-privileged user to view filenames and file
    contents. This is documented in Cisco Bug ID CSCdt12748.

    The full text of this advisory can be viewed at:

        http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml

    The Cisco Content Services Switch is affected by this group of
    vulnerabilities. The CSS switch is also known as the Arrowpoint
    product, and runs the Cisco WebNS software.

    The Cisco CSS 11050, CSS 11150, and CSS 11800 hardware platforms
    are affected by this group of vulnerabilities. No other Cisco
    products are affected.

    The Cisco CSS11000 must be configured to permit command line
    access to users by providing a management address and defining
    user accounts. Once command line access is gained by a
    non-privileged user (a defined user account without administrative
    privileges), running a command that requires a filename and
    supplying a filename that is exactly the maximum length of the
    input buffer can cause the switch to reboot and start a system
    check, which prevents normal operation of the switch for up to 5
    minutes. The show script, clear script, show archive, clear
    archive, show log, and clear log commands are all capable of
    causing the CSS to restart when the specified filename is the
    maximum length of the input buffer. This is Cisco Bug ID
    CSCdt08730.
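    The restart described above is the classic failure mode of a fixed-size command argument buffer that is filled to exactly its capacity. The following C snippet is an added illustration of that class and is not Cisco's WebNS code; the buffer size FNAME_BUF and the function names are hypothetical. It shows the unchecked copy, which leaves the buffer unterminated for a maximum-length argument, next to the checked form that rejects such input before anything is copied.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the CLI's filename input buffer. The real WebNS
   value is not stated in the advisory; the failure mode is the same for
   any fixed size. */
#define FNAME_BUF 16

/* Vulnerable pattern: copy "at most the buffer size" bytes. strncpy()
   writes no terminator when the source is at least FNAME_BUF long, so an
   argument of exactly FNAME_BUF characters leaves dst unterminated and
   every later string operation on it reads past the end of the buffer.
   Returns 1 if dst ends up NUL-terminated, 0 if it does not. */
int copy_filename_unchecked(char *dst, const char *arg)
{
    strncpy(dst, arg, FNAME_BUF);
    return memchr(dst, '\0', FNAME_BUF) != NULL;
}

/* Hardened form: measure the argument without scanning beyond the limit,
   and refuse it before anything is copied if it cannot fit together with
   its terminator. Returns 1 on success, 0 when rejected (dst is then the
   empty string). */
int copy_filename_checked(char *dst, const char *arg)
{
    size_t len = 0;
    while (len < FNAME_BUF && arg[len] != '\0')
        len++;
    if (len >= FNAME_BUF) {       /* no room for the terminator */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, arg, len + 1);    /* includes the terminator */
    return 1;
}

/* Builds a constructed filename of exactly FNAME_BUF characters, the case
   the advisory describes, and reports whether the unchecked copier leaves
   a terminated string behind. */
int unchecked_terminates_max_length_name(void)
{
    char name[FNAME_BUF + 1];
    char buf[FNAME_BUF];
    memset(name, 'A', FNAME_BUF);   /* constructed: FNAME_BUF 'A's */
    name[FNAME_BUF] = '\0';
    return copy_filename_unchecked(buf, name);
}

/* Same constructed input through the checked copier: it is refused. */
int checked_accepts_max_length_name(void)
{
    char name[FNAME_BUF + 1];
    char buf[FNAME_BUF];
    memset(name, 'A', FNAME_BUF);
    name[FNAME_BUF] = '\0';
    return copy_filename_checked(buf, name);
}

/* A normal-length name is accepted by the checked copier. */
int checked_accepts_short_name(void)
{
    char buf[FNAME_BUF];
    return copy_filename_checked(buf, "startup-config");
}

int main(void)
{
    printf("unchecked copy terminates max-length name: %d\n",
           unchecked_terminates_max_length_name());
    printf("checked copy accepts max-length name:      %d\n",
           checked_accepts_max_length_name());
    printf("checked copy accepts short name:           %d\n",
           checked_accepts_short_name());
    return 0;
}
```

    The point for a reviewer is the ordering: the length is validated against the buffer size, including the terminator, before the copy, and an over-length argument fails the command rather than corrupting state that a later string routine trips over.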

    If command line access is not restricted, a non-privileged user
    (a defined user account without administrative privileges) can
    gain information on the directory structure by requesting
    non-existent filenames. Additionally, the non-privileged user can
    gain read access to files if the directory structure of the
    target files is known to the user. Cisco Bug ID CSCdt12748
    describes this file system vulnerability.
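    The directory-structure leak works because the response to a filename request differs depending on whether the file exists, before the caller's privilege has been considered. The following C snippet is an added illustration of that ordering problem and its fix; it is not Cisco's code, and the in-memory file table, the role names and the function names are constructed for the example.

```c
#include <string.h>

enum role { ROLE_USER = 0, ROLE_ADMIN = 1 };

/* Constructed stand-in for the switch's file table; the real WebNS
   layout is not part of the advisory. */
static const char *const FILE_TABLE[] = {
    "script/backup.cmd",
    "archive/startup-config",
    "log/boot.log",
};

/* Internal existence check. The hardened handler below makes sure its
   result is never visible to a non-administrative caller. */
static int file_exists(const char *path)
{
    size_t i;
    for (i = 0; i < sizeof FILE_TABLE / sizeof FILE_TABLE[0]; i++)
        if (strcmp(FILE_TABLE[i], path) == 0)
            return 1;
    return 0;
}

/* Leaky pattern: the file is resolved before authorisation is checked,
   so a non-privileged user receives a different answer for a missing
   name than for an existing one and can map the tree by guessing. */
const char *open_file_leaky(enum role caller, const char *path)
{
    if (!file_exists(path))
        return "no such file";
    if (caller != ROLE_ADMIN)
        return "permission denied";
    return "opened";
}

/* Hardened pattern: the privilege gate runs first and gives the same
   answer for every path, so a non-privileged user learns nothing about
   what exists. Administrators still get the distinction they need. */
const char *open_file_gated(enum role caller, const char *path)
{
    if (caller != ROLE_ADMIN)
        return "permission denied";   /* identical whether or not path exists */
    if (!file_exists(path))
        return "no such file";
    return "opened";
}

/* Returns 1 if the two responses a non-privileged caller gets for an
   existing and a missing path are distinguishable, 0 if they are not. */
int user_can_probe_existence(const char *(*handler)(enum role, const char *))
{
    const char *present = handler(ROLE_USER, "archive/startup-config");
    const char *missing = handler(ROLE_USER, "archive/does-not-exist");
    return strcmp(present, missing) != 0;
}
```

    Running `user_can_probe_existence` against each handler shows the difference: the leaky version lets an unprivileged account tell present files from absent ones, the gated version does not, while an administrator still sees "opened" or "no such file" as appropriate.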

    The vulnerability described in CSCdt08730 can be triggered
    repeatedly to sustain a denial of service. The additional
    vulnerabilities provide unauthorized access to important files
    such as the configuration files, and to directory structure
    information. If access to the command line interface is well
    protected and restricted, the impact of these vulnerabilities is
    minimized.

SOLUTION

    CSCdt08730 is resolved in revision 4.01(12s) and revision
    3.10(71s) of Cisco WebNS software. The file system information
    disclosure vulnerabilities are scheduled to be fixed, but are
    currently unresolved. Workarounds are recommended in the interim.
    This notice will be updated when the vulnerabilities are resolved,
    or monthly until the vulnerabilities are resolved.

    Access control lists can be applied to restrict access to the
    Cisco CSS device, and additional firewall rules or access lists
    can restrict connections to the management interface. Access
    control lists also affect traffic to the virtual interface of the
    Cisco CSS device, so they must be applied with care. For further
    details on configuring access lists please refer to the product
    documentation:

        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm

    Additionally, the use of SSH to prevent snooping of the management
    traffic to the device is encouraged.

    The Telnet service can also be disabled. For many customers in a
    co-location environment this is not a feasible option, but it is
    included in this section for customers that may have the ability
    to implement this configuration:

        CS150(config)# telnet access disabled

    Additionally, it is recommended to select strong passwords in
    accordance with your own security policies, and to adhere to your
    own security policies on changing passwords frequently, or when
    staffing changes occur.