COMMAND
Cisco
SYSTEMS AFFECTED
Cisco
PROBLEM
Following is based on a Cisco Security Advisory. The Cisco
Content Services (CSS) switch product, also known as Arrowpoint,
has several security vulnerabilities once access to the command
line interface (CLI) is granted. The first vulnerability, the
switch can be forced into a temporary denial of service by an
unprivileged user, this is documented in Cisco Bug ID CSCdt08730.
The second issue allows a non-privileged user to view filenames
and file contents. This is documented in Cisco Bug ID CSCdt12748.
The full text of this advisory can be viewed at:
http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml
The Cisco Content Services Switch is affected by this group of
vulnerabilities. The CSS switch is also known as Arrowpoint
product, and runs the Cisco WebNS Software.
Cisco CSS 11050, CSS 11150, and CSS 11800 hardware platforms are
affected by this group of vulnerabilities. No other Cisco
products are affected by this group of vulnerabilities.
The Cisco CSS11000 must be configured to permit command line
access to users by providing a management address and defining
user accounts. Once command line access is gained by non
privileged users (defined user accounts without administrative
privileges), running a command requiring a filename, and providing
a filename that is the maximum length of the input buffer can
cause the switch to reboot, and a system check to be started
which will prevent normal function of the switch for up to 5
minutes. The show script, clear script, show archive, clear
archive, show log, and clear log commands are capable of causing
the CSS to restart if the specified file name is the maximum
length of the input buffer. Cisco Bug ID CSCdt08730.
If command line access is not restricted, a non privileged user
(defined user account without administrative privileges) can gain
information on the directory structure by requesting non-existent
filenames. Additionally, the non privileged user can gain read
access for files if the directory structure of the target files
are known to the user. Cisco Bug ID CSCdt12748 describes this
file system vulnerability.
The vulnerability described in CSCdt08730 can be continuously
reproduced to produce a Denial of Service attack. The additional
vulnerabilities provide unauthorized access to important files
such as the configuration files, and directory structure
information. If access to the command line interface is well
protected and restricted, then these vulnerabilities are
minimized.
SOLUTION
CSCdt08730 is resolved in revision 4.01(12s), and revision 3.10
(71s) of Cisco WebNS software. The file system information
disclosure vulnerabilities are scheduled to be fixed, but are
currently unresolved. Workarounds are recommended in the interim.
This notice will be updated when the vulnerabilities are resolved,
or monthly until the vulnerabilities are resolved.
Access control lists can be applied to restrict access to the
Cisco CSS device, as well as additional firewall or access lists
to restrict connection to the management interface. Access
control lists also affect traffic to the Virtual interface of the
Cisco CSS device, so must be applied with care. For further
details on configuring access lists please refer to the product
documentation:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm
Additionally, the use of SSH to prevent snooping of the management
traffic to the device is encouraged.
Telnet service can also be disabled, for many customers in a
co-location environment this is not a feasible option, but is
included in this section for customers that may have the ability
to implement this configuration.
CS150(config)# telnet access disabled
Additionally, it is recommended to select strong passwords in
accordance with your own security policies, and to adhere to your
own security policies on changing passwords frequently, or when
staffing changes occur.