COMMAND

    CSS

SYSTEMS AFFECTED

    Cisco CSS switch (Arrowpoint) 11050, 11150 and 11800

PROBLEM

    The following is based on a Cisco Security Advisory. The Cisco
    Content Services Switch (CSS) product, also known as Arrowpoint,
    has a security vulnerability in an earlier release that allows
    non-privileged users to escalate their privilege level, giving
    them the ability to change the configuration of affected units.
    The vulnerability can only be exercised from a valid user
    account. To remove it, Cisco is offering free software upgrades
    to revision 4.01B19s for all affected platforms. This defect is
    documented as Cisco bug ID CSCdt32570.

    The CSS switch is also  known as the Arrowpoint product,  and runs
    the Cisco  WebNS Software.   Cisco CSS  11050, CSS  11150, and CSS
    11800 hardware platforms are  affected by this vulnerability.   No
    other Cisco products are affected by this vulnerability.

    If the switch is running a version prior to 4.01B19s, it is
    affected and should be upgraded as soon as possible. Type version
    at the command line to display the software version number.
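
    As an added illustration (not part of the advisory), the version
    check described above can be scripted for an inventory of CSS
    devices. The release-string format is assumed from the way the
    advisory writes it (4.01B19s: major.minor, "B" plus build number,
    optional letter suffix); the hostnames and the line of "version"
    output used as input are constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# First fixed WebNS release named in the advisory.
FIXED_VERSION = "4.01B19s"


class WebNSVersion(NamedTuple):
    major: int
    minor: int
    build: int
    suffix: str   # compared as a plain string; '' sorts before 's'


# Assumed format: <major>.<minor>B<build><optional lower-case letter>
_VERSION_RE = re.compile(r"(\d+)\.(\d+)B(\d+)([a-z]?)")


def parse_version(text: str) -> WebNSVersion:
    """Parse a release string such as '4.01B19s' into comparable parts."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised WebNS version string: {text!r}")
    major, minor, build, suffix = m.groups()
    return WebNSVersion(int(major), int(minor), int(build), suffix)


def find_version(command_output: str) -> Optional[str]:
    """Pull the first release string out of captured 'version' output.

    The surrounding text is not specified by the advisory, so only the
    release token itself is matched; None means nothing recognisable.
    """
    m = _VERSION_RE.search(command_output)
    return m.group(0) if m else None


def is_vulnerable(running: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running release is older than the fixed release."""
    return parse_version(running) < parse_version(fixed)


def triage(inventory: Sequence[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose captured 'version' output shows an affected
    release; unparseable output is reported too, since it cannot be cleared."""
    needs_upgrade = []
    for host, output in inventory:
        found = find_version(output)
        if found is None or is_vulnerable(found):
            needs_upgrade.append(host)
    return needs_upgrade
```

    Devices whose output yields no recognisable release string are
    listed as well, so a changed output format fails closed rather
    than silently passing.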

    A non-privileged user  can issue a  series of keystrokes  to enter
    the debug mode, and from that mode can gain administrative access.

    This vulnerability allows a non-privileged user to become a
    super-user, giving unauthorized access to sensitive data such as
    the configuration files and directory structure information. If
    access to the command line interface is well protected and
    restricted, the exposure is minimized. Cisco Bug ID CSCdt32570
    describes this vulnerability.

SOLUTION

    CSCdt32570  is  resolved  in  version  4.01B19s  of  Cisco   WebNS
    software.  Non-privileged users can no longer enter debug mode.

    Access control lists can be applied to restrict access to the
    Cisco CSS device, and additional firewall rules or access lists
    can restrict connections to the management interface. Access
    control lists on the CSS also affect traffic to the device's
    Virtual interface, so they must be applied with care. For further
    details on configuring access lists, please refer to the product
    documentation:

        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm

    Additionally, the use of SSH to prevent snooping of management
    traffic to the device is encouraged. The Telnet service can also
    be disabled. This is not a feasible option for many customers in
    a co-location environment, but it is included in this section for
    customers that may be able to implement this configuration:

        CS150(config)# telnet access disabled