COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco Content Service Switch 11000 Series

PROBLEM

    Following is based on a Cisco Security Advisory.  The Cisco Content
    Service Switch (CSS) 11000 series switches do not enforce the correct
    restrictions when a non-privileged user opens an FTP connection to
    them.  Any user with a valid account, administrative or not, can use
    the FTP GET and PUT commands to read and write any file on the system.
    As a result such users can read data that should be restricted to
    administrators, and can overwrite files on the switch.

    This vulnerability is documented as Cisco bug ID CSCdt64682.

    Affected are the CSS 11000 series switches (formerly known as
    ArrowPoint), which consist of the CSS 11050, CSS 11150 and CSS 11800
    hardware platforms.  They run the Cisco WebNS software.

    All switches running the following WebNS software revisions are
    affected by this vulnerability:

        * earlier than 4.01B23s
        * earlier than 4.10B13s

    No other Cisco product is  currently known to be affected  by this
    vulnerability.

    A non-privileged user (a user account without administrative
    privileges) can open an FTP connection to a CSS 11000 series switch
    and use the GET and PUT FTP commands with no user-level restrictions
    enforced.  Such a user can therefore read and modify files on the
    switch that they normally would not have access to.  Exposure to
    this vulnerability can be reduced by restricting FTP access to the
    CSS 11000 series switch until fixed software is installed.

SOLUTION

    Don't  configure  non-privileged  users  on  the  switch (none are
    created  by  default).   Use  the  restrict  command  to enable or
    disable FTP access to the CSS (FTP access is enabled by default):

        (config)# restrict ftp

    Access control lists can be applied to restrict FTP access to  the
    Cisco CSS device.  Access control lists also affect traffic to the
    Virtual interface of the Cisco CSS device, so must be applied with
    care.   For  further  details  on  configuring access lists please
    refer to the product documentation:

        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm

    This vulnerability has been fixed in the following Cisco WebNS
    software revisions:

        * 4.01B23s or later
        * 4.10B13s or later
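
    The following script is an added example and is not part of the
    Cisco advisory or of Cisco's software.  It turns the affected and
    fixed revision lists above into an offline check: it parses a WebNS
    version string such as "4.01B23s", reports whether that revision is
    earlier than the fixed ones, and scans a saved running-config for
    the "restrict ftp" mitigation described under SOLUTION.  It assumes
    the version string format "<major>.<minor>B<build><suffix>" as it
    appears in the advisory, and that the restrict command is stored in
    the running-config exactly as typed; the sample config embedded in
    it is constructed, not a real CSS dump.

```python
"""Offline check for Cisco bug ID CSCdt64682 (CSS 11000 FTP file access).

Added example, not Cisco's code.  Parses WebNS version strings as written
in the advisory ("4.01B23s") and greps a config dump for "restrict ftp".
"""
import re
from dataclasses import dataclass

# Fixed revisions named in the advisory, as (major, minor, build) tuples.
FIXED_401 = (4, 1, 23)    # 4.01B23s
FIXED_410 = (4, 10, 13)   # 4.10B13s

# Assumed format: <major>.<minor>B<build><letters>, e.g. 4.01B23s
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)B(\d+)([a-z]*)$", re.IGNORECASE)


def parse_webns_version(text: str) -> tuple[int, int, int]:
    """Turn "4.01B23s" into (4, 1, 23); the trailing letter suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a WebNS version string: {text!r}")
    major, minor, build = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, build


def is_affected(text: str) -> bool:
    """True if the revision is earlier than the fix for its train.

    Reading of the advisory: an image on the 4.01 train is fixed at
    4.01B23s or later; every other image is fixed only at 4.10B13s or
    later.  Anything earlier is affected.
    """
    v = parse_webns_version(text)
    if v[:2] == FIXED_401[:2]:
        return v < FIXED_401
    return v < FIXED_410


def ftp_restricted(config_text: str) -> bool:
    """True if "restrict ftp" appears as its own command line.

    Assumption: the running-config stores the command exactly as typed.
    """
    return any(line.strip().lower() == "restrict ftp"
               for line in config_text.splitlines())


@dataclass
class Assessment:
    version: str
    affected: bool
    ftp_restricted: bool

    @property
    def exposed(self) -> bool:
        # The FTP path is open only when the image is affected AND FTP
        # is still enabled.  ACLs (the advisory's other control) are not
        # evaluated here, so "not exposed" is the only conclusive answer.
        return self.affected and not self.ftp_restricted


def assess(version: str, config_text: str) -> Assessment:
    """Combine the version check and the config check for one switch."""
    return Assessment(version, is_affected(version), ftp_restricted(config_text))


# Constructed sample config (not a real CSS dump): FTP left at its
# default, i.e. no "restrict ftp" line present.
SAMPLE_CONFIG = """\
! constructed sample, not a real running-config
ip route 0.0.0.0 0.0.0.0 10.0.0.1 1
"""

if __name__ == "__main__":
    for ver in ("4.01B19s", "4.01B23s", "4.10B5s", "4.10B13s"):
        a = assess(ver, SAMPLE_CONFIG)
        print(f"{ver:9s} affected={a.affected} "
              f"ftp_restricted={a.ftp_restricted} exposed={a.exposed}")
```

    A switch reported as exposed needs either the fixed software or the
    "restrict ftp" command (or an ACL) applied; a switch on fixed
    software is not exposed through this bug even with FTP enabled.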