COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco Content Service Switch 11000 Series

PROBLEM

    The following is based on a Cisco Security Advisory.  The Cisco
    Content Service Switch (CSS) 11000 series switches do not enforce
    the correct restrictions for accessing the web management URL.

    After successful  authentication users  are redirected  to the web
    management URL.  If users  directly connect to the redirected  URL
    they are granted  access to the  web management interface  without
    having to  reauthenticate.   This vulnerability  results in  users
    gaining access to secure  data.  This vulnerability  is documented
    as Cisco bug ID CSCdu20931.

    This advisory will be posted at

        http://www.cisco.com/warp/public/707/arrowpoint-webmgmt-vuln-pub.shtml

    The  CSS  11000  series  switches  (formerly known as Arrowpoint),
    consist  of  the  CSS  11050,  CSS  11150  and  CSS 11800 hardware
    platforms.   They  run  the  Cisco  WebNS  Software.  All switches
    running the following WebNS software revisions are affected by
    this vulnerability:

        * earlier than 4.01B29s
        * earlier than 4.10B17s

    No other Cisco product is  currently known to be affected  by this
    vulnerability.  To determine your software revision, type  version
    at the command line prompt.

    If  users  bookmark  the  URL  they  are  redirected  to  after  a
    successful authentication on the  CSS 11000 series switches,  they
    can later access  the web management  interface without having  to
    reauthenticate.   A user  can gain  access to  the web  management
    interface  without  being  authenticated  on  the CSS 11000 series
    switch.  This vulnerability  can be minimized by  restricting http
    access to the CSS 11000 series switch.
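    The flaw described above comes down to where authentication is
    enforced: on the login page only, or on every request to the
    management URL.  The following is an added illustration, not Cisco's
    code; the paths, credentials and session handling are constructed
    assumptions.  The same handler models the flawed behaviour and the
    corrected one, differing only in whether the management URL checks
    for a session.

```python
import secrets

# Constructed values for the illustration (assumptions, not WebNS internals).
LOGIN_PATH = "/"
MGMT_PATH = "/webmgmt/index.html"
VALID_USER = ("admin", "correct horse battery staple")


def make_server(check_every_request):
    """Return a request handler.  check_every_request=False models the
    advisory's flaw (management URL trusts the redirect); True models
    the fix (every management request needs a valid session)."""
    sessions = set()

    def handle(path, credentials=None, cookie=None):
        """Return (status, location_or_body, session_cookie_or_None)."""
        if path == LOGIN_PATH:
            if credentials == VALID_USER:
                token = secrets.token_hex(16)
                sessions.add(token)
                # After successful login the client is redirected to the
                # management URL, as the advisory describes.
                return 302, MGMT_PATH, token
            return 401, "login required", None
        if path == MGMT_PATH:
            # Flawed variant: reaching this URL directly (e.g. from a
            # bookmark) is served without any authentication check.
            # Fixed variant: no valid session cookie -> back to login.
            if check_every_request and cookie not in sessions:
                return 302, LOGIN_PATH, None
            return 200, "management interface", None
        return 404, "not found", None

    return handle


def direct_access_granted(handle):
    """Defender's check: does the management URL answer 200 to an
    unauthenticated client that never visited the login page?"""
    status, _, _ = handle(MGMT_PATH)
    return status == 200


def authenticated_access_granted(handle):
    """Control case: a client that logged in and follows the redirect
    with its session cookie must still be served."""
    status, location, token = handle(LOGIN_PATH, credentials=VALID_USER)
    assert status == 302 and location == MGMT_PATH
    return handle(MGMT_PATH, cookie=token)[0] == 200
```

    Running `direct_access_granted` against the two variants returns True
    for the flawed handler and False for the corrected one, which is the
    behavioural difference the WebNS fix introduces.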

SOLUTION

    This vulnerability has been fixed in the following Cisco WebNS
    software revisions:

        * 4.01B29s or later
        * 4.10B17s or later

    As a workaround, Web Management can be disabled on the switch.
    Access control  lists can  be applied  to restrict  HTTP access to
    the  Cisco  CSS  11000  series  switch.  Access control lists also
    affect traffic  to the  Virtual interface  of the  Cisco CSS 11000
    series switch, so must be applied with care.  For further  details
    on  configuring  access   lists  please  refer   to  the   product
    documentation:

        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
        http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm