Vulnerability Report For Cisco IOS Web Administration DoS

Advisory ID Internal
CORE-22510

Bugtraq ID: 1838

CVE Name: None currently assigned.

Title: Cisco IOS Web Administration Denial of Service

Class: Denial of Service

Remotely Exploitable: Yes

Locally Exploitable: Yes

 

Vulnerability Description:

The HTTP service facility in the Cisco IOS provides remote management capabilities using any web browser as client.

It is commonly used to manage remote routers and switches with a simple and user-friendly Web interface.

A flaw in the HTTP server permits an attacker with access to the HTTP service port to crash the device and force a software re-load.

The service is enabled by default ONLY in Cisco 1003, 1004 and 1005 routers.

 

Vulnerable Packages/Systems:

Virtually all Cisco routers and switches running IOS versions 12.0 through 12.1 inclusive are vulnerable.

The following lists of products are affected if they are running a release of Cisco IOS software that has the defect. To determine if a Cisco product is running IOS, log in to the device and issue the command show version. Classic Cisco IOS software will identify itself simply as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command, or will give different output.

Cisco devices that may be running affected releases include:
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.

Most recent versions of the LS1010 ATM switch.

The Catalyst 6000 if it is running IOS.

Catalyst 2900XL LAN switch if it is running IOS.

The Cisco DistributedDirector.

For some products, the affected software releases are relatively new and may not be available on every device listed above.

If you are not running classic Cisco IOS software then you are not affected by this vulnerability. Cisco products that do not run classic Cisco IOS software and thus are not affected by this defect include:
700 series dialup routers (750, 760, and 770 series) are not affected.
Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are not affected except for some versions of the Catalyst 2900XL. However, optional router modules running Cisco IOS software in switch backplanes, such as the RSM module for the Catalyst 5000 and 5500, are affected (see the Affected Products section above).

The Catalyst 6000 is not affected if it is not running IOS.

WAN switching products in the IGX and BPX lines are not affected.

The MGX (formerly known as the AXIS shelf) is not affected.

No host-based software is affected.

The Cisco PIX Firewall is not affected.

The Cisco LocalDirector is not affected.

The Cisco Cache Engine is not affected.

 

Solution/Vendor Information/Workaround:

For a software fix refer to the vendor field notice at:
http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml

Or as a workaround, the following actions can be taken to prevent explotation of the problem:
- Disable the HTTP service using the global configuration command:
no ip http server
or
- Restrict access to the HTTP service port (80/tcp or as set by the
ip http port command) using a standard access list on the device.

For example, if only a browser on host 10.10.10.1 needs to remotely
manage the Cisco device use the following global configuration
command:
access-list 1 permit 10.10.10.1
ip http access-class 1
If access list 1 is in use choose another number in the range 0-99.
- Restrict access to the HTTP service on border routers or
devices in the network path to the service port.

Vendor notified on: July 18th, 2000

 

Credits:

This vulnerability was discovered by Alberto Soliño of CORE SDI, S.A. Buenos Aires, Argentina.

Information regarding the extent of the problem, fixes and workarounds was provided by the Cisco PSIRT Team.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail [email protected].

 

Technical Description - Exploit/Concept Code:

By sending an HTTP request with the following URI:
http://switch-server/cgi-bin/view-source?/

The switch crashes and performs a software re-load, network connectivity is disrupted while this is done.

By repeatly sending such HTTP requests, a denial of service attack can be performed against the switch and the entire network connected to it.

Tests were performed on the following switch model and software version:
Cisco Internetwork Operating System Software IOS (tm)
C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP, MAINTENANCE
INTERIM SOFTWARE

Copyright (c) 1986-1999 by cisco Systems, Inc.

Compiled Fri 10-Dec-99 10:57 by cchang

Image text-base: 0x00003000, data-base: 0x002BA814

ROM: Bootstrap program is C2900XL boot loader

Switch uptime is 21 minutes

System returned to ROM by power-on

System image file is "flash:c2900XL-h2s-mz-120.5.1-XP.bin"

cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with

192K/1024K bytes of memory.

Processor board ID 0x0E, with hardware revision 0x01

Last reset from power-on

Processor is running Enterprise Edition Software

Cluster member switch capable

24 FastEthernet/IEEE 802.3 interface(s)

 

Copyright notice:
The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.