Home page logo

bugtraq logo Bugtraq mailing list archives

Updated def-2000-02 advisory: Catalyst web....
From: Olle Segerdahl <olle () ENVY2 NXS SE>
Date: Tue, 14 Nov 2000 15:49:27 +0100

                   Defcom Labs Advisory def-2000-02

               Cisco Catalyst remote command execution

Author: Olle Segerdahl <olle () defcom com>
Release Date: 2000-10-26
------------------------=[Brief Description]=-------------------------
Under certain configurations the Catalyst 2900XL and 3500XL series
switches web configuration interface lets any user execute any command
on the system without supplying any authentication credentials.

------------------------=[Affected Systems]=--------------------------
Cisco Catalyst 2900XL and 3500XL series switches with no "enable" line
in the current configuration.

----------------------=[Detailed Description]=------------------------
Cisco Catalyst 3500 XL series switches have a webserver configuration
interface. This interface lets web users execute any command by
requesting the /exec location from the webserver. An example follows:
This URL will show the configuration file, with all user passwords.

Normally a user will be prompted for authentication credentials, but
in certain configurations, no authentication is needed:

Consider this setup. A reasonably security-concious administrator is
assigned responsibility for a number of Catalyst switches. Since this
type of device is relatively low in maintainence, he decides to create
just an "admin" user with full priviledges in the configuration and
doesn't worry about setting an "enable" password. (The enable password
is used by a user with low privs to obtain a higher priviledge level.)

Since he has (in his mind) adequately password protected the device
through all access means other than HTTP (telnet, serial, etc.) he may
think this is true for HTTP as well. His assumption is wrong.

Make sure an "enable" password is set for all Catalysts at all times.

Disable the web configuration interface completely with the following
configuration line: "no ip http server".

--------------------------=[Vendor Status]=---------------------------
Vendor was notified on 2000-10-10.

On 2000-11-13 their official response was:

"This situation may be confusing since admins will be prompted for a
password when trying to telnet to the switch but will not be asked for
it when using the Web to access the switch.
All switches from 2900XL and 3500XL families share this behavior."

            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com

  By Date           By Thread  

Current thread:
  • Updated def-2000-02 advisory: Catalyst web.... Olle Segerdahl (Nov 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]