Date: Oct 27 2000 07:40:23 EDT
From: "Kevison Dennys Carrilho Bentes" <[EMAIL PROTECTED]>
Subject: [redewan] Fw: Cisco Security Advisory: Cisco IOS HTTP Server Query Vulnerability

From: "Cisco Systems Product Security Incident Response Team"
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 25, 2000 6:30 PM
Subject: Cisco Security Advisory: Cisco IOS HTTP Server Query Vulnerability


| -----BEGIN PGP SIGNED MESSAGE-----
|
|                    Cisco IOS HTTP Server Query Vulnerability
|
| Revision 1.0
|
|   For public release 2000 October 25 at 08:00 US/Pacific (UTC+0700)
|      _________________________________________________________________
|
| Summary
|
|    A defect in multiple releases of Cisco IOS software will cause a Cisco
|    router or switch to halt and reload if the IOS HTTP service is
|    enabled, browsing to "http://router-ip/anytext?/" is attempted, and
|    the enable password is supplied when requested. This defect can be
|    exploited to produce a denial of service (DoS) attack.
|
|    The vulnerability, identified as Cisco bug ID CSCdr91706, affects
|    virtually all mainstream Cisco routers and switches running Cisco IOS
|    software releases 12.0 through 12.1, inclusive. This is not the same
|    defect as CSCdr36952.
|
|    The vulnerability has been corrected and Cisco is making fixed
|    releases available for free to replace all affected IOS releases.
|    Customers are urged to upgrade to releases that are not vulnerable to
|    this defect as shown in detail below.
|
|    This vulnerability can only be exploited if the enable password is
|    known or not set.
|
|    The complete advisory is available at
|    http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml .
|
| Affected Products
|
|    The following products are affected if they run a Cisco IOS software
|    release that has the defect. To determine if a Cisco product is
|    running an affected IOS, log in to the device and issue the command
|    show version. Cisco IOS software will identify itself as "Internetwork
|    Operating System Software" or "IOS (tm)" software and will display a
|    version number. Other Cisco devices either will not have the command
|    show version, or will give different output. Compare the version
|    number obtained from the router with the versions presented in the
|    Software Versions and Fixes section below.
|
|    Cisco devices that may be running with affected IOS software releases
|    include:
|      * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900,
|        1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000,
|        4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200,
|        7500, and 12000 series.
|      * Most recent versions of the LS1010 ATM switch.
|      * The Catalyst 6000 if it is running IOS.
|      * The Catalyst 2900XL LAN switch only if it is running IOS.
|      * The Cisco DistributedDirector.
|
|    For some products, the affected software releases are relatively new
|    and may not be available on every device listed above.
|
|    If you are not running Cisco IOS software, you are not affected by
|    this vulnerability.
|
|    Cisco products that do not run Cisco IOS software and are not affected
|    by this defect include, but are not limited to:
|      * 700 series dialup routers (750, 760, and 770 series) are not
|        affected.
|      * Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are
|        not affected, except for some versions of the Catalyst 2900XL.
|        However, optional router modules running Cisco IOS software in
|        switch backplanes, such as the RSM module for the Catalyst 5000
|        and 5500, are affected (see the Affected Products section above).
|      * The Catalyst 6000 is not affected if it is not running IOS.
|      * WAN switching products in the IGX and BPX lines are not affected.
|      * The MGX (formerly known as the AXIS shelf) is not affected.
|      * No host-based software is affected.
|      * The Cisco PIX Firewall is not affected.
|      * The Cisco LocalDirector is not affected.
|      * The Cisco Cache Engine is not affected.
|
| Details
|
|    The HTTP server was introduced in IOS release 11.0 to extend router
|    management to the worldwide Web. The "?" (question mark) character is
|    defined in the HTML specifications as a delimiter for CGI arguments.
|    It is also interpreted by the IOS command-line interface as a request
|    for help.
|
|    As of Cisco IOS Software Release 12.0T, the meaning of a question mark
|    when it appears adjacent to a "/" (slash) character cannot be
|    determined properly by the URI parser in affected versions of Cisco
|    IOS software. When a URI containing "?/" is presented to the HTTP
|    service on the router and a valid enable password is supplied, the
|    router enters an infinite loop. A watchdog timer expires two minutes
|    later and forces the router to crash and reload. The router continues
|    to be vulnerable to this defect as long as it is running an affected
|    IOS software release and the enable password is known.
|
|    This vulnerability may only be exploited if the enable password is not
|    set, it is well known, or it can be guessed.
|
|    In rare cases, an affected device fails to reload, which means an
|    administrator must physically cycle the power to resume operation.
|
|    The HTTP server is not enabled by default except on unconfigured Cisco
|    model 1003, 1004, and 1005 routers. Once initial access is granted to
|    configure the router, the customer may set an enable password, and
|    disable or limit access to the HTTP server by changing the
|    configuration. Once the new configuration has been saved, the HTTP
|    server will not be enabled when the router restarts.
|
| Impact
|
|    An affected Cisco IOS device that is operating with the HTTP service
|    enabled and is not protected by having the enable password configured
|    can be forced to halt for up to two minutes and then reload. The
|    vulnerability can be exercised repeatedly, possibly creating a denial
|    of service (DoS) attack, unless the service is disabled, the enable
|    password is set, or the router is upgraded to a fixed release.
|
|    In instances in which a router at a remote location fails to reload,
|    an administrator must visit the site to enable the device to recover
|    from the defect.
|
| Software Versions and Fixes
|
|    The following table summarizes the Cisco IOS software releases
|    affected by the defect described in this notice and scheduled dates on
|    which the earliest corresponding fixed releases will be available.
|    Dates are tentative and subject to change.
|
|    Each table row shows the earliest release that contains the fix in the
|    "Rebuild", "Interim", or "Maintenance" columns, presented in release
|    number order.
|
|    A Maintenance Release is the most heavily tested and highly
|    recommended release.
|
|    A Rebuild Release is constructed from a previous maintenance or
|    mainline release and contains a code fix for a specific defect.
|    Although it receives less testing than a maintenance release, it is
|    built from a previous maintenance release and includes minimum changes
|    to address a specific defect.
|
|    An Interim Release has much less testing than a maintenance release
|    and should be selected only if no other suitable release fixes the
|    defect.
|
|    In all cases, customers should exercise caution to be certain the
|    devices to be upgraded contain sufficient memory and that current
|    hardware and software configurations will continue to be supported
|    properly by the new release.
|
|
| +========+========================+==============+==============+===============+
| |Major   |Description or Platform |     Availability of Repaired Releases*      |
| |Release |                        |                                             |
| +========+========================+==============+==============+===============+
| |   Unaffected Earlier Releases   |   Rebuild    |  Interim**   |  Maintenance  |
| +========+========================+==============+==============+===============+
| |11.0 &  |Numerous                |Not vulnerable|Not vulnerable|Not vulnerable |
| |earlier,|                        |              |              |               |
| |all     |                        |              |              |               |
| |variants|                        |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |11.1    |11.1 AA, 11.1 CA, 11.1  |Not vulnerable|Not vulnerable|Not vulnerable |
| |        |CC, 11.1 CT, 11.1 IA    |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |11.2    |11.2 SA, 11.2 BC, 11.2  |Not vulnerable|Not vulnerable|Not vulnerable |
| |        |P, 11.2 F, 11.2 GS, 11.2|              |              |               |
| |        |WA3, 11.2 XA            |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |11.3    |11.3 NA, 11.3 AA, 11.3  |Not vulnerable|Not vulnerable|Not vulnerable |
| |        |DA, 11.3 XA, 11.3 HA,   |              |              |               |
| |        |11.3 WA, 11.3 MA, 11.3  |              |              |               |
| |        |DB                      |              |              |               |
| +========+========================+==============+==============+===============+
| |       12.0-based Releases       |   Rebuild    |  Interim**   |  Maintenance  |
| +========+========================+==============+==============+===============+
| |12.0    |General Deployment (GD):|Not vulnerable|Not vulnerable|Not vulnerable |
| |        |all platforms           |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0DA  |xDSL support: 6100, 6200|Not vulnerable|Not vulnerable|Not vulnerable |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0S   |Core/ISP support: gsr,  |Not vulnerable|Not vulnerable|Not vulnerable |
| |        |rsp, c7200              |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0SC  |Cable/broadband ISP:    |Not vulnerable|Not vulnerable|Not vulnerable |
| |        |ubr7200                 |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0SL  |10000 ESR: c10k         |Not vulnerable|Not vulnerable|Not vulnerable |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0T   |Early Deployment (ED):  |              |              |Unknown        |
| |        |VPN, Distributed        |              |              |               |
| |        |director, various       |              |              |               |
| |        |platforms               |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0W5  |cat8510c, cat8540c,     |              |              |12.0(13)W5(19) |
| |        |c6msm, ls1010,          |              |              |               |
| |        |cat8510m, cat8540m,     |              |              +---------------+
| |        |c5atm, c5atm, c3620,    |              |              |2000-NOV-13    |
| |        |c3640, c4500, c5rsfc,   |              |              |               |
| |        |c5rsm, c7200, rsp       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |        |cat2948g, cat4232       |              |              |12.0(10)W5(18e)|
| |        |                        |              |              +---------------+
| |        |                        |              |              |2000-NOV-14    |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0XA  |Early Deployment (ED):  |              |              |12.1(5)        |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0XE  |Early Deployment (ED):  |12.1(3a)E4    |              |               |
| |        |limited platforms       +--------------+              |               |
| |        |                        |2000-OCT-24   |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0XH  |Early Deployment (ED):  |12.0(4)XH4    |              |               |
| |        |limited platforms       +--------------+              |               |
| |        |                        |Unknown       |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.0XJ  |Early Deployment (ED):  |12.0(5)XJ6    |              |               |
| |        |limited platforms       +--------------+              |               |
| |        |                        |Unknown       |              |               |
| +========+========================+==============+==============+===============+
| |       12.1-based Releases       |   Rebuild    |  Interim**   |  Maintenance  |
| +========+========================+==============+==============+===============+
| |12.1    |General Deployment (GD) |              |              |12.1(05)       |
| |        |candidate: all          |              |              +---------------+
| |        |platforms               |              |              |2000-OCT-30    |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1AA  |Access & Dial Early     |12.1(4)AA1    |              |               |
| |        |Deployment (ED): c5200, +--------------+              |               |
| |        |c5300, c5800, dsc-c5800 |Unknown       |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1DA  |xDSL support: 6160, 6260|              |              |12.01(04)DA    |
| |        |                        |              |              +---------------+
| |        |                        |              |              |2000-OCT-30    |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1DB  |xDSL support: c6400     |              |              |12.01(4)DB     |
| |        |                        |              |              +---------------+
| |        |                        |              |              |2000-NOV-13    |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1DC  |xDSL NRP support: c6400r|              |              |12.01(4)DC     |
| |        |                        |              |              +---------------+
| |        |                        |              |              |2000-NOV-13    |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1E   |ELB Early Deployment    |12.1(3a)E4    |              |               |
| |        |(ED): cat6k, 8500,      +--------------+              |               |
| |        |ls1010, 7500, 7200, 7100|2000-OCT-24   |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1EC  |Cable/broadband Early   |12.01(03a)EC1 |              |               |
| |        |Deployment (ED):        +--------------+              |               |
| |        |ubr7200                 |Unknown       |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1T   |New technology Early    |              |12.1(5.0.x)T  |12.1(5)T       |
| |        |Deployment (ED): all    |              +--------------+---------------+
| |        |platforms               |              |Unknown       |Unknown        |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XA  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XB  |Early Deployment (ED):  |Not scheduled |              |               |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XC  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XD  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XE  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XF  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XG  |Early Deployment (ED):  |Not scheduled |              |               |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XH  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XI  |Early Deployment (ED):  |Not scheduled |              |               |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XJ  |Early Deployment (ED):  |Not scheduled |              |               |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XL  |Early Deployment (ED):  |Not scheduled |              |               |
| |        |limited platforms       |              |              |               |
| +--------+------------------------+--------------+--------------+---------------+
| |12.1XP  |Early Deployment (ED):  |Not scheduled |              |12.1(5)T       |
| |        |limited platforms       |              |              |               |
| +========+========================+==============+==============+===============+
| |                                     Notes                                     |
| +===============================================================================+
| |* All dates are estimated and subject to change.                               |
| +-------------------------------------------------------------------------------+
| |** Interim releases are subjected to less rigorous testing than regular        |
| |maintenance releases, and may have serious bugs.                               |
| +===============================================================================+
|
| Obtaining Fixed Software
|
|    Cisco offers free software upgrades to affected customers to remedy
|    this vulnerability. Customers with service contracts may upgrade to
|    any software release. Customers without contracts may upgrade only
|    within a single row of the table above, except that any available
|    fixed software release will be provided to any customer who can use it
|    and for whom the standard fixed software release is not yet available.
|    Customers may install only the feature sets they have purchased.
|
|    Not all fixed software may be available as of the release date of this
|    notice.
|
|    Customers with contracts should obtain upgraded software through
|    regular update channels. Most customers can obtain upgrades via the
|    Software Center on Cisco's Worldwide Web site at
|    http://www.cisco.com/.
|
|    Customers without contracts should obtain their upgrades by contacting
|    the Cisco Technical Assistance Center (TAC) as follows:
|      * +1 800 553 2447 (toll-free call within North America)
|      * +1 408 526 7209 (toll call from elsewhere in the world)
|      * E-mail: [EMAIL PROTECTED]
|
|    Additional contact information for the TAC is on-line at
|    http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml, including
|    instructions and e-mail addresses for use by non-English speakers.
|
|    Give the URL of this notice as evidence of your entitlement to a free
|    upgrade.
|
|    Free upgrades for noncontract customers must be requested through the
|    TAC.
|
|    Please do not contact either "[EMAIL PROTECTED]" or
|    "[EMAIL PROTECTED]" for software upgrades. You will obtain
|    faster results by contacting the TAC directly.
|
| Workarounds
|
|    In lieu of an upgrade, the threat may be eliminated or reduced by
|    taking any of the following measures:
|      * Select and configure strong passwords on networking devices.
|        Or
|
|      * Disable the HTTP server using the command no ip http server while
|        in global configuration mode.
|        Or
|
|      * If the HTTP server must remain enabled while unrepaired, network
|        access to it can be controlled by applying a standard access list
|        to the HTTP service itself. For example, if the router's HTTP
|        service should be reachable only from a browser running on a
|        computer at IP address 10.1.2.3, then use the following commands
|        in global configuration mode to create a standard access list and
|        apply it to the HTTP server:
|             access-list 1 permit 10.1.2.3
|             ip http access-class 1
|
|        If access list 1 is already in use, then choose another number in
|        the range 0-99. The implicit deny rule added to the end of every
|        access list will prevent access from other IP addresses.
|
|      Or
|
|      * Prevent network access to a vulnerable HTTP server by blocking
|        traffic in the network path to the server's port with an extended
|        access list. Such a list would be applied on an interface of the
|        vulnerable router itself or on another Cisco router in the path of
|        a potential attack, e.g., applied inbound on the outside interface
|        of an edge router. The port number used in the extended access
|        list statement must be the default port used by the HTTP server,
|        port 80, or equal to whatever value it may have been set via the
|        ip http port command. Use this workaround with great care; it
|        cannot be recommended confidently without knowledge of specific
|        customer network configurations.
|
|    Save the resulting configuration in memory so that protection of the
|    server is not inadvertently removed after a reload.
|
| Exploitation and Public Announcements
|
|    The Cisco PSIRT was alerted to this issue by CORE SDI, which
|    discovered the issue during routine security audits on equipment.  The
|    security audit included a check for common CGI vulnerabilities against
|    a Cisco device without a configured password; the audit attempted to
|    browse to "http://<router-ip>/cgi-bin/source-help?/", which caused the
|    device to crash and reload.
|
|    The Cisco PSIRT has received no reports of malicious exploitation of
|    this vulnerability.
|
| Status of This Notice: INTERIM
|
|    This is an interim notice. Cisco expects the contents of this report
|    to change. The reader is warned that this notice may contain
|    inaccurate or incomplete information. Although Cisco cannot guarantee
|    the accuracy of all statements in this notice, all of the facts have
|    been checked to the best of our ability. Cisco anticipates issuing
|    monthly updates of this notice until it reaches final status.
|
| Distribution
|
|    This notice will be posted at
|    http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml.
|    In addition to this HTML version on Cisco's worldwide Web site, a text
|    version of this notice will be clear-signed with the Cisco PSIRT PGP
|    key and posted to the following e-mail addresses and Usenet
|    newsgroups:
|      * [EMAIL PROTECTED]
|      * [EMAIL PROTECTED]
|      * [EMAIL PROTECTED]
|      * [EMAIL PROTECTED] (which includes the CERT/CC)
|      * [EMAIL PROTECTED]
|      * [EMAIL PROTECTED]
|      * comp.dcom.sys.cisco
|      * Various internal Cisco mailing lists
|
|    Any updates to this notice will appear on Cisco's worldwide Web
|    server. The updates may or may not be announced on mailing lists or
|    newsgroups. Users concerned about this problem are encouraged to check
|    http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml for
|    any updates.
|
| Revision History
|
|  +-------------+-----------+---------------------------------------------+
|  |Revision 1.0 |2000-09-29 |Draft for initial public release 2000-10-11. |
|  +-------------+-----------+---------------------------------------------+
|
| Cisco Product Security Incident Assistance Process
|
|    The Web page at
|    http://www.cisco.com/warp/public/707/sec_incident_response.shtml
|    describes how to report security vulnerabilities in Cisco products,
|    obtain assistance with security incidents, and register to receive
|    product security information from Cisco Systems, Inc., including
|    instructions for press inquiries regarding Cisco Security Advisories
|    and notices. This advisory is Cisco's official public statement
|    regarding this vulnerability.
|      _________________________________________________________________
|
|    This notice is copyright 2000 by Cisco Systems, Inc. This notice may
|    be redistributed freely after the release date given at the top of the
|    text, provided that redistributed copies are complete and unmodified,
|    including all date and version information.
|      _________________________________________________________________
|
| -----BEGIN PGP SIGNATURE-----
| -----END PGP SIGNATURE-----
|
|
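The following Python is added here as an illustration and is not part of Cisco's advisory or any Cisco tool. It applies the workaround checks from the advisory (enable password set, HTTP server disabled, access-class applied) to a saved IOS configuration and reports the two exposure preconditions the Summary and Details name: HTTP server enabled and no enable password. The sample configurations, the hostname and the enable-secret value are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample configurations for this example (not from a real device);
# only the global-configuration lines the advisory discusses matter here.
EXPOSED_CONFIG = """\
version 12.1
hostname edge-rtr
ip http server
end
"""

HARDENED_CONFIG = """\
version 12.1
hostname edge-rtr
enable secret 5 $1$xxxx$PLACEHOLDER_NOT_A_REAL_HASH
access-list 1 permit 10.1.2.3
ip http access-class 1
no ip http server
end
"""

@dataclass
class HttpAudit:
    version: Optional[str]       # value of the "version X.Y" line, if present
    http_enabled: bool           # "ip http server" present and not negated
    enable_set: bool             # "enable secret" or "enable password" present
    access_class: Optional[str]  # list number from "ip http access-class N"
    acl_defined: bool            # a matching "access-list N ..." line exists
    findings: List[str] = field(default_factory=list)

def audit_config(config: str) -> HttpAudit:
    """Apply the advisory's workaround checks to a saved IOS configuration.
    A missing "ip http server" line counts as disabled, which is the IOS
    default the advisory states (except unconfigured 1003/1004/1005)."""
    version, access_class = None, None
    http_enabled = enable_set = False
    acls = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http_enabled = True
        elif line == "no ip http server":
            http_enabled = False
        elif line.startswith(("enable secret ", "enable password ")):
            enable_set = True
        m = re.match(r"^version\s+(\S+)$", line)
        if m:
            version = m.group(1)
        m = re.match(r"^ip http access-class\s+(\d+)$", line)
        if m:
            access_class = m.group(1)
        m = re.match(r"^access-list\s+(\d+)\s", line)
        if m:
            acls.add(m.group(1))
    audit = HttpAudit(version, http_enabled, enable_set, access_class,
                      access_class is not None and access_class in acls)
    if http_enabled and not enable_set:
        audit.findings.append("HTTP server enabled with no enable password: CSCdr91706 "
                              "is reachable by any host that can connect to the HTTP port")
    if http_enabled and access_class is None:
        audit.findings.append("HTTP server accepts connections from any source: apply "
                              "'ip http access-class' or use 'no ip http server'")
    if access_class is not None and not audit.acl_defined:
        audit.findings.append(f"'ip http access-class {access_class}' refers to an "
                              "access-list this config never defines")
    if http_enabled and version and version.startswith(("12.0", "12.1")):
        audit.findings.append(f"IOS {version} falls in the 12.0-12.1 range the advisory "
                              "covers; confirm the exact release with 'show version'")
    return audit

def is_exposed(config: str) -> bool:
    """True when both preconditions the advisory names hold at once: the HTTP
    server is enabled and no enable password is configured."""
    audit = audit_config(config)
    return audit.http_enabled and not audit.enable_set

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: exposed={is_exposed(cfg)}")
        for finding in audit_config(cfg).findings:
            print("  -", finding)
```

The `version` line in a saved config only gives the major release, so the last finding is a prompt to compare the full `show version` output against the fixes table, not a verdict.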
