The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System (IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the IOS Secure Copy Client feature.
Affected Products:
Vulnerable Products
Cisco devices running certain 12.2-based IOS releases and configured to offer Secure Copy server functionality are affected by this issue.
A device running a vulnerable Cisco IOS 12.2-based release is affected if the following command is present in the device configuration:
ip scp server enable
The IOS Secure Copy server is disabled by default.
The Secure Copy server functionality is only available on encryption-capable images. Devices that do not run an encryption-capable image, identifiable by either k8 or k9 in the image name, are not vulnerable. If a device is running an encryption-capable image, the existence of the ip scp server enable command in the configuration will determine whether the device is affected.
Please consult the table of fixed software in the Software Version and Fixes section for the specific 12.2-based IOS releases that are affected.
To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". The image name will be displayed between parentheses on the next line of output followed by "Version" and IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.2(18)SXF10:
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Fri 13-Jul-07 08:32 by kellythw
Products Confirmed Not Vulnerable
Cisco devices that do not run IOS are not affected.
Cisco IOS devices that do not have the Secure Copy server feature enabled are not affected.
The following IOS release trains are not affected:
* 12.0-based releases
* 12.1-based releases
* 12.3-based releases
* 12.4-based releases
Cisco IOS XR is not affected.
No other Cisco devices are known to be affected.
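The three criteria above (a 12.2-based release, a k8/k9 encryption-capable image, and ip scp server enable in the configuration) can be checked offline against saved show version and running-config output. The following script is an added example, not part of this advisory or of Cisco's tooling; the sample hostname and vty lines in the constructed input are assumptions.

```python
import re

# Constructed sample input (not from a real device): the show version lines
# follow the format quoted in the advisory; hostname and vty lines are assumed.
SHOW_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""

RUNNING_CONFIG = """hostname edge-rtr-1
ip scp server enable
line vty 0 4
 login local
"""

# The image name sits in parentheses, followed by ", Version <release>".
IMAGE_RE = re.compile(r"\(([^()]+)\),\s*Version\s+([^,\s]+)")


def parse_show_version(text):
    """Return (image_name, release) from show version output, else (None, None)."""
    m = IMAGE_RE.search(text)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def is_encryption_capable(image_name):
    """Per the advisory, only images with k8 or k9 in the name carry the SCP server."""
    return bool(re.search(r"k[89]", image_name, re.IGNORECASE))


def is_12_2_train(release):
    """Only 12.2-based releases are affected; 12.0/12.1/12.3/12.4 trains are not."""
    return release.startswith("12.2")


def scp_server_enabled(config):
    """True if a non-negated 'ip scp server enable' line is present in the config."""
    return any(line.strip() == "ip scp server enable" for line in config.splitlines())


def assess(show_version, config):
    """Apply the advisory's affected-device criteria and return a verdict string."""
    image, release = parse_show_version(show_version)
    if image is None:
        return "undetermined: not IOS show version output"
    if not is_12_2_train(release):
        return "not affected: release %s is not 12.2-based" % release
    if not is_encryption_capable(image):
        return "not affected: image %s is not encryption-capable" % image
    if not scp_server_enabled(config):
        return "not affected: SCP server not enabled"
    return "potentially affected: check the fixed-software table for %s" % release
```

A "potentially affected" verdict still has to be confirmed against the fixed-software table, since the script only applies the configuration and image criteria.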
Details:
Secure Copy (SCP) is a protocol similar to the Remote Copy (RCP) protocol, which allows for the transfer of files between systems. The main difference between SCP and RCP is that in SCP, all aspects of the file transfer session, including authentication, occur in encrypted form, which makes SCP a more secure alternative than RCP. SCP relies on the Secure Shell (SSH) protocol, which uses TCP port 22 by default.
The server side of the Secure Copy implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
This vulnerability does not allow for authentication bypass; login credentials are verified and access is only granted if a valid username and password are provided. This vulnerability may cause authorization to be bypassed.
A device with the Secure Copy server enabled is vulnerable regardless of whether Authentication, Authorization, and Accounting (AAA) is enabled. If access control is enabled on the Virtual Terminal (vty) via the login command, which allows logins via Virtual Terminals, then the device is affected.
This vulnerability is documented in Cisco Bug ID CSCsc19259 (registered customers only).
Impact:
Successful exploitation of the vulnerability described in this advisory may allow valid but unauthorized users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
Workarounds:
If the IOS Secure Copy Server functionality is not needed then the vulnerability described in this document can be mitigated by disabling the Secure Copy server. The Secure Copy server can be disabled by executing the following command in global configuration mode:
no ip scp server enable
If the Secure Copy server cannot be disabled due to operational concerns, then no workarounds exist. The risk posed by this vulnerability can be mitigated by following the best practices detailed in "Improving Security on Cisco Routers" at http://www.cisco.com/warp/public/707/21.html. Please refer to the Obtaining Fixed Software section for appropriate solutions to resolve this vulnerability.
Due to the nature of this vulnerability, networking best practices like access control lists (ACLs) and Control Plane Policing (CoPP) that restrict access to a device to certain IP addresses or subnetworks may not be effective. If access is already granted to a specific IP address or subnetwork, a user with low privileges will be able to establish a Secure Copy session with the device, which would allow the user to exploit this vulnerability.