When the HTTP server is enabled and local authorization is used, it is possible, under some circumstances, to bypass authentication and execute any command on the device. In that case, the user is able to exercise complete control over the device. All commands are executed with the highest privilege (level 15).
All releases of Cisco IOS software starting with release 11.3 and later are vulnerable. Virtually all mainstream Cisco routers and switches running Cisco IOS are affected by this vulnerability.
Products that are not running Cisco IOS software are not vulnerable.
The workaround for this vulnerability is to disable the HTTP server on the router or to use Terminal Access Controller Access Control System Plus (TACACS+) or RADIUS for authentication.
Any device running Cisco IOS software, starting with release 11.3 and later, is vulnerable.
Cisco devices that may be running with affected IOS software releases include, but are not limited to:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series.
* Most recent versions of the LS1010 ATM switch.
* The Catalyst 6000 if it is running Cisco IOS software.
* The Catalyst 2900XL LAN switch only if it is running Cisco IOS software.
* The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are affected.
* The Cisco Distributed Director.
For some products, the affected software releases are relatively new and may not be available on every device listed above.
If you are not running Cisco IOS software, you are not affected by this vulnerability.
Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to:
* 700 series dialup routers (750, 760, and 770 series).
* The Catalyst 6000 is not affected if it is not running Cisco IOS software.
* WAN switching products in the IGX and BPX lines.
* The MGX (formerly known as the AXIS shelf).
* Host-based software.
* The Cisco PIX Firewall.
* The Cisco LocalDirector.
* The Cisco Cache Engine.
No other Cisco products are affected.
By sending a specially crafted URL it is possible to bypass authentication and execute any command on the router at level 15 (enable level, the most privileged level). This happens only if the device uses a local database for authentication (usernames and passwords are defined on the device itself). The same URL will not be effective against every Cisco IOS software release and hardware combination. However, there are only 84 different combinations to try, so it would be easy for an attacker to test them all in a short period of time.
The URL in question follows this format:
Where xx is a number between 16 and 99.
This vulnerability is documented as Cisco Bug ID CSCdt93862.
An attacker can exercise complete control over the device. By exploiting this vulnerability, the attacker can see and change configuration of the device.
Obtaining fixed software:
Cisco is offering free software upgrades to eliminate this vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com. Please do not contact either "firstname.lastname@example.org" or "email@example.com" for software upgrades.
The workaround for this vulnerability is to disable the HTTP server on the router or to use TACACS+ or RADIUS for authentication.
To disable HTTP server, use the following commands:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no ip http server
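The following is an added example, not part of the advisory and not Cisco's code: a small Python audit that reads an IOS running-config text and reports whether the exposed combination described above (HTTP server enabled, authentication against the local user database, release 11.3 or later) is present, and confirms that the `no ip http server` workaround clears it. The sample config is constructed for illustration. The `ip http authentication` keywords `local`, `enable`, `tacacs` and `aaa`, and the fallback to the enable password when no such line is present, are assumptions from general IOS knowledge and are not stated on this page; the only commands the page itself gives are `ip http server` and `no ip http server`.

```python
import re

# Constructed sample running-config (placeholder credentials, not real data).
SAMPLE_CONFIG = """\
version 12.0
hostname edge-router
!
username admin password 0 PLACEHOLDER
!
ip http server
ip http authentication local
!
line vty 0 4
 login local
"""

# Same config after applying the advisory's workaround.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ip http server", "no ip http server")


def parse_version(config):
    """Return (major, minor) from the 'version X.Y' line, or None if absent."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_http_auth(config):
    """Audit an IOS config for HTTP server + local authentication exposure.

    Returns a dict with the parsed version, whether the release is in the
    affected range (11.3 and later, per the advisory), whether the HTTP
    server is enabled, the HTTP authentication method, and a status string.
    """
    lines = [ln.strip() for ln in config.splitlines()]

    # The advisory's workaround is 'no ip http server'; treat its presence as disabled.
    http_enabled = "ip http server" in lines and "no ip http server" not in lines

    # Assumption: with no 'ip http authentication' line, IOS uses the enable password.
    auth_method = "enable"
    for ln in lines:
        m = re.match(r"ip http authentication (\S+)$", ln)
        if m:
            auth_method = m.group(1)

    version = parse_version(config)
    vulnerable_release = version is not None and version >= (11, 3)

    if not http_enabled:
        status = "ok: HTTP server disabled"
    elif auth_method in ("tacacs", "aaa"):
        # Assumed keywords for delegating HTTP auth to TACACS+/RADIUS via AAA.
        status = "ok: HTTP authentication delegated to TACACS+/AAA"
    elif auth_method == "local":
        status = "VULNERABLE: HTTP server enabled with local user database authentication"
    else:
        status = "review: HTTP server enabled, authentication method '%s'" % auth_method

    return {
        "version": version,
        "vulnerable_release": vulnerable_release,
        "http_enabled": http_enabled,
        "auth_method": auth_method,
        "status": status,
    }


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(name, audit_http_auth(cfg))
```

Run it against a saved `show running-config` output for each device in the inventory; a result whose status starts with `VULNERABLE` on an affected release is exactly the configuration the advisory tells you to change, and re-running after `no ip http server` should report the HTTP server as disabled.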