The Cisco web-browser interface for several Cisco access point products contains a vulnerability that could, under certain circumstances, remove the default security configuration from the managed access point and allow administrative access without validation of administrative user credentials.
Credit:
The information has been provided by Cisco Systems Product Security.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml
Vulnerable Systems:
The following access points and bridges, when running Cisco IOS Software Release 12.3(8)JA or 12.3(8)JA1:
* 350 Wireless Access Point and Wireless Bridge
* 1100 Wireless Access Point
* 1130 Wireless Access Point
* 1200 Wireless Access Point
* 1240 Wireless Access Point
* 1310 Wireless Bridge
* 1410 Wireless Bridge
Immune Systems:
* Access points that are not running Cisco IOS.
* Access points that are running any version of Cisco IOS other than Cisco IOS Software Release 12.3(8)JA or 12.3(8)JA1.
* Access points with disabled web-interface management (both HTTP and HTTP secure) are not vulnerable.
* All Cisco access points running in lightweight mode.
The web-browser interface contains management pages that are used to change the wireless device settings, upgrade firmware, and monitor and configure other wireless devices on the network. The web-browser interface is enabled by default, and is indicated by the configuration command ip http server or ip http secure-server.
An access point running a default configuration will use the default enable secret password for administrative access. This can be modified via the web-browser interface tab Security > Admin Access > Default Authentication (Global Password) or via the CLI with the configuration command enable secret [new_secret].
Local User List Only (Individual Passwords) allows administrators of the access points to define a local unique username/password database for their administrators, so that a common global password is not shared.
A vulnerability exists in the access point web-browser interface when Security > Admin Access is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This results in the access point being re-configured with no security, either Global Password or Individual Passwords, enabled. This allows for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.
Access points configured for Local User List Only (Individual Passwords) and running non-vulnerable versions of Cisco IOS which are subsequently upgraded to a vulnerable version of IOS are not affected by this vulnerability as long as the configuration is not altered after the upgrade.
To determine if web-interface management is enabled on a Cisco access point, log into the device and issue the show ip http server status command. If the output shows either http server status or http secure server status as enabled, web-interface management is enabled. An example is shown below with web-interface management enabled:
ap#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
[...lines removed...]
HTTP secure server status: Disabled
HTTP secure server port: 443
[...lines removed...]
Web-interface management (HTTP server) is enabled by default.
To check the version of Cisco IOS running on the access point:
* Via Browser: Click on the System Software menu. The Cisco IOS version will be displayed in the System Software Version field.
* Via Command Line Interface (CLI): Log into the device and issue the show version command to display the system banner.
Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS".
On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command or will give different output.
Successful exploitation of this vulnerability will result in unauthorized administrative access to the access point via the web management interface or via the console port.
The following example identifies a Cisco access point running Cisco IOS Software Release 12.3(7)JA1 with an installed image name of C1200-K9W7-M:
ap#show version
Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 06-Oct-05 09:40 by evmiller
!
[...lines removed...]
!
Additional information about Cisco IOS release naming can be found at: http://www.cisco.com/warp/public/620/1.html
Workaround:
Any of the following workarounds and mitigations may be used to help mitigate the effects of this vulnerability:
* Disable Web-Based Management
To prevent the use of the web-browser interface:
* Via Web-Based Management: Select the Disable Web-Based Management check box on the Services > HTTP-Web Server page and click Apply.
* Via CLI: Log into the device and issue these configuration commands (save the configuration upon exiting):
ap(config)#no ip http server
ap(config)#no ip http secure-server
ap(config)#exit
* Configure via CLI
Enabling Local User List Only (Individual Passwords) via the CLI rather than the web-browser interface will provide the access point with the desired protected configuration. Log into the device and issue these configuration commands (save the configuration upon exiting). The username/password pair test/test below is a placeholder; use a unique username and a strong password.
ap#configure terminal
!--- Setup the username password pair first.
ap(config)#username test privilege 15 password test
!--- Enable AAA.
ap(config)#aaa new-model
!--- Enable aaa authentication to the local database.
ap(config)#aaa authentication login default local
!--- Enable aaa authorization to the local database.
ap(config)#aaa authorization exec default local
!--- Enable http authentication to AAA.
ap(config)#ip http authentication aaa
ap(config)#exit
* Configure RADIUS/TACACS+ Server first
Via the web-browser interface, enabling any RADIUS/TACACS+ server under Security > Server Manager > Corporate Servers and then selecting Local User List Only (Individual Passwords) under Security > Admin Access will provide a workaround to this vulnerability.
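The following Python script is an added example, not part of the Cisco advisory, that applies the checks described above (the show version release check, the show ip http server status check, and the two CLI workarounds) to command output saved from an access point, so a fleet can be triaged offline. It assumes that an access point with web management disabled shows no ip http server and no ip http secure-server in its running configuration, and that an access point whose administrative security was stripped by the bug shows neither an enable secret nor any username/aaa login lines; both are assumptions about running-config rendering, not statements from the advisory. The RADIUS/TACACS+ workaround is not checked. All sample command output is constructed.

```python
"""Offline triage for the Cisco Aironet web-interface admin-access bug
(cisco-sa-20060628-ap). Input is the saved text of 'show version',
'show ip http server status' and 'show running-config'; no device is contacted."""
import re
from typing import Optional

# IOS releases the advisory names as affected.
AFFECTED_RELEASES = {"12.3(8)JA", "12.3(8)JA1"}


def parse_ios_version(show_version: str) -> Optional[str]:
    """Return the release after 'Version' in 'show version', e.g. '12.3(7)JA1'."""
    m = re.search(r"Version\s+(\d+\.\d+\(\d+\)[A-Za-z0-9]*)", show_version)
    return m.group(1) if m else None


def web_management_enabled(http_status: str) -> bool:
    """True if either the HTTP or the HTTP secure server reports Enabled."""
    pattern = re.compile(r"^\s*HTTP(?: secure)? server status:\s*(\w+)", re.IGNORECASE)
    for line in http_status.splitlines():
        m = pattern.match(line)
        if m and m.group(1).lower() == "enabled":
            return True
    return False


def _config_lines(running_config: str) -> set:
    return {line.strip() for line in running_config.splitlines() if line.strip()}


def workaround_present(running_config: str) -> bool:
    """True if the config carries the 'disable web management' or the
    'local AAA via CLI' workaround. Assumption: a web-disabled AP renders
    'no ip http server' and 'no ip http secure-server' in its running config."""
    lines = _config_lines(running_config)
    if {"no ip http server", "no ip http secure-server"} <= lines:
        return True
    aaa_local = {"aaa new-model",
                 "aaa authentication login default local",
                 "ip http authentication aaa"}
    has_user = any(l.startswith("username ") for l in lines)
    return aaa_local <= lines and has_user


def admin_auth_stripped(running_config: str) -> bool:
    """True if neither a global enable secret nor any individual user/AAA login
    is configured. Assumption: this is how the 'no security' state left behind
    by the bug appears in the running config; treat True as a prompt to inspect."""
    lines = _config_lines(running_config)
    global_pw = any(l.startswith(("enable secret", "enable password")) for l in lines)
    individual = "aaa new-model" in lines or any(l.startswith("username ") for l in lines)
    return not (global_pw or individual)


def assess(show_version: str, http_status: str, running_config: str) -> dict:
    """Combine the checks: exposed = affected release, web UI reachable, no workaround."""
    release = parse_ios_version(show_version)
    affected = release in AFFECTED_RELEASES
    web = web_management_enabled(http_status)
    fixed = workaround_present(running_config)
    return {
        "release": release,
        "affected_release": affected,
        "web_management_enabled": web,
        "workaround_present": fixed,
        "admin_auth_stripped": admin_auth_stripped(running_config),
        "exposed": affected and web and not fixed,
    }


# Constructed sample output (not captured from a real device).
SHOW_VERSION_VULN = """Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(8)JA1, RELEASE SOFTWARE (fc1)"""
SHOW_VERSION_SAFE = """Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)"""
HTTP_STATUS = """HTTP server status: Enabled
HTTP server port: 80
HTTP secure server status: Disabled
HTTP secure server port: 443"""
CONFIG_DEFAULT = """hostname ap
enable secret 5 $1$abcd$placeholderhashxxxxxxxxxxxx
ip http server"""
CONFIG_WORKAROUND = """hostname ap
username admin privilege 15 secret 5 $1$abcd$placeholderhashxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip http server
ip http authentication aaa"""
CONFIG_STRIPPED = """hostname ap
ip http server"""

if __name__ == "__main__":
    for name, cfg in (("default", CONFIG_DEFAULT), ("workaround", CONFIG_WORKAROUND),
                      ("stripped", CONFIG_STRIPPED)):
        print(name, assess(SHOW_VERSION_VULN, HTTP_STATUS, cfg))
```

A device reporting exposed is a candidate for the CLI workaround; a device reporting admin_auth_stripped, whatever its release, should be treated as already open to anyone who can reach the web interface or console and be reconfigured from the CLI before anything else.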