From olle@ENVY2.NXS.SE Tue Nov 14 10:56:25 2000
From: Olle Segerdahl
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 14 Nov 2000 15:49:27 +0100
Subject: [BUGTRAQ] Updated def-2000-02 advisory: Catalyst web....

======================================================================
Defcom Labs Advisory def-2000-02
Cisco Catalyst remote command execution

Author: Olle Segerdahl
Release Date: 2000-10-26
======================================================================

------------------------=[Brief Description]=-------------------------

Under certain configurations the web configuration interface of the
Catalyst 2900XL and 3500XL series switches lets any user execute any
command on the system without supplying any authentication
credentials.

------------------------=[Affected Systems]=--------------------------

Cisco Catalyst 2900XL and 3500XL series switches with no "enable"
line in the current configuration.

----------------------=[Detailed Description]=------------------------

Cisco Catalyst 3500 XL series switches have a webserver configuration
interface. This interface lets web users execute any command by
requesting the /exec location from the webserver. An example follows:

    http://catalyst/exec/show/config/cr

This URL will show the configuration file, with all user passwords.

Normally a user will be prompted for authentication credentials, but
in certain configurations no authentication is needed. Consider this
setup: a reasonably security-conscious administrator is assigned
responsibility for a number of Catalyst switches. Since this type of
device is relatively low in maintenance, he decides to create just an
"admin" user with full privileges in the configuration and doesn't
worry about setting an "enable" password. (The enable password is
used by a user with low privileges to obtain a higher privilege
level.) Since he has (in his mind) adequately password protected the
device through all access means other than HTTP (telnet, serial,
etc.), he may think this is true for HTTP as well. His assumption is
wrong.

-------------------------------=[Fix]=---------------------------------

Make sure an "enable" password is set for all Catalysts at all times.

Disable the web configuration interface completely with the following
configuration line:

    no ip http server

--------------------------=[Vendor Status]=---------------------------

Vendor was notified on 2000-10-10. On 2000-11-13 their official
response was:

"This situation may be confusing since admins will be prompted for a
password when trying to telnet to the switch but will not be asked
for it when using the Web to access the switch. All switches from
2900XL and 3500XL families share this behavior."

======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com
www.defcom.com
======================================================================
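The two conditions named in the Affected Systems and Fix sections (no "enable" line in the configuration, and the HTTP server left on) can be checked offline against saved running-configs. The following audit script is an added example and is not part of the advisory or of any Cisco or Defcom tooling; the sample configurations are constructed, the hashes and usernames in them are placeholders, and it assumes the standard IOS line forms "enable secret ..." / "enable password ..." and "ip http server" / "no ip http server". A config that never mentions the HTTP server is reported as unknown rather than safe, because the device default may differ between software versions.

```python
import re

# Constructed sample configs (placeholder secrets, not from a real device).
SAMPLE_VULNERABLE = """\
!
hostname catalyst-a
!
username admin privilege 15 password 7 PLACEHOLDER
!
ip http server
!
line vty 0 4
 login local
!
"""

SAMPLE_HARDENED = """\
!
hostname catalyst-b
!
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
username admin privilege 15 password 7 PLACEHOLDER
!
no ip http server
!
"""

SAMPLE_UNKNOWN = """\
!
hostname catalyst-c
!
username admin privilege 15 password 7 PLACEHOLDER
!
"""

HOSTNAME_RE = re.compile(r"^\s*hostname\s+(\S+)")
ENABLE_RE = re.compile(r"^\s*enable\s+(secret|password)\b")
HTTP_ON_RE = re.compile(r"^\s*ip\s+http\s+server\s*$")
HTTP_OFF_RE = re.compile(r"^\s*no\s+ip\s+http\s+server\s*$")


def audit_config(config_text):
    """Audit one running-config for the def-2000-02 exposure conditions.

    Returns a dict with the hostname, whether an enable line exists,
    the HTTP server state (True/False/None=not mentioned), a list of
    human-readable findings, and 'exposed', which is True only when
    both conditions from the advisory hold at once.
    """
    hostname = "<unknown>"
    has_enable = False
    http_server = None
    for line in config_text.splitlines():
        m = HOSTNAME_RE.match(line)
        if m:
            hostname = m.group(1)
        elif ENABLE_RE.match(line):
            has_enable = True
        elif HTTP_ON_RE.match(line):
            http_server = True
        elif HTTP_OFF_RE.match(line):
            http_server = False

    findings = []
    if not has_enable:
        findings.append("no 'enable secret' or 'enable password' line")
    if http_server is True:
        findings.append("'ip http server' is enabled")
    elif http_server is None:
        findings.append("HTTP server state not in config; verify on device")

    # Exposure per the advisory: web interface on AND no enable line.
    exposed = (not has_enable) and http_server is True
    return {
        "hostname": hostname,
        "has_enable": has_enable,
        "http_server": http_server,
        "exposed": exposed,
        "findings": findings,
    }


def audit_many(configs):
    """Audit several config texts; returns a list of result dicts."""
    return [audit_config(text) for text in configs]


if __name__ == "__main__":
    for result in audit_many([SAMPLE_VULNERABLE, SAMPLE_HARDENED, SAMPLE_UNKNOWN]):
        status = "EXPOSED" if result["exposed"] else "ok"
        print(f"{result['hostname']}: {status}")
        for f in result["findings"]:
            print(f"  - {f}")
```

Feed it the output of "show running-config" saved from each switch; any host reported as EXPOSED matches the advisory's affected configuration, and hosts with an unknown HTTP state should be checked on the device itself.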