OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Advisory def-2000-02: Cisco Catalyst remote command execution
From: Olle Segerdahl (Olle.SegerdahlDEFCOM-SEC.COM)
Date: Thu Oct 26 2000 - 03:51:55 CDT


======================================================================
                   Defcom Labs Advisory def-2000-02

               Cisco Catalyst remote command execution

Author: Olle Segerdahl <olledefcom.com>
Release Date: 2000-10-26
======================================================================
------------------------=[Brief Description]=-------------------------
The Catalyst 3500 XL series switches web configuration interface lets
any user execute any command on the system without logging in.

This issue was extremely easy to find, as Cisco provides a link to it
from the first page of the web configuration service. This is one of
the reasons I have decided to go public with the issue so soon.

------------------------=[Affected Systems]=--------------------------
Cisco Catalyst 3500 XL series switches
Probably all Catalyst switches using the same or similar software.

----------------------=[Detailed Description]=------------------------
Cisco Catalyst 3500 XL series switches have a webserver configuration
interface. This interface lets any anonymous web user execute any
command without supplying any authentication credentials by simply
requesting the /exec location from the webserver. An example follows:
http://catalyst/exec/show/config/cr
This URL will show the configuration file, with all user passwords.

---------------------------=[Workaround]=-----------------------------
Disable the web configuration interface completely. Await software fix.

Refer to your vendor's documentation for information on how to
configure the switch to disable the web configuration interface.

--------------------------=[Vendor Status]=---------------------------
Vendor was notified on 2000-10-10.
I was denied any information about what other products might have the
same problems and have not heard anything from Cisco since....

Expect a software fix release from Cisco soon.

======================================================================
            This release was brought to you by Defcom Labs

              labsdefcom.com www.defcom.com
======================================================================