Cisco Security Response: VTY Authentication Bypass Vulnerability

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Aug 29 2007 - 12:15:00 CDT



Cisco Security Response: VTY Authentication Bypass Vulnerability
================================================================

http://www.cisco.com/warp/public/707/cisco-sr-20070829-vty.shtml

Revision 1.0
============

For Public Release 2007 August 29 1800 UTC (GMT)

Contents
========

        Cisco Response
        Additional Information
        Revision History
        Cisco Security Procedures

Cisco Response
==============

This is the Cisco PSIRT response to the NileSOFT Security Advisory
entitled "Bypass Authentication Vulnerability on Cisco Catalyst 3750
12.2(25)", posted on 2007 August 29th at 0900 UTC (GMT).

The original advisory was posted to a Korean website.

This vulnerability was previously discovered and reported to Cisco
by a customer in April 2005, and the contents of the Cisco bug ID
have been available on Cisco.com since April 2005.

This vulnerability is documented in Cisco bug ID CSCsa91175.

This Cisco Security Response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070829-vty.shtml.

Additional Information
======================

The contents of the Cisco bug ID CSCsa91175 release note enclosure
are shown below:

Symptom
+------

If Authentication, Authorization and Accounting (AAA) is not
enabled on a device and any configuration is entered under the
VTY/AUX or CONSOLE line (except the "login" command), the command
"no login" will appear under the VTY lines.

Conditions
+---------

This symptom will only occur if AAA is not enabled on the device and
any configuration changes are made according to the Symptom
description above.

Although the command "no login" will appear in the configuration, the
device is not vulnerable until the running-configuration is saved to
NVRAM and the device is reloaded.

Cisco IOS software releases within 12.2 E, F, and S release trains
are affected if Cisco Bug ID CSCsa91175 is not integrated. Cisco
recommends checking the device configuration to confirm that under
the VTY lines configuration, the command "no login" is not present,
unless this is the desired configuration. Provided below is a list
of affected trains and the first fixed release.

+--------------------+--------------------------------------------+
| Affected Release   | First Fixed Release                        |
+--------------------+--------------------------------------------+
| 12.2E based trains |                                            |
|   EW               | Vulnerable; apply workaround               |
|   EWA              | Vulnerable; apply workaround               |
|   EU               | Vulnerable; apply workaround               |
|   EX               | Fixed in 12.2(35)EX                        |
|   EY               | Fixed in 12.2(37)EY                        |
+--------------------+--------------------------------------------+
| 12.2F based trains |                                            |
|   FX               | Vulnerable; apply workaround               |
|   FY               | Vulnerable; apply workaround               |
|   FZ               | Vulnerable; apply workaround               |
+--------------------+--------------------------------------------+
| 12.2S based trains |                                            |
|   S                | Vulnerable; apply workaround               |
|   SB               | Fixed in 12.2(31)SB                        |
|   SBC              | Vulnerable; apply workaround               |
|   SE               | Fixed in 12.2(35)SE                        |
|   SEA              | Vulnerable; apply workaround               |
|   SED              | Vulnerable; apply workaround               |
|   SEE              | Vulnerable; apply workaround               |
|   SEF              | Vulnerable; apply workaround               |
|   SEG              | Vulnerable; apply workaround               |
|   SG               | Fixed in 12.2(31)SG                        |
|   SV               | Vulnerable; apply workaround               |
|   SW               | Vulnerable; apply workaround               |
|   SXD              | Vulnerable; apply workaround               |
|   SXE              | Fixed in 12.2(18)SXE4 and later            |
|   SZ               | Vulnerable; apply workaround               |
+--------------------+--------------------------------------------+

No other Cisco IOS release trains are known to be affected by this
vulnerability.

For more information on the terms "releases" and "trains", consult
the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml

In order to check the device configuration, log in to the device and
enter the privileged command "show running-config". Confirm under
the VTY lines configuration that the command "no login" is not
present, unless this is the desired configuration.

For further information on the "login" command please reference:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/tersv_r/ter_l1g.htm#wp998262

An example of a device that will allow terminal access without a
password prompt is shown below:

Device#show running-config
  <lines removed>
  line VTY 0 4
    no login
  <lines removed>
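The configuration check described above (confirm that no VTY line carries "no login"), written out as an added Python audit script; this is not part of the Cisco response. It runs on constructed running-config samples modelled on the excerpt above, using placeholder password strings, and splits each "line vty" block into its sub-commands so that indented lines under other line types (console, AUX) are not mistaken for VTY settings.

```python
import re

# Constructed sample modelled on the advisory's "show running-config" excerpt;
# the "<lines removed>" parts are stood in for by placeholder lines.
VULNERABLE_CONFIG = """\
line con 0
 exec-timeout 5 0
line VTY 0 4
 no login
line vty 5 15
 password 7 PLACEHOLDER
 login
!
end
"""

# The same constructed device after the advisory's workaround: "login" on every VTY line.
REMEDIATED_CONFIG = """\
line vty 0 4
 password 7 PLACEHOLDER
 login
 transport input ssh
line vty 5 15
 password 7 PLACEHOLDER
 login
!
"""

# IOS prints the header as "line vty <first> [<last>]"; the advisory excerpt capitalises VTY.
LINE_VTY = re.compile(r"^line\s+vty\s+\d+(\s+\d+)?$", re.IGNORECASE)


def vty_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Return (header, sub-commands) for each 'line vty' block. Sub-commands are the
    indented lines following the header, up to the next top-level line or '!'."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw[:1] in (" ", "\t") and current is not None:
            current[1].append(raw.strip())   # sub-command of the open vty block
            continue
        current = None                       # any top-level line closes the block
        if LINE_VTY.match(raw.strip()):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def open_vty_lines(config: str) -> list[str]:
    """Headers of VTY blocks carrying 'no login' (terminal access without a password prompt)."""
    return [h for h, cmds in vty_blocks(config) if any(c.lower() == "no login" for c in cmds)]
```

Feed it the saved output of "show running-config"; any header it returns is a VTY range that will accept a session without a password prompt once the configuration is written to NVRAM and the device reloads.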

Workaround
+---------

Configuring the VTY lines with "login" will ensure that any remote
access is prompted for a password first.

Cisco recommends that customers migrate to SSH as a best practice,
where available and practical.

NOTE: If the device is configured for AAA, please consult the AAA
configuration guides for the additional commands that are used with
the "login" command.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Revision History
================

+--------------------------------------------------------+
| Revision 1.0 | 2007-August-29 | Initial public release |
+--------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.