File: 1544.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (78 lines) | stat: -rw-r--r-- 2,672 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
Rule:
--
Sid:
1544
--
Summary:
This event is generated when an attempt is made to list the user 
configuration file on a Cisco router or switch.
--
Impact:
If successful, the switch will reveal the local authentication user 
configuration file to an attacker without requiring prior 
authentication.
--
Detailed Information:
The HTTP server that is part of some versions of the Cisco IOS software 
allows remote command execution when the access control method is set to
local authentication.

--
Affected Systems:
The following Cisco products can be affected.   Whether they actually 
are vulnerable or not depends on the version of IOS that they are 
running.   To properly determine if your product is vulnerable, see the 
Cisco website referenced below.   This is not exploitable if the device 
is using an access control method other than local authentication.
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 
1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, 
AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000
series.
Most recent versions of the LS1010 ATM switch.
The Catalyst 6000 and 5000 if they are running Cisco IOS software.
The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco 
IOS software.
The Catalyst 2900 and 3000 series LAN switches are affected.
The Cisco Distributed Director.
--
Attack Scenarios:
By making the request to a vulnerable system, an attacker can take 
complete control of a Cisco device.
--
Ease of Attack:
Simple.  HTTP GET request, a browser may be used.
--
False Positives:
None known.

--
False Negatives:
This rule only looks for one particular command (show config cr).
However, this vulnerability will allow any other command to be executed 
on the device at the highest privilege level, and this rule will 
not detect them.

This rule only looks for attacks against systems that are included 
in the $HTTP_SERVERS group.   Many administrators do not consider 
routers or switches to be web servers, and therefore may not include 
vulnerable devices in this group, causing an attack to proceed 
unnoticed. If you think one of your routers or switches is vulnerable, 
reference it in the $HTTP_SERVERS group.
--
Corrective Action:
Turn off the web server functionality, use access lists to ensure only 
trusted hosts have access to the device, use TACACS+ or RADIUS for 
access control, or upgrade your version of IOS.
--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Snort documentation contributed by Kevin Peuhkurinen

-- 
Additional References:

Cisco
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

--