From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Jan 2006 17:05:59 +0200
Subject: [NEWS] Cisco Systems IOS 11 Web Service CDP Status Page Code Injection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060119213044.C99785851@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco Systems IOS 11 Web Service CDP Status Page Code Injection
------------------------------------------------------------------------
SUMMARY
"
<http://www.cisco.com/en/US/products/ps6537/products_ios_sub_category_home.html>; Cisco IOS Software is the world's leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware platform support."
Improper validation of user provided input allow attackers to inject HTML
and/or JavaScript code into the Cisco Systems IOS 11 Web Service.
DETAILS
Vulnerable Systems:
* IOS version 11.2(8.11)SA6
Immune Systems:
* IOS version 12
The vulnerability specifically exists due to insufficient filtering of
user-supplied data which is displayed in the Cisco HTTP status pages.
One of the status pages included in the IOS 11 HTML package displays
information about current CDP protocol statistics. The Cisco Discovery
Protocol (CDP) is a proprietary, medium-independent protocol that runs
over Layer 2 (the data link layer) on the Content Services Switches (CSS)
and other Cisco manufactured equipment, such as routers, switches,
bridges, and access servers.
Remote attackers can transmit carefully constructed CDP packets on the
local segment to inject arbitrary scripting code into the CDP status
pages. Once a legitimate user logs into the administrative website and
views the CDP status page, arbitrary commands can be executed on the
router via the injected scripting code.
Successful exploitation of this vulnerability allows unauthenticated
remote attackers to execute arbitrary commands on the network device.
Once a legitimate user logs into the administrative web site and views the
CDP status page, commands will execute with permissions of the logged in
user. The the Cisco web administration interface allows users to access
the same functionality available through the command line interface. A
successful attack could manipulate routing information, add users, or
execute any commands normally available to the logged in user.
A significant mitigating factor is that CDP is not a routed protocol and
attacks are limited to the local segment, however the widespread practice
of wardriving does increase the risk of attack for non-isolated segments.
In addition, IOS 11 has been superseded by IOS 12 in new devices, however
many older platforms cannot upgrade to IOS 12 due to flash ROM size
constraints.
Remote exploitation of a input validation vulnerability in Cisco IOS 11
HTML package can allow attackers to execute arbitrary scripting code.
Workaround:
If the network device is capable of running IOS 12, an upgrade is highly
recommended.
If a workaround is required due to hardware restrictions, apply one of the
following solutions to mitigate the vulnerability.
If CDP support is not required, disable CDP functionality from the IOS
command line interface:
cisco# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco(config)# no cdp run
cisco(config)# end
1w2d: %SYS-5-CONFIG_I: Configured from console by console
cisco# write mem
Building configuration...
[OK]
cisco# reload
If the web administration interface is not required, disable the http
daemon via the IOS command line interface:
cisco# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco(config)# no ip http server
cisco(config)# end
1w2d: %SYS-5-CONFIG_I: Configured from console by console
cisco# write mem
Building configuration...
[OK]
cisco# reload
If CDP support and the web interface are required, remove the CDP status
page from the IOS flash:
cisco#delete flash:html/cdp.html.gz
Delete filename [html/cdp.html.gz]?y
Delete flash:html/cdp.html.gz? [confirm]
cisco#
It is also recommended to read the
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801ee747.html>; Cisco configuration guide.
Disclosure Timeline:
03/24/2005 Initial vendor notification
01/17/2006 Initial vendor response
01/17/2006 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@lists.idefense.com.> iDEFENSE Labs.
The original article can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372>;
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372
The vendor advisory can be found at:
<http://www.securiteam.com/securitynews/6G0072AEUW.html>;
http://www.securiteam.com/securitynews/6G0072AEUW.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
