From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 29 Jun 2006 14:27:07 +0200
Subject: [NEWS] Cisco Web-Browser Interface Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Web-Browser Interface Vulnerability
------------------------------------------------------------------------
SUMMARY
The Cisco web-browser interface for several Cisco access point products
contains a vulnerability that could, under certain circumstances, remove
the default security configuration from the managed access point and allow
administrative access without validation of administrative user
credentials.
DETAILS
Vulnerable Systems:
* Cisco IOS Software Release 12.3(8)JA
* Cisco IOS Software Release 12.3(8)JA1
* 350 Wireless Access Point and Wireless Bridge
* 1100 Wireless Access Point
* 1130 Wireless Access Point
* 1200 Wireless Access Point
* 1240 Wireless Access Point
* 1310 Wireless Bridge
* 1410 Wireless Access Point
Immune Systems:
* Access points that are not running Cisco IOS.
* Access points that are running any version of Cisco IOS other than
Cisco IOS Software Release 12.3(8)JA or 12.3(8)JA1.
* Access points with disabled web-interface management (both HTTP and
HTTP secure) are not vulnerable.
* All Cisco access points running in lightweight mode.
The web-browser interface contains management pages that are used to
change the wireless device settings, upgrade firmware, and monitor and
configure other wireless devices on the network. The web-browser interface
is enabled by default, and is indicated by the configuration command ip
http server or ip http secure-server.
An access point running a default configuration will use the default
enable secret password for administrative access. This can be modified via
the web-browser interface tab Security > Admin Access > Default
Authentication (Global Password) or via the CLI with the configuration
command enable secret [new_secret].
Local User List Only (Individual Passwords) allows administrators of the
access points to define a local unique username/password database for
their administrators, so that a common global password is not shared.
A vulnerability exists in the access point web-browser interface when
Security > Admin Access is changed from Default Authentication (Global
Password) to Local User List Only (Individual Passwords). This results in
the access point being re-configured with no security, either Global
Password or Individual Passwords, enabled. This allows for open access to
the access point via the web-browser interface or via the console port
with no validation of user credentials.
Access points configured for Local User List Only (Individual Passwords)
and running non-vulnerable versions of Cisco IOS which are subsequently
upgraded to a vulnerable version of IOS are not affected by this
vulnerability as long as the configuration is not altered after the
upgrade.
To determine if web-interface management is enabled on a Cisco access
point, log into the device and issue the show ip http server status
command. If the output shows either http server status or http secure
server status as enabled, web-interface management is enabled. An example
is shown below with web-interface management enabled:
ap#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
[...lines removed...]
HTTP secure server status: Disabled
HTTP secure server port: 443
[...lines removed...]
Web-interface management (HTTP server) is enabled by default.
To check the version of Cisco IOS running on the access point:
* Via Browser: Click on the System Software menu. The Cisco IOS version
will be displayed in the System Software Version field.
* Via Command Line Interface (CLI): To determine the software running
on a Cisco access point, log into the device and issue the show version
command to display the system banner.
Cisco IOS software will identify itself as "Internetwork Operating System
Software" or simply "IOS".
On the next line of output, the image name will be displayed between
parentheses, followed by "Version" and the Cisco IOS release name. Other
Cisco devices will not have the show version command or will give
different output.
Successful exploitation of this vulnerability will result in unauthorized
administrative access to the access point via the web management interface
or via the console port.
The following example identifies a Cisco access point running Cisco IOS
Software Release 12.3(7)JA1 with an installed image name of C1200-K9W7-M:
ap#show version
Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 06-Oct-05 09:40 by evmiller
!
[...lines removed...]
!
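As an added check that is not part of the Cisco advisory or the SecuriTeam text, the following Python parses the output of the two commands the advisory walks through (show ip http server status and show version) and reports whether an access point meets the advisory's exposure conditions: an affected release with HTTP or HTTP secure management enabled. The sample outputs are constructed from the advisory's own excerpts.

```python
import re

# Releases the advisory lists as vulnerable.
VULNERABLE_RELEASES = {"12.3(8)JA", "12.3(8)JA1"}

# Constructed sample outputs, modelled on the advisory's excerpts (not real captures).
SAMPLE_HTTP_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP secure server status: Disabled
HTTP secure server port: 443
"""

SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(8)JA1, RELEASE SOFTWARE (fc1)
"""


def web_management_enabled(status_output):
    """True if either the HTTP or the HTTP secure server reports 'Enabled'."""
    states = re.findall(r"^HTTP(?: secure)? server status:\s*(\w+)",
                        status_output, re.M)
    return any(s.lower() == "enabled" for s in states)


def parse_ios_release(version_output):
    """Extract the release string (e.g. '12.3(8)JA1') from 'show version'."""
    m = re.search(r"Version\s+([\w.()]+)", version_output)
    return m.group(1) if m else None


def exposure_report(version_output, status_output):
    """Summarise the two conditions the advisory combines."""
    release = parse_ios_release(version_output)
    web_on = web_management_enabled(status_output)
    return {
        "release": release,
        "vulnerable_release": release in VULNERABLE_RELEASES,
        "web_management_enabled": web_on,
        "exposed": release in VULNERABLE_RELEASES and web_on,
    }


def is_exposed(version_output, status_output):
    return exposure_report(version_output, status_output)["exposed"]
```

The check does not see the advisory's lightweight-mode exemption, so an AP it flags should still be confirmed to be running in autonomous mode.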
Additional information about Cisco IOS release naming can be found at:
<http://www.cisco.com/warp/public/620/1.html>
Workaround:
Any of the following workarounds and mitigations may be used to help
mitigate the effects of this vulnerability:
* Disable Web-Based Management
To prevent the use of the web-browser interface, do either of the following:
* Web-Based Management: Select the Disable Web-Based Management check box
on the Services > HTTP-Web Server page and click Apply.
* CLI: Log into the device and issue these configuration commands (save
the configuration upon exiting):
ap(config)#no ip http server
ap(config)#no ip http secure-server
ap(config)#exit
* Configure via CLI
Enabling Local User List Only (Individual Passwords) via the CLI rather
than the web-browser interface will provide the access point with the
desired protected configuration. Log into the device and issue these
configuration commands (save the configuration upon exiting):
ap#configure terminal
!--- Setup the username password pair first.
ap(config)#username test privilege 15 password test
!--- Enable AAA.
ap(config)#aaa new-model
!--- Enable aaa authentication to the local database.
ap(config)#aaa authentication login default local
!--- Enable aaa authorization to the local database.
ap(config)#aaa authorization exec default local
!--- Enable http authentication to AAA.
ap(config)#ip http authentication aaa
ap(config)#exit
* Configure RADIUS/TACACS Server first
Via the web-browser interface, enabling any RADIUS/TACACS+ server under
Security > Server Manager > Corporate Servers and then setting
Security > Admin Access to Local User List Only (Individual Passwords)
provides a workaround for this vulnerability.
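As an added audit that is not part of the Cisco advisory or the SecuriTeam text, the following Python classifies a saved running-config against the first two workarounds above: web management disabled, or the CLI-applied local AAA configuration. It assumes that an enabled HTTP server appears in the running-config as ip http server / ip http secure-server and a disabled one as the no form; the sample config is constructed from the advisory's CLI workaround.

```python
import re

# Constructed running-config excerpt with the advisory's CLI workaround applied.
SAMPLE_RUNNING_CONFIG = """\
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
username test privilege 15 password 0 test
!
ip http server
no ip http secure-server
ip http authentication aaa
!
"""

# Commands the advisory's CLI workaround adds; all of them must be present.
AAA_LOCAL_COMMANDS = (
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
    "ip http authentication aaa",
)


def config_lines(cfg):
    """Strip blank lines, '!' comment lines and surrounding whitespace."""
    out = []
    for raw in cfg.splitlines():
        ln = raw.strip()
        if ln and not ln.startswith("!"):
            out.append(ln)
    return out


def web_management_configured(cfg):
    """Assumption: presence of the positive command means the server is on."""
    lines = set(config_lines(cfg))
    return "ip http server" in lines or "ip http secure-server" in lines


def has_privileged_local_user(cfg):
    """At least one privilege-15 local user, as in the advisory's example."""
    return any(re.match(r"username \S+ privilege 15\b", ln) for ln in config_lines(cfg))


def workaround_state(cfg):
    """Return which workaround the config reflects, or 'not-mitigated'."""
    if not web_management_configured(cfg):
        return "web-management-disabled"
    lines = set(config_lines(cfg))
    if all(cmd in lines for cmd in AAA_LOCAL_COMMANDS) and has_privileged_local_user(cfg):
        return "aaa-local-users"
    return "not-mitigated"
```

The third workaround (RADIUS/TACACS+ servers configured via the web interface) is not recognised, so 'not-mitigated' means only that neither of the first two is in place.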
ADDITIONAL INFORMATION
The information has been provided by Cisco Systems Product Security
(psirt@cisco.com).
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml>