A recently discovered bug in the built-in HTTP server of Cisco routers opens up the potential for a simple attack that could allow hackers to take complete control of the router, make configuration changes, and potentially take it offline. This article will take a look at the specific equipment affected and then explain how to fix the problem.
Cisco administrators can use the built-in HTTP server to manage Cisco routers remotely through a Web-based interface. The problem (identified as Cisco Bug ID CSCdt93862) lies in the local authentication code, which checks HTTP requests against the username and password database defined on the device itself. Devices that authenticate HTTP sessions against a remote TACACS+ or RADIUS server are not affected.
Essentially, only a very limited number of authorization values exist for the affected routers, and they are easy to guess: the URL that triggers the flaw contains a two-digit value xx between 16 and 99, so testing any router at random requires at most 84 requests, one per candidate value. That is a task an attacker can script and complete in a few seconds.
Cisco has published a description of the problem. Check Cisco's advisory for updates, because so far it has released only an interim security advisory, and the affected-platform list and fixed releases are likely to change before it reaches final status. The CERT advisory (CA-2001-14) summarizes the information in the Cisco advisory.
Virtually all routers running the Cisco Internetwork Operating System (IOS) and Catalyst switches running IOS Release 11.3 or later are affected, provided the HTTP server is enabled and local authentication is in use.
This includes the following equipment:
- Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000 series
- Most recent versions of the LS1010 ATM switch
- Catalyst 6000
- Catalyst 2900XL LAN switch
- Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches
- The Cisco Distributed Director
Administrators with the hardware listed above should check whether their devices run an affected IOS release with the HTTP server enabled and local authentication in use (show running-config and look for "ip http server" and the "ip http authentication" line). Because only fairly recent releases (11.3 and later) are affected, older installations reduce the number of vulnerable systems. However, the list above is probably not exhaustive, so anyone running IOS should pay attention to this advisory.
Hardware that does not run IOS cannot be affected by this vulnerability. Cisco says that the following products are specifically not affected:
- 700 series dial-up routers (750, 760, and 770 series)
- Catalyst 6000 (if it is not running Cisco IOS software)
- WAN switching products in the IGX and BPX lines
- The MGX (formerly known as the AXIS shelf)
- Host-based software
- Cisco PIX Firewall
- Cisco Local Director
- Cisco Cache Engine
By simply sending a particular URL to the HTTP server, an attacker gains privilege level 15, the highest IOS privilege level, which permits complete remote control of every function of the device, including reading and changing the configuration.
Although the exact URL varies from device to device, there are at most 84 candidate values to try, so this vulnerability is simple for even a novice attacker to exploit, and no credentials of any kind are required.
One way to eliminate this problem is to disable the HTTP server entirely. You can accomplish this with the following commands (from Cisco):
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no ip http server
Router(config)# end
Then save the running configuration so the change survives a reload (this step is added here; it is a standard IOS command rather than part of Cisco's workaround text):
Router# copy running-config startup-config
Since the problem is with local authentication, you can instead use TACACS+ or RADIUS for remote authentication and keep authorized remote control over the hardware: configure AAA with a TACACS+ or RADIUS server and set "ip http authentication aaa" so the HTTP server no longer consults the on-device user database. TACACS+ (Terminal Access Controller Access Control System Plus) is Cisco's own authentication protocol, and Cisco has released a freeware TACACS+ server daemon. RADIUS (Remote Authentication Dial-In User Service), developed by Livingston Enterprises Inc., has been supported by Cisco IOS software since Release 11.1. Cisco offers an overview of RADIUS as implemented in its software. Note that if your AAA method list falls back to "local" when the servers are unreachable, the device reverts to the vulnerable local check during an outage, so also restrict which addresses may reach the HTTP server ("ip http access-class") or simply disable it.
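The following Python script is an added example, not code from the original article or from Cisco: it audits a saved IOS running-config for the exposure described above, distinguishing an HTTP server that is off, one that uses on-device authentication (the vulnerable case), and one that hands authentication to TACACS+ or RADIUS through AAA. The three configs are constructed samples, not captures from real devices; the function names are the author's own, and the script assumes that the HTTP server uses the "default" AAA login list and that a device with no "ip http authentication" line uses the enable password (the IOS default). It also flags a "local" fallback in the AAA method list and whether an "ip http access-class" restriction is present.

```python
"""Audit Cisco IOS configs for HTTP-server authentication exposure (added example)."""
import re

# Constructed sample configs for the three cases discussed in the article.
LOCAL_AUTH_CONFIG = """\
!
hostname edge-1
username admin privilege 15 password 7 0822455D0A16
ip http server
ip http authentication local
!
"""

AAA_CONFIG = """\
!
hostname edge-2
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.0.0.5
tacacs-server key 7 0822455D0A16
access-list 10 permit 10.0.0.0 0.0.0.255
ip http server
ip http authentication aaa
ip http access-class 10
!
"""

HTTP_OFF_CONFIG = """\
!
hostname edge-3
no ip http server
!
"""

REMOTE_METHODS = {"tacacs+", "radius"}


def config_lines(text):
    """Return the config statements with blank lines and '!' separators removed."""
    stripped = (ln.strip() for ln in text.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith("!")]


def login_methods(lines):
    """Method tokens of 'aaa authentication login default ...' (the 'group' keyword dropped)."""
    for ln in lines:
        m = re.match(r"aaa authentication login default\s+(.+)$", ln)
        if m:
            return [tok for tok in m.group(1).split() if tok != "group"]
    return []


def assess_http_auth(text):
    """Classify one device config as 'ok', 'vulnerable' or 'mitigated' with a reason."""
    lines = config_lines(text)
    if "ip http server" not in lines:  # 'no ip http server' does not match this exact statement
        return {"status": "ok", "reason": "HTTP server disabled"}

    method = "enable"  # assumption: IOS default when no 'ip http authentication' line exists
    for ln in lines:
        m = re.match(r"ip http authentication (\S+)$", ln)
        if m:
            method = m.group(1)
    access_class = any(ln.startswith("ip http access-class ") for ln in lines)

    # Anything other than AAA is checked on the device itself: the vulnerable case.
    if method != "aaa":
        return {"status": "vulnerable", "access_class": access_class,
                "reason": f"HTTP server enabled with on-device '{method}' authentication"}
    if "aaa new-model" not in lines:
        return {"status": "vulnerable", "access_class": access_class,
                "reason": "'ip http authentication aaa' set but AAA is not enabled"}

    methods = login_methods(lines)
    remote = [m for m in methods if m in REMOTE_METHODS]
    if not remote:
        return {"status": "vulnerable", "access_class": access_class,
                "reason": "AAA login list has no TACACS+/RADIUS method"}
    return {"status": "mitigated", "access_class": access_class,
            "local_fallback": "local" in methods or "enable" in methods,
            "reason": "HTTP authentication via " + ", ".join(remote)}


if __name__ == "__main__":
    for name, cfg in [("edge-1", LOCAL_AUTH_CONFIG), ("edge-2", AAA_CONFIG),
                      ("edge-3", HTTP_OFF_CONFIG)]:
        print(name, assess_http_auth(cfg))
```

Run it against the output of "show running-config" collected from each device; edge-2 is reported as mitigated but with local_fallback set, which is the outage case mentioned above, and the access_class flag tells you whether a server outage would at least be limited to the permitted management subnet.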
For more information on RADIUS, see the Internet Engineering Task Force (IETF) RADIUS specification (RFC 2058) and RADIUS accounting standard (RFC 2059), both since superseded by RFC 2865 and RFC 2866. The developers of the protocol have also produced a RADIUS white paper.