Defcom Labs Advisory def-2000-02 - The Cisco Catalyst 2900XL and 3500XL series switches web configuration interface lets any user execute any command on the system without supplying any authentication credentials if no enable password is set.
fb3eb565b332a1d4716df6739f52f1c56170f54af3e8c1051420af084f828026
======================================================================
Defcom Labs Advisory def-2000-02
Cisco Catalyst remote command execution
Author: Olle Segerdahl <olle@defcom.com>
Release Date: 2000-10-26
======================================================================
------------------------=[Brief Description]=-------------------------
Under certain configurations the Catalyst 2900XL and 3500XL series
switches web configuration interface lets any user execute any command
on the system without supplying any authentication credentials.
------------------------=[Affected Systems]=--------------------------
Cisco Catalyst 2900XL and 3500XL series switches with no "enable" line
in the current configuration.
----------------------=[Detailed Description]=------------------------
Cisco Catalyst 3500 XL series switches have a webserver configuration
interface. This interface lets web users execute any command by
requesting the /exec location from the webserver. An example follows:
http://catalyst/exec/show/config/cr
This URL will show the configuration file, with all user passwords.
Normally a user will be prompted for authentication credentials, but
in certain configurations, no authentication is needed:
Consider this setup. A reasonably security-concious administrator is
assigned responsibility for a number of Catalyst switches. Since this
type of device is relatively low in maintainence, he decides to create
just an "admin" user with full priviledges in the configuration and
doesn't worry about setting an "enable" password. (The enable password
is used by a user with low privs to obtain a higher priviledge level.)
Since he has (in his mind) adequately password protected the device
through all access means other than HTTP (telnet, serial, etc.) he may
think this is true for HTTP as well. His assumption is wrong.
-------------------------------=[Fix]=---------------------------------
Make sure an "enable" password is set for all Catalysts at all times.
Disable the web configuration interface completely with the following
configuration line: "no ip http server".
--------------------------=[Vendor Status]=---------------------------
Vendor was notified on 2000-10-10.
On 2000-11-13 their official response was:
"This situation may be confusing since admins will be prompted for a
password when trying to telnet to the switch but will not be asked for
it when using the Web to access the switch.
All switches from 2900XL and 3500XL families share this behavior."
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================