Cisco Catalyst access
CVE-2000-0945
Impact
A remote attacker could execute arbitrary commands on
the switch through the web interface.
Background
The Cisco Catalyst 3500 XL series of switches has a web
interface to allow network managers to manage many switches
from a single IP address using a web browser.
The Problem
If the enable password is not set, the /exec location in the
Catalyst's web interface allows an anonymous user to execute
arbitrary commands on the switch without any authentication.
A remote attacker could change the access lists, create a
denial of service, or maliciously re-route traffic by
modifying the switch configuration.
Resolution
Set the enable password.
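
To find switches that still need this fix, saved configurations can be checked offline. The following is an added example, not part of the original advisory or any Cisco tool: it assumes IOS-style configuration text in which the enable password appears as a global `enable secret` or `enable password` line and the web interface as `ip http server` / `no ip http server`. The sample configurations are constructed, and treating an unstated web server as possibly enabled is an assumption.

```python
import re

# Constructed sample configurations (not captured from a real switch).
SAMPLE_NO_ENABLE = """\
hostname lab-sw1
!
ip http server
!
interface VLAN1
 ip address 192.0.2.10 255.255.255.0
"""

SAMPLE_WITH_ENABLE = """\
hostname lab-sw2
!
enable secret 5 $1$CONSTRUCTED$PLACEHOLDERHASH
!
ip http server
"""

SAMPLE_HTTP_OFF = """\
hostname lab-sw3
!
no ip http server
"""

def audit_config(text):
    """Check a saved IOS-style config for the condition in this advisory."""
    enable_set = False
    http_server = "unstated"          # no explicit line found in the config
    for line in text.splitlines():
        # Global commands are unindented; skip sub-mode lines and comments.
        if not line.strip() or line[0] in " \t!":
            continue
        line = line.rstrip()
        if re.match(r"enable (secret|password)\s+\S", line):
            enable_set = True
        elif re.match(r"ip http server$", line):
            http_server = "enabled"
        elif re.match(r"no ip http server$", line):
            http_server = "disabled"
    # Assumption: an unstated HTTP server is treated as possibly enabled.
    exposed = (not enable_set) and http_server != "disabled"
    return {"enable_set": enable_set, "http_server": http_server, "exposed": exposed}

if __name__ == "__main__":
    for name in ("SAMPLE_NO_ENABLE", "SAMPLE_WITH_ENABLE", "SAMPLE_HTTP_OFF"):
        print(name, audit_config(globals()[name]))
```

A result with `exposed` set to true marks a configuration where the enable password still has to be set.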
Where can I read more about this?
This vulnerability was posted to
Bugtraq. The fix was also discussed in
Bugtraq.