Cisco web interface access
Created 7/3/01
CVE 2001-0537
Impact
A remote attacker could execute arbitrary commands on
the device through the web interface.
Background
Many Cisco devices come
with an HTTP interface, which allows device
configuration to take place through a web interface from
a standard web browser.
Users requesting access to a Cisco device must authenticate
to the device by supplying a password. Devices can be configured
to use local authentication, in which the password is verified
by the device itself, or a system such as
TACACS+ or
Radius,
in which the password is verified by a central server.
The Problem
An attacker can bypass the authentication process on
a device which uses local authentication and has the
HTTP interface enabled. The URL used in
this attack is in the following format:
http://<target>/level/XX/exec/...
where XX is
a number between 16 and 99. An attacker would have no way
of knowing which number can be used to bypass authentication,
but since the range is limited, the number could be determined
simply by trying every possibility.
Resolution
Upgrade to the releases referenced in the
Cisco advisory.
Alternatively, disable the HTTP interface
or use TACACS+ or Radius for authentication.
Where can I read more about this?
More information about this vulnerability is available
in CERT Advisory 2001-14
and in the Cisco advisory.