Cisco Web switches found to have security cracks

SAN JOSE - Two vulnerabilities have cropped up in Cisco content switches that could make them susceptible to denial-of-service attacks and allow unauthorized users to view sensitive information.

The products are Cisco's Content Services Switches - the CSS 11050, CSS 11150 and CSS 11800 - which were obtained through the $6 billion acquisition of ArrowPoint Communications last year. Once a user has been granted access to the command line interface (CLI) of these products, even an "unprivileged" user can force the switch into a temporary denial of service and make it reveal file names and file contents.

An unprivileged user is one who has access to the switch, and perhaps the switch's CLI, but does not have administrative authority. Cisco issued a field notice on its Web site two weeks ago alerting users to the problems.

Once unprivileged users gain command line access, certain commands can cause the switch to restart if the file name supplied to the command is exactly the maximum length of the input buffer. The switch then reboots and runs a system check, which prevents it from functioning normally for up to five minutes, the field notice states.

This vulnerability can be continuously reproduced to create a denial-of-service attack.

The second vulnerability can provide unauthorized access to important files such as the configuration files, as well as to directory structure information. Unprivileged users can map the directory structure by requesting nonexistent file names and observing the responses, and can then read files once the directory path of the target files is known.

These vulnerabilities are minimized if access to the CLI is well-protected.

"Presumably, they'd be inadvertent attacks because you'd only give logins to employees," says Peter Spellman, CTO at iwant.com. "It all depends who you allow to access your switch. The only people who have access to our switch are our admin guys."

Cisco is offering free software upgrades on its Web site to eliminate the denial-of-service vulnerability. The file system information disclosure vulnerabilities are scheduled to be fixed.

Cisco recommends workarounds in the interim. One such workaround is to apply access control lists to restrict access to the Cisco content switch, along with additional firewall rules or access lists to restrict connections to the management interface. Telnet service can also be disabled, but for many customers in a colocation environment this is not feasible, Cisco says.

These vulnerabilities were discovered by a security consulting firm during a customer security audit. Cisco says it is not aware of any malicious use of the vulnerabilities.
