Cisco IOS security hole surfaces in Web server code

Security researchers this week said they discovered a hole in the Web server code in Cisco’s IOS software.

The flaw could allow attackers - armed only with knowledge of the Cisco device’s IP address - to gain administrative control of a Cisco device or run arbitrary code on the machine, according to claims.

The vulnerability - as reported by the security organizations Secunia and SecurityFocus and detailed on Cisco’s Web site - could allow a potential attacker to view a memory dump (a record of the data in a router’s memory) of an IOS router via the HTTP server and inject script code into the router through the HTTP server. Attackers could use this method to get administrator-level access to a Cisco router or switch or run code on the device.

The vulnerability only affects Cisco routers running IOS HTTP servers, which are used as an alternative management interface to the text-based command line for configuring routers. Cisco IOS versions 11.0 and higher are vulnerable, due to the fact that they ship with the HTTP server software. The HTTP server is not enabled by default in most IOS versions installed on routers shipped from Cisco, according to the company’s Web site. However resellers, carriers and other partners could enable the HTTP for management purposes when deploying the device in customer networks.

Cisco is aware of the claims of the IOS HTTP vulnerability, a company spokesperson says, and is investigating the issue. An advisory will be sent to customers if deemed necessary by the company.

Cisco says it is working on a software release that fixes this vulnerability. The company says users should disable the HTTP server running feature on routers.

Users can check to see if a Cisco router has the HTTP server enabled by typing the IOS command: show ip http server status

If the device is running the HTTP server, the reply will read:

Router>show ip http server status

HTTP server status: Enabled

Cisco says its IOS XR operating system, used mostly in carrier deployments, is not affected by the HTTP server flaw.

Learn more about this topic

More on past vulnerabilities

11/07/05

Join the discussion
Be the first to comment on this article. Our Commenting Policies