[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Subject: FW:*ALERT* NEW BID 10025 (URGENCY 9.3): Cisco CatOS Password





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Vulnerability Alert

Cisco IOS Password Prompt Unauthorized Remote Command Execution
Vulnerability
Bugtraq ID 10025
CVE CVE-MAP-NOMATCH
Published Apr 01 2004 6:22:69 PM GMT
Remote Yes
Local No
Credibility Vendor Confirmed
Classification Access Validation Error
Ease No Exploit Required
Availability Always
Authentication Not Required

Impact 9.2 Severity 8.9 Urgency Rating 9.3

Last Change Cisco has responded to this issue; see Technical
Information and References for details.

Vulnerable Systems
- ------------------
Cisco IOS 11.0
Cisco IOS 11.1 CC
Cisco IOS 11.1 CA
Cisco IOS 11.1 AA
Cisco IOS 11.1
Cisco IOS 11.2 SA
Cisco IOS 11.2 P
Cisco IOS 11.2
Cisco IOS 11.3 T
Cisco IOS 11.3
Cisco IOS 12.0 XW
Cisco IOS 12.0 XV
Cisco IOS 12.0 XU
Cisco IOS 12.0 XS
Cisco IOS 12.0 XR
Cisco IOS 12.0 XQ
Cisco IOS 12.0 XP
Cisco IOS 12.0 XN
Cisco IOS 12.0 XM
Cisco IOS 12.0 XL
Cisco IOS 12.0 XK
Cisco IOS 12.0 XJ
Cisco IOS 12.0 XI
Cisco IOS 12.0 XH
Cisco IOS 12.0 XG
Cisco IOS 12.0 XF
Cisco IOS 12.0 XE
Cisco IOS 12.0 XD
Cisco IOS 12.0 XC
Cisco IOS 12.0 XB
Cisco IOS 12.0 XA
Cisco IOS 12.0 WT
Cisco IOS 12.0 WC
Cisco IOS 12.0 W5
Cisco IOS 12.0 T
Cisco IOS 12.0 SZ
Cisco IOS 12.0 SY
Cisco IOS 12.0 SX
Cisco IOS 12.0 ST
Cisco IOS 12.0 SP
Cisco IOS 12.0 SL
Cisco IOS 12.0 SC
Cisco IOS 12.0 S
Cisco IOS 12.0 DC
Cisco IOS 12.0 DB
Cisco IOS 12.0 DA
Cisco IOS 12.0
Cisco IOS 12.1 YJ
Cisco IOS 12.1 YI
Cisco IOS 12.1 YH
Cisco IOS 12.1 YF
Cisco IOS 12.1 YE
Cisco IOS 12.1 YD
Cisco IOS 12.1 YC
Cisco IOS 12.1 YB
Cisco IOS 12.1 XZ
Cisco IOS 12.1 XY
Cisco IOS 12.1 XX
Cisco IOS 12.1 XW
Cisco IOS 12.1 XV
Cisco IOS 12.1 XU
Cisco IOS 12.1 XT
Cisco IOS 12.1 XS
Cisco IOS 12.1 XR
Cisco IOS 12.1 XQ
Cisco IOS 12.1 XP
Cisco IOS 12.1 XM
Cisco IOS 12.1 XL
Cisco IOS 12.1 XK
Cisco IOS 12.1 XJ
Cisco IOS 12.1 XI
Cisco IOS 12.1 XH
Cisco IOS 12.1 XG
Cisco IOS 12.1 XF
Cisco IOS 12.1 XE
Cisco IOS 12.1 XD
Cisco IOS 12.1 XC
Cisco IOS 12.1 XB
Cisco IOS 12.1 XA
Cisco IOS 12.1 T
Cisco IOS 12.1 M
Cisco IOS 12.1 EY
Cisco IOS 12.1 EX
Cisco IOS 12.1 EW
Cisco IOS 12.1 EV
Cisco IOS 12.1 EC
Cisco IOS 12.1 EB
Cisco IOS 12.1 EA
Cisco IOS 12.1 E
Cisco IOS 12.1 DC
Cisco IOS 12.1 DB
Cisco IOS 12.1 DA
Cisco IOS 12.1 AY
Cisco IOS 12.1 AX
Cisco IOS 12.1 AA
Cisco IOS 12.1
Cisco IOS 12.2 ZJ
Cisco IOS 12.2 ZH
Cisco IOS 12.2 ZG
Cisco IOS 12.2 ZF
Cisco IOS 12.2 ZE
Cisco IOS 12.2 ZD
Cisco IOS 12.2 ZC
Cisco IOS 12.2 ZB
Cisco IOS 12.2 ZA
Cisco IOS 12.2 YZ
Cisco IOS 12.2 YY
Cisco IOS 12.2 YX
Cisco IOS 12.2 YW
Cisco IOS 12.2 YV
Cisco IOS 12.2 YU
Cisco IOS 12.2 YT
Cisco IOS 12.2 YS
Cisco IOS 12.2 YR
Cisco IOS 12.2 YQ
Cisco IOS 12.2 YP
Cisco IOS 12.2 YO
Cisco IOS 12.2 YN
Cisco IOS 12.2 YM
Cisco IOS 12.2 YL
Cisco IOS 12.2 YK
Cisco IOS 12.2 YJ
Cisco IOS 12.2 YH
Cisco IOS 12.2 YG
Cisco IOS 12.2 YF
Cisco IOS 12.2 YD
Cisco IOS 12.2 YC
Cisco IOS 12.2 YB
Cisco IOS 12.2 YA
Cisco IOS 12.2 XW
Cisco IOS 12.2 XT
Cisco IOS 12.2 XS
Cisco IOS 12.2 XR
Cisco IOS 12.2 XQ
Cisco IOS 12.2 XN
Cisco IOS 12.2 XM
Cisco IOS 12.2 XL
Cisco IOS 12.2 XK
Cisco IOS 12.2 XJ
Cisco IOS 12.2 XI
Cisco IOS 12.2 XH
Cisco IOS 12.2 XG
Cisco IOS 12.2 XF
Cisco IOS 12.2 XE
Cisco IOS 12.2 XD
Cisco IOS 12.2 XC
Cisco IOS 12.2 XB
Cisco IOS 12.2 XA
Cisco IOS 12.2 T
Cisco IOS 12.2 SZ
Cisco IOS 12.2 SY
Cisco IOS 12.2 SX
Cisco IOS 12.2 S
Cisco IOS 12.2 MX
Cisco IOS 12.2 MC
Cisco IOS 12.2 MB
Cisco IOS 12.2 JA
Cisco IOS 12.2 DX
Cisco IOS 12.2 DD
Cisco IOS 12.2 DA
Cisco IOS 12.2 CY
Cisco IOS 12.2 CX
Cisco IOS 12.2 BZ
Cisco IOS 12.2 BX
Cisco IOS 12.2 BW
Cisco IOS 12.2 BC
Cisco IOS 12.2 B
Cisco IOS 12.2 12.2XU
Cisco IOS 12.2

Short Summary
- -------------
Some Cisco IOS versions are allegedly prone to an issue that may
permit remote attackers ot execute arbitrary commands from a password
prompt.

Impact
- ------
Remote attackers may allegedly execute shell commands on a vulnerable
device without needing to authenticate.

Technical Description
- ---------------------
It has been alleged that it is possible for remote attackers to execute
arbitrary commands without proper authorization. Reportedly it is
possible to execute shell commands from the password prompt on a device
running a vulnerable version of Cisco IOS. The attacker must be able to
connect to a vulnerable device via telnet, though it has not been ruled
out that other remote administrative services such as SSH do not also
present attack vectors.

The discoverer of this vulnerability has stated that it is possible to
exploit this issue by submitting a shell command to the password prompt,
followed by a colon and a right bracket.

Cisco has replied to this issue stating that it can be used to
execute commands, retrieve information from the device and reveal
information about traffic processed by the device. Details are available
to registered Cisco users at:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdr10025


Attack Scenarios - ---------------- The attacker must identify a vulnerable device and be able to connect to the device via telnet.

The attacker exploits the vulnerability by submitting a properly
formatted command via the "Enter password:" prompt. This command may be
executed, potentially allowing the attacker to perform administrative
actions on the device.

Exploits
- --------
There is no exploit required.

Mitigating Strategies
- ---------------------
Block external access at the network boundary, unless service is
required by external parties.
Filter external access to devices through use of network access controls
and by only allowing trusted or internal networks and hosts to connect to
devices.

Disable any services that are not needed.
Disable remote administration services such as telnet or SSH if they are
not explicitly required to manage devices.


Solutions - --------- Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@xxxxxxxxxxxxxxxxx <mailto:vuldb@xxxxxxxxxxxxxxxxx>.


Credit - ------ Discovery is credited to flairloops@xxxxxxxxxxx


For help with interpreting the meaning of any of the sections or labels in the alert, please visit: https://alerts.symantec.com/help/sia-users/vulnerability-alert-pdf.htm

View public key at:
https://alerts.symantec.com/Members/gnupg-sigkey.asp



Symantec Corporation
The World Leader in Internet Security Technology and Early Warning Solutions
Visit our website at www.symantec.com


_______________________________ Symantec Deepsight Alert Services

Powered by EnvoyWorldWide, Inc.

_________________________________________________________________
Find a cheaper internet access deal - choose one to suit you. http://www.msn.co.uk/internetaccess


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html