[NEWS] CBOS Web-based Configuration Utility Vulnerability

From: support@securiteam.com
Date: 08/26/01

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] CBOS Web-based Configuration Utility Vulnerability
Message-Id: <20010826063246.82D81138BF@mail.der-keiler.de>
Date: Sun, 26 Aug 2001 08:32:46 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  CBOS Web-based Configuration Utility Vulnerability


Multiple vulnerabilities have been identified and fixed in the Cisco
Broadband Operating System (CBOS), an operating system for the Cisco 600
family of routers. Any router in the Cisco 600 series family can be made
unresponsive by a large amount of HTTP traffic accessing the web-based
configuration utility on the router; additionally the web-based
configuration utility is enabled by default. This is documented in Cisco
Bug IDs CSCdv06084, CSCdv06088, CSCdv06089, and CSCdv06098.


Affected products:
The affected models are 627, 633, 673, 675, 675E, 677, 677i and 678.

These models are vulnerable if they run any of the following, or earlier,
CBOS releases: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2,
2.3.5, 2.3.7, 2.3.8, 2.3.9, 2.4.1, 2.4.2, and 2.4.2ap.

No other releases of CBOS software are affected by this vulnerability. No
other Cisco products are affected by this vulnerability.

These defects will be fixed in the following CBOS releases: 2.4.2b and

When the Cisco 600 series router is accessed via telnet via multiple
connections, the router will fail to pass traffic, and may become
unresponsive to configuration attempts, requiring a reboot to recover to
normal operation.

When the Cisco 600 series router is accessed via HTTP via multiple
connections, the router will fail to pass traffic, and may become
unresponsive to configuration attempts, requiring a reboot to recover to
normal operation.

The web-based configuration utility in Cisco Broadband Operating System
(CBOS) binds itself to a TCP port (port 80 unless configured for another
port) even when web-based configuration services are disabled. This leaves
the Cisco 600 series router vulnerable to CSCdv06088 even when the
affected service is apparently disabled.

The web-based utility is now disabled by default, allowing customers to
choose to enable this configuration option.

The combination of each of these issues causes the Cisco 600 series router
to be vulnerable to a Denial-of-service attack. None of these defects
results in a failure of confidentiality of information stored on the unit.
None of these defects allows hostile code to be loaded onto the Cisco 600
series router.
Software versions and fixes:
The following
<http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml#Software> table summarizes the CBOS software releases affected by the vulnerabilities described in this notice and scheduled dates on which the earliest corresponding fixed releases will be available.

Obtaining fixed software:
Cisco is offering free software upgrades to eliminate this vulnerability
for all affected customers.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com. Customers whose Cisco products are provided
or maintained through prior or existing agreement with third-party support
organizations such as Cisco Partners, authorized resellers, or service
providers should contact that support organization for assistance with the
upgrade, which should be free of charge.

There is no specific workaround for each of these vulnerabilities;
however, a workaround exists which has proven a reasonable defense for the
CodeRed Worm attack. It is advisable to disable web management on port 80,
by setting the web management port to some number greater than 1024, with
the following command, replacing the text "number_greater-than_1024" with
an actual number.
   set web port number_greater-than_1024


The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages