[NEWS] Cisco Web-Browser Interface Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


Cisco Web-Browser Interface Vulnerability
------------------------------------------------------------------------


SUMMARY

The Cisco web-browser interface for several Cisco access point products
contains a vulnerability that could, under certain circumstances, remove
the default security configuration from the managed access point and allow
administrative access without validation of administrative user
credentials.

DETAILS

Vulnerable Systems:
* Cisco IOS Software Release 12.3(8)JA
* Cisco IOS Software Release 12.3(8)JA1
* 350 Wireless Access Point and Wireless Bridge
* 1100 Wireless Access Point
* 1130 Wireless Access Point
* 1200 Wireless Access Point
* 1240 Wireless Access Point
* 1310 Wireless Bridge
* 1410 Wireless Bridge

Immune Systems:
* Access points that are not running Cisco IOS.
* Access points that are running any version of Cisco IOS other than
Cisco IOS Software Release 12.3(8)JA or 12.3(8)JA1.
* Access points with disabled web-interface management (both HTTP and
HTTP secure) are not vulnerable.
* All Cisco access points running in lightweight mode.

The web-browser interface contains management pages that are used to
change the wireless device settings, upgrade firmware, and monitor and
configure other wireless devices on the network. The web-browser interface
is enabled by default, and is indicated by the configuration command ip
http server or ip http secure-server.

An access point running a default configuration will use the default
enable secret password for administrative access. This can be changed via
the web-browser interface tab Security > Admin Access > Default
Authentication (Global Password) or via the CLI with the configuration
command enable secret [new_secret].

Local User List Only (Individual Passwords) allows administrators of the
access points to define a local unique username/password database for
their administrators, so that a common global password is not shared.

A vulnerability exists in the access point web-browser interface when
Security > Admin Access is changed from Default Authentication (Global
Password) to Local User List Only (Individual Passwords). The access point
is re-configured with neither the Global Password nor Individual Passwords
enabled, leaving administrative access open via the web-browser interface
or via the console port with no validation of user credentials.

Access points configured for Local User List Only (Individual Passwords)
and running non-vulnerable versions of Cisco IOS which are subsequently
upgraded to a vulnerable version of IOS are not affected by this
vulnerability as long as the configuration is not altered after the
upgrade.

To determine if web-interface management is enabled on a Cisco access
point, log into the device and issue the show ip http server status
command. If the output shows either http server status or http secure
server status as enabled, web-interface management is enabled. An example
is shown below with web-interface management enabled:

ap#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
[...lines removed...]
HTTP secure server status: Disabled
HTTP secure server port: 443
[...lines removed...]

Web-interface management (HTTP server) is enabled by default.

To check the version of Cisco IOS running on the access point:

* Via browser: click on the System Software menu. The Cisco IOS version
will be displayed in the System Software Version field.
* Via Command Line Interface (CLI): log into the device and issue the show
version command to display the system banner.

Cisco IOS software will identify itself as "Internetwork Operating System
Software" or simply "IOS".

On the next line of output, the image name will be displayed between
parentheses, followed by "Version" and the Cisco IOS release name. Other
Cisco devices will not have the show version command or will give
different output.

Successful exploitation of this vulnerability will result in unauthorized
administrative access to the access point via the web management interface
or via the console port.

The following example identifies a Cisco access point running Cisco IOS
Software Release 12.3(7)JA1 with an installed image name of C1200-K9W7-M:

ap#show version
Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 06-Oct-05 09:40 by evmiller
!
[...lines removed...]
!

Additional information about Cisco IOS release naming can be found at:
http://www.cisco.com/warp/public/620/1.html

Workaround:
Any of the following workarounds and mitigations may be used to help
mitigate the effects of this vulnerability:

* Disable Web-Based Management

To prevent the use of the web-browser interface:

* Via web-based management: select the Disable Web-Based Management check
box on the Services > HTTP-Web Server page and click Apply.

* Via CLI: log into the device and issue these configuration commands (save
the configuration upon exiting):

ap(config)#no ip http server
ap(config)#no ip http secure-server
ap(config)#exit

* Configure via CLI

Enabling Local User List Only (Individual Passwords) via the CLI rather
than the web-browser interface will provide the access point with the
desired protected configuration. Log into the device and issue these
configuration commands (save the configuration upon exiting):

ap#configure terminal

!--- Setup the username password pair first.

ap(config)#username test privilege 15 password test

!--- Enable AAA.

ap(config)#aaa new-model

!--- Enable aaa authentication to the local database.

ap(config)#aaa authentication login default local

!--- Enable aaa authorization to the local database.

ap(config)#aaa authorization exec default local

!--- Enable http authentication to AAA.

ap(config)#ip http authentication aaa
ap(config)#exit

* Configure RADIUS/TACACS Server first

Via the web-browser interface, enabling any RADIUS/TACACS+ server under
Security > Server Manager > Corporate Servers and then setting Security >
Admin Access to Local User List Only (Individual Passwords) provides a
workaround to this vulnerability.
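As an added check (example code, not from the Cisco advisory or SecuriTeam), the Python script below applies the tests described above to captured CLI output: the release check from show version, the web-management check from show ip http server status, and the running-config state after the Admin Access change or after the CLI workaround. The sample outputs are constructed from the commands on this page; the verdict labels are this example's own, and treating "no enable secret and no local AAA login" in the running configuration as the stripped state the advisory describes is this example's assumption.

```python
"""Audit a Cisco Aironet AP for the admin-access condition this advisory describes.

Added example, not code from the Cisco advisory or SecuriTeam. Inputs are
captured CLI output ('show version', 'show ip http server status',
'show running-config'); the samples below are constructed for the example.
"""
import re
from typing import List, Optional, Tuple

# Releases the advisory names as vulnerable.
VULNERABLE_RELEASES = {"12.3(8)JA", "12.3(8)JA1"}

# Matches the release in the banner line 'Version 12.3(7)JA1, RELEASE SOFTWARE'.
VERSION_RE = re.compile(r"\bVersion\s+(\d+\.\d+\(\d+\)[A-Za-z0-9]+)")


def parse_ios_release(show_version: str) -> Optional[str]:
    """Return the IOS release string from 'show version' output, or None."""
    if "IOS" not in show_version and "Internetwork Operating System" not in show_version:
        return None  # not a Cisco IOS banner at all
    match = VERSION_RE.search(show_version)
    return match.group(1) if match else None


def web_management_enabled(http_status: str) -> bool:
    """Parse 'show ip http server status': True if HTTP or HTTP secure is Enabled."""
    return bool(re.findall(r"HTTP (?:secure )?server status:\s*Enabled", http_status))


def parse_running_config(running_config: str) -> dict:
    """Pull out the admin-access settings the advisory cares about."""
    lines = [line.strip() for line in running_config.splitlines()]
    return {
        # exact match: 'no ip http server' must not count as enabled
        "web_enabled": "ip http server" in lines or "ip http secure-server" in lines,
        "enable_secret": any(l.startswith("enable secret ") for l in lines),
        "priv15_users": [l.split()[1] for l in lines
                         if l.startswith("username ") and " privilege 15 " in l],
        "aaa_login_local": "aaa new-model" in lines
                           and "aaa authentication login default local" in lines,
        "http_auth_aaa": "ip http authentication aaa" in lines,
    }


def assess(show_version: str, running_config: str) -> Tuple[str, List[str]]:
    """Classify one AP; returns (verdict, reasons)."""
    release = parse_ios_release(show_version)
    cfg = parse_running_config(running_config)
    if release is None:
        return "UNKNOWN", ["no Cisco IOS release banner found; check the device by hand"]
    if release not in VULNERABLE_RELEASES:
        return "IMMUNE_RELEASE", [f"release {release} is not 12.3(8)JA or 12.3(8)JA1"]
    if not cfg["web_enabled"]:
        return "IMMUNE_WEB_DISABLED", ["ip http server and ip http secure-server are off"]
    if cfg["aaa_login_local"] and cfg["http_auth_aaa"] and cfg["priv15_users"]:
        # The configuration the CLI workaround in the advisory produces.
        return "PROTECTED_CLI", [f"local AAA login for {cfg['priv15_users']} with ip http authentication aaa"]
    # Assumption made for this example: the 'no security' state the advisory
    # describes is visible in the config as no enable secret and no local AAA login.
    if not cfg["enable_secret"]:
        return "EXPOSED_NO_AUTH", ["no enable secret and no local AAA login: open admin access"]
    return "AT_RISK", ["vulnerable release with web management on; changing Admin Access "
                       "through the browser would strip authentication, so apply the CLI "
                       "workaround or disable ip http server and ip http secure-server"]


# --- constructed sample output (not captured from a real device) ---
SHOW_VERSION_VULN = """ap#show version
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JA1, RELEASE SOFTWARE (fc1)
"""
SHOW_VERSION_SAFE = SHOW_VERSION_VULN.replace("12.3(8)JA1", "12.3(7)JA1")
HTTP_STATUS_ON = "HTTP server status: Enabled\nHTTP server port: 80\nHTTP secure server status: Disabled\n"
HTTP_STATUS_OFF = HTTP_STATUS_ON.replace("status: Enabled", "status: Disabled")
CONFIG_DEFAULT = "enable secret 5 $1$constructed$hash\nip http server\n"
CONFIG_BROKEN = "ip http server\n"  # after the web-UI change: no passwords left
CONFIG_WEB_OFF = "enable secret 5 $1$constructed$hash\nno ip http server\nno ip http secure-server\n"
CONFIG_WORKAROUND = """username test privilege 15 password 0 test
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip http server
ip http authentication aaa
"""

if __name__ == "__main__":
    for name, conf in [("default", CONFIG_DEFAULT), ("broken", CONFIG_BROKEN),
                       ("web-off", CONFIG_WEB_OFF), ("workaround", CONFIG_WORKAROUND)]:
        verdict, reasons = assess(SHOW_VERSION_VULN, conf)
        print(f"{name:10s} {verdict:20s} {reasons[0]}")
    print("safe-release", assess(SHOW_VERSION_SAFE, CONFIG_DEFAULT)[0])
    print("http status parsed:", web_management_enabled(HTTP_STATUS_ON), web_management_enabled(HTTP_STATUS_OFF))
```

Run it against text pasted from the device's CLI; an AP reported as AT_RISK is one where a later Admin Access change through the browser would leave it open, which is the case the CLI workaround above is meant to prevent.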


ADDITIONAL INFORMATION

The information has been provided by Cisco Systems Product Security
(psirt@xxxxxxxxx).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


