Cisco IOS FTP Server Could Let Attackers Control Your Router

Severity: Medium

9 May, 2007

Summary:

Today, Cisco released an advisory describing two vulnerabilities that affect Cisco devices running IOS with the optional FTP server. By sending specially crafted FTP packets to your Cisco router or switch, an attacker can exploit the worst of these vulnerabilities to execute code and potentially gain complete control of your IOS device. If you have enabled the FTP server on Cisco IOS devices, you should download, test and install Cisco’s fixes as soon as possible.

Exposure:

Cisco’s IOS software is the operating system that runs on most Cisco routers and switches. The IOS operating system provides network services for managing Cisco devices, and processes the network traffic passing through the device. IOS also ships with an optional FTP server that allows you to directly access your IOS device’s file system.

Today, Cisco released an advisory describing two vulnerabilities that affect the FTP server that runs on Cisco IOS devices. The worst of these vulnerabilities involves a flaw in the way IOS checks an FTP visitor’s authorization. Cisco doesn’t describe this flaw in technical detail, but they admit that a remote attacker could exploit the flaw to gain access to your IOS device’s FTP server without any authentication. Once the attacker gains access to the FTP server, he can read and write to your IOS device’s file system, which in turn allows him to access your device’s startup-configuration file. Once an attacker can access this important file, it’s “Game Over” for your Cisco IOS device. The attacker can exploit this flaw to elevate his privileges and do anything he wants.

Cisco also warns of a Denial of Service (DoS) vulnerability in which an IOS device reloads while transferring files. DoS vulnerabilities on devices such as routers and switches pose a pretty big risk, but not nearly as big a risk as the vulnerability described above. The first flaw alone should convince you to update your IOS software.

One mitigating factor significantly lowers the severity of both these vulnerabilities. Cisco IOS does not enable the FTP server by default. Your Cisco IOS devices are vulnerable to these flaws only if you have manually enabled the FTP server. Even if you haven’t enabled the FTP server, we suggest you apply Cisco’s update to make sure you (or another staff member) can’t accidentally enable the insecure server in the future.
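Because the FTP server is only a risk on devices where someone turned it on, a quick inventory check is to scan your saved IOS running-configs for the global `ftp-server enable` command. The script below is an added example (not from this alert or from Cisco); it parses constructed sample configs, distinguishes `ftp-server enable` from `no ftp-server enable` and from FTP client settings (`ip ftp ...`), and lists the devices that still need patching or disabling.

```python
import re

# Constructed sample running-configs (not real customer data).
SAMPLE_CONFIGS = {
    "edge-rtr1": "hostname edge-rtr1\n!\nftp-server enable\nftp-server topdir flash:\n!\n",
    "core-sw1": "hostname core-sw1\n!\nno ftp-server enable\n!\n",
    "branch-rtr2": "hostname branch-rtr2\nip ftp username backup\n!\n",  # FTP client only
}

FTP_ENABLE = re.compile(r"^\s*(no\s+)?ftp-server\s+enable\s*$")
FTP_TOPDIR = re.compile(r"^\s*ftp-server\s+topdir\s+(\S+)")


def ftp_server_state(config_text):
    """Return (enabled, topdir) for one IOS config.

    enabled is True only if 'ftp-server enable' appears and is not negated
    by a later 'no ftp-server enable'. Lines starting with '!' are IOS
    comments/separators and are skipped. 'ip ftp ...' lines configure the
    FTP *client*, not the server, so they deliberately do not match.
    """
    enabled, topdir = False, None
    for line in config_text.splitlines():
        if line.lstrip().startswith("!"):
            continue
        m = FTP_ENABLE.match(line)
        if m:
            enabled = m.group(1) is None  # a 'no ' prefix turns it off
            continue
        m = FTP_TOPDIR.match(line)
        if m:
            topdir = m.group(1)
    return enabled, topdir


def exposed_devices(configs):
    """Map hostname -> topdir for every device whose FTP server is enabled."""
    result = {}
    for host, cfg in configs.items():
        enabled, topdir = ftp_server_state(cfg)
        if enabled:
            result[host] = topdir
    return result


if __name__ == "__main__":
    for host, topdir in exposed_devices(SAMPLE_CONFIGS).items():
        print(f"{host}: IOS FTP server enabled (topdir={topdir}) - patch or disable")
```

Point `SAMPLE_CONFIGS` at your own config backups to get a list of devices to prioritise for Cisco's update.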

Solution Path:

Cisco has released patches to fix these vulnerabilities. If you use any Cisco device running IOS software, you should immediately consult the “Software Versions and Fixes” and “Obtaining Fixed Software” sections of Cisco’s advisory to learn which fixes apply to your devices, and how to obtain them.

Note: To fix the vulnerabilities in the IOS FTP server, Cisco chose to remove the feature entirely. If you actually use this FTP server, you should know that installing Cisco’s update will remove it. Cisco says they are considering adding a more secure FTP server in the future, but for now you will have to operate your IOS device without this feature.

For All WatchGuard Users:

Since this vulnerability can affect your router, which is typically in front of your WatchGuard firewall, Cisco’s patch is the best solution.

Status:

Cisco has issued a patch which fixes the problem.

References:
