June 29, 2001, 2:10 PM — A flaw in Cisco Systems Inc.'s Cisco IOS (Internetwork Operating System) could allow hackers to gain full control over virtually all Cisco routers and switches using the software, Cisco said in a security advisory issued Thursday.
The Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh also warned of the vulnerability later Thursday.
A vulnerability exists in the HTTP (Hypertext Transfer Protocol) server component of the IOS software. By requesting a particular URL (Universal Resource Locator) from the server, a malicious user can bypass the authentication controls and execute commands on the device at the highest privilege level, level 15, Cisco said.
Only devices with the HTTP server software enabled and with user names and passwords stored on the device -- the local authentication database -- are vulnerable, the company said. The issue affects all releases of Cisco IOS software starting with release 11.3.
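The two conditions above can be checked offline against saved device configurations. The following is an added example, not code from Cisco or from this article: it assumes the standard IOS configuration lines `ip http server` and `ip http authentication`, which the article does not quote, and it runs on constructed sample configs. It does not know which releases carry the fix, so a match means "check the advisory", not "confirmed vulnerable".

```python
import re

# Constructed sample running-config excerpts (not taken from a real device).
SAMPLE_EXPOSED = """version 12.1
hostname edge-rtr-01
username admin privilege 15 password 0 example
ip http server
ip http authentication local
"""
SAMPLE_HTTP_OFF = """version 12.1
hostname core-sw-02
no ip http server
ip http authentication local
"""
SAMPLE_TACACS = """version 12.0
ip http server
ip http authentication tacacs
"""

def audit_ios_config(text):
    """Check a config against the two exposure conditions the article names."""
    http_enabled = False      # per the article, the HTTP server is off by default
    auth_method = None        # only an explicit 'local' setting counts as local
    version = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http_enabled = True
        elif line == "no ip http server":
            http_enabled = False
        elif m := re.match(r"ip http authentication (\S+)", line):
            auth_method = m.group(1)
        elif m := re.match(r"version (\d+)\.(\d+)", line):
            version = (int(m.group(1)), int(m.group(2)))
    # Affected range per the article: release 11.3 onward. A config with no
    # version line is treated as in range so it is not silently skipped.
    in_range = version is None or version >= (11, 3)
    return {
        "http_server": http_enabled,
        "auth_method": auth_method,
        "version": version,
        "exposed": http_enabled and auth_method == "local" and in_range,
    }

if __name__ == "__main__":
    for name, cfg in [("exposed", SAMPLE_EXPOSED), ("http off", SAMPLE_HTTP_OFF),
                      ("tacacs", SAMPLE_TACACS)]:
        print(name, audit_ios_config(cfg))
```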
Once a hacker has gained access, he could redirect data traffic, allowing him to intercept or modify the data. Additionally, he could change or delete the device configuration, effectively disabling the router or switch until an engineer reprograms it, said Cisco Security and Network Management Systems Engineer Tames van der Does.
The HTTP server in IOS is used for remote management of the router or switch. However, a configuration with the HTTP server enabled and the local database for authentication used is a rarity, according to Van der Does.
"Most engineers use Telnet to access their network hardware and have a central TACACS+ (Terminal Access Controller Access Control System) or RADIUS server to authenticate users for all their networking hardware," he said, adding that the HTTP server is switched off by default on Cisco hardware.
Routers and switches direct network traffic and are used to interconnect computer networks. Cisco's hardware is used around the world by small and large businesses as well as home users.
Cisco has made software fixes available to plug the hole. Cisco's security advisory can be read online at: http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html.
Cisco, in San Jose, California, can be reached at +1-408-526-4000 or http://www.cisco.com/.