February 12, 2001, 11:20 AM — Two vulnerabilities have cropped up in Cisco Systems Inc. content switches that
could make them susceptible to denial-of-service attacks and allow unauthorized
users to view sensitive information.
The products are Cisco's Content Services Switches - the CSS 11050, CSS 11150
and CSS 11800 - which were obtained through the $6 billion acquisition of ArrowPoint
Communications Inc. last year. Once access to the command line interface (CLI)
of these products is granted, "unprivileged" users can force the switches into
a temporary denial of service and can make them reveal file names and file
contents.
An unprivileged user is one who has access to the switch, and perhaps the switch's
CLI, but does not have administrative authority. Cisco issued a field notice
on its Web site two weeks ago alerting users to the problems.
Once unprivileged users gain command line access, certain commands can cause
the switch to restart if the command file name is the maximum length of the
input buffer. These commands can cause the switch to reboot and start a system
check, which will prevent normal functioning of the switch for up to 5 minutes,
the field notice states.
This vulnerability can be continuously reproduced to create a denial-of-service
The second vulnerability can provide unauthorized access to important files
such as the configuration files and directory structure information. It enables
unprivileged users to gain information on the directory structure by requesting
nonexistent file names and gain read access for files if the directory structure
of the target files is known.
These vulnerabilities are minimized if access to the CLI is well-protected.
"Presumably, they'd be inadvertent attacks because you'd only give logins
to employees," says Peter Spellman, CTO at iwant.com. "It all depends
who you allow to access your switch. The only people who have access to our
switch are our admin guys."
Cisco is offering free software upgrades on its Web site to eliminate the denial-of-service
vulnerability. The file system information disclosure vulnerabilities are scheduled
to be fixed.
Cisco recommends work-arounds in the interim. One such workaround is to apply
access control lists to restrict access to the Cisco content switch, as well
as additional firewall or access lists to restrict connection to the management
interface. Telnet service can also be disabled, but for many customers in a
colocation environment this is not feasible, Cisco says.
These vulnerabilities were discovered by a security consulting firm during
a customer security audit. Cisco says it is not aware of any malicious use of