[NEWS] Cisco Systems IOS 11 Web Service CDP Status Page Code Injection

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco Systems IOS 11 Web Service CDP Status Page Code Injection
------------------------------------------------------------------------


SUMMARY

" 
<http://www.cisco.com/en/US/products/ps6537/products_ios_sub_category_home.html>
 Cisco IOS Software is the world's leading network infrastructure software, 
delivering a seamless integration of technology innovation, business-critical 
services, and hardware platform support."

Improper validation of user provided input allow attackers to inject HTML 
and/or JavaScript code into the Cisco Systems IOS 11 Web Service.

DETAILS

Vulnerable Systems:
 * IOS version 11.2(8.11)SA6

Immune Systems:
 * IOS version 12

The vulnerability specifically exists due to insufficient filtering of 
user-supplied data which is displayed in the Cisco HTTP status pages.

One of the status pages included in the IOS 11 HTML package displays 
information about current CDP protocol statistics. The Cisco Discovery 
Protocol (CDP) is a proprietary, medium-independent protocol that runs 
over Layer 2 (the data link layer) on the Content Services Switches (CSS) 
and other Cisco manufactured equipment, such as routers, switches, 
bridges, and access servers.

Remote attackers can transmit carefully constructed CDP packets on the 
local segment to inject arbitrary scripting code into the CDP status 
pages. Once a legitimate user logs into the administrative website and 
views the CDP status page, arbitrary commands can be executed on the 
router via the injected scripting code.

Successful exploitation of this vulnerability allows unauthenticated 
remote attackers to execute arbitrary commands on the network device.

Once a legitimate user logs into the administrative web site and views the 
CDP status page, commands will execute with permissions of the logged in 
user. The the Cisco web administration interface allows users to access 
the same functionality available through the command line interface. A 
successful attack could manipulate routing information, add users, or 
execute any commands normally available to the logged in user.

A significant mitigating factor is that CDP is not a routed protocol and 
attacks are limited to the local segment, however the widespread practice 
of wardriving does increase the risk of attack for non-isolated segments. 
In addition, IOS 11 has been superseded by IOS 12 in new devices, however 
many older platforms cannot upgrade to IOS 12 due to flash ROM size 
constraints.

Remote exploitation of a input validation vulnerability in Cisco IOS 11 
HTML package can allow attackers to execute arbitrary scripting code.

Workaround:
If the network device is capable of running IOS 12, an upgrade is highly 
recommended.

If a workaround is required due to hardware restrictions, apply one of the 
following solutions to mitigate the vulnerability.

If CDP support is not required, disable CDP functionality from the IOS 
command line interface:
    cisco# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    cisco(config)# no cdp run
    cisco(config)# end
    1w2d: %SYS-5-CONFIG_I: Configured from console by console
    cisco# write mem
    Building configuration...
    [OK]
    cisco# reload

If the web administration interface is not required, disable the http 
daemon via the IOS command line interface:
    cisco# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    cisco(config)# no ip http server
    cisco(config)# end
    1w2d: %SYS-5-CONFIG_I: Configured from console by console
    cisco# write mem
    Building configuration...
    [OK]
    cisco# reload

If CDP support and the web interface are required, remove the CDP status 
page from the IOS flash:
    cisco#delete flash:html/cdp.html.gz
    Delete filename [html/cdp.html.gz]?y
    Delete flash:html/cdp.html.gz? [confirm]
    cisco#

It is also recommended to read the  
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801ee747.html>
 Cisco configuration guide.

Disclosure Timeline:
03/24/2005  Initial vendor notification
01/17/2006  Initial vendor response
01/17/2006  Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@lists.idefense.com> iDEFENSE Labs.
The original article can be found at:  
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372> 
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372
The vendor advisory can be found at:  
<http://www.securiteam.com/securitynews/6G0072AEUW.html> 
http://www.securiteam.com/securitynews/6G0072AEUW.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.