Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: cisco12.htm

Cisco IOS - retrieve fragments of text from previous users



Vulnerability

    CISCO

Affected

   - Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, 1xxx, 25xx,
     26xx, 30xx,  36xx, 40xx,  45xx, 47xx, AS52xx, AS53xx, 70xx,  72xx
     (including the ubr72xx), 75xx, and 12xxx series
   - Most recent versions of the LS1010 ATM switch
   - Some versions of the Catalyst 2900XL LAN switch.
   - The Cisco DistributedDirector

Description

    Following is based on Cisco Field  Notice.  An error in Cisco  IOS
    software makes  it possible  for untrusted,  unauthenticated users
    who can gain access to the login prompt of a router or other Cisco
    IOS device, via any means, to obtain fragments of text entered  by
    prior interactive  users of  the device.   This text  may  contain
    sensitive   information,   possibly   including   passwords.  This
    vulnerability exposes only text  entered at prompts issued  by the
    IOS device itself; the contents  of data packets forwarded by  IOS
    devices are not exposed, nor are data entered as part of  outgoing
    interactive connections, such as TELNET connections, from the  IOS
    device to other network nodes.  The vulnerability affects the vast
    majority of systems running Cisco IOS software as of this date.

    The  vulnerability  can  be  exploited  using  direct  console  or
    asynchronous serial connections  (including dialup   connections),
    TELNET  connections,  UNIX  "r"  command  connections,  local-area
    transport (LAT) connections, Maintenance Operation Protocol  (MOP)
    connections,  X.29  connections,  V.120  connections, and possibly
    others.   Except   in    extraordinary   security    environments,
    administrators  are  strongly  encouraged  to  assume that hostile
    users  can  find  ways  to  make  interactive connections to their
    Cisco IOS devices.   It is not  necessary to be  able to  actually
    log  in  to  exploit  this  vulnerability;  simply  establishing a
    terminal connection is sufficient.

    If attackers  know the  details of  the Cisco  IOS software error,
    they will be  able to obtain  fragments of the  last few lines  of
    text entered in response to IOS prompts on the physical or virtual
    TTYs to which they are connected.  The exact amount of recoverable
    text varies, and will be  split among fragments of various  lines.
    Nearly complete lines, and  fragments tens of characters long, can
    sometimes be  obtained.   If the  previous session  was brief, the
    available  information  may  include  part  or all of the password
    that a  previous user  used to  log into  the router  or to enable
    privileged mode.  If a  previous user  changed a  system password,
    such as the enable password, and logged out shortly thereafter, it
    may  be  possible  to  recover  the  new  password  by reading the
    configuration command used to make the change.  This vulnerability
    does not expose  anything entered as  part of an  outgoing session
    from the IOS device to another  node. For example, if a user  logs
    into an IOS router, and then makes a TELNET connection to a remote
    host, none  of the  data in  the TELNET  connection itself  can be
    recovered.

    If you are a registered CCO  user and you have logged in,  you can
    view bug details.  This vulnerability has been assigned Cisco  bug
    ID CSCdk43920.

Solution

    Cisco devices which do not run classic Cisco IOS software, and are
    not affected by this vulnerability, include the following:

        * 7xx  dialup  routers  (750,  760,  and  770 series) are  not
          affected.
        * Catalyst 19xx, 28xx, 29xx,  3xxx, and 5xxx LAN switches  are
          not  affected,  except  for  some  versions  of the Catalyst
          2900XL.  However, optional router modules running Cisco  IOS
          software in switch  backplanes, such as  the RSM module  for
          the Catalyst 5000 and 5500, are affected.
        * WAN  switching products  in the  IGX and  BPX lines  are not
          affected.
        * The MGX (formerly known as the AXIS shelf) is not affected.
        * No host-based software is affected.
        * The Cisco PIX Firewall is not affected.
        * The Cisco LocalDirector is not affected.
        * The Cisco Cache Engine is not affected.

    This  vulnerability  affects  all  releases  of  Classic Cisco IOS
    software, including special, interim, and beta software,  from 9.1
    up to, but not including, the following corrected releases:

        Earliest Regular Releases                 Earliest Interim Releases
        -----------                               -----------
        11.0(22)                                  11.0(21.2)
        11.1(22), 11.1(22)CA, 11.1(21)CC1,        11.1(22), 11.1(21.2)CA,
        11.1(22)CE                                11.1(21)CC1, 11.1(21.1)CE
        11.2(16), 11.2(16)P,                      11.2(15.4), 11.2(15.4)P,
        11.2(16)BC,11.2(8)SA4                     11.2(15.4)BC, 11.2(8)SA4
        11.3(6), 11.3(6)T, 11.3(6)AA, 11.3(1)MA6, 11.3(5.6), 11.3(5.6)T,
        11.3(6)NA, 11.3(9)WA4                     11.3(5.6)AA, 11.3(1)MA54,
                                                  11.3(5.6)NA
        12.0(1), 12.0(1)T, 12.0(1)S, other 12.0   Will be integrated in initial
                                                  12.0(1)x releases

    There are two major workarounds for this vulnerability:

        1. Prevent untrusted users from having  interactive access  to
           the Cisco IOS device.  If only IP-based interactive  access
           is of  concern, access  can be  restricted by  using the ip
           access-class line configuration command to apply an  access
           list to all virtual terminals  in the system.  However,  it
           is important to remember that non-IP-based means of  making
           interactive connections to Cisco IOS devices do exist,  and
           to eliminate those means as possible routes of attack.  The
           transport  input   command  is   particularly  useful    in
           controlling  the  protocols  that   can  be  used  to   get
           interactive access.   Interactive access  can be  prevented
           completely by  applying the  configuration command  no exec
           to any  asynchronous line,  or the  command transport input
           none to any virtual  terminal line, that may  be accessible
           to untrusted users.

        2.  Overwrite  any  potentially  sensitive  information before
           logging out of  any interactive session  on an IOS  device.
           This can  be done  by entering  repeated spaces  at an  IOS
           command prompt until the command interpreter will accept no
           more input  on the  line, then  pressing the  "return" key.
           Follow this by entering a printing character, such as  "q",
           repeatedly until no more  input is accepted, then  pressing
           control-A,  followed  by  control-K,  then  "return" again.
           This   procedure   vastly   reduces   the   probability  of
           information  leakage,   but  has   not  been   verified  to
           completely  eliminate  the  possibility  in  all   affected
           versions of Cisco IOS software.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH