December 6, 2005


Another Reason to Disable the Cisco IOS HTTP Interface

Microsoft usually wins all awards for quantity and quality of network vulnerabilities, but don't be distracted. There are enough security holes for everyone, and it's easy to become complacent about seemingly innocuous devices like routers and switches. A case in point is a just-announced bug in Cisco IOS that affects all devices -- both routers and switches -- from version 11.0 through 12.4. The problem is with IOS' HTTP interface, a not very useful option that nevertheless is turned on by default in most Cisco products. This interface is a security time bomb, and should be disabled in virtually every Cisco deployment.

That's not just the opinion of Dr. I Doctor; it's conventional wisdom from the vast majority of security professionals in the world. The IOS HTTP interface is not a comprehensive GUI configuration interface -- it's just a gimmick, really, that lets you execute textual command line interface commands through a Web browser. This latest vulnerability shows how dangerous such easily forgotten back doors can be.

In this case, Cisco reports that all these IOS devices are subject to a cross-site scripting attack in which an interloper can gain control of a router or switch by executing arbitrary IOS commands on a device that is being managed through the HTTP CLI interface. To be sure, there are a lot of conditions to meet before this exploit is possible. First, somebody has to be actually using a Web browser on the HTTP interface. Second, they must at the same time visit a hostile site containing the exploit for this vulnerability. And third, the exploiter must have somehow gotten the command he wants executed into the device's memory buffers, and the user must execute an IOS command that displays that buffer.

That's a long chain of coincidences, which makes this vulnerability, in theory, not very serious. But in the network security biz, where there's smoke, there's fire. Rarely do programmers commit bugs in isolation. It's quite probable that there are other bugs in the IOS HTTP interface, of unknown virulence, just waiting for hackers to find and exploit them. Since the HTTP interface is unnecessary for router operation, following the principle of least privilege, it should be turned off.

Since most of us have Cisco devices, and we all know (or should know) that the HTTP interface must be disabled as a best practice, this incident should serve as a wake-up call to verify that we have, in fact, disabled this hole. It only takes a minute to verify whether or not HTTP is running in IOS. Just type the command "show ip http server status". If the result is "enabled", you've got a problem. To disable the HTTP server, enter these two commands in configuration mode:

no ip http server
no ip http secure-server
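For anyone checking more than a handful of devices, here is an added Python helper (not part of the original post) that parses the output of "show ip http server status" and a running-config excerpt, reports which listeners are still on, and lists which of the two disabling commands above are still needed. The status field labels and both sample texts are constructed assumptions, not captures from a real device.

```python
import re

# Constructed sample output of "show ip http server status" (not captured from a real
# device); the field labels follow the common IOS layout but are an assumption here.
SAMPLE_STATUS = """\
HTTP server status: Enabled
HTTP server port: 80
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
"""

# Constructed running-config excerpt: HTTP left on, HTTPS explicitly off.
SAMPLE_CONFIG = "hostname edge-rtr-1\nip http server\nno ip http secure-server\n"

# The two configuration-mode commands the post recommends, keyed by listener.
REMEDIATION = {"http": "no ip http server", "https": "no ip http secure-server"}
CONFIG_LINE = {"http": "ip http server", "https": "ip http secure-server"}
STATUS_RE = re.compile(r"^HTTP (secure )?server status:\s*(\w+)", re.M | re.I)


def parse_http_status(text):
    """Map 'http'/'https' to True when the matching status line reads Enabled."""
    found = {}
    for secure, state in STATUS_RE.findall(text):
        found["https" if secure else "http"] = state.lower() == "enabled"
    return found


def audit_running_config(config):
    """Classify each listener from explicit config lines: 'enabled', 'disabled', or
    'default' when neither line is present (the platform default is usually on, so
    a 'default' result still needs confirming with show ip http server status)."""
    result = {}
    for key, cmd in CONFIG_LINE.items():
        if re.search(rf"^no {re.escape(cmd)}\s*$", config, re.M):
            result[key] = "disabled"
        elif re.search(rf"^{re.escape(cmd)}\b", config, re.M):
            result[key] = "enabled"
        else:
            result[key] = "default"
    return result


def remediation_for(status):
    """Return the disabling commands still needed; a listener with no status line is
    treated as on, so the audit fails closed rather than silently skipping it."""
    return [cmd for key, cmd in REMEDIATION.items() if status.get(key, True)]
```

Feed it the saved output of each device's "show ip http server status" and "show running-config"; any listener reported as "default" should be treated as enabled until the status output proves otherwise.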

The full Cisco security bulletin discussing this vulnerability is at:
http://www.cisco.com/en/US/products/products_security_advisory09186a008059e470.shtml

Posted by Mel Beckman at December 6, 2005 7:07 AM