Bugtraq mailing list archives
Re: Cisco Security Advisory: Multiple Vulnerabilities in CBOS
From: CDI <cdi () thewebmasters net>
Date: Fri, 8 Dec 2000 17:27:21 -0800
My apologies for the delay, I haven't had a chance to verify what I'm about to say until today.

On Mon, 4 Dec 2000, Cisco Systems Product Security Incident Response Team wrote:

> Multiple Vulnerabilities in CBOS
>
> [snip]
>
> The following releases of CBOS are vulnerable to all defects: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8.
>
> [snip]
>
> CSCdr98772 The behavior is caused by inadequate URL parsing in CBOS.
>
> [snip]
>
> Note: Web access on all Cisco 600 routers is disabled by default and must be explicitly enabled.

Does no one at PSIRT fact check these before they go out? I thought I made it quite clear in my advisory that the web access interface of the 675 is ENABLED BY DEFAULT in every CBOS image I've ever seen. (2.0.x, 2.1.x, 2.2.x)

Your implication is that the Cisco 600 series is "safe" unless you've enabled the web interface when in point-of-fact the exact opposite is the case.

cbos#show version
Cisco Broadband Operating System
CBOS (tm) 675 Software (C675-I-M), Version v2.2.0.000
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Aug 24 1999 18:31:28
NVRAM image at 0x1032bf20

cbos# set nvram erase
Erasing Running Configuration.
You must use "write" for changes to be permanent.

cbos# write
NVRAM written.

cbos# reboot
[blah blah]

cbos# show web
WEB Configuration
Is enabled
Currently accepts connections from any host
Currently uses port 80

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse: Someone hooked the twisted pair wires into the answering machine.