RE: Cisco Security Advisory: IOS HTTP authorization vulnerability

["Oliver Petruzel" <opetruzel () cox rr com>]

> -----Original Message-----
> From: David Hyams [mailto:david.hyams () kmu-security ch] 

> the advisory. Fortunately routers normally have HTTP disabled 
> by default, so there shouldn't be too many break-ins on the 
> Internet. Unfortunately HTTP is normally enabled on switches 
> by default. Even worse, many network administrators don't 
> realise this, so I expect a number of internal networks are 
> now in serious trouble.

Actually, it has been my experience during assessments and pentests that
administrators lean toward "ease of use" and actually activate HTTP
interfaces on ANY device which allows it.  When they install new routers
or new software in general, they tend to key in on HTTP capabilities as
a "bonus" which will make their work easier. They never have to leave
their browser, let alone their cubicle!  The only ones who don’t are the
ones who take the time to read all of cisco's security papers..and these
seem few and far between.

I see too many security products moving toward a web interface where
there are so many other options for connection available.  Adding strong
encryption mechanisms may be enough, but HTTP by itself, without SSL
implmented somwhere, makes it too easy for us, let alone the kiddies out
there, to find a hole... And in this case, a practically "plaintext"
hole.

(don't even get me started on the amount of info flying around networks
now via plaintext SNMP because of enterprise managaement consoles and
(soon to be nearly pointless) IDS systems.. Uhhg)


> If you're serious about security then you shouldn't be using 
> HTTP to access your Cisco devices at all. Most people don't 
> realise that the browser sends the enable password in 
> cleartext on every HTTP request.

The problem here is of course simply "lack of awareness", which is the
black plague of IT.
The average workload, especially in these days of mass-cutbacks, of an
IT staffer is overwhelming.  Thus, when devices such as Cisco offer an
ease-of-use function such as HTTP on their switches, the engineers tend
to say "hey, that's easier/faster...hell, ill simply enable it on all my
routers too..."


SIDE NOTE: I'd be VERY interested in seeing the process for discovery of
this latest cisco hole.  I havent been able to track down the logic used
in discovering the /xx/exec capability... Where is it and what led the
team in that direction?  Heck, I think we should have an entirely new
mailing list for this type of discussion.  The "how we found the hole"
list.  I feel this is one of our industry's largest weaknesses.  As we
train more and more folks to use these holes to their advantage, and add
them to their toolchest/checklists, we lack courses/sources for teaching
them how to discover the same or new ones...

_____________________________________
Oliver Petruzel
Systems Engineer, Security
Work: (703)250-3280 
Cell: (703)608-8250
Email: opetruzel () cox rr com