Cisco Security Advisory-
The Cisco Content Services (CSS) switch product, also known as Arrowpoint, has a security vulnerability in a previous release that allows non-privileged users to escalate their privilege level, permitting them configuration ability on affected units. This vulnerability can only be exercised from a valid user account.
To remove the vulnerability, Cisco is offering free software upgrades to revision 4.01B19s for all affected platforms. This defect is documented as Cisco bug ID CSCdt32570.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010404-arrowpoint-usr-accnt-bug.
-
This section provides details on affected products.
Vulnerable Products
The CSS switch is also known as the Arrowpoint product, and runs the Cisco WebNS Software.
Cisco CSS 11050, CSS 11150, and CSS 11800 hardware platforms are affected by this vulnerability. No other Cisco products are affected by this vulnerability.
If the switch is running a version prior to 4.01B19s, then it is affected and should be upgraded as soon as possible. You may type version at the command line to find out software version number.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
A non-privileged user can issue a series of keystrokes to enter the debug mode, and from that mode can gain administrative access.
-
Access control lists can be applied to restrict access to the Cisco CSS device, as well as additional firewall or access lists to restrict connection to the management interface. Access control lists also affect traffic to the Virtual interface of the Cisco CSS device, so must be applied with care. For further details on configuring access lists, please refer to the product documentation:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm
Additionally, the use of SSH to prevent snooping of the management traffic to the device is encouraged.
Telnet service can also be disabled. This is not a feasible option for many customers in a co-location environment, but it is included in this section for customers that may have the ability to implement this configuration.
CS150(config)# telnet access disabled
-
CSCdt32570 is resolved in version 4.01B19s of Cisco WebNS software. Non-privileged users can no longer enter debug mode.
-
Cisco knows of no public announcements or discussion of this vulnerability before the date of this notice. Cisco has had no reports of malicious exploitation of this vulnerability. This bug was identified and reported by Cisco's own technical support staff.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.