
Cisco ACE GSS 4400 Series Global Site Selector Appliances

Field Notice: FN - 62241 - GSS Software - CLI Users May Be Able to Access Resources Exceeding Their Privilege Level


Revised December 28, 2005

November 1, 2005

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Products Affected    Comments
GSS - 1.0.2          all earlier versions
GSS - 1.1(1)         all earlier versions
GSS - 1.2(2)         all earlier versions

Problem Description

Under certain conditions, users who are already authenticated and logged in to the GSS device might be able to execute commands above their privilege level or access resources they should not have access to. This is a potential security vulnerability.

Background

The GSS provides a Cisco IOS-like CLI, and allows for configuration of both admin and non-admin users. Users with admin permissions have access to all supported commands, but should not have access to underlying software infrastructure on the GSS appliance. Users with non-admin privileges are further restricted.

By default, the ftp client on the GSS device is enabled and available for all logged-in users, be they admin level users or normal users.

Problem Symptoms

Users logged into the GSS device using an admin account may be able to access underlying software infrastructure resources normally protected by system software.

Workaround/Solution

No workaround has been identified. Customers are encouraged to upgrade to an image that contains fixes for this issue.

The fix is contained in two images: 1.2(2.1.3) for 1.2 users and 1.1(1.7.0) for 1.1 users. Both can be found on the Cisco Global Site Selector Software download page (registered customers only).

The ftp client is now disabled by default for all users. A new configuration mode command has been created to enable access to the ftp client for admin users only, or for all users:

gss.example.com(config)#ftp-client ?
  enable  Enable the ftp command
gss.example.com(config)#ftp-client enable ?
  admin   Enable usage of the CLI ftp command for admin users only
  all     Enable usage of the CLI ftp command for all users

The three possible and non-overlapping configuration states are:

ftp client is disabled for all users (the default)

ftp client is enabled for admin users only

ftp client is enabled for all users

Issue the no ftp-client enable command to remove a specific ftp client configuration and return to the default state of disabled.

The show running-config command has been updated to provide status of the ftp client enable state:

gss.example.com#show running-config 
... 
ftp-client enable all 
...

The show ftp command has been updated to provide the status of the ftp client enable state:

gss.example.com#show ftp 
... 
ftp-client is enabled for all users

In addition to the new ftp-client enable command, new access permissions have also been added, allowing the ftp client to access only the currently logged-in user's home directory.

The ftp client's virtual root directory is more restrictive than the root directory available to CLI users in general, to the scp client command, and to the ftp server.
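The following Python is an added illustration, not Cisco's GSS code, of the two controls the fixed images combine: the three non-overlapping ftp-client configuration states selected by the ftp-client enable / no ftp-client enable commands, and the confinement of the ftp client to a virtual root at the logged-in user's home directory. All function names, the home-directory layout and the conservative character set accepted for path arguments are assumptions made for the example; the notice does not describe the appliance's internal implementation.

```python
import posixpath
import re

# Hypothetical model of the post-fix ftp-client policy (not Cisco's code).
FTP_DISABLED = "disabled"    # default state after the fix
FTP_ADMIN_ONLY = "admin"     # "ftp-client enable admin"
FTP_ALL = "all"              # "ftp-client enable all"


def apply_ftp_client_command(line, state):
    """Apply one configuration-mode line and return the new ftp-client state.

    Only the three forms shown in the notice are accepted; any other line
    raises ValueError so the caller can report it instead of silently
    leaving the client enabled.
    """
    tokens = line.split()
    if tokens == ["ftp-client", "enable", "admin"]:
        return FTP_ADMIN_ONLY
    if tokens == ["ftp-client", "enable", "all"]:
        return FTP_ALL
    if tokens == ["no", "ftp-client", "enable"]:
        return FTP_DISABLED
    raise ValueError(f"unrecognised ftp-client command: {line!r}")


def ftp_allowed(state, is_admin):
    """Decide whether a logged-in user may run the CLI ftp command."""
    if state == FTP_ALL:
        return True
    if state == FTP_ADMIN_ONLY:
        return is_admin
    return False  # FTP_DISABLED: nobody, admin included


# Assumed allow-list for path arguments: the notice only says that some
# special characters were mishandled, so this example accepts a narrow set.
_SAFE_PATH_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")


def valid_path_argument(arg):
    """Reject path arguments containing characters outside the allow-list."""
    return bool(_SAFE_PATH_ARG.match(arg))


def confine_to_home(home_dir, requested):
    """Map a user-supplied path into a virtual root at home_dir.

    Returns the absolute path the ftp client may use, or None if the request
    would resolve outside the home directory. The decision is made on the
    normalised path, not on the raw string, so '..' components and leading
    slashes cannot escape the root. A real implementation must additionally
    resolve symlinks against the filesystem (os.path.realpath) before use.
    """
    root = posixpath.normpath(home_dir)
    # An absolute request is interpreted relative to the virtual root.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def ftp_get_target(state, is_admin, home_dir, requested):
    """Combine both checks the way a hardened ftp command would.

    Returns the confined path, or None when the command is not enabled for
    this user, the argument contains disallowed characters, or the path
    would leave the home directory.
    """
    if not ftp_allowed(state, is_admin):
        return None
    if not valid_path_argument(requested):
        return None
    return confine_to_home(home_dir, requested)


if __name__ == "__main__":
    state = FTP_DISABLED
    state = apply_ftp_client_command("ftp-client enable admin", state)
    print("admin user:", ftp_get_target(state, True, "/home/alice", "reports/2005.log"))
    print("normal user:", ftp_get_target(state, False, "/home/bob", "reports/2005.log"))
    print("escape attempt:", ftp_get_target(state, True, "/home/alice", "../bob/secret"))
```

The confinement check is the part worth copying: it compares the resolved path against the root rather than searching the raw argument for a substring, which is the class of mistake that lets unusual or special characters slip past a naive filter.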

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS          Description

CSCsb56101 (registered customers only)
    Special characters (non-alphanumeric characters) are handled incorrectly by some CLI commands in GSS, allowing a user to access resources for which they may not have an adequate level of privilege.

CSCsc33938 (registered customers only)
    The ftp client is now disabled by default, and a new ftp-client enable command has been added. In addition to the new command, new access permissions have also been added, allowing the ftp client to access only the currently logged-in user's home directory.

Revision History

Revision      Date         Comment
Revision 1.1  28-Dec-2005  Updated the workaround section to reflect the 1.1(1.7.0) version.
Revision 1.0  01-Nov-2005  Initial public release.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.