Cisco Security Advisory-
The Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) module allows Telnet access when no password has been set. The correct response is to disallow any remote access to the module until the password has been set. This vulnerability may result in users gaining unintended access to secure systems.
This vulnerability is documented as Cisco bug ID CSCdt65960.
This advisory will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010614-nrp2-telnet.
-
This section provides details on affected products.
Vulnerable Products
Cisco 6400 NRP2 modules running Cisco IOSĀ® release earlier than 12.1(05)DC01 are affected by this vulnerability.
To determine your software revision, type show version at the command line prompt.
Products Confirmed Not Vulnerable
Cisco 6400 NSP and Cisco 6400 NRP1 modules are not affected by this vulnerability. No other Cisco product is currently known to be affected by this vulnerability.
-
The Cisco 6400 Access Concentrator NRP2 module allows Telnet access when no password is set for the vtys on the NRP2. This vulnerability affects the Gigabit Ethernet, ATM and Serial interface on the NRP2. The correct response is to not allow any remote access to the module until the vty password has been set.
This vulnerability is documented as Cisco bug ID CSCdt65960, which requires a CCO account to view.
-
Apply password to all the 32 vtys on the NRP2.
Enable Prompt> vty 0 31 password "the-password"
-
This vulnerability has been fixed in Cisco IOS release 12.1(05)DC01 or later.
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
This vulnerability was reported to Cisco by a Cisco customer.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.