Cisco Warns of IOS Vulnerability

Cisco Systems Inc. yesterday warned of multiple vulnerabilities in its IOS FTP server, an optional service that's disabled by default.

The FTP server is an optional feature of Cisco IOS, the operating system that powers most Cisco switching, routing and firewall devices; Cisco's newer IOS XR-based products do not include it. In response to the flaws, Cisco plans to remove the FTP server feature from its IOS builds.

The flaws could result in a denial of service (DoS), improper validation of user credentials or, most seriously, the ability to read and modify files on the device's file system, including saved configurations. The configuration file often contains passwords and other sensitive information, Cisco warned.

A device is exposed only if an administrator has explicitly enabled and configured the IOS FTP server, Cisco said. IOS releases based on mainline versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server; IOS XR is not vulnerable, according to Cisco.

Cisco acknowledged at least two vulnerabilities in the IOS FTP daemon: an "improper authorization checking" flaw and an "IOS reload when transferring files via FTP" issue. Both can be triggered by an attacker who can reach the FTP control port (TCP 21) and data port (TCP 20); neither requires user interaction or valid credentials. An attacker who successfully exploits either vulnerability could gain unauthorized access to the IOS file system, reload the device or, in some scenarios, execute arbitrary code, Cisco said.

Just as troubling, an attacker could retrieve the device's startup configuration file, which contains passwords and other information that could be used to elevate privileges. Repeatedly exploiting either vulnerability could also be used to cause a DoS, Cisco said.

A fix isn't yet available, although Cisco plans to release patches for the affected IOS versions. In the meantime, Cisco recommends disabling the IOS FTP server by entering global configuration mode and executing "no ftp-server enable". Administrators can confirm the change with "show running-config | include ftp-server", which should no longer report an enable line, and should save the running configuration so the setting survives a reload.

Additionally, and as a general security best practice, Cisco recommends infrastructure access control lists (iACLs) to restrict which traffic may be sent to infrastructure devices; because both flaws require reaching TCP ports 21 and 20, an iACL that denies those ports to the device's own addresses would block the attack path even on devices that have not yet been reconfigured. Customers can also use network access authentication to mitigate the improper authorization checking vulnerability, Cisco said.
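The two mitigations above are configuration changes, so the natural check is an audit of the saved running-config: is "ftp-server enable" present, and would the inbound ACLs still let TCP 21 or 20 reach the device? The script below is an added example, not Cisco's code or tooling. It builds constructed IOS-style configs (the hostname, the ACL name INFRA-IN, the 10.0.0.0/8 infrastructure block and the device address 10.1.1.1 are all assumptions for illustration), evaluates named extended ACLs with IOS first-match semantics and the implicit trailing deny, and reports whether the service is on and whether it is reachable through the filters.

```python
"""Audit a Cisco IOS running-config for the FTP-server exposure described
above: is 'ftp-server enable' present, and would an inbound iACL still let
TCP 21/20 reach the device? Added example, not Cisco's code. The sample
configs, the ACL name INFRA-IN, the 10.0.0.0/8 infrastructure block and
the device address 10.1.1.1 are constructed for illustration."""
import ipaddress
import re

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23}
FTP_ENABLE_RE = re.compile(r"^ftp-server enable\s*$", re.M)
ACL_HEADER_RE = re.compile(r"^ip access-list extended (\S+)\s*$")
# permit|deny proto src dst [eq port]; src/dst are 'any', 'host A' or 'A wildcard'
ACE_RE = re.compile(r"^\s+(permit|deny)\s+(ip|tcp|udp)\s+(any|host \S+|\S+ \S+)"
                    r"\s+(any|host \S+|\S+ \S+)(?:\s+eq\s+(\S+))?\s*$")
APPLY_RE = re.compile(r"^\s+ip access-group (\S+) in\s*$")


def render_config(ftp_server, acl_entries):
    """Build a constructed IOS-style running-config (not a real capture)."""
    ftp = "ftp-server enable\nftp-server topdir flash:\n!\n" if ftp_server else ""
    acl = "".join(f" {e}\n" for e in acl_entries)
    return ("hostname edge-rtr\n!\n" + ftp +
            "ip access-list extended INFRA-IN\n" + acl + "!\n"
            "interface GigabitEthernet0/0\n ip address 10.1.1.1 255.255.255.0\n"
            " ip access-group INFRA-IN in\n")


# Weak: the only inbound filter blocks telnet and lets everything else in.
PERMISSIVE_ACL = ["deny   tcp any 10.0.0.0 0.255.255.255 eq telnet",
                  "permit ip any any"]
# iACL: allow SSH management, explicitly deny FTP control/data, then deny all
# other traffic destined to the infrastructure block; transit traffic passes.
INFRA_ACL = ["permit tcp any 10.0.0.0 0.255.255.255 eq 22",
             "deny   tcp any 10.0.0.0 0.255.255.255 eq ftp",
             "deny   tcp any 10.0.0.0 0.255.255.255 eq ftp-data",
             "deny   ip any 10.0.0.0 0.255.255.255",
             "permit ip any any"]


def parse_config(text):
    """Return ({acl_name: [(action, proto, src, dst, port)]}, [acls applied inbound])."""
    acls, applied, current = {}, [], None
    for line in text.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if current is not None:
            m = ACE_RE.match(line)
            if m:
                action, proto, src, dst, port = m.groups()
                port = None if port is None else int(PORT_NAMES.get(port, port))
                current.append((action, proto, src, dst, port))
                continue
            current = None  # any other line ends the access-list stanza
        m = APPLY_RE.match(line)
        if m:
            applied.append(m.group(1))
    return acls, applied


def addr_matches(spec, ip):
    """Match an IPv4Address against an ACL address spec."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == ipaddress.ip_address(spec.split()[1])
    base, wild = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))  # IOS wildcard: 1 = don't care
    return (int(ip) & mask) == (int(ipaddress.ip_address(base)) & mask)


def acl_permits(aces, proto, dst_ip, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL.
    Sources are ignored deliberately: the question is whether anyone is let in."""
    for action, p, _src, dst, port in aces:
        if p in ("ip", proto) and addr_matches(dst, dst_ip) and port in (None, dport):
            return action == "permit"
    return False


def tcp_permitted(config_text, dport, device_ip="10.1.1.1"):
    """Would TCP to device_ip:dport pass the inbound ACLs applied on the device?"""
    acls, applied = parse_config(config_text)
    if not applied:
        return True  # no inbound filter at all
    ip = ipaddress.ip_address(device_ip)
    return any(acl_permits(acls.get(n, []), "tcp", ip, dport) for n in applied)


def audit(config_text, device_ip="10.1.1.1"):
    """The two findings a reviewer wants: is the service on, and is it reachable?"""
    enabled = bool(FTP_ENABLE_RE.search(config_text))
    reachable = enabled and any(tcp_permitted(config_text, p, device_ip) for p in (21, 20))
    return {"ftp_server_enabled": enabled, "ftp_reachable": reachable}


if __name__ == "__main__":
    for label, cfg in [("exposed", render_config(True, PERMISSIVE_ACL)),
                       ("iacl only", render_config(True, INFRA_ACL)),
                       ("ftp disabled + iacl", render_config(False, INFRA_ACL))]:
        print(label, audit(cfg))
```

Run it as a script to see the three states side by side, or feed `audit()` the text of a real `show running-config`. The "iacl only" case is the interesting one: the iACL closes the network path, but the service is still enabled, so the config still needs "no ftp-server enable". Two deliberate simplifications to keep in mind: source addresses are ignored (a permit scoped to a management host still counts as reachable, which is the conservative reading), and the check only evaluates ACLs that are applied inbound, so an interface with no ACL on a device that has one elsewhere is not flagged; track interfaces in `parse_config` if you need that.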

A full list of recommended mitigations, with additional vulnerability details, is available in Cisco's security advisory.

Finally, Cisco officials said the company plans to remove the FTP server feature from IOS for now, and might add secure FTP server functionality at some point in the future.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
