Cisco Warns of IOS Vulnerability

Cisco Systems Inc. yesterday warned of multiple vulnerabilities in its IOS FTP server, an optional service that's disabled by default.

The FTP Server feature is part of Cisco IOS, which powers most Cisco switching, routing and firewall devices, with the exception of Cisco's new IOS XR-based products. As a result of the flaws, Cisco plans to remove the FTP server feature from its IOS builds.

The flaws could result in DoS, improper validation of user credentials, or -- most seriously -- the ability to access (and change) files from the device file system, including saved configurations. The configuration file often contains passwords and other sensitive information, Cisco warned.

If an administrator has specifically enabled and configured the IOS FTP server the device could be vulnerable, Cisco said. Cisco IOS releases based on mainline versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server. IOS XR is not vulnerable, according to Cisco.

Cisco acknowledged at least two vulnerabilities in the IOS FTP daemon: an "improper authorization checking" flaw and an "IOS reload when transferring files via FTP" issue. Both can be exploited by connecting to TCP ports 21 and 20, and neither requires user interaction or authentication, Cisco acknowledged. An attacker who successfully exploits either vulnerability could gain unauthorized access to the IOS file system, reload the device itself or -- in some scenarios -- even execute arbitrary code, the company said.

Just as troubling, an attacker could conceivably retrieve a device's startup configuration file. This file contains passwords or other information that an attacker could use to elevate his or her privileges. An attacker who repeatedly exploits the IOS FTP Server vulnerabilities could also trigger DoS, Cisco said.

A fix isn't yet available, although Cisco plans to release patches for the relevant versions of IOS. Officials recommend that customers disable the IOS FTP Server by switching to configuration mode and executing the "no ftp-server enable" command.

Additionally, and as a common security best practice, Cisco recommends the use of infrastructure access control lists (iACLs) to police which traffic can be sent to infrastructure devices. Similarly, customers can also use network access authentication to mitigate the improper authentication vulnerability, Cisco said.
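The two mitigations above, shown as an added IOS configuration example that is not part of Cisco's advisory: the FTP server is disabled, and an iACL limits FTP control (port 21) and data (port 20) connections to infrastructure addresses to a management subnet. The address ranges and the interface name are placeholders; 192.0.2.0/24 stands for the management hosts and 198.51.100.0/24 for the router's own addresses.

```text
! Added example, not from the advisory. Placeholders:
!   192.0.2.0/24      management hosts allowed to reach the devices
!   198.51.100.0/24   infrastructure (router loopback/link) addresses
!   GigabitEthernet0/0 the interface facing untrusted networks
configure terminal
 ! 1. Turn off the optional FTP server (it is off by default)
 no ftp-server enable
 ! 2. iACL: only the management subnet may open FTP to infrastructure
 ip access-list extended INFRA-iACL
  remark FTP control and data from management hosts only
  permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq ftp
  permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq ftp-data
  remark Drop and log FTP from anywhere else toward infrastructure
  deny   tcp any 198.51.100.0 0.0.0.255 eq ftp log
  deny   tcp any 198.51.100.0 0.0.0.255 eq ftp-data log
  remark Transit traffic is not affected by this example
  permit ip any any
 interface GigabitEthernet0/0
  ip access-group INFRA-iACL in
 end
! Verify: no output means the FTP server is not enabled
show running-config | include ftp-server
```

The `deny ... log` entries also give the logging server a record of FTP attempts against infrastructure addresses, which is useful for spotting scanning for this service even after it is disabled.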

A full list of recommended mitigations, complete with additional vulnerability details, is available in Cisco's advisory.

Finally, Cisco officials disclosed plans to remove the FTP Server feature from IOS -- for now. Cisco might add secure FTP server functionality at some point in the future, officials said.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
