Cisco Warns of IOS Vulnerability

Cisco Systems Inc. yesterday warned of multiple vulnerabilities in its IOS FTP server, an optional service that's disabled by default.

The FTP server is an optional feature of Cisco IOS, the operating system that powers most Cisco switching, routing and firewall devices, with the exception of Cisco's newer IOS XR-based products. As a result of the flaws, Cisco plans to remove the FTP server feature from its IOS builds.

The flaws could result in DoS, improper validation of user credentials, or -- most seriously -- the ability to access (and change) files from the device file system, including saved configurations. The configuration file often contains passwords and other sensitive information, Cisco warned.

If an administrator has specifically enabled and configured the IOS FTP server the device could be vulnerable, Cisco said. Cisco IOS releases based on mainline versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server. IOS XR is not vulnerable, according to Cisco.

Cisco acknowledged the existence of at least two vulnerabilities in the IOS FTP daemon: an "improper authorization checking" flaw and an "IOS reload when transferring files via FTP" issue. An attacker can exploit the former flaw by connecting to TCP ports 21 and 20. No user interaction or authentication is required, Cisco acknowledged. The same is true of the second vulnerability. An attacker who successfully exploits either of these vulnerabilities could gain unauthorized access to the IOS file system, reload the device itself or -- in some scenarios -- even execute arbitrary code, Cisco acknowledged.

Just as troubling, an attacker could conceivably retrieve a device's startup configuration file. This file contains passwords or other information that an attacker could use to elevate his or her privileges. An attacker who repeatedly exploits the IOS FTP Server vulnerabilities could also trigger DoS, Cisco said.

A fix isn't yet available, although Cisco plans to release patches for the relevant versions of IOS. Officials recommend that customers disable the IOS FTP Server by switching to configuration mode and executing the "no ftp-server enable" command.

Additionally, and as a common security best practice, Cisco recommends the use of infrastructure access control lists (iACLs) to police which traffic can be sent to infrastructure devices. Similarly, customers can also use network access authentication to mitigate the improper authentication vulnerability, Cisco said.
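The two mitigations above (turning the FTP server off and policing TCP/21 and TCP/20 with an infrastructure ACL) are both visible in a device's running configuration, so they can be audited from a saved `show running-config`. The following script is an added example written for this article, not code from Cisco or the original piece; it parses a constructed sample config (the hostname, ACL name and addresses are made up), reports whether `ftp-server enable` is present, whether any extended ACL denies both FTP ports and is actually applied inbound on an interface, and produces the remediated config with `no ftp-server enable`. The IOS syntax it matches (`ftp-server enable`, `ip access-list extended`, `ip access-group ... in`, the `ftp`/`ftp-data` port keywords) is standard IOS configuration syntax; the version-train check relies only on the mainline releases the article lists.

```python
"""Audit a Cisco IOS running-config for the IOS FTP server exposure.

Added example (not from the article or from Cisco). Parses the text of
`show running-config` and reports the FTP server state, the IOS train,
and whether an extended ACL that denies TCP/21 and TCP/20 is applied
inbound somewhere. A defined but unapplied ACL is reported as offering
no protection.
"""
import re

# Constructed sample config: a made-up router, with the FTP server on
# and an infrastructure ACL written but never applied to an interface.
SAMPLE_CONFIG = """\
version 12.4
hostname edge-rtr1
!
ftp-server enable
ftp-server topdir flash:
!
ip access-list extended INFRA-ACL
 deny tcp any 192.0.2.0 0.0.0.255 eq 21
 deny tcp any 192.0.2.0 0.0.0.255 eq ftp-data
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Mainline trains the article names as shipping the IOS FTP server.
AFFECTED_TRAINS = ("11.3", "12.0", "12.1", "12.2", "12.3", "12.4")


def ios_version(config):
    """Return the 'version X.Y' line's value, or None if absent."""
    m = re.search(r"^version[ \t]+(\d+\.\d+)", config, re.M)
    return m.group(1) if m else None


def ftp_server_enabled(config):
    """True only for a bare 'ftp-server enable' line ('no ...' is off)."""
    return re.search(r"^ftp-server enable[ \t]*$", config, re.M) is not None


def acls_blocking_ftp(config):
    """Names of extended ACLs that deny both TCP/21 (ftp) and TCP/20 (ftp-data)."""
    names = []
    for m in re.finditer(r"^ip access-list extended (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        deny21 = re.search(r"^ deny tcp .*\beq (21|ftp)[ \t]*$", body, re.M)
        deny20 = re.search(r"^ deny tcp .*\beq (20|ftp-data)[ \t]*$", body, re.M)
        if deny21 and deny20:
            names.append(name)
    return names


def interfaces_with_inbound_acl(config, acl_name):
    """Interfaces carrying 'ip access-group <acl_name> in'."""
    ifaces = []
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        pattern = rf"^ ip access-group {re.escape(acl_name)} in[ \t]*$"
        if re.search(pattern, m.group(2), re.M):
            ifaces.append(m.group(1))
    return ifaces


def audit(config):
    """Summarise the exposure: the service is reachable if enabled and no
    FTP-blocking ACL is applied inbound on any interface."""
    ver = ios_version(config)
    findings = {
        "version": ver,
        "affected_train": ver is not None and ver.startswith(AFFECTED_TRAINS),
        "ftp_server_enabled": ftp_server_enabled(config),
        "ftp_blocking_acls": {},
    }
    for name in acls_blocking_ftp(config):
        findings["ftp_blocking_acls"][name] = interfaces_with_inbound_acl(config, name)
    applied = any(findings["ftp_blocking_acls"].values())
    findings["exposed"] = findings["ftp_server_enabled"] and not applied
    return findings


def remediation(config):
    """Return the config after the advisory's fix: the service turned off."""
    if not ftp_server_enabled(config):
        return config
    return re.sub(r"^ftp-server enable[ \t]*$", "no ftp-server enable",
                  config, flags=re.M)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
    print("--- remediated ---")
    print(remediation(SAMPLE_CONFIG))
```

Run against the sample, the audit flags the box as exposed even though INFRA-ACL exists, because the ACL is not applied to any interface; after `remediation()` the FTP line reads `no ftp-server enable` and the exposure clears. The same functions can be pointed at real config exports to find devices that still need the command applied.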

A full list of recommended mitigations, complete with additional vulnerability details, is available here.

Finally, Cisco officials disclosed plans to remove the FTP Server feature from IOS -- for now. Cisco might add secure FTP server functionality at some point in the future, officials said.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
