Cisco Warns of IOS Vulnerability
- By Stephen Swoyer
- May 10, 2007
Cisco Systems Inc. yesterday warned of multiple
vulnerabilities in its IOS FTP server, an optional service that's
disabled by default.
The FTP Server feature is a feature of Cisco IOS, which powers most Cisco switching,
routing and firewall devices, with the exception of Cisco's new IOS XR-based
products. As a result of the flaws, Cisco plans to remove the FTP server feature
from its IOS builds.
The flaws could result in DoS, improper validation of user credentials, or
-- most seriously -- the ability to access (and change) files from the device
file system, including saved configurations. The configuration file often contains
passwords and other sensitive information, Cisco warned.
If an administrator has specifically enabled and configured the IOS FTP server
the device could be vulnerable, Cisco said. Cisco IOS releases based on mainline
versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server. IOS
XR is not vulnerable, according to Cisco.
Cisco acknowledged the existence of at least two vulnerabilities in the IOS
FTP daemon: an "improper authorization checking" flaw and an "IOS
reload when transferring files via FTP" issue. An attacker can exploit
the former flaw by connecting to TCP ports 21 and 20. No user interaction or
authentication is required, Cisco acknowledged. The same goes for the second
vulnerability, as well. An attacker who successfully exploits either of these
vulnerabilities could gain unauthorized access to the IOS file system, reload
the device itself or -- in some scenarios -- even execute arbitrary code, Cisco
Just as troubling, an attacker could conceivably retrieve a device's startup
configuration file. This file contains passwords or other information that an
attacker could use to elevate his or her privileges. An attacker who repeatedly
exploits the IOS FTP Server vulnerabilities could also trigger DoS, Cisco said.
A fix isn't yet available, although Cisco plans to release patches for the
relevant versions of IOS. Officials recommend that customers disable the IOS
FTP Server by switching to configuration mode and executing the "no ftp-server
Additionally, and as a common security best practice, Cisco recommends the
use of infrastructure access control lists (iACLs) to police which traffic can
be sent to infrastructure devices. Similarly, customers can also use network
access authentication to mitigate the improper authentication vulnerability,
A full list of recommended mitigations, complete with additional vulnerability
details, is available here.
Finally, Cisco officials disclosed plans to remove the FTP Server feature from
IOS -- for now. Cisco might add secure FTP server functionality at some point
in the future, officials said.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.