Lee E Rian/TCO/HQ/BOC wrote on 08/29/2006 01:49:40 PM:
>
> I found something interesting w/ the cat6000s - telnet 127.0.0.11
> gets you into the switch & telnet 127.0.0.12 gets you into the router
>
> % snmpget 127.0.0.11 sysDescr.0
> RFC1213-MIB::sysDescr.0 = STRING: "Cisco Systems WS-C6509.Cisco
> Catalyst Operating System Software, Version 5.5(18).Copyright (c)
> 1995-2002 by Cisco Systems."
<.. snip ..>
> I'm trying to figure out if that opens us up to something or not.
Yes, the date is correct - it was a bit over a year ago when I wrote a
co-worker about the problem. And it did open us up to an attacker gaining
access to the router or switch; I sent a msg to Cisco PSIRT the same day.
Cisco has documented the fix in the release notes
(e.g.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/ol_4164.htm#wp3511819)
but it's buried in the release notes and how many people will a) read the
release notes and b) realize the implications? So while I agree with Cisco
about this being a low to moderate vulnerability, that's only if one
realizes that the various line cards in a catalyst 6500 are accessible via
127.0.0.xx addresses from the network. At least in my mind, this is on the
same level as routers accepting snmp sets to 255.255.255.255, {network, 0}
and {network, -1} … a minor issue as long as you realize that it is
possible to access the router/switch that way.
Mitigating factors:
As an example of 'only the first MSFC in the path', the path from one of
our remote offices to a data center is
cat6500 with a supervisor 2 card (no MSFC)
cisco 2800 router
cisco 7200 router
cat6500 with a SUP720 in slot 5
Anyone in that remote office would have been able to access the data center
cat6500 by sending traffic to 127.0.0.51.
I would like to thank Ilker Temir of Cisco for his professionalism and many
courtesies extended to me while working on this issue.
Lee Rian
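As an added example (not part of Lee's message or any Cisco tooling), a Python check that scans exported flow records for the pattern described above: traffic arriving on a network-facing interface whose destination is in 127.0.0.0/8, i.e. aimed at a line card's internal address. The key=value record format and the sample records are constructed assumptions.

```python
import ipaddress
import re

# Loopback range that should never appear as a destination on the wire (RFC 1122).
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample flow records; the format is an assumption, not a real export.
SAMPLE_FLOWS = """\
ts=2006-08-29T13:49:40 iface=Gi1/1 src=10.20.30.40 dst=10.1.1.1 proto=tcp dport=80
ts=2006-08-29T13:50:02 iface=Gi1/1 src=10.20.30.40 dst=127.0.0.11 proto=tcp dport=23
ts=2006-08-29T13:50:05 iface=Gi1/1 src=10.20.30.40 dst=127.0.0.11 proto=udp dport=161
ts=2006-08-29T13:51:10 iface=Gi2/3 src=10.9.9.9 dst=127.0.0.51 proto=tcp dport=23
ts=2006-08-29T13:52:00 iface=Gi2/3 src=10.9.9.9 dst=10.1.1.2 proto=udp dport=53
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one 'key=value ...' record into a dict; returns None on malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    try:
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
        fields["dport"] = int(fields["dport"])
    except (KeyError, ValueError):
        return None
    return fields


def find_loopback_destined(text):
    """Return flows whose destination lies in 127.0.0.0/8: traffic that reached a
    network interface but is addressed to a chassis-internal loopback address."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and flow["dst_ip"] in LOOPBACK_NET:
            hits.append(flow)
    return hits


def summarize(hits):
    """Group findings per (source, destination) with the management services seen."""
    summary = {}
    for f in hits:
        key = (f["src"], str(f["dst_ip"]))
        summary.setdefault(key, set()).add((f["proto"], f["dport"]))
    return summary


if __name__ == "__main__":
    for (src, dst), services in summarize(find_loopback_destined(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {sorted(services)}")
```

Any hit is worth an alert regardless of port: legitimate hosts never send to 127.0.0.0/8 across the network, so the source is either misconfigured or probing the chassis.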
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/