FTP Vulnerability in Cisco Arrowpoint Switches

A user account that does not have administrative privileges can open an FTP connection to a Cisco CSS 11000 series switch and use the GET and PUT FTP commands with no user-level restrictions enforced.

Ken Pfeil

June 3, 2001


Reported May 17, 2001, by Cisco Systems.

 

VERSIONS AFFECTED

· All Cisco CSS 11000 series (formerly known as Arrowpoint) switches running WebNS software versions earlier than 4.01B23s and 4.10B13s, including CSS 11050, CSS 11150, and CSS 11800 hardware platform switches

 

DESCRIPTION
A user account that does not have administrative privileges can open an FTP connection to a Cisco CSS 11000 series switch and use the GET and PUT FTP commands with no user-level restrictions enforced.

 

VENDOR RESPONSE

Cisco has issued an advisory regarding this vulnerability. Cisco recommends that users running the above-listed WebNS software versions upgrade to versions 4.01B29s or 4.10B17s, available through regular support channels. As a workaround, Cisco recommends that users do not configure non-privileged users on the switch, as the software does not create any by default. Cisco also recommends using the RESTRICT command to disable FTP access to the switch and applying access control to FTP users as specified in the following documents:

 

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm and http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm

 

CREDIT
Discovered by Cisco.
