Cisco has published a warning about a critical vulnerability affecting its IOS XE operating system. The vulnerability has a CVSS score of 10, the highest possible score, and is classified as critical.
Unauthorized individuals can exploit a vulnerability in the web interface to create a new user with administrator privileges on the affected device. That account can then be used to log in and make configuration changes.
The vulnerability is related to the HTTP/HTTPS server. You can check whether it is enabled by running the following command:
"show running-config | include ip http server|secure|active"
If you see the following output, the device is vulnerable:
"ip http server
ip http secure-server"
The risk can be reduced by:
- Disabling HTTP/HTTPS management until a fix is published.
- Restricting which networks have access to the management interface.
- For most installations, management of network infrastructure is normally restricted to a small number of IP addresses, and we believe that most of our customers are adequately protected. We nevertheless recommend that all customers perform an additional check to be certain.
Where HTTP/HTTPS can be done without until a fix is available, we recommend disabling it by running the following commands:
"no ip http server"
"no ip http secure-server"
Customers running a local guest portal hosted on an IOS-XE-based WLC (LWA – Local Web Auth) should contact us as soon as possible if we have not already contacted them. The guest portal uses the HTTP/HTTPS server on the WLC, and disabling these features will cause a service outage.
If you use a centrally hosted guest portal solution with IOS-XE-based switches and WLCs (CWA – Central Web Auth), make sure that the "ip http server" command is combined with "ip http active-session-modules none" so that the guest portal solution continues to work.
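The check and the three configuration states described above (exposed, disabled, and kept on for CWA with session modules off), as an added example that is not part of the original advisory: a small Python helper that classifies a captured "show running-config | include ip http" excerpt and lists the disable commands the advisory gives. The config excerpts are constructed samples, not output from a real device.

```python
# Constructed excerpt from an exposed device: both servers on, web UI reachable.
SAMPLE_EXPOSED = """\
ip http server
ip http authentication local
ip http secure-server
"""

# Constructed excerpt after running the two "no ip http ..." commands.
# IOS XE lists the disabled state explicitly, so an exact-line match is needed.
SAMPLE_DISABLED = """\
no ip http server
no ip http secure-server
"""

# Constructed excerpt for the CWA case: server kept on for the guest portal,
# but combined with "ip http active-session-modules none".
SAMPLE_CWA = """\
ip http server
ip http secure-server
ip http active-session-modules none
"""


def assess_http_config(running_config: str) -> dict:
    """Classify an IOS XE running-config excerpt against the advisory.

    Returns which servers are enabled, whether the web UI is still reachable,
    and the disable commands from the advisory that apply to that state.
    """
    lines = {ln.strip() for ln in running_config.splitlines() if ln.strip()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    modules_none = "ip http active-session-modules none" in lines
    # Web UI is exposed when either server is on and session modules are not off.
    web_ui_exposed = (http_on or https_on) and not modules_none
    disable_commands = []
    if web_ui_exposed:
        if http_on:
            disable_commands.append("no ip http server")
        if https_on:
            disable_commands.append("no ip http secure-server")
    return {
        "http_server": http_on,
        "https_server": https_on,
        "active_session_modules_none": modules_none,
        "web_ui_exposed": web_ui_exposed,
        "disable_commands": disable_commands,
    }
```

Feed it the saved output of the show command per device; a device whose result has web_ui_exposed set and an empty disable list cannot occur, so an empty list always means no action from this advisory is needed.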
Link to Cisco's publication of the vulnerability:
For further information, please contact your account manager at Conscia.