|
Cisco IOS AAA Command Authentication Bypass Vulnerability
|
|
|
|
|
Secunia Advisory:
|
SA18613
|
|
|
Release Date:
|
2006-01-26
|
|
Last Update:
|
2006-03-22
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
Local system
|
|
Solution Status:
|
Vendor Workaround
|
|
| OS: | Cisco IOS 12.x
Cisco IOS R12.x
|
|
| | CVE reference: | CVE-2006-0485 (Secunia mirror)
CVE-2006-0486 (Secunia mirror)
|
|
|
|
|
|
Description:
A vulnerability has been reported in Cisco IOS, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to missing authorisation checks in the AAA (Authentication, Authorization, and Accounting) command authorisation feature for commands that are executed from the Tcl (Tool Command Language) exec shell. This can be exploited by malicious users to execute any IOS EXEC command at the users' authenticated privilege level.
Successful exploitation requires that the AAA command authorisation feature is enabled and Tcl functionality is supported by the device.
The vulnerability has been reported in IOS Version 12.0T or later.
Note: It has also been reported that an authenticated user is automatically placed into the Tcl Shell mode if a previous user goes into Tcl Shell mode and terminates the session before leaving the Tcl Shell mode. This may help to exacerbate the vulnerability.
Solution:
Fixes are available (see patch matrix in vendor advisory).
http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
Note: The vendor has reported that the vulnerability was not completely fixed in some versions of Cisco IOS. Refer to the updated patch matrix in vendor advisory for more information.
http://www.cisco.com/en/US/products/s..._security_notice09186a00805eead0.html
Apply vendor recommended workarounds until the updated fixes available.
Provided and/or discovered by:
The vendor credits Nicolas Fischbach of COLT Telecom.
Changelog:
2006-02-03: Added CVE references.
2006-03-22: Vendor releases updated patch matrix. Updated "Solution Status", "Solution" and "Original Advisory" sections.
Original Advisory:
http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
http://www.cisco.com/en/US/products/s..._security_notice09186a00805eead0.html
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
61 Related Secunia Security Advisories, displaying 10
|
|
|
1. Cisco Products DNS Cache Poisoning Vulnerability
|
|
2. Cisco Products SNMPv3 Two Vulnerabilities
|
|
3. Cisco IOS SSH Server Denial of Service
|
|
4. Cisco IOS Denial of Service Vulnerability
|
|
5. Cisco IOS Multiple Vulnerabilities
|
|
6. Cisco Products EAP Denial of Service Vulnerability
|
|
7. Cisco IOS Line Printer Daemon Buffer Overflow Vulnerability
|
|
8. Cisco IOS Regular Expressions Denial of Service
|
|
9. Cisco IOS Voice Service Multiple Protocol Handling Vulnerabilities
|
|
10. Cisco IOS Secure Copy Security Bypass Vulnerability
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
