Wednesday, March 28, 2018

Cisco IOS XE Software Arbitrary File Write Vulnerability

This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled. The default state of the HTTP Server feature is version-dependent.

For information about which Cisco IOS XE Software releases are vulnerable, consult the Cisco bug ID(s) at the top of this advisory.

Assessing the HTTP Server Configuration

To determine whether the HTTP Server feature is enabled for a device, administrators can log in to the device and use the show running-config | include http (secure|server) command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present and configured, the HTTP Server feature is enabled for the device.

The following example shows the output of the show running-config | include http (secure|server) command for a router that has the HTTP Server feature enabled:

Router# show running-config | include http (secure|server)

ip http server
ip http secure-server

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.

The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.

For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

No other Cisco products are currently known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.



from Cisco Security Advisory https://ift.tt/2pRDFb5
Posted by at

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)