VID 29031
Severity 40
Port 161
Protocol UDP
Class CISCO
Detailed Description The Cisco IOS has a TFTP long filename vulnerability (Cisco Bug ID CSCdy03429). Successful exploitation of this vulnerability may cause a software reset of the device resulting in a loss of availability while the device reinitializes. Repeated exploitations could result in a Denial of Service until the workarounds for this vulnerability have been implemented.
Trivial File Transfer Protocol (TFTP) is a protocol that allows for easy transfer of files between network-connected devices. A vulnerability has been discovered in the processing of filenames within a TFTP read request when Cisco IOS is configured to act as a TFTP server. By sending a crafted TFTP read request, it is possible to trigger a buffer overflow in the TFTP server when an alias has not been defined for every file being served. This vulnerability can be exploited remotely.

* Note: This check relies solely on the version number of the remote system to assess this vulnerability, so the result might be a false positive. This check also requires a read-access SNMP community string to collect the version number. To provide this access, add the valid community string to the check item "snmp/guessable/r" from the Policy Editor.

* References:
http://www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml
http://online.securityfocus.com/archive/1/284634

* Platforms Affected:
Cisco IOS software versions 11.1, 11.2, 11.3

* Platforms Not Affected:
Cisco IOS software versions 11.1, 11.2, 11.3 when running on a 68040 based architecture such as a Route Processor
Recommendation The affected releases, 11.1, 11.2, and 11.3, are all at End of Life, which means they do not have a maintenance version scheduled, and will not be fixed. It is recommended to use the documented workarounds if these versions must be used.

There are two workarounds known to address this issue:

1. Disable the TFTP server entirely
Cisco IOS provides TFTP server functionality to facilitate the transfer of Cisco IOS images when another TFTP server may not be available. If the TFTP server functionality is not currently needed, the following steps may be taken to disable the TFTP server.

a) While in enable mode on the router, issue the command 'show running-config' and look for lines starting with 'tftp-server'.
b) For each line in the config starting with 'tftp-server', enter config mode and issue the word 'no' followed by a space followed by the full text of the matching line to remove that entry. This step must be repeated for each matching line of the config.
c) Once this task has been completed, verify that there are no lines starting with 'tftp-server' by issuing the command 'show running-config' from the enable prompt.
d) Once verified, save the new configuration so that the server will be disabled upon the next reset of the device.

2. Provide aliases for TFTP server filenames
Cisco IOS provides the ability to alias a long filename to a shorter filename. If the tftp-server entries in the configuration have the keyword "alias" in them, the router will not be vulnerable to exploitation of this vulnerability. To implement this workaround, follow the directions above for disabling the TFTP server, and then add any configuration lines back to the config by appending the keyword "alias" followed by a short filename such that the command resembles:

tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS

* Note: this must be done for every line starting with "tftp-server" in the configuration. The existence of a single line in the configuration beginning with "tftp-server" without an alias defined while running affected versions of software is all that is needed to become subject to this vulnerability.
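
The check in steps a) to c) and the alias rule in workaround 2 can be run against a saved copy of 'show running-config'. The Python below is an added example, not part of the original advisory or of any Cisco tooling; the sample configuration, the second image filename and the short_names mapping are constructed for illustration.

```python
# Added example: audit a saved IOS running-config for tftp-server entries without an alias.
# SAMPLE_CONFIG is constructed for illustration; it is not output from a real device.
SAMPLE_CONFIG = """\
version 11.2
hostname lab-router
!
tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS
tftp-server flash c2500-i-l.112-26.bin
no tftp-server flash old-image.bin
snmp-server community example RO
end
"""


def audit_tftp_server(config_text):
    """Return (aliased, unaliased) lists of tftp-server lines found in the config."""
    aliased, unaliased = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        tokens = [t.lower() for t in line.split()]
        # Only lines that start with 'tftp-server' count; 'no tftp-server ...' does not.
        if not tokens or tokens[0] != "tftp-server":
            continue
        # An entry is aliased when the keyword 'alias' is followed by a short filename.
        has_alias = "alias" in tokens[1:] and tokens.index("alias", 1) < len(tokens) - 1
        (aliased if has_alias else unaliased).append(line)
    return aliased, unaliased


def remediation(config_text, short_names=None):
    """Build config-mode commands for every unaliased entry.

    short_names (hypothetical helper input) maps a full tftp-server line to the
    alias it should be re-added with; entries not in the map are only removed.
    """
    short_names = short_names or {}
    _, unaliased = audit_tftp_server(config_text)
    commands = []
    for line in unaliased:
        commands.append("no " + line)  # workaround 1: 'no' + space + full line
        if line in short_names:        # workaround 2: add the line back with an alias
            commands.append(f"{line} alias {short_names[line]}")
    return commands


if __name__ == "__main__":
    ok, exposed = audit_tftp_server(SAMPLE_CONFIG)
    print(f"{len(ok)} aliased, {len(exposed)} without alias")
    for cmd in remediation(SAMPLE_CONFIG):
        print(cmd)
```

An empty second list from audit_tftp_server corresponds to the verification in step c) when the server is disabled, or to every entry carrying an alias when workaround 2 is used.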

For details, see http://www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml
Related URL CVE-2002-0813 (CVE)
Related URL 5328 (SecurityFocus)
Related URL (ISS)