May 2007
Two Cisco Security Advisories: HTTP Full-Width and Half-Width Unicode Encoding Evasion, Multiple Vulnerabilities in the IOS FTP Server
ID: 132
Ref: 074/2007
Date: 17 May 2007:16:10:55
Version: 1
Title: Two Cisco Security Advisories: HTTP Full-Width and Half-Width Unicode Encoding Evasion, Multiple Vulnerabilities in the IOS FTP Server
Abstract: Two Cisco Security Advisories: 1. Cisco Security Response: HTTP Full-Width and Half-Width Unicode Encoding Evasion 2. Multiple Vulnerabilities in the IOS FTP Server
Vendors affected: Cisco
Operating systems affected: Cisco
Applications affected: Cisco
1.
Cisco Security Response: HTTP Full-Width and Half-Width Unicode Encoding Evasion
Document ID: 91767
Advisory ID: cisco-sr-20070514-unicode
Advisory: http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
Revision 1.0
For Public Release 2007 May 14 2000 UTC (GMT)
-----------------------------------------------------------------------
Cisco Response
==============
The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width Unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:
http://www.kb.cert.org/vuls/id/739224
By encoding attacks using a full-width or half-width Unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.
This response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
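A signature compared against the undecoded request will not match when characters arrive as full-width or half-width forms. The following Python code is an added example, not part of the Cisco or CPNI text: it canonicalizes a request path (percent-decoding, then Unicode NFKC folding) before signature matching and flags paths that carry width variants. The signature, the sample paths in the comments and the function names are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hypothetical signature a filter is meant to match (constructed for this example).
SIGNATURES = ("/admin/",)

# Non-standard %uXXXX escapes, which some web servers accept.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode(raw_path: str) -> str:
    """Resolve %uXXXX escapes, then standard percent-encoding as UTF-8."""
    step = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), raw_path)
    return unquote(step, encoding="utf-8", errors="replace")


def canonicalize(raw_path: str) -> str:
    """Fold full-width and half-width forms to their base characters."""
    # NFKC maps the Halfwidth and Fullwidth Forms block (U+FF00-U+FFEF)
    # to compatibility equivalents, e.g. U+FF41 becomes "a".
    return unicodedata.normalize("NFKC", decode(raw_path)).lower()


def inspect(raw_path: str) -> dict:
    """Compare a naive raw match with a match on the canonical form."""
    decoded = decode(raw_path)
    canonical = canonicalize(raw_path)
    return {
        # What a filter sees if it matches on the raw request text.
        "naive_match": any(s in raw_path.lower() for s in SIGNATURES),
        # What it sees after decoding and width folding.
        "canonical_match": any(s in canonical for s in SIGNATURES),
        # Width variants in a URL path are unusual and worth logging.
        "width_variants": any(0xFF00 <= ord(c) <= 0xFFEF for c in decoded),
    }


if __name__ == "__main__":
    # Constructed sample paths: plain, UTF-8 escaped U+FF41, %u escaped U+FF41.
    for path in ("/admin/login", "/%EF%BD%81dmin/login",
                 "/%uFF41dmin/login", "/index.html"):
        print(path, inspect(path))
```

A mismatch between naive_match and canonical_match on the same request is itself a useful detection signal, independent of which signature matched.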
Additional Information
======================
The following Cisco products are affected by this vulnerability (all versions are affected unless a specific version is explicitly mentioned):
* Cisco Intrusion Prevention System (IPS): Cisco Bug ID CSCsi58602
* Cisco IOS with Firewall/IPS Feature Set: Cisco Bug ID CSCsi67763
The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this document.
This issue was reported to Cisco by US-CERT. The original issue was reported to US-CERT by Fatih Ozavci and Caglar Cakici of Gamasec Security. Cisco would like to thank US-CERT, Fatih Ozavci and Caglar Cakici for bringing this issue to our attention.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Revision History
================
+------------------------------------------------------+
| Revision 1.0 | 2007-May-14 | Initial public release |
+------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----------------------------------------------------------------------
All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved.
-----------------------------------------------------------------------
Updated: May 14, 2007 Document ID: 91767
-----------------------------------------------------------------------
2.
Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server
Document ID: 90782
Advisory ID: cisco-sa-20070509-iosftp
http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml
Revision 1.1
For Public Release 2007 May 09 1600 UTC (GMT)
Summary
The Cisco IOS FTP Server feature contains multiple vulnerabilities that can result in a denial of service (DoS) condition, improper verification of user credentials, and the ability to retrieve or write any file from the device filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.
This vulnerability does not apply to the IOS FTP Client feature.
Vulnerable Products
Cisco devices running IOS and configured for FTP server functionality are affected by these issues.
IOS versions based on 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server feature. The IOS FTP server feature was removed via CSCsg16908.
Only certain IOS releases based on the above IOS trains contain the IOS FTP server feature. For a device running Cisco IOS to be vulnerable, the following command must be present in the device configuration:
ftp-server enable
Impact
Successful exploitation of these vulnerabilities may allow unauthorized, remote users to access the filesystem on the IOS device, cause the affected device to reload, or execute arbitrary code.
Unauthorized users could retrieve the device's startup-config file from the filesystem. This file may contain information that could allow the attacker to gain escalated privileges.
Repeated exploitation of the vulnerabilities could lead to an extended Denial of Service (DoS).
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by a customer.
For the full advisory, including workarounds, please visit: http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Cisco for the information contained in this advisory.
______________________________________________________________________________