Re: Cisco Security Advisory: Multiple Vulnerabilities in CBOS

[CDI <cdi () thewebmasters net>]

My apologies for the delay, I haven't had a chance to verify what I'm
about to say until today.

On Mon, 4 Dec 2000, Cisco Systems Product Security Incident Response Team wrote:

>                         Multiple Vulnerabilities in CBOS
[snip]
>     The following releases of CBOS are vulnerable to all defects: 2.0.1,
>     2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and
>     2.3.8.
[snip]
>     CSCdr98772
>            The behavior is caused by inadequate URL parsing in CBOS.
[snip]
>            Note:Web access on all Cisco 600 routers is disabled by default
>            and must be explicitly enabled.

Does no one at PSIRT fact check these before they go out? I thought I made
it quite clear in my advisory that the web access interface of the 675 is
ENABLED BY DEFAULT in every CBOS image I've ever seen. (2.0.x, 2.1.x,
2.2.x)

Your implication is that the Cisco 600 series is "safe" unless you've
enabled the web interface when in point-of-fact the exact opposite is the
case.

cbos#show version

Cisco Broadband Operating System
CBOS (tm) 675 Software (C675-I-M), Version v2.2.0.000
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Aug 24 1999 18:31:28
NVRAM image at 0x1032bf20

cbos# set nvram erase
Erasing Running Configuration.
You must use "write" for changes to be permanent.
cbos# write
NVRAM written.
cbos# reboot
[blah blah]

cbos# show web
WEB Configuration
Is enabled
Currently accepts connections from any host
Currently uses port 80


CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
Someone hooked the twisted pair wires into the answering machine.