ISS X-Force Database: cisco-css-elevate-privileges(6322): Cisco CSS debug mode allows users to gain administrative access

Cisco CSS debug mode allows users to gain administrative access

cisco-css-elevate-privileges (6322)

High Risk

Description:

Cisco Content Services Switch (CSS), also known as Arrowpoint, could allow an attacker with a valid user account to gain elevated privileges. The CSS switch allows unprivileged users to enter debug mode by issuing a series of keystrokes. Once in debug mode, the attacker can gain full administrative access to the system.

Platforms Affected:

Cisco, Content Services Switch 11050
Cisco, Content Services Switch 11150
Cisco, Content Services Switch 11800

Remedy:

Upgrade to the latest version of Cisco WebNS software (4.01B(19s) or later), as listed in Cisco Systems Field Notice, April 4, 2001. See References.

Consequences:

Gain Privileges

References:

CIAC Information Bulletin L-069, Cisco Content Services Switch User Account Vulnerability at http://www.ciac.org/ciac/bulletins/l-069.shtml.
CIAC Information Bulletin L-069, Cisco Content Services Switch User Account Vulnerability at http://www.ciac.org/ciac/bulletins/l-069.shtml.
Cisco Systems Field Notice, April 4, 2001, Cisco Content Services Switch User Account Vulnerability at http://www.cisco.com/warp/public/707/arrowpoint-useraccnt-debug-pub.shtml.
UNIRAS (UK Govt CERT) Electronic Briefing Notice - No. E46/01 dated 09.04.01, Cisco Content Services Switch User Account Vulnerability at http://www.niscc.gov.uk/niscc/docs/br-20010409-00052.html?lang=en.
BID-2559: Cisco Content Services Switch User Privilege Elevation Vulnerability
CVE-2001-0412: Cisco Content Services (CSS) switch products 11800 and earlier, aka Arrowpoint, allows local users to gain privileges by entering debug mode.
OSVDB ID: 1784: Cisco CSS Debug Mode Privilege Elevation
US-CERT VU#174248: Cisco Content Services Switch (CSS) permits non-privileged user to enter debug mode

Reported:

Apr 04, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page