Cisco CSS FTP connection allows unprivileged users to execute commands
| cisco-css-ftp-commands (6557) |  High Risk |
Description:
Cisco Content Services Switch (CSS), also known as Arrowpoint, could allow an unprivileged user to open an FTP connection and execute arbitrary commands on the system. An attacker, with a valid user account, could open an FTP connection and read from or write to any file on the system by using the GET and PUT commands. An attacker could use this vulnerability to gain elevated privileges.
The vulnerable switches are Cisco CSS 11050, CSS 11150, and CSS 11800.
Platforms Affected:
- Cisco, Content Services Switch 11050
- Cisco, Content Services Switch 11150
- Cisco, Content Services Switch 11800
Remedy:
Upgrade to the latest version of Cisco WebNS software (4.01B(13s) or later) or Cisco WebNS software (4.01B(23s) or later), as listed in Cisco Systems Field Notice, May 17, 2001. See References.
Consequences:
Gain Privileges
References:
- CIAC Information Bulletin L-085, Cisco Content Service Switch FTP Vulnerability at http://www.ciac.org/ciac/bulletins/l-085.shtml.
- Cisco Systems Field Notice, May 17, 2001, Cisco Content Service Switch 11000 Series FTP Vulnerability at http://www.cisco.com/warp/public/707/arrowpoint-ftp-pub.shtml.
- BID-2745: Cisco Content Service Switch FTP Access Control Vulnerability
- CVE-2001-0621: The FTP server on Cisco Content Service 11000 series switches (CSS) before WebNS 4.01B23s and WebNS 4.10B13s allows an attacker who is an FTP user to read and write arbitrary files via GET or PUT commands.
- OSVDB ID: 1834: Cisco CSS FTP File Disclosure
Reported:
May 17, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net