Cisco Leaking Critical Information

Recently, I met a funny situation:

Users who logon to a Cisco router(without credential), on priviledge 1 (user mode) are able to view critical information like the router access-list setting and interfaces status.

Surprise right? But when you query about applicable command by typing “sh ?“, the options are not shown there.

There is no “access-list” right? But if you type “show access-list“:

Surprise right? The system administrator gonna be headache!!

Ok, let see its interfaces status by enter “show ip interface” command:

See? First, they don’t have outbound access-list! And then, they…

If you can view critical data like access-list and router interface status, then no surprise you can see other things like version, users etc.

At the time you had tried to access all possible information, then there is no much difference than viewing the whole configuration file with the command “show running-config“, just you don’t have the priviledge to modify it directly.

Thus, does modification is necessary for an external attack to occurs? NO! The attacker just need a security hole, so does we always say “Your security is as good as your weakest link!

So far, there is official solution has been released, as Cisco claimed it is an intended design, just not documented properly. CVE record (CVE-2000-0345) for this vulnerability is still under review, since 2000!

Suggested solution:

1. Escalate the privilege needed to run show command by entering commands below:
privilege exec level 15 show

2. Downgrade the user first-logon privilege from 1 to 0, and then downgrade other essential command’s privilege to 0 accordingly.

3. Enable password for user logon (only applicable for certain models).

Don’t blame Cisco! They are still quite good after all.


1. Neohapsis Archive

2. CVE-2000-0345

3. SecurityFocus: Cisco Online-Help vulnerability

4. National Vulnerability Database


0 Responses to “Cisco Leaking Critical Information”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

September 2008
« Aug   Oct »

%d bloggers like this: