Positive Research has discovered a vulnerability in Cisco devices. The vulnerability allows attackers to bypass certain access restrictions.
A possible security flaw was detected because of privileged command restrictions, in particular – "more" command that allows attackers to obtain router configuration stored in nvram, system (RAM), flash elements.
If more command access settings are configured as privilege exec level {number} more, opposed to commands like show, disk element access is propagated to all lower levels that could allow unauthorized users to obtain router memory and its elements nvram, system (RAM), flash.
Such problems are detected for IOS routers and switchers 12.2, 12.3, 12.4, 15.0.
Details
IOS 12.2, 12.3 limit access to configuration that can be obtained from system:running-config, but prevent reading directly from router memory (system:memory) to get the data, also reading from configuration and other files in router’s flash and nvram can is not limited.
IOS 12.4, 15.0 opposed to versions 12.2, 12.3, do not limit access from all router’s elements nvram, system (RAM), flash.
More details and how to fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827
Example 1. How to get configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE)
A possible security flaw was detected because of privileged command restrictions, in particular – "more" command that allows attackers to obtain router configuration stored in nvram, system (RAM), flash elements.
If more command access settings are configured as privilege exec level {number} more, opposed to commands like show, disk element access is propagated to all lower levels that could allow unauthorized users to obtain router memory and its elements nvram, system (RAM), flash.
Such problems are detected for IOS routers and switchers 12.2, 12.3, 12.4, 15.0.
Details
IOS 12.2, 12.3 limit access to configuration that can be obtained from system:running-config, but prevent reading directly from router memory (system:memory) to get the data, also reading from configuration and other files in router’s flash and nvram can is not limited.
IOS 12.4, 15.0 opposed to versions 12.2, 12.3, do not limit access from all router’s elements nvram, system (RAM), flash.
More details and how to fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827
Example 1. How to get configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE)