> -----Original Message-----
> From: David Hyams [mailto:david.hyams@kmu-security.ch]
> the advisory. Fortunately routers normally have HTTP disabled
> by default, so there shouldn't be too many break-ins on the
> Internet. Unfortunately HTTP is normally enabled on switches
> by default. Even worse, many network administrators don't
> realise this, so I expect a number of internal networks are
> now in serious trouble.

Actually, it has been my experience during assessments and pentests that administrators lean toward "ease of use" and actually activate HTTP interfaces on ANY device which allows it. When they install new routers or new software in general, they tend to key in on HTTP capabilities as a "bonus" which will make their work easier. They never have to leave their browser, let alone their cubicle! The only ones who don't are the ones who take the time to read all of Cisco's security papers... and these seem few and far between.

I see too many security products moving toward a web interface where there are so many other options for connection available. Adding strong encryption mechanisms may be enough, but HTTP by itself, without SSL implemented somewhere, makes it too easy for us, let alone the kiddies out there, to find a hole... And in this case, a practically "plaintext" hole.

(Don't even get me started on the amount of info flying around networks now via plaintext SNMP because of enterprise management consoles and (soon to be nearly pointless) IDS systems... Uhhg)

> If you're serious about security then you shouldn't be using
> HTTP to access your Cisco devices at all. Most people don't
> realise that the browser sends the enable password in
> cleartext on every HTTP request.

The problem here is of course simply "lack of awareness", which is the black plague of IT. The average workload, especially in these days of mass-cutbacks, of an IT staffer is overwhelming. Thus, when devices such as Cisco offer an ease-of-use function such as HTTP on their switches, the engineers tend to say "hey, that's easier/faster... hell, I'll simply enable it on all my routers too..."

SIDE NOTE: I'd be VERY interested in seeing the process for discovery of this latest Cisco hole. I haven't been able to track down the logic used in discovering the /xx/exec capability... Where is it and what led the team in that direction?

Heck, I think we should have an entirely new mailing list for this type of discussion. The "how we found the hole" list. I feel this is one of our industry's largest weaknesses. As we train more and more folks to use these holes to their advantage, and add them to their toolchest/checklists, we lack courses/sources for teaching them how to discover the same or new ones...

_____________________________________
Oliver Petruzel
Systems Engineer, Security
Work: (703)250-3280
Cell: (703)608-8250
Email: opetruzelat_private

This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 00:27:57 PDT