Cisco IOS authorization Security Restriction Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
Cisco IOS 15.x
Cisco ios xe 3.x
Unaffected system:
Cisco IOS 15.1 SG
Cisco IOS 15.0SA
Cisco ios xe 3.6.0S
Cisco ios xe 3.2.xSG
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52755
Cve id: CVE-2012-0384

Cisco's Internet Operating System (IOS) is a complex operating system optimized for Internet connection.

When Cisco IOS software uses AAA authorization, there is a security vulnerability in the implementation of remote applications or device permission levels, which allows remote unauthenticated attackers to bypass command authorization, allow remote authenticated HTTP or HTTPS sessions to execute all Cisco IOS commands configured at their authorization level. This vulnerability requires that the HTTP or HTTPS server be enabled on the device. Valid user name and password are required for successful exploitation.

<* Source: Cisco

Link: http://secunia.com/advisories/48636/

Http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Cisco
-----
Cisco has released a Security Bulletin (cisco-sa-20120328-pai) and patches for this:

Cisco-sa-20120328-pai: Cisco IOS Software Command Authorization Bypass

Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai