Description: there is a problem in many online help systems of Cisco router IOS, which may expose sensitive information. This vulnerability allows a low-level user (for example, a user who does not know the 'enable' password) to use the system to view some information, in theory, this information should be visible only to users who know the 'enable' password. This information includes the access control list and other content. Generally, after logging on to a lower-level user (level 1), use "show? "Only a part of the show command list can be seen. The 'enable' user can see all the commands. There are 75 show commands on a 12.0 router running IOS 3640 (5. In 'disable' mode, the user "show? "Only some of them can be seen. However, this only helps the system not display these commands. In fact, they still exist and are executable. Only 13 are indeed restricted, and the other 62 are still executable. For example: "show access-lists", "show ip", "show cdp", "show logging", "show cdp", "show vlans, although the help system is not displayed, it can still be executed. This may cause leakage of sensitive information to low-level users (or potential attackers ).
Suggestion:
-Set the default logon level to 0.
-Use "privilege exec" to specify commands that can be executed by level 0 users
Article entry: csh responsible editor: csh
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
