Cisco has posted workarounds for a vulnerability in the HTTP server found in Cisco’s IOS.
In early December, a researcher reported that the built-in HTTP server in IOS versions 11.0 through 12.4 was vulnerable to attacks that could grant a malicious person access to administrative privileges on affected devices.
According to Cisco, HTML code inserted into dynamically generated output from the server is passed to the browser requesting the page. In turn, the company said, “this HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks.”
Cisco said the best way to determine whether a device is running the HTTP server (and is therefore vulnerable) is to run the command “show ip http server status” and check the output. A response of “HTTP server status: Enabled” indicates that the device is running the server.
Though Cisco acknowledged that proof of concept code demonstrating potential exploits of the vulnerability has been released, the circumstances under which a malicious person could gain access to a Cisco device are limited.
“In order to be vulnerable to the cross-site scripting attack, a user must browse and view the content during the same period of time the injected code exists in memory. On the other hand, if a user does not browse contaminated dynamic content on the device, then exploitation is not possible,” the company said in its notice.
Cisco offered three workarounds to the vulnerability until it releases its patch, including disabling the HTTP server in IOS, disabling the HTTP WEB_EXEC service, and avoiding the use of Web-based “show” commands.