Thread-topic: [SA25199] Cisco IOS FTP Server Multiple Vulnerabilities
> Cisco IOS FTP Server Multiple Vulnerabilities
> SECUNIA ADVISORY ID:
> VERIFY ADVISORY:
> Moderately critical
> Security Bypass, DoS, System access
> From remote
> OPERATING SYSTEM:
> Cisco IOS 12.x
> Cisco IOS 11.x
> Some vulnerabilities have been reported in Cisco IOS, which can be
> exploited by malicious users and malicious people to bypass certain
> security restrictions, cause a DoS (Denial of Service), or
> potentially compromise a vulnerable system.
> 1) An unspecified error exists in the IOS FTP server when verifying
> user credentials, which can be exploited to bypass user
> 2) An unspecified error exists when transferring files via FTP, which
> can be exploited to cause a DoS (Denial of Service).
> Successful exploitation may allow an attacker to retrieve any file
> from an affected system (including startup-config), cause IOS to
> reload, and potentially execute arbitrary code, but requires that the
> FTP server is enabled, which is not the default setting.
> The vulnerabilities are reported in IOS version 11.3, 12.0, 12.1,
> 12.2, 12.3, and 12.4 containing the FTP server feature.
> The vendor has issued an update that removes the FTP server ability.
> As a workaround, it is possible to disable the FTP server by
> executing the following command in configuration mode: "no ftp-server
> enable". See vendor advisories for more details.
> PROVIDED AND/OR DISCOVERED BY:
> Reported by the vendor.
> ORIGINAL ADVISORY: