AV:R/AC:L/Au:R/C:C/I:C/A:C/B:N/E:F/RL:O/RC:C
-
The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System (IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the IOS Secure Copy Client feature.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-scp.
Note: The August 08, 2007 publication includes four Security Advisories and one Security Response. All four advisories affect IOS; one also affects Cisco Unified Communications Manager. Each advisory lists the releases that correct the vulnerability it describes, and the advisories also detail the releases that correct the vulnerabilities in all four advisories. Individual publication links are listed below:
- Cisco IOS Information Leakage Using IPv6 Routing Header
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-IPv6-leak
- Cisco IOS Next Hop Resolution Protocol Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-nhrp
- Cisco IOS Secure Copy Authorization Bypass Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-scp
- Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice
- Cisco Unified MeetingPlace XSS Vulnerability
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070808-mp
-
Vulnerable Products
Cisco devices running certain 12.2-based IOS releases and configured to offer Secure Copy server functionality are affected by this issue.
A device running a vulnerable Cisco IOS 12.2-based release is affected if the following command is present in the device configuration:
ip scp server enable
The IOS Secure Copy server is disabled by default.
The Secure Copy server functionality is only available on encryption-capable images, which contain either k8 or k9 in the image name. Devices that do not run an encryption-capable image are not vulnerable. If a device is running an encryption-capable image, the presence of the ip scp server enable command in the configuration determines whether the device is affected.
Please consult the table of fixed software in the Software Version and Fixes section for the specific 12.2-based IOS releases that are affected.
To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". The image name will be displayed between parentheses on the next line of output followed by "Version" and IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.2(18)SXF10:
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Fri 13-Jul-07 08:32 by kellythw
Additional information about Cisco IOS release naming is available at http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
Cisco devices that do not run IOS are not affected.
Cisco IOS devices that do not have the Secure Copy server feature enabled are not affected.
The following IOS release trains are not affected:
- 12.0-based releases
- 12.1-based releases
- 12.3-based releases
- 12.4-based releases
Cisco IOS XR is not affected.
No other Cisco devices are known to be affected.
-
Secure Copy (SCP) is a protocol similar to the Remote Copy (RCP) protocol, which allows for the transfer of files between systems. The main difference between SCP and RCP is that in SCP, all aspects of the file transfer session, including authentication, occur in encrypted form, which makes SCP a more secure alternative than RCP. SCP relies on the Secure Shell (SSH) protocol, which uses TCP port 22 by default.
The server side of the Secure Copy implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device's filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.
This vulnerability does not allow authentication to be bypassed: login credentials are still verified, and access is granted only if a valid username and password are provided. What it allows is an authorization bypass, since the privilege level of the authenticated user is not enforced for Secure Copy transfers.
A device with the Secure Copy server enabled is vulnerable regardless of whether Authentication, Authorization, and Accounting (AAA) is enabled. If access control on the Virtual Terminal (vty) lines is enabled via the login command, which allows logins via Virtual Terminals, the device is still affected.
This vulnerability is documented in Cisco Bug ID CSCsc19259 (registered customers only).
-
If the IOS Secure Copy Server functionality is not needed then the vulnerability described in this document can be mitigated by disabling the Secure Copy server. The Secure Copy server can be disabled by executing the following command in global configuration mode:
no ip scp server enable
If the Secure Copy server cannot be disabled due to operational concerns, then no workarounds exist. The risk posed by this vulnerability can be mitigated by following the best practices detailed in "Improving Security on Cisco Routers" at http://www.cisco.com/warp/public/707/21.html. Please refer to the Obtaining Fixed Software section for appropriate solutions to resolve this vulnerability.
Due to the nature of this vulnerability, networking best practices like access control lists (ACLs) and Control Plane Policing (CoPP) that restrict access to a device to certain IP addresses or subnetworks may not be effective. If access is already granted to a specific IP address or subnetwork, a user with low privileges will be able to establish a Secure Copy session with the device, which would allow the user to exploit this vulnerability.
Software Version and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" column of the table.
For further information about how Cisco IOS is built, numbered and maintained, please see the following URL: http://www.cisco.com/warp/public/620/1.html
Major Release | Availability of Repaired Releases

Affected 12.0-Based Release | First Fixed Release | Recommended Release
There are no affected 12.0-based releases.

Affected 12.1-Based Release | First Fixed Release | Recommended Release
There are no affected 12.1-based releases.

Affected 12.2-Based Release | First Fixed Release | Recommended Release
12.2      | Not Vulnerable
12.2B     | Not Vulnerable
12.2BC    | Not Vulnerable
12.2BW    | Not Vulnerable
12.2BY    | Not Vulnerable
12.2BZ    | Not Vulnerable
12.2CX    | Not Vulnerable
12.2CY    | Not Vulnerable
12.2CZ    | Not Vulnerable
12.2DA    | Not Vulnerable
12.2DD    | Not Vulnerable
12.2DX    | Not Vulnerable
12.2EU    | Not Vulnerable
12.2EW    | Not Vulnerable
12.2EWA   | Not Vulnerable
12.2EX    | Not Vulnerable
12.2EY    | Not Vulnerable
12.2EZ    | Not Vulnerable
12.2FX    | Not Vulnerable
12.2FY    | Not Vulnerable
12.2FZ    | Not Vulnerable
12.2IXA   | Vulnerable; first fixed in 12.2(18)IXD1 | 12.2(18)IXD1
12.2IXB   | Vulnerable; first fixed in 12.2(18)IXD1 | 12.2(18)IXD1
12.2IXC   | Vulnerable; first fixed in 12.2(18)IXD1 | 12.2(18)IXD1
12.2IXD   | 12.2(18)IXD1 | 12.2(18)IXD1
12.2JA    | Not Vulnerable
12.2JK    | Not Vulnerable
12.2MB    | Not Vulnerable
12.2MC    | Not Vulnerable
12.2S     | Not Vulnerable
12.2SB    | Not Vulnerable
12.2SBC   | Not Vulnerable
12.2SE    | Not Vulnerable
12.2SEA   | Not Vulnerable
12.2SEB   | Not Vulnerable
12.2SEC   | Not Vulnerable
12.2SED   | Not Vulnerable
12.2SEE   | Not Vulnerable
12.2SEF   | Not Vulnerable
12.2SEG   | Not Vulnerable
12.2SG    | Not Vulnerable
12.2SGA   | Not Vulnerable
12.2SL    | Not Vulnerable
12.2SM    | Not Vulnerable
12.2SO    | Not Vulnerable
12.2SRA   | Not Vulnerable
12.2SRB   | Not Vulnerable
12.2SU    | Not Vulnerable
12.2SV    | Not Vulnerable
12.2SVA   | Not Vulnerable
12.2SVC   | Not Vulnerable
12.2SW    | Not Vulnerable
12.2SX    | Not Vulnerable
12.2SXA   | Not Vulnerable
12.2SXB   | Not Vulnerable
12.2SXD   | Vulnerable; contact TAC
12.2SXE   | Vulnerable; first fixed in 12.2(18)SXF9 | 12.2(18)SXF10
12.2SXF   | 12.2(18)SXF9 | 12.2(18)SXF10
12.2SXH   | Not Vulnerable
12.2SY    | Not Vulnerable
12.2SZ    | Not Vulnerable
12.2T     | Not Vulnerable
12.2TPC   | Not Vulnerable
12.2UZ    | Not Vulnerable
12.2VZ    | Not Vulnerable
12.2XA    | Not Vulnerable
12.2XB    | Not Vulnerable
12.2XC    | Not Vulnerable
12.2XD    | Not Vulnerable
12.2XE    | Not Vulnerable
12.2XF    | Not Vulnerable
12.2XG    | Not Vulnerable
12.2XH    | Not Vulnerable
12.2XI    | Not Vulnerable
12.2XJ    | Not Vulnerable
12.2XK    | Not Vulnerable
12.2XL    | Not Vulnerable
12.2XM    | Not Vulnerable
12.2XN    | Not Vulnerable
12.2XQ    | Not Vulnerable
12.2XR    | Not Vulnerable
12.2XS    | Not Vulnerable
12.2XT    | Not Vulnerable
12.2XU    | Not Vulnerable
12.2XV    | Not Vulnerable
12.2XW    | Not Vulnerable
12.2YA    | Not Vulnerable
12.2YB    | Not Vulnerable
12.2YC    | Not Vulnerable
12.2YD    | Not Vulnerable
12.2YE    | Not Vulnerable
12.2YF    | Not Vulnerable
12.2YG    | Not Vulnerable
12.2YH    | Not Vulnerable
12.2YJ    | Not Vulnerable
12.2YK    | Not Vulnerable
12.2YL    | Not Vulnerable
12.2YM    | Not Vulnerable
12.2YN    | Not Vulnerable
12.2YO    | Not Vulnerable
12.2YP    | Not Vulnerable
12.2YQ    | Not Vulnerable
12.2YR    | Not Vulnerable
12.2YS    | Not Vulnerable
12.2YT    | Not Vulnerable
12.2YU    | Not Vulnerable
12.2YV    | Not Vulnerable
12.2YW    | Not Vulnerable
12.2YX    | Not Vulnerable
12.2YY    | Not Vulnerable
12.2YZ    | Not Vulnerable
12.2ZA    | Not Vulnerable
12.2ZB    | Not Vulnerable
12.2ZC    | Not Vulnerable
12.2ZD    | Not Vulnerable
12.2ZE    | Not Vulnerable
12.2ZF    | Not Vulnerable
12.2ZG    | Not Vulnerable
12.2ZH    | Not Vulnerable
12.2ZJ    | Not Vulnerable
12.2ZL    | Not Vulnerable
12.2ZP    | Not Vulnerable
12.2ZR    | Not Vulnerable
12.2ZU    | Vulnerable; first fixed in 12.2(33)SXH, available 31-Aug-07 | 12.2(33)SXH; available 31-Aug-07
12.2ZW    | Not Vulnerable
12.2ZY    | Not Vulnerable

Affected 12.3-Based Release | First Fixed Release | Recommended Release
There are no affected 12.3-based releases.

Affected 12.4-Based Release | First Fixed Release | Recommended Release
There are no affected 12.4-based releases.
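The following is an added example, not Cisco tooling or part of this advisory: a defender-side exposure check that applies the advisory's three criteria (an affected 12.2 train below its first fixed release, an encryption-capable k8/k9 image, and ip scp server enable in the configuration) to captured show version and running-config text. The affected trains and first fixed releases are transcribed from the fix table above; the sample banner and configuration are constructed for illustration, and the release-string parser and the AFFECTED_TRAINS mapping are this example's own assumptions about how to encode the table.

```python
# Added example (not Cisco's own tooling): exposure check built from this
# advisory's criteria. Inputs below are constructed for illustration.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Affected 12.2 trains per the fix table. A (maintenance, rebuild) tuple is the
# first fixed release within the same train; None means the fix is only in a
# different train (or "contact TAC"), so every release of that train is vulnerable.
AFFECTED_TRAINS = {
    "IXA": None,     # first fixed in 12.2(18)IXD1, a different train
    "IXB": None,     # first fixed in 12.2(18)IXD1
    "IXC": None,     # first fixed in 12.2(18)IXD1
    "IXD": (18, 1),  # 12.2(18)IXD1
    "SXD": None,     # vulnerable; contact TAC
    "SXE": None,     # first fixed in 12.2(18)SXF9, a different train
    "SXF": (18, 9),  # 12.2(18)SXF9
    "ZU": None,      # first fixed in 12.2(33)SXH, a different train
}

RELEASE_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?")
BANNER_RE = re.compile(r"\(([^)]+)\),\s*Version\s+([^\s,]+)")
SCP_RE = re.compile(r"^\s*ip scp server enable\s*$", re.MULTILINE)


@dataclass(frozen=True)
class IosRelease:
    major: int
    minor: int
    maintenance: int
    train: str      # "" for a mainline release such as 12.2(12)
    rebuild: int    # 0 when the release string carries no rebuild number


def parse_release(text: str) -> IosRelease:
    """Parse a release string such as 12.2(18)SXF10 into its components."""
    m = RELEASE_RE.search(text)
    if not m:
        raise ValueError(f"not an IOS release string: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return IosRelease(int(major), int(minor), int(maint), train or "", int(rebuild or 0))


def parse_show_version(output: str) -> Tuple[str, IosRelease]:
    """Return (image name, release) from the banner line that shows the image
    name in parentheses followed by "Version", as the advisory describes."""
    m = BANNER_RE.search(output)
    if not m:
        raise ValueError("no image/version line found in show version output")
    return m.group(1), parse_release(m.group(2))


def vulnerable_release_reason(rel: IosRelease) -> Optional[str]:
    """Why the release is vulnerable per the fix table, or None if its train is
    listed as not affected or the release is at or after the first fixed one."""
    if (rel.major, rel.minor) != (12, 2) or rel.train not in AFFECTED_TRAINS:
        return None  # only the listed 12.2 trains are affected
    first_fixed = AFFECTED_TRAINS[rel.train]
    if first_fixed is None:
        return f"12.2{rel.train} is vulnerable; the fix is only available in another train"
    if (rel.maintenance, rel.rebuild) < first_fixed:
        return (f"release is earlier than first fixed "
                f"12.2({first_fixed[0]}){rel.train}{first_fixed[1]}")
    return None


def assess(show_version: str, running_config: str) -> dict:
    """Combine the three advisory criteria into one exposure verdict."""
    image, rel = parse_show_version(show_version)
    crypto_image = re.search(r"k[89]", image, re.IGNORECASE) is not None
    scp_server = SCP_RE.search(running_config) is not None
    reason = vulnerable_release_reason(rel)
    return {
        "image": image,
        "release": rel,
        "encryption_capable": crypto_image,
        "scp_server_enabled": scp_server,
        "vulnerable_release": reason is not None,
        "reason": reason,
        # Exposed only when all three conditions from the advisory hold.
        "exposed": crypto_image and scp_server and reason is not None,
    }


# Constructed sample inputs: the banner is modelled on the one in the advisory
# but with the release changed to a pre-fix SXF rebuild.
SAMPLE_SHOW_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""
SAMPLE_CONFIG = """!
hostname example-router
ip scp server enable
line vty 0 4
 login
!
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Releases whose fix lives in another train (IXA/IXB/IXC, SXE, ZU, and SXD) are reported as vulnerable at every rebuild, matching the table, which points those trains at a migration target rather than a same-train rebuild; the check is only as good as the transcribed table, so re-read it against the advisory before relying on the verdict.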
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by Vijay Sarvepalli from University of North Carolina at Greensboro.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.