Cisco Warns of IOS Vulnerability

Cisco Systems Inc. yesterday warned of multiple vulnerabilities in its IOS FTP server, an optional service that's disabled by default.

The FTP Server feature is a feature of Cisco IOS, which powers most Cisco switching, routing and firewall devices, with the exception of Cisco's new IOS XR-based products. As a result of the flaws, Cisco plans to remove the FTP server feature from its IOS builds.

The flaws could result in DoS, improper validation of user credentials, or -- most seriously -- the ability to access (and change) files from the device file system, including saved configurations. The configuration file often contains passwords and other sensitive information, Cisco warned.

If an administrator has specifically enabled and configured the IOS FTP server the device could be vulnerable, Cisco said. Cisco IOS releases based on mainline versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4 contain the IOS FTP server. IOS XR is not vulnerable, according to Cisco.

Cisco acknowledged the existence of at least two vulnerabilities in the IOS FTP daemon: an "improper authorization checking" flaw and an "IOS reload when transferring files via FTP" issue. An attacker can exploit the former flaw by connecting to TCP ports 21 and 20. No user interaction or authentication is required, Cisco acknowledged. The same goes for the second vulnerability, as well. An attacker who successfully exploits either of these vulnerabilities could gain unauthorized access to the IOS file system, reload the device itself or -- in some scenarios -- even execute arbitrary code, Cisco acknowledged.

Just as troubling, an attacker could conceivably retrieve a device's startup configuration file. This file contains passwords or other information that an attacker could use to elevate his or her privileges. An attacker who repeatedly exploits the IOS FTP Server vulnerabilities could also trigger DoS, Cisco said.

A fix isn't yet available, although Cisco plans to release patches for the relevant versions of IOS. Officials recommend that customers disable the IOS FTP Server by switching to configuration mode and executing the "no ftp-server enable" command.

Additionally, and as a common security best practice, Cisco recommends the use of infrastructure access control lists (iACLs) to police which traffic can be sent to infrastructure devices. Similarly, customers can also use network access authentication to mitigate the improper authentication vulnerability, Cisco said.

A full list of recommended mitigations, complete with additional vulnerability details, is available here.

Finally, Cisco officials disclosed plans to remove the FTP Server feature from IOS -- for now. Cisco might add secure FTP server functionality at some point in the future, officials said.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.