Details of VAR-200607-0356

ID

VAR-200607-0356

CVE

CVE-2006-3595

TITLE

Cisco Router Web Setup (CRWS) contains an insecure default IOS configuration

Trust: 0.8

sources: CERT/CC: VU#205225

DESCRIPTION

The default configuration of IOS HTTP server in Cisco Router Web Setup (CRWS) before 3.3.0 build 31 does not require credentials, which allows remote attackers to access the server with arbitrary privilege levels, aka bug CSCsa78190. This issue is due to the application's failure to ensure that remote web-based users are properly authenticated. This issue allows remote attackers to gain administrative access to affected routers. This may aid them in further attacks. This vulnerability is documented in Cisco Bug ID CSCsa78190. Other authentication mechanisms can also be configured, including using a local user database, an external RADIUS, or an external TACACS+ server. Privilege level 15 is the highest privilege level in Cisco IOS devices. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. The problem is caused due to the application shipping with an insecure default Cisco IOS configuration. This can be exploited to execute arbitrary commands with privilege level 15 via the web interface. SOLUTION: Update to version 3.3.0 build 31. http://www.cisco.com/pcgi-bin/tablebuild.pl/crws NOTE: Users upgrading from a previous version, who wish to keep their existing configuration, should apply the workarounds described in the vendor advisory. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.79

sources: NVD: CVE-2006-3595 // CERT/CC: VU#205225 // JVNDB: JVNDB-2006-000391 // BID: 18953 // VULHUB: VHN-19703 // PACKETSTORM: 48218

AFFECTED PRODUCTS

vendor:	cisco	model:	router web setup	scope:	eq	version:	3.3.0_build_30	Trust: 1.6
vendor:	cisco	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ios	scope:	eq	version:	12.1	Trust: 0.8
vendor:	cisco	model:	ios	scope:	eq	version:	12.2	Trust: 0.8
vendor:	cisco	model:	ios	scope:	eq	version:	12.3	Trust: 0.8
vendor:	cisco	model:	ios	scope:	eq	version:	12.4	Trust: 0.8
vendor:	cisco	model:	soho	scope:	eq	version:	970	Trust: 0.3
vendor:	cisco	model:	soho	scope:	eq	version:	960	Trust: 0.3
vendor:	cisco	model:	soho	scope:	eq	version:	910	Trust: 0.3
vendor:	cisco	model:	soho	scope:	eq	version:	780	Trust: 0.3
vendor:	cisco	model:	soho h	scope:	eq	version:	77	Trust: 0.3
vendor:	cisco	model:	soho	scope:	eq	version:	770	Trust: 0.3
vendor:	cisco	model:	soho	scope:	eq	version:	760	Trust: 0.3
vendor:	cisco	model:	soho	scope:	eq	version:	710	Trust: 0.3
vendor:	cisco	model:	crws	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8370	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8360	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8310	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8280	Trust: 0.3
vendor:	cisco	model:	h	scope:	eq	version:	827	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8270	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	827-v4	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8260	Trust: 0.3
vendor:	cisco	model:	-	scope:	eq	version:	8060	Trust: 0.3
vendor:	cisco	model:	crws build	scope:	ne	version:	2.231	Trust: 0.3

sources: CERT/CC: VU#205225 // BID: 18953 // JVNDB: JVNDB-2006-000391 // CNNVD: CNNVD-200607-264 // NVD: CVE-2006-3595

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2006-3595
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#205225
value:	46.50
Trust: 0.8
NVD:	CVE-2006-3595
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200607-264
value:	HIGH
Trust: 0.6
VULHUB:	VHN-19703
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2006-3595
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-19703
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#205225 // VULHUB: VHN-19703 // JVNDB: JVNDB-2006-000391 // CNNVD: CNNVD-200607-264 // NVD: CVE-2006-3595

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-3595

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200607-264

TYPE

Design Error

Trust: 0.9

sources: BID: 18953 // CNNVD: CNNVD-200607-264

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-000391

PATCH

title:	cisco-sa-20060712-crws	url:	http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml	Trust: 0.8
title:	cisco-sa-20060712-crws	url:	http://www.cisco.com/japanese/warp/public/3/jp/service/tac/707/cisco-sa-20060712-crws-j.shtml	Trust: 0.8

sources: JVNDB: JVNDB-2006-000391

EXTERNAL IDS

db:	CERT/CC	id:	VU#205225	Trust: 3.3
db:	BID	id:	18953	Trust: 2.8
db:	SECUNIA	id:	21028	Trust: 2.6
db:	NVD	id:	CVE-2006-3595	Trust: 2.5
db:	VUPEN	id:	ADV-2006-2773	Trust: 1.7
db:	OSVDB	id:	27159	Trust: 1.7
db:	SECTRACK	id:	1016476	Trust: 1.7
db:	JVNDB	id:	JVNDB-2006-000391	Trust: 0.8
db:	CNNVD	id:	CNNVD-200607-264	Trust: 0.7
db:	OVAL	id:	OVAL:ORG.MITRE.OVAL:DEF:5826	Trust: 0.6
db:	CISCO	id:	20060712 CISCO ROUTER WEB SETUP SHIPS WITH INSECURE DEFAULT IOS CONFIGURATION	Trust: 0.6
db:	XF	id:	27688	Trust: 0.6
db:	VULHUB	id:	VHN-19703	Trust: 0.1
db:	PACKETSTORM	id:	48218	Trust: 0.1

sources: CERT/CC: VU#205225 // VULHUB: VHN-19703 // BID: 18953 // JVNDB: JVNDB-2006-000391 // PACKETSTORM: 48218 // CNNVD: CNNVD-200607-264 // NVD: CVE-2006-3595

REFERENCES

url:	http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml	Trust: 2.6
url:	http://www.securityfocus.com/bid/18953	Trust: 2.5
url:	http://www.kb.cert.org/vuls/id/205225	Trust: 2.5
url:	http://www.osvdb.org/27159	Trust: 1.7
url:	http://securitytracker.com/id?1016476	Trust: 1.7
url:	http://secunia.com/advisories/21028	Trust: 1.7
url:	http://www.frsirt.com/english/advisories/2006/2773	Trust: 1.4
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a5826	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2006/2773	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/27688	Trust: 1.1
url:	http://secunia.com/advisories/21028/	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-3595	Trust: 0.8
url:	http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-3595	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/27688	Trust: 0.6
url:	http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:5826	Trust: 0.6
url:	http://www.cisco.com/en/us/products/products_security_advisory09186a00806e0bc3.shtml#details	Trust: 0.3
url:	http://secunia.com/product/11021/	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/hardcore_disassembler_and_reverse_engineer/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://www.cisco.com/pcgi-bin/tablebuild.pl/crws	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

sources: CERT/CC: VU#205225 // VULHUB: VHN-19703 // BID: 18953 // JVNDB: JVNDB-2006-000391 // PACKETSTORM: 48218 // CNNVD: CNNVD-200607-264 // NVD: CVE-2006-3595

CREDITS

Cisco Security bulletin

Trust: 0.6

sources: CNNVD: CNNVD-200607-264

SOURCES

db:	CERT/CC	id:	VU#205225
db:	VULHUB	id:	VHN-19703
db:	BID	id:	18953
db:	JVNDB	id:	JVNDB-2006-000391
db:	PACKETSTORM	id:	48218
db:	CNNVD	id:	CNNVD-200607-264
db:	NVD	id:	CVE-2006-3595

LAST UPDATE DATE

2024-08-14T14:47:54.746000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#205225	date:	2006-07-14T00:00:00
db:	VULHUB	id:	VHN-19703	date:	2017-10-11T00:00:00
db:	BID	id:	18953	date:	2006-07-13T21:43:00
db:	JVNDB	id:	JVNDB-2006-000391	date:	2007-04-01T00:00:00
db:	CNNVD	id:	CNNVD-200607-264	date:	2009-03-04T00:00:00
db:	NVD	id:	CVE-2006-3595	date:	2017-10-11T01:31:03.970

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#205225	date:	2006-07-14T00:00:00
db:	VULHUB	id:	VHN-19703	date:	2006-07-18T00:00:00
db:	BID	id:	18953	date:	2006-07-12T00:00:00
db:	JVNDB	id:	JVNDB-2006-000391	date:	2007-04-01T00:00:00
db:	PACKETSTORM	id:	48218	date:	2006-07-13T17:58:07
db:	CNNVD	id:	CNNVD-200607-264	date:	2006-07-18T00:00:00
db:	NVD	id:	CVE-2006-3595	date:	2006-07-18T15:37:00