Cisco Router Online Help Vulnerability

Under certain revisions of IOS multiple Cisco routers have an information leakage vulnerability in their online help systems. In essence this vulnerability allows users who currently have access to the router at a low level of privilege (users without access to the 'enable' password) can use the help system to view information which should only in theory be available to an 'enabled' user. This information is comprised of access lists among other things. The help system itself does not list these items as being available via the 'show' commands yet none the less it will execute them.

The message which detailed this vulnerability to the Bugtraq mailing list is attached in the 'Credit' section of this vulnerability entry. It is suggested that you read it if this vulnerability affects your infrastructure.


Privacy Statement
Copyright 2010, SecurityFocus