Several vulnerabilities in Cisco's IOS FTP server
The network equipment supplier Cisco cautions in a security report that the FTP server integrated in IOS contains several vulnerabilities. As a result attackers might execute arbitrary code, retrieve information or cause denial-of-service attacks.
Cisco does not explain the flaws in detail, but describes the effects: It reports that the IOS FTP server does not correctly check the user login data. As a result, attackers can retrieve or write arbitrary files on the server, such as the configuration files – which can also possibly contain access passwords. It is also apparently possible to execute injected code. During file transfers the operating system can suddenly restart. Attackers might misuse this to effect a denial-of-service attack.
The FTP server is not active in the standard configuration, however some administrators employ it to install new policies. The manufacturer has released updated software which simply disconnects the FTP server. An additional more secure version of the software is expected at a later date. According to the security report, those who are unable to carry out an update should deactivate the FTP server.
- Multiple Vulnerabilities in the IOS FTP Server, security report from Cisco
(mba)