Cisco has released a security advisory for its Arrowpoint switch, revealing that non-privileged users can either force a denial of service (DoS) attack on the hardware or view files to which they do not have access rights.
The company has said that although there is a fix available for the DoS problem, it can only currently offer a workaround for the file viewing glitch.
Only the carrier class Arrowpoint, or Content Services, switch is affected on hardware platforms 11050, 11150, and 11800 running the WebNS software. The problem poses a threat once access to the command line interface is gained.
But even a non-privileged user with access to the command line can run a command which contains a filename that is the maximum length of the input buffer. This would cause the switch to reboot and perform a systems check, effectively putting the machine out of action for about five minutes.
Cisco said that commands which can be manipulated to do this include show script, clear script, show archive, clear archive, show log and clear log. Non-privileged users can also read files they would not normally have access to if they know the location of the data.
A fix is available for the DoS vulnerability by upgrading the switch's WebNS software to version 4.01(12s) or revision 3.10(71s). Cisco is offering the software upgrades free of charge.
The file system information disclosure vulnerability is scheduled to be fixed, but is currently unresolved. In the meantime, the company recommends a workaround by applying access control lists and additional firewalling to restrict access to the command line interface on the device. It is also advisable to disable Telnet access to the switch by adding the command: CS150(config)# telnet access disabled.
Details of the fixes and software upgrades are available here.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago