J-Security Center

Title: Cisco Content Service Switch FTP Access Control Vulnerability

Severity: HIGH

Description:

The Cisco Content Services Switch (CSS) is an enterprise-level product from Cisco Systems. The CSS is a Layer 5 and 7 aware switch capable of providing a high-performance front end to web server farms and caches.

A problem discovered with the switch could allow users to overwrite files or, depending on their knowledge of the structure of the filesystem on the switch, download files. This could make it possible for a user to change the configuration of the switch.

Under normal operating conditions, both privileged and non-privileged users with valid accounts can access the switch. A privileged user is capable of initiating an FTP connection to the switch and using GET to download data from it, as well as PUT to upload data to it. A non-privileged user is not permitted to perform these functions.

The problem is that the firmware does not check the access level of users prior to permitting them to perform FTP actions. A non-privileged user may FTP to the CSS and execute the GET and PUT functions. A valid user account on the CSS is still required to FTP to the switch.
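The defect described above is an authorization gap: the FTP service verifies that an account is valid but never asks whether that account holds the privilege the requested command needs. The following added example (illustrative Python, not Cisco WebNS firmware code) models a minimal FTP command dispatcher with an in-memory account store and filesystem, both constructed for the example. With enforce_privilege=False the dispatcher behaves like the vulnerable switch: any authenticated account can RETR (the protocol command behind GET) and STOR (behind PUT). With enforce_privilege=True the privilege check runs before any file operation is dispatched and every denied attempt is recorded for audit. The account names, passwords, file name and reply strings are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed account store (hypothetical; not the CSS account database).
# "privileged" models the CSS distinction between privileged and non-privileged users.
ACCOUNTS = {
    "admin": {"password": "adm-pass", "privileged": True},
    "operator": {"password": "op-pass", "privileged": False},
}

# Client-side GET and PUT map to these FTP protocol commands.
PRIVILEGED_COMMANDS = {"RETR", "STOR"}


@dataclass
class Session:
    user: Optional[str] = None
    authenticated: bool = False
    privileged: bool = False


def login(session: Session, user: str, password: str) -> str:
    """Authenticate against the constructed account store (authentication only)."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["password"] != password:
        return "530 Login incorrect"
    session.user = user
    session.authenticated = True
    session.privileged = acct["privileged"]
    return "230 Login successful"


class SwitchFtp:
    """Minimal FTP command dispatcher over a toy in-memory filesystem.

    enforce_privilege=False reproduces the defect: any authenticated account
    may RETR/STOR. enforce_privilege=True is the corrected behaviour: the
    privilege check runs before any file operation is dispatched, and denied
    attempts are recorded for audit.
    """

    def __init__(self, enforce_privilege: bool):
        self.enforce_privilege = enforce_privilege
        self.files = {"startup-config": "hostname css-demo\n"}  # constructed sample
        self.audit = []

    def handle(self, session: Session, cmd: str, arg: Optional[str] = None,
               data: Optional[str] = None) -> str:
        if not session.authenticated:
            return "530 Please login with USER and PASS"
        # Authorization: being authenticated is not enough for RETR/STOR.
        if (self.enforce_privilege and cmd in PRIVILEGED_COMMANDS
                and not session.privileged):
            self.audit.append(f"DENY user={session.user} cmd={cmd} arg={arg}")
            return "550 Permission denied"
        return self._file_op(cmd, arg, data)

    def _file_op(self, cmd, arg, data) -> str:
        if cmd == "RETR":
            if arg not in self.files:
                return "550 File not found"
            return "150 " + self.files[arg]  # file content returned inline for brevity
        if cmd == "STOR":
            if arg is None or data is None:
                return "501 Syntax error in parameters"
            self.files[arg] = data
            return "226 Transfer complete"
        if cmd == "PWD":
            return '257 "/" is current directory'
        return "502 Command not implemented"


def run_scenario(enforce_privilege: bool) -> dict:
    """Drive the non-privileged 'operator' account through a GET and a PUT."""
    switch = SwitchFtp(enforce_privilege)
    sess = Session()
    login(sess, "operator", "op-pass")
    get_reply = switch.handle(sess, "RETR", "startup-config")
    put_reply = switch.handle(sess, "STOR", "startup-config", "hostname changed\n")
    return {
        "get": get_reply,
        "put": put_reply,
        "config": switch.files["startup-config"],
        "audit": list(switch.audit),
    }


if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce_privilege =", enforce, run_scenario(enforce))
```

The design point is that the privilege check lives in the dispatcher, ahead of every command handler, rather than inside individual handlers where it is easy to omit; the audit entries give an operator something to alert on when a non-privileged account attempts a transfer.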

Affected Products:

  • Cisco CSS11000 Content Services Switch
  • Cisco CSS11050 Content Services Switch
  • Cisco CSS11150 Content Services Switch
  • Cisco CSS11501 Content Services Switch
  • Cisco CSS11503 Content Services Switch
  • Cisco CSS11506 Content Services Switch
  • Cisco CSS11800 Content Services Switch
  • Cisco WebNS 4.0.0
  • Cisco WebNS 4.0.1
  • Cisco WebNS 4.0.1B19s
