Web Server Directory Traversal Vulnerability in Cisco CDS

The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. By exploiting this vulnerability, an attacker may be able to read arbitrary files on the device, outside of the web server document directory, by using a specially crafted URL.

An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch subsequent attacks.

All versions of system software on the Cisco Internet Streamer application are vulnerable prior to the first fixed release, but Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This vulnerability can be exploited over all open HTTP ports: TCP ports 80 (default HTTP port), 443 (default HTTPS port) and 8090 (alternate HTTP and HTTPS port), as well as any ports configured as part of the HTTP proxy.

As an interim step prior to upgrading the Cisco Content Delivery System software, it is possible to deny access to sensitive directories via service rules. The following example blocks requests that move up a directory level. It also catches other directory-move variants, such as “\.\./”, “.\./” or “\../”:

rule enable
rule action block pattern-list 1
rule pattern-list 1 url-regex ^http://.*/../.*
rule pattern-list 1 url-regex ^https://.*/../.*

If you are affected by this issue, or just want to read more, see http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml.
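As an added example that is not part of the advisory or of Cisco's software, the following Python script flags requests in a web server access log whose path, after percent-decoding and separator normalisation, would climb above the document root, which is the condition the service rules above are meant to block. The log lines, client addresses and paths are constructed.

```python
# Added example, not from the Cisco advisory: flag requests whose decoded
# path escapes the document root, the condition the service rules block.
import re
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format, hypothetical clients/paths).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2010:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [21/Jul/2010:10:01:04 +0000] "GET /docs/a..b/../x.txt HTTP/1.1" 200 64
10.0.0.9 - - [21/Jul/2010:10:01:07 +0000] "GET /cgi/../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [21/Jul/2010:10:01:09 +0000] "GET /img/..%2f..%2fvar/log/messages HTTP/1.1" 404 0
10.0.0.9 - - [21/Jul/2010:10:01:11 +0000] "GET /a/..%5c..%5c..%5cetc/passwd HTTP/1.1" 200 800
10.0.0.9 - - [21/Jul/2010:10:01:13 +0000] "GET /s/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalise_path(target: str) -> str:
    """Drop the query, decode until stable (double encoding), unify separators."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # backslash variants resolve like '/'


def escapes_docroot(target: str) -> bool:
    """True when a '..' segment would climb above the document root."""
    depth = 0
    for seg in normalise_path(target).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def flag_traversal(log_text: str) -> list:
    """Return (client_ip, target) for every request that escapes the docroot."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_docroot(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits
```

Unlike the literal url-regex rule, this check decides on the resolved path, so the `..%2f`, `..%5c` and double-encoded forms in the sample are all caught while `a..b` is not.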

Cisco Network Magic – funny marketing video

Not too much to say about this one. We all know that Cisco is investing a lot in its image on the market, and sometimes we are disappointed that what marketing shows is different from the final product, but the next video is worth every penny. At least it is funny and can bring a smile to your network engineer face.

Enjoy!


Cisco IOS: single user access in CLI configuration terminal


Usually big companies with large networks have a dedicated department which deals with all the network configuration. The problem I have in mind is when this department is split over large geographical areas (e.g. some colleagues in Europe, some in Asia and some in America): it may happen that more than one colleague is working on the same device at the same time.

This can cause overlapping configuration or other problems, because more than one configuration change is applied at the same time, causing conflicts.

There is one simple solution to this problem: enable the single-user (exclusive) access functionality for the Cisco IOS command-line interface (CLI). Configuring this feature is very simple:

1. enable

2. configure terminal

3. configuration mode exclusive {auto | manual}

4. end

As you can see, mode exclusive has two options, auto or manual:

  • The auto keyword automatically locks the configuration session whenever the configure terminal command is used. This is the default.
  • The manual keyword allows you to choose to lock the configuration session manually or leave it unlocked.

I would recommend using the default auto mode, but if for some reason you need manual mode, then you need to perform some additional tasks:

1. enable

2. configure terminal lock

3. Configure the system by entering your changes to the running configuration.

4. end

The manual method allows you to lock the configuration mode only when you really need it locked. By comparison, the auto mode locks the configuration all the time, so it is considered safer.

When you are in exclusive configuration mode (no matter whether auto or manual) and configuring something through the CLI, and another user connected to that device issues the configure terminal command, the following message will be displayed:

Configuration mode locked exclusively by user 'unknown' process '88' from terminal '0'. Please try later. Rollback confirmed change timer is cancelled due to configuration lock error.

This is just an example; in your case the user, process or terminal may be different. The message is useful because the second user trying to configure the device knows what is going on and is not left in the fog without any clue.
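As an added example, not from the post or from Cisco, here is a Python audit that reads saved running-configs and reports which devices have exclusive configuration mode enabled and in which variant, so the ones still allowing concurrent sessions can be fixed. The hostnames and config text are constructed, and a keyword-less "configuration mode exclusive" line is assumed to mean auto, the default described above.

```python
# Added example, not from the post: audit saved running-configs for the
# 'configuration mode exclusive' setting. All config text here is constructed.
import re

# Constructed sample running-configs for three hypothetical routers.
CONFIGS = {
    "rtr-eu-1": "hostname rtr-eu-1\n!\nconfiguration mode exclusive auto\n!\nend\n",
    "rtr-asia-1": "hostname rtr-asia-1\n!\nconfiguration mode exclusive manual\n!\nend\n",
    "rtr-us-1": "hostname rtr-us-1\n!\nno service pad\n!\nend\n",
}

# Matches the enabling line, its 'no' form, and the keyword-less form.
EXCLUSIVE_RE = re.compile(
    r"^(?P<no>no )?configuration mode exclusive(?: (?P<variant>auto|manual))?[ \t]*$",
    re.M,
)


def exclusive_mode(config_text: str) -> str:
    """Return 'auto', 'manual' or 'off' for one running-config.

    Later lines override earlier ones, as they would when applied on the
    device. A bare 'configuration mode exclusive' is treated as auto, the
    default the post describes (an assumption about how it is rendered)."""
    mode = "off"
    for m in EXCLUSIVE_RE.finditer(config_text):
        mode = "off" if m.group("no") else (m.group("variant") or "auto")
    return mode


def audit(configs: dict) -> dict:
    """Map hostname -> exclusive mode for every supplied config."""
    return {host: exclusive_mode(text) for host, text in configs.items()}


def noncompliant(configs: dict) -> list:
    """Hostnames that still allow more than one configuration session."""
    return sorted(host for host, mode in audit(configs).items() if mode == "off")
```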

10 excuses you should avoid telling to your boss

I know, it’s not technical or related to Cisco, but it has everything to do with the industry in which we network engineers are working. I found this great article by Justin James about the top 10 excuses a boss does not want to hear, and I think it’s a good opportunity to share it with you. So look here at what he’s saying:

“There are lots of reasons why a project might not be going well or may even fail. When your boss wants to know why, there is a world of difference between offering an excuse and providing a legitimate reason. In truth, most excuses only make your manager more upset and put the blame on you. Here are 10 common excuses that employees give their managers — and how you can turn them from weak excuses into a way of getting your supervisor to help you resolve the problems before your project is jeopardized.

1: I didn’t understand the assignment

Not every boss has great communication skills. And yes, having a manager who is not good at explaining what needs to be done makes life difficult. At the same time, using your boss’ inability to explain things as an excuse for not doing them just does not fly. If an assignment does not make sense, it’s your responsibility to find out what really has to happen. And if you find yourself in this situation more than once, it is a sign that you need to be extra careful when working with this particular person to get things fully understood.

2: The deadline was impossible

We all know this situation: A manager hands you an assignment with a deadline attached to it. You tell the manager that the deadline can’t be met and you’re told, “I don’t care; make it happen.” When the deadline is missed, you say, “But I told you the deadline was impossible!” and the boss is still angry. The disconnect here is that simply saying that the deadline is not possible is not good enough. As soon as the boss tells you to do it and you passively accept the ridiculous deadline, you make it your responsibility to meet it.

Your best defense is to negotiate a better deadline, and to do that, you need a project plan. The fact is, you always should be able to paint a picture of what a project will entail with some broad strokes anyway, and it is fairly easy to assign some rough estimates of the time to make each step happen. When you show your supervisor that even the most optimistic rough draft of a plan that omits a million minor details shows that it will take three months and they are demanding three weeks, guess what? It is now your manager’s responsibility to deal with the deadline issue. You have turned an opponent into an ally, and no sane boss can hold you accountable for the bad deadline anymore.”

Read the rest of the article here

Cisco Cius

It seems to me that Cisco wants to compete with Apple on the touch-screen device market. The Cisco Cius product confirms this.

OK, skipping the funny part of this story, honestly I believe that Cisco is making efforts to take the (still) open part of the tablet device market that is not so developed at this moment, and by this I mean touch-screen devices for professional use.

While companies like Apple focus their efforts on developing home-use-friendly devices, Cisco wants to apply the same success recipe to the business sector. The launch of the iPad was enough to make Cisco think that Apple’s platform can be adapted for business use, and with this idea they developed the Cius.

The Cius will sport a 7-inch screen, making it smaller and lighter than the iPad. Some highlights of the Cius technology are:

  • 802.11a/b/g/n Wi-Fi, 3G/4G data and Bluetooth 3.0 help employees stay connected on and off-campus
  • HD video (720p) with Cisco TelePresence solution interoperability for lifelike video communication with the simplicity of a phone call
  • Virtual desktop client enables highly secure access to cloud-based business applications
  • Android operating system, with access to Android marketplace applications
  • Collaboration applications including Cisco Quad, Cisco Show and Share, WebEx, Presence, and IM
  • HD Soundstation supports Bluetooth and USB peripherals, 10/100/1000 wired connectivity and a handset option
  • Detachable and serviceable 8-hour battery for a full day of work
  • Highly secure remote connections with Cisco AnyConnect Security VPN Client
  • HD audio with wideband support (tablet, HD Soundstation)

Cisco is also negotiating with six phone companies around the world to procure their services for the Cius. The tablet device from Cisco will feature the ability to connect to Wi-Fi hot spots and cellular broadband networks.

The Cius is expected to be sold for less than $1,000, and if Cisco is able to make a dent in the sales of iPads by attracting customers, then I’m sure that other companies will jump on this “train”, developing similar products.

Below you can enjoy 2 videos of the Cisco Cius product. One is designed for marketing purposes, but the second one has an interesting “hands on” demo.