Date:         Mon, 13 Nov 2000 20:35:08 +0000
From: Damir Rajnovic <gaus@CISCO.COM>
Subject:      Re: 3500XL
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

Hello there,

This is the official reply to the def-2000-02, Defcom Labs Advisory,
posted on 2000-October-26 by Olle Sergerdahl (see
http://www.securityfocus.com/bid/1846)

This is the brief description from the def-2000-02 advisory:

"The Catalyst 3500 XL series switches web configuration interface lets
any user execute any command on the system without logging in.

This issue was extremely easy to find, as Cisco provides a link to it
from the first page of the web configuration service. This is one of
the reasons I have decided to go public with the issue so soon."

We investigated this issue and found that this holds only if
user did not configured an enable password. The only instance when
this is true is when switch administrator has configured an access
password (on vty lines) but without an enable password. This
situation may be confusing since admins will be prompted for a
password when trying to telnet to the switch but will not be asked
for it when using the Web to access the switch. All switches from
2900XL and 3500XL families share this behavior.

We suspect that this scenario was present when Olle made his
discovery, but have not yet received his configuration to confirm.

Cheers,

Gaus

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQCVAwUBOhBQZMAFeq0PniW5AQHUDAQAoU7Th2I1DhmZXXq952HT1i9VWFURHGJV
8Zq4e19agp+0Br1pHgilo5zj1fk0LikEuTqCTpNrYCD8Ng8oI/eNGYfsV4oOYNh5
LY/YyuVWt0bnEGkSlRryazWfMpHs5Vbg5nLbyXEr3XgYzycTIs+s/Itm1AOs7BE9
wbu38N30lwA=
=HRnz
-----END PGP SIGNATURE-----

==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There is no insolvable problems. Question remains: can you
accept the solution?