If exploited, the flaw would let an intruder overcome the authentication mechanism in a router and take control of the device, including the ability to inspect or change its configuration.
Cisco issued a technical advisory about the flaw Wednesday, with a software fix that customers can download to fix the problem. Cisco said that for affected routers, "it is possible, under some circumstances" for hackers to "bypass the authentication and execute any command on the device. In that case, the [hacker] will be able to exercise complete control over the device."
The security flaw is present in Cisco's Internetwork Operating System software, which runs on almost all of Cisco's routers and many of its LAN switches. "Virtually all mainstream Cisco routers and switches running Cisco IOS software are affected by this vulnerability," Cisco said in its advisory. All versions of IOS from release 11.3 and on are affected, according to Cisco.
Specifically, the problem is part of the HTTP server component of IOS and is present on routers or switches that use local authentication database with the HTTP server component activated. Potentially, hackers can send a particular URL to an affected device to bypass its authentication mechanisms and gain complete control of the device.
The "malicious" URLs must follow a specific format, and one URL will not be able to overcome the security of all Cisco devices, Cisco said. Nevertheless, there are only 84 possible combinations for URLs that work, and hackers could easily try them all in short order, according to Cisco.
The security flaw can be fixed by disabling the HTTP component or by using other authentication mechanisms on the devices, according to Cisco.
The Computer Emergency Response Team of Carnegie Mellon University's Software Engineering Institute in Pittsburgh issued its own advisory on the security flaw Thursday. The CERT advisory directs IT managers to Cisco's Web site, where a technical fix is available.
"We are telling customers about the vulnerabilities and that fixes are available," a Cisco spokeswoman said Friday. So far, though, "we have seen no active exploitation of any of the vulnerabilities."
The Cisco advisory can be found at the Cisco Security Advisory: IOS HTTP Authorization Vulnerability