Vulnslist

find the latest Cisco vulnerabilities

Cisco Router Web Setup Ships with Insecure Default IOS Configuration

cisco-sa-20060712-crws · NA · Published · Updated

The default Cisco IOS configuration shipped with the Cisco Router Web Setup (CRWS) application allows the execution of commands at privilege level 15 through the Cisco IOS HTTP (Hypertext Transfer Protocol) server web interface without requiring authentication credentials. Privilege level 15 is the highest privilege level on Cisco IOS devices.

Fixed versions of the CRWS application have been modified by Cisco to provide a more secure default IOS configuration and additional functionality with regard to the Cisco IOS HTTP server web interface. This issue does not require a Cisco IOS software upgrade or a CRWS software upgrade.

Customers who decide to upgrade to a fixed version of CRWS and deploy the new default IOS configuration will not need to deploy the suggested workarounds. Customers who elect NOT to upgrade to a fixed CRWS version, or customers upgrading to a fixed CRWS version who keep their existing configuration, should implement the workarounds identified in this advisory.

Additional information on the new default IOS configuration shipped with the CRWS application is available in the Details section of this advisory.

This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060712-crws.

Workarounds

No workaround information imported yet.

CVEs: CVE-2006-3595
Cisco Bug IDs: NA
CVSS Score: Base NA
Product Names From Source: NA, Cisco Router Web Setup Tool

Related Products

| Product | CVE | Evidence |
| --- | --- | --- |
| Cisco Router Web Setup Tool | CVE-2006-3595 | Cisco OpenVuln |
| Cisco IOS | CVE-2006-3595 | Cisco OpenVuln |
| Cisco IOS Software | CVE-2006-3595 | Cisco OpenVuln |