{"vuid":"VU#205225","idnumber":"205225","name":"Cisco Router Web Setup (CRWS) contains an insecure default IOS configuration","keywords":["Cisco","Router Web Setup","authentication bypass","arbitrary command execution","IOS","insecure default configuration","CRWS"],"overview":"A vulnerability in the Cisco Router Web Setup (CRWS) web configuration tool on some Cisco 800 and SOHO series routers may allow remote execution of system-level commands with no authentication.","clean_desc":"Cisco Router Web Setup Tool \nThe Cisco Router Web Setup tool, or CRWS, provides a GUI for an administrator configuring a Cisco 800 or SOHO series router. The Cisco IOS HTTP server provides the user interface, and is enabled by default on these routers. The CRWS may be enabled by default on the public interface, therefore may be accessible via the Internet. enable password / enable secret \nThese IOS commands set the administrator passwords on Cisco 800 and SOHO series routers. The Problem\nThe configuration shipped with the CRWS application does not include an enable password or enable secret command. This default configuration may allow execution of commands through the web interface at privilege level 15  (the highest level available) without requiring any authentication credentials. The following products are affected by this vulnerability: Cisco 806, Cisco 826, Cisco 827, Cisco 827H, Cisco 827-4v, Cisco 828, Cisco 831, Cisco 836, Cisco 837, Cisco SOHO 71, Cisco SOHO 76, Cisco SOHO 77, Cisco SOHO 77H, Cisco SOHO 78, Cisco SOHO 91, Cisco SOHO 96, Cisco SOHO 97.","impact":"A remote, unauthenticated attacker may be able to run commands at privilege level 15 through the web interface.","resolution":"Upgrade\nCisco has provided an upgrade to address this vulnerability. See Cisco Security Advisory cisco-sa-20060712-crws for more information.","workarounds":"Workarounds\nCisco has provided three workarounds for this vulnerability: 1. Disable the Cisco IOS HTTP server. 2. Configure a password manually. 3. Enable authentication of requests to the HTTP Server by using a different authentication system. Details on applying these workarounds can be found in the workarounds section of cisco-sa-20060712.","sysaffected":"","thanks":"This vulnerability was reported by Cisco Systems Product Security Incident Response Team.","author":"This document was written by Ryan Giobbi.","public":["http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml","http://secunia.com/advisories/21028/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-07-13T16:45:53Z","publicdate":"2006-07-12T00:00:00Z","datefirstpublished":"2006-07-14T16:33:52Z","dateupdated":"2006-07-14T16:34:09Z","revision":24,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"19","cam_exploitation":"4","cam_internetinfrastructure":"8","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"46.5","cam_scorecurrentwidelyknown":"48","cam_scorecurrentwidelyknownexploited":"72","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":46.5,"vulnote":null}