{"vuid":"VU#579324","idnumber":"579324","name":"Cisco IOS HTTP Server vulnerable to buffer overflow when processing overly large malformed HTTP GET request","keywords":["Cisco","IOS","HTTP Server","buffer overflow","large malformed HTTP GET request"],"overview":"The Cisco IOS HTTP Server contains a vulnerability that may permit a remote attacker to execute arbitrary code on the system.","clean_desc":"Cisco IOS ships with an HTTP Server. A buffer overflow vulnerability exists in the HTTP Server and may be exploited if a remote attacker sends a crafted HTTP request larger than 2GB in size. The HTTP server is not enabled by default on the majority of IOS platforms. This vulnerability is only exploitable if the HTTP Server is enabled. According to the Cisco documentation regarding this issue, all Cisco IOS software versions except 12.3 and 12.3T are affected, CatOS and PIX are not affected. Cisco has also issued an alert regarding this issue. An exploit for this vulnerability has been posted publicly.","impact":"An attacker can cause the router to reboot, and potentially execute arbitrary code on the router. Repeatedly rebooting the router will result in a denial-of-service situation.","resolution":"Cisco has released a document to address this issue. According to the Cisco documentation regarding this issue, 12.3 and 12.3T-based images are not vulnerable.","workarounds":"According to the Cisco documentation: The workaround is to configure access lists to explicitly permit authorized hosts or networks to the http service. The syntax for this command for routers and switches running Cisco IOS software is: ip http access-class <access-list number> access-list <access-list number> permit host <authorized host #1>\naccess-list <access-list number> permit host <authorized host #2> access-list <access-list number> deny any The <access-list number> in the above example needs to be in the range of 1-99 or 1300-1399 (IP Standard access list range).","sysaffected":"","thanks":"This vulnerability was reported to Cisco by FX of Phenoelit.","author":"This document was written by Jason A Rafail.","public":["http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801a97e1.shtml","http://www.cisco.com/warp/public/707/cisco-sn-20030730-ios-2gb-get.shtml","http://www.secunia.com/advisories/9397/","http://securitytracker.com/alerts/2003/Jul/1007342.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-07-31T17:21:37Z","publicdate":"2003-07-31T00:00:00Z","datefirstpublished":"2003-07-31T18:58:46Z","dateupdated":"2003-08-11T15:28:20Z","revision":13,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"10","cam_impact":"15","cam_easeofexploitation":"15","cam_attackeraccessrequired":"15","cam_scorecurrent":"15.8203125","cam_scorecurrentwidelyknown":"18.984375","cam_scorecurrentwidelyknownexploited":"31.640625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":15.8203125,"vulnote":null}