OSVDB ID: 27159

Title: Cisco Router Web Setup (CRWS) Default Configuration Authentication Bypass

Info

Disclosure

Jul 12, 2006

Discovery

Unknown

Dates

Exploit

Jul 12, 2006

Solution

Unknown

Description

By default, Cisco Router Web Setup installs without an enable password, which allows complete control for any user. This allows attackers to trivially access the program or system.

Classification

Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 3.3.0 build 31 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Cisco Systems, Inc.	CRWS	3.3
		3.2
		3.0.2
		1.1

References

Security Tracker: 1016476
Bugtraq ID: 18953
CVE ID: 2006-3595 (see also: NVD)
CERT VU: 205225
Secunia Advisory ID: 21028
SCIP VulDB ID: 2375
ISS X-Force ID: 27688
VUPEN Advisory: ADV-2006-2773
Keyword: CSCsa78190
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0152.html
Vendor Specific Advisory URL: http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/27159

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Cisco Systems, Inc.

CRWS

References

Credit