Cisco Small Business 300 Series Managed Switches Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business 300 Series Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected system.

The vulnerability exists because the affected management interface performs insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or allow the attacker to access sensitive, browser-based information.
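
The advisory gives the shape of the bug (a value from the request reflected into the management page without encoding, reached by a crafted link) but not the vulnerable code. The following is an added example, not Cisco's code and not taken from the advisory: a minimal handler that reflects a query parameter, the same handler with output encoding, and the probe a tester would use to tell the two apart. The page shape, the `filter` parameter name and the host address are assumptions.

```python
"""Reflected XSS in a management-UI handler: vulnerable and hardened rendering
side by side, plus the probe that distinguishes them. Constructed illustration;
the parameter name 'filter' and the page markup are assumptions, not Cisco's code."""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Probe payload: breaks out of a double-quoted attribute and opens a script tag.
# A unique token makes the reflection easy to spot in a real response body.
PROBE = '"><script>alert(1)</script>'


def probe_url(base: str, payload: str = PROBE) -> str:
    """Builds the link a phishing message would carry, with the payload URL-encoded."""
    return f"{base}?{urlencode({'filter': payload})}"


def _param(url: str, name: str) -> str:
    """Extracts one query parameter the way a server-side handler would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the untrusted value straight into an HTML attribute: no encoding."""
    return f'<input name="filter" value="{_param(url, "filter")}">'


def render_hardened(url: str) -> str:
    """Same page, but the value is HTML-entity encoded for the attribute context,
    so quotes and angle brackets can no longer terminate the attribute or tag."""
    return f'<input name="filter" value="{escape(_param(url, "filter"), quote=True)}">'


def reflected_unencoded(body: str, payload: str = PROBE) -> bool:
    """True when the payload survives verbatim in the response: the attacker's quote
    and angle brackets reached the HTML unchanged, so the browser will parse them."""
    return payload in body


if __name__ == "__main__":
    link = probe_url("https://192.0.2.1/config.html")  # assumed switch address
    print("vulnerable reflects payload:", reflected_unencoded(render_vulnerable(link)))
    print("hardened reflects payload:  ", reflected_unencoded(render_hardened(link)))
```

The probe only checks for verbatim reflection; a real test also looks at the `Content-Type` and any `Content-Security-Policy` header, since those decide whether a reflected string is executed at all.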

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-300-switch-xss

Security Impact Rating: Medium

CVE: CVE-2018-0465

Related:

Confused about the meaning of SE and EX releases in Cisco IOS

I have been looking into this for a while now, but I can’t find an explanation anywhere (the closest I could find was on Wikipedia and Cisco).
The switch is a 2960S that I need to stack to a 2960X (so I need the exact IOS versions on both). I can download these two versions for the 2960S: 15.0.2-EX5(ED) and 15.0.2-SE10a(MD).

Basically it seems to say that:

  • S Consolidates mainline, E, and other S, which supports
    high-end backbone routers, and fixes defects.
  • E Targets enterprise core and SP edge, supports
    advanced QoS, voice, security, and firewall, and fixes

But what does SE mean? Is it a mix of S and E? What does the X in EX mean?

Related:

Stand-alone Cisco switch in BladeCenter is un-pingable

After un-stacking a Cisco switch in my IBM BladeCenter I can no longer ping the management IP I had configured on my management VLAN. The only item I see that changed is that the BladeCenter AMM added an internal Ethernet management port. There has been some discussion on Reddit. Prior to un-stacking, this VLAN interface was working.

I still haven’t found a resolution that would explain why this isn’t working or how to allow access over the current management VLAN. If possible I would like to keep L3 routing off on the switch.

As far as testing, I have configured an access port and a trunk port native to the management VLAN. I connected a laptop with a static IP within the management VLAN range to these ports and was not able to ping or access the switch. When the switch is connected it does pass traffic, as expected, on all ports/VLANs. However, I was still unable to ping or SSH to the switch directly.

For testing purposes:

  • I have configured an access port and a trunk port native to the management VLAN, and I’ve configured a laptop with an IP in the management VLAN to connect to these test ports.
  • Devices on other VLANs are able to connect and pass traffic through this switch.
  • The switch itself cannot ping other devices when using no source, the FE interface as source, or the management VLAN IP as the source.
  • I’ve removed the management VLAN IP, and configured the FastEthernet port with the management VLAN IP.
    • I suspect this doesn’t work as I cannot set a VLAN onto the FastEthernet port
  • I’ve removed the default gateway with, and without, the VLAN ID configured and with the FastEthernet port configured.

Here is a partial config:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw-7-tsting
!
boot-start-marker
boot-end-marker
!
enable secret ...
!
username ....
no aaa new-model
clock timezone EST -5 0
switch 1 provision ws-cbs3110g-s-i
system mtu routing 1500
!
!
ip domain-name abc.def
vtp mode transparent
!
!
crypto pki ...
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
no spanning-tree vlan 1-4094
!
!
port-channel load-balance src-dst-ip
!
!
vlan internal allocation policy ascending
!
vlan N
 name traffic N
!
vlan NN
 name traffic NN
!
vlan NNN
 name traffic NNN
!
vlan XXX
 name network management
!
ip ssh time-out 60
ip ssh version 2
!
!
!
interface FastEthernet0
 ip address 192.168.x.x 255.255.255.0
!
interface GigabitEthernet1/0/17
 description used to test all vlans
 switchport trunk native vlan XXX
 switchport trunk allowed vlan N,NN,NNN,XXX
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/18
 description used to test network VLAN XXX
 switchport access vlan XXX
 switchport mode access
 switchport nonegotiate
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan XXX
 ip address 10.XXX.200.236 255.255.255.0
!
ip default-gateway 10.XXX.200.1
ip http server
ip http secure-server
!
snmp-server community public RO
snmp-server host 10.XXX.200.30 version 2c public udp-port 161
!
line con 0
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login
!
ntp server 129.6.15.30
end

Related:

Automating Cisco ACL changes

I’ve recently started taking on more network management tasks to help our short-staffed networking team. I’m very comfortable with network theory and have configured a number of IOS devices, but am hardly an IOS guru.

One of the first large tasks I was assigned was to add some ACL rules to a hundred plus ACLs we have. Coming from the sys admin side of things, I was baffled to find out that these changes are all made by hand.

Is there not a way to automate these types of configuration changes? What tools should I be learning to use for changing configurations in a scripted fashion across many devices/ACLs? So far my Google-fu has only pointed to Python with pexpect. It just seems like this is such a common task that there would be better tools already set up for it.

I understand that this could be a fairly broad question, but I’m just looking for a starting place to work from.

Note: If there is a commercial tool that is a perfect fit for this case, just assume that we didn’t pay for it. That is normally how it goes.

Related:

GRE tunnel Cisco/Linux traffic forwarding

I set up a GRE tunnel between a Cisco router and a Linux machine; the tunnel interface on the Linux box is named pic.
I have to forward traffic coming from the Cisco through the Linux box.
The rules I’ve set on the Linux box are as follows:


# Let the kernel forward packets between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# Accept the GRE encapsulation itself (IP protocol 47) addressed to this host
iptables -A INPUT -p 47 -j ACCEPT
# Accept anything arriving on ppp0 for forwarding (any inbound connection, not only replies)
iptables -A FORWARD -i ppp0 -j ACCEPT
# Tunnel -> ppp0: this rule only matches replies, so new flows from pic are not accepted here
iptables -A FORWARD -i pic  -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ppp0 -> tunnel: replies to flows that originated inside the tunnel
iptables -A FORWARD -i ppp0 -o pic -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch-all for replies on any interface pair
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source-NAT everything leaving ppp0 to ppp0's address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


I see the traffic coming from the tunnel and forwarded to the internet, but no reply to the sent packets.

Maybe I am missing something like a routing rule?

Related:

Problems with getting both ingress and egress Netflow data

I have a Cisco 6500 switch on which I want to capture all VLAN 8 traffic, incoming and outgoing. I talked with my networking group and they set me up with the following commands (may not be the exact commands, but this is the example I gave them):

conf t
ip flow-export version 5
ip flow-export destination 192.168.20.30 1234
int vlan8
ip flow egress
ip flow ingress
ip route-cache flow

I am currently capturing this data using Ntop and we are getting a lot of traffic. I see all incoming and outgoing traffic from all vlan8 machines (192.168.8.0/24). However for any machine that is not in vlan8, but is talking to vlan8, I only see the received traffic from them.

Ex. 192.168.8.10 goes to a website on 192.168.9.20
I only see received traffic from the 192.168.9.20 machine and no sent traffic. Obviously it has sent traffic because 192.168.8.10 received the website.

I just wanted to verify that this is how NetFlow captures data and that everything is working correctly. It kind of makes sense to me that since 192.168.9.20 isn’t in VLAN 8 it may not get the outbound traffic (even though it sends it to VLAN 8). Ideally I’d want sent and received traffic from anything that touches VLAN 8. Thanks.
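
Whether a flow from 192.168.9.20 back to VLAN 8 reaches the collector depends on whether the exporter counted it on the SVI's egress side; the export record itself says which side, because every NetFlow v5 record carries the input and output SNMP ifIndex. The following is an added example, not from the original post and not Ntop code: a parser for the v5 export datagram and a split of the parsed flows by their relationship to one interface. The datagram is constructed inline, and the ifIndex values (8 for Vlan8, 9 for the other VLAN) are assumptions; a real export uses whatever the device's SNMP interface table assigns.

```python
"""NetFlow v5 export parsing, used to check which direction of a conversation
actually arrived at the collector. Constructed illustration: build_v5_packet
fabricates the datagram and the ifIndex numbers are assumptions."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
FIELDS = ("src", "dst", "nexthop", "input", "output", "pkts", "octets",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram: bytes) -> list[dict]:
    """Decodes one UDP export datagram into a list of flow dicts.
    Rejects other versions and datagrams shorter than the header's record count."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header count exceeds payload length")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    return flows


def build_v5_packet(records) -> bytes:
    """Fabricates an export datagram. records: list of
    (src, dst, input_ifindex, output_ifindex, sport, dport, proto, pkts, octets)."""
    body = b""
    for src, dst, inp, outp, sport, dport, proto, pkts, octets in records:
        body += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                               inp, outp, pkts, octets, 0, 0, sport, dport,
                               0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + body


def flows_on_interface(flows, ifindex: int) -> dict:
    """Splits flows by the side of `ifindex` they were counted on: 'ingress' when the
    interface is the record's input, 'egress' when it is the output. A collector that
    only ever fills the 'ingress' list is not receiving egress-counted flows."""
    seen = {"ingress": [], "egress": []}
    for f in flows:
        if f["input"] == ifindex:
            seen["ingress"].append((f["src"], f["dst"]))
        if f["output"] == ifindex:
            seen["egress"].append((f["src"], f["dst"]))
    return seen


if __name__ == "__main__":
    VLAN8, VLAN9 = 8, 9  # assumed ifIndex values
    pkt = build_v5_packet([
        ("192.168.8.10", "192.168.9.20", VLAN8, VLAN9, 51000, 80, 6, 10, 1200),
        ("192.168.9.20", "192.168.8.10", VLAN9, VLAN8, 80, 51000, 6, 8, 5400),
    ])
    print(flows_on_interface(parse_v5(pkt), VLAN8))
```

If the second record (9.20 back to 8.10, output ifIndex 8) never shows up in the real export, the device is only counting on ingress for that SVI, regardless of what the collector displays.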

Related:

SIP User Directory Information Disclosure

This is the Cisco PSIRT response to the statements made by Dave Endler and Mark Collier in their presentation, ‘Hacking Voice over IP (VoIP) Exposed’ at BlackHat USA 2006.

We would like to thank Dave Endler for reporting this issue to us.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports.

This issue is currently being tracked by Cisco bug ID CSCse92417 (registered customers only) for IOS CallManager Express (CME).

Cisco CallManager has been tested and is not vulnerable to this attack.

Additional Information

The attacks described in the report attempt to manipulate the Session
Initiation Protocol (SIP) stack in various voice products to gain information
from the SIP user directory. By sending various SIP messages to the VoIP
infrastructure, an attacker can discover the names of the users stored in the
SIP user database.

It is important to note that the attacks described do not disrupt VoIP
call processing or voice mail access.

Cisco’s recommended best practice of implementing the VoIP
infrastructure and data devices on separate VLANs would prevent malicious users
from launching such attacks against the VoIP network.
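
Both points above translate into something a SOC can check on the call agent's signalling logs: enumeration shows up as one source addressing many distinct user parts in a short window, and the VLAN-separation recommendation means any SIP signalling from a non-voice subnet is itself worth an alert. The following is an added example, not part of the Cisco response; the log format, the voice-VLAN subnet, the thresholds and the sample entries are all constructed assumptions.

```python
"""Detection for SIP user-directory enumeration over constructed signalling logs:
flags a source that targets many distinct users within a window, and any SIP
source outside the voice VLAN. Illustration only; format and subnets are assumed."""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<epoch> <src_ip> <METHOD> <request-uri>"
LOG_LINE = re.compile(
    r"^(\d+) (\S+) (REGISTER|OPTIONS|INVITE|SUBSCRIBE) sip:([^@\s]+)@(\S+)$")

VOICE_VLANS = [ipaddress.ip_network("10.8.0.0/24")]  # assumption: the voice VLAN subnet


def parse(lines):
    """Yields (timestamp, source_ip, method, user) for lines that match the format."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts, src, method, user, _host = m.groups()
            yield int(ts), src, method, user


def off_vlan_sources(events) -> list:
    """Sources sending SIP to the call agent from outside the voice VLAN(s)."""
    return sorted({src for _, src, _, _ in events
                   if not any(ipaddress.ip_address(src) in net for net in VOICE_VLANS)})


def enumeration_sources(events, window: int = 60, threshold: int = 20) -> dict:
    """Sources whose peak number of distinct targeted users within any `window`
    seconds exceeds `threshold`; returns {source: peak_distinct_users}."""
    by_src = defaultdict(list)
    for ts, src, _, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            peak = max(peak, len({u for _, u in evs[start:end + 1]}))
        if peak > threshold:
            flagged[src] = peak
    return flagged


def sample_log() -> list:
    """Constructed log: one scanner walking extensions 1000-1030 in 31 seconds,
    two phones on the voice VLAN registering and calling a single extension."""
    lines = [f"{1000 + i} 192.0.2.50 OPTIONS sip:{1000 + i}@pbx.example" for i in range(31)]
    lines += [f"{1000 + 30 * i} 10.8.0.21 REGISTER sip:2001@pbx.example" for i in range(5)]
    lines += ["1010 10.8.0.22 INVITE sip:2001@pbx.example"]
    return lines


if __name__ == "__main__":
    events = list(parse(sample_log()))
    print("outside voice VLAN:", off_vlan_sources(events))
    print("enumeration:", enumeration_sources(events))
```

The threshold is the tuning knob: a PBX that legitimately fans out to many users from one trunk address needs an allow-list for that address rather than a higher global threshold.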

Please consult the following links for other recommendations and
guidelines for securing IP telephony networks:

Cisco was made aware of this issue on July 20, 2006. We are continuing
to investigate this issue and will update this document as additional
information becomes available.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco’s worldwide
website at
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

Security Impact Rating: Informational
