Four words from Cisco to strike fear into the most hardened techies: Guest account as root

Anonymous Coward

Re: faulty "role-based access control evaluation"

My reading of this is that on IISR800s/CGR1000s you have the option of installing an add-on server module. The RBAC issue is around a user with access to the router potentially having access to the guest OS without the correct privilege level (from the linked vulnerability notice: "Exploitation of this vulnerability could allow the attacker to successfully log in to the Guest OS using a low-privileged IOS user credentials."). The intended design is to only allow access with level 15 privileges.

While I'm not disputing it is a bug, guest access to the router is likely to mean a user with restricted access rather than an unauthenticated user - knowing how Cisco's AAA system works and the ability to assign roles to privilege levels, the "only priv 15 should be allowed access" looks like an exception.

I would have thought restricting command sets would have been a suitable workaround, but Cisco doesn't list this as an option and I don't have access to any of these devices to test further.
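Added illustration, not part of the commenter's post and not a workaround Cisco lists for this issue: the IOS configuration below shows the general mechanism the comment is referring to, raising the privilege level a command requires and turning on per-command AAA authorization so that lower-privilege users are refused it. The command name is a placeholder, because the page does not say which command reaches the guest OS; the local database is used for authorization here as an assumption, where a real deployment would usually point at TACACS+.

```text
! Hypothetical hardening fragment (not from Cisco's advisory).
! Move the command onto privilege level 15 so only full-privilege users can run it.
! GUEST-OS-COMMAND-PLACEHOLDER stands in for the actual command, which the page does not name.
privilege exec level 15 GUEST-OS-COMMAND-PLACEHOLDER

! Enforce per-command authorization; 'local' is an assumption for this example.
aaa new-model
aaa authorization commands 15 default local

! Verify with a level-1 user: the command should be rejected or invisible.
! show privilege
```

The check a practitioner would want is to log in with a low-privilege account afterwards and confirm the command is absent from `?` completion and refused if typed; if the guest OS login path bypasses IOS command authorization entirely, as the advisory's wording suggests it might, this configuration would not help, which matches the commenter's caution that it is untested.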


Biting the hand that feeds IT © 1998–2019