Security researchers have discovered a hole in the web server code of IOS, the software that powers Cisco networking devices.
The vulnerability - as reported by Secunia and SecurityFocus - could allow a potential attacker to view a memory dump of an IOS router via the HTTP server and inject script code into the router through the HTTP server. Attackers could use this method to get administrator-level access to a Cisco device.
The vulnerability affects only Cisco routers running the IOS HTTP server, which is used as an alternative management interface to the text-based command line for configuring routers. Cisco IOS versions 11.0 and higher are vulnerable because they ship with the HTTP server software. The HTTP server is not enabled by default in most IOS versions installed on routers shipped from Cisco, according to the company's Web site. However, resellers, carriers and other partners could enable the HTTP server for management purposes when deploying the device in customer networks.
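Saved router configurations show which devices meet the conditions described above: IOS 11.0 or higher with the HTTP server turned on. The following is an added example, not code from the original article or from Cisco; the device names and configuration excerpts are constructed, and it assumes each saved config carries a `version` line and an explicit `ip http server` or `no ip http server` line where the setting is recorded.

```python
import re

# Constructed running-config excerpts (not taken from real devices).
SAMPLE_CONFIGS = {
    "edge-rtr-1": "version 12.2\nhostname edge-rtr-1\n ip http server\n",
    "core-rtr-1": "version 12.3\nhostname core-rtr-1\nno ip http server\n",
    "branch-rtr-1": "version 12.1\nhostname branch-rtr-1\n",
    "legacy-rtr-1": "version 10.3\nhostname legacy-rtr-1\n",
}

AFFECTED_FROM = (11, 0)  # per the article: IOS 11.0 and higher ship the HTTP server


def ios_version(config):
    """Return (major, minor) from the config's 'version X.Y' line, or None."""
    m = re.search(r"^version (\d+)\.(\d+)", config, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def http_server_state(config):
    """Return 'enabled', 'disabled', or 'unstated'; the last matching line wins."""
    state = "unstated"
    for line in config.splitlines():
        line = line.strip()
        if line == "ip http server":
            state = "enabled"
        elif line == "no ip http server":
            state = "disabled"
    return state


def classify(config):
    """Map one config to a verdict for the condition the article describes."""
    version = ios_version(config)
    if version is not None and version < AFFECTED_FROM:
        return "below-affected-versions"
    state = http_server_state(config)
    if state == "enabled":
        return "exposed"
    if state == "disabled":
        return "not-exposed"
    # The default differs between IOS versions, so an absent line needs a manual check.
    return "review"


def audit(configs):
    return {name: classify(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{name}: {verdict}")
```

Devices reported as `review` have no explicit setting in the saved config, so their state depends on the default of the installed IOS version and should be confirmed on the device.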
Cisco is aware of the claims of the IOS HTTP vulnerability, a company spokesperson says, and is investigating the issue. An advisory will be sent to customers if deemed necessary by the company.