FTP Vulnerability in Cisco Arrowpoint Switches

Reported May 17, 2001, by Cisco Systems.



• All Cisco CSS 11000 series (formerly known as Arrowpoint) switches running WebNS software versions earlier than 4.01B23s and 4.10B13s, including the CSS 11050, CSS 11150, and CSS 11800 hardware platforms.


A user account that does not have administrative privileges can open an FTP connection to a Cisco CSS 11000 series switch and use the GET and PUT FTP commands with no user-level restrictions enforced.



Cisco has issued an advisory regarding this vulnerability. Cisco recommends that users running the above-listed WebNS software versions upgrade to versions 4.01B29s or 4.10B17s, available through regular support channels. As a workaround, Cisco recommends that users do not configure non-privileged users on the switch, as the software does not create any by default. Cisco also recommends using the RESTRICT command to disable FTP access to the switch and applying access control to FTP users as specified in the following documents:


http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/profiles.htm and http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/sgacleql.htm


Discovered by Cisco.
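
The version thresholds above can be used to triage a switch inventory. The following is an added example, not code from Cisco or from the original advisory. It assumes WebNS version strings have the form <train>B<build><suffix> (as in 4.01B23s) and that builds within one train order by the number after "B"; the hostnames and inventory versions are constructed sample values.

```python
import re

# Thresholds taken from the advisory text, keyed by WebNS release train.
# "affected_below": builds earlier than this are listed as affected.
# "recommended": the build the advisory recommends upgrading to.
TRAINS = {
    "4.01": {"affected_below": 23, "recommended": 29},
    "4.10": {"affected_below": 13, "recommended": 17},
}

# Assumed layout: <major>.<minor>B<build><optional letter>, e.g. 4.01B23s
VERSION_RE = re.compile(r"^(\d+\.\d+)B(\d+)([a-z]?)$", re.IGNORECASE)


def parse_webns(version):
    """Split a WebNS version string into (train, build); None if unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def classify(version):
    """Return 'affected', 'below-recommended', 'ok' or 'unknown'."""
    parsed = parse_webns(version)
    if parsed is None or parsed[0] not in TRAINS:
        return "unknown"  # trains not named on the page need a manual check
    train, build = parsed
    limits = TRAINS[train]
    if build < limits["affected_below"]:
        return "affected"
    if build < limits["recommended"]:
        return "below-recommended"
    return "ok"


# Constructed inventory (hostnames and versions are sample values).
INVENTORY = {
    "css-edge-1": "4.01B19s",
    "css-edge-2": "4.01B23s",
    "css-core-1": "4.10B17s",
    "css-lab-1": "4.10B9s",
    "css-lab-2": "5.00B2",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        print(f"{host:12} {ver:10} {classify(ver)}")
```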
