Cisco IOS HTTP - multiple vulnerabilities

Started by deanwebb, April 25, 2016, 08:28:05 AM


deanwebb

tl;dr - if you turned on HTTP and/or HTTPS on your IOS devices, you're in for a world of hurt. Turn that stuff off before you hurt somebody.


There have been multiple Cisco security advisories in the last few days about IOS and HTTP. Got another today. Make sure it's off on every dang IOS device that you got, and keep it that way.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

routerdork

It's off on all devices except for the ASAs. We use ASDM for viewing logs, saves a lot of time with all the VPNs we have. Though we just need to use syslog more maybe.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

deanwebb

ASA with HTTPS is fine. It's the IOS boxes you gotta watch out for.

icecream-guy

Quote from: deanwebb on April 25, 2016, 11:26:08 AM
ASA with HTTPS is fine. It's the IOS boxes you gotta watch out for.

also it's not simply configuring 'no ip http server' and 'no ip http secure-server'
there is a web-exec process that also runs on the IOS, which needs to be disabled as well

so do a 'show ip http server session-module'


#show ip http server session-module

HTTP server application session modules:
Session module Name  Handle Status   Secure-status  Description
HTTP_IFS              1      Active   Active         HTTP based IOS File Server             
DISTRIB               2      Active   Active         Distributed HTTP server                 
HOME_PAGE             3      Active   Active         IOS Homepage Server                     
WEB_EXEC              4      Active   Active         HTTP based IOS EXEC Server             
IXI                   5      Active   Active         IOS XML Infra Application Server       


See up there the WEB_EXEC process is active, that's not good.

I'll teach ya how to disable the WEB_EXEC process

here we create a session module list, with all the other services we want to stay active. I call it exclude_webexec

ip http session-module-list exclude_webexec HTTP_IFS,DISTRIB,HOME_PAGE,IXI


then we apply the session module list to the active-session-modules

ip http active-session-modules exclude_webexec


then we apply the session module list to the secure-active-session-modules

ip http secure-active-session-modules exclude_webexec


we're done, so we now confirm


#show ip http server session-module

HTTP server application session modules:
Session module Name  Handle Status   Secure-status  Description
HTTP_IFS              1      Active   Active         HTTP based IOS File Server             
DISTRIB               2      Active   Active         Distributed HTTP server                 
HOME_PAGE             3      Active   Active         IOS Homepage Server                     
WEB_EXEC              4      Inactive Inactive       HTTP based IOS EXEC Server             
IXI                   5      Active   Active         IOS XML Infra Application Server       


See it's inactive now.

I think it's only the WEB_EXEC process that needs to be killed; HOME_PAGE, I don't think needs to be killed, at least when I was researching this a while ago, all the vulns referenced the WEB_EXEC process only

and save your config


p.s. all different models and code run abundant services, so it's not like a cut/paste or a mass push would work,
one would need to go into each device, determine the services and make a proper session module list, or who knows what might happen

as much as I've seen on a single device
HTTP_IFS,HOME_PAGE,http_ezsetup,QDM,QDM_SA,IXI,IPS_IDCONF,XML_Api,ITS,ITS_LOCDIR,IPS_SDEE,EzVPN-Web-intercept,tti-petitioner
GL


and while you are at it, you can kill those silly web SSL general certs in the config too, since you'll never be using them again.

My Moral Fibers have been cut.
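The post above warns that every model and code train reports a different set of session modules, so the exclusion list has to be built per device from its own `show ip http server session-module` output rather than pasted from one box to the next. The following is an added example (not from the forum post or from Cisco) that does exactly that: it parses the pasted show output, keeps every module the device actually reports except WEB_EXEC, and emits the three configuration lines the post walks through, then checks the "after" output to confirm WEB_EXEC is Inactive on both the HTTP and HTTPS listener. The list name `exclude_webexec` is the one used in the post; the function names, the regex, and the embedded sample output (reconstructed from the thread) are this example's own assumptions.

```python
"""Build a per-device 'ip http session-module-list' that excludes WEB_EXEC.

Added example, not code from the forum post. It parses the text of
'show ip http server session-module' and emits the three config lines
described in the thread, keeping every other module the device reports.
"""
import re

# Constructed sample: the 'before' output pasted in the thread.
SAMPLE_SHOW_OUTPUT = """\
HTTP server application session modules:
Session module Name  Handle Status   Secure-status  Description
HTTP_IFS              1      Active   Active         HTTP based IOS File Server
DISTRIB               2      Active   Active         Distributed HTTP server
HOME_PAGE             3      Active   Active         IOS Homepage Server
WEB_EXEC              4      Active   Active         HTTP based IOS EXEC Server
IXI                   5      Active   Active         IOS XML Infra Application Server
"""

# One table row: module name, numeric handle, two status words, free-text description.
# Names like 'http_ezsetup' or 'tti-petitioner' (lowercase, hyphens) match \S+ too.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(Active|Inactive)\s+(Active|Inactive)\s*(.*)$")


def parse_session_modules(show_output):
    """Return one dict per module row, in the order the device lists them."""
    modules = []
    for line in show_output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header and blank lines don't match (no numeric handle)
            modules.append({
                "name": m.group(1),
                "handle": int(m.group(2)),
                "status": m.group(3),
                "secure_status": m.group(4),
                "description": m.group(5).strip(),
            })
    return modules


def build_exclusion_config(show_output, exclude=("WEB_EXEC",), list_name="exclude_webexec"):
    """Emit the three config lines from the post for this device's module set."""
    names = [mod["name"] for mod in parse_session_modules(show_output)]
    if not names:
        raise ValueError("no session-module rows found; paste the full show output")
    missing = [e for e in exclude if e not in names]
    if missing:
        # Refuse rather than emit a list that silently changes a module set
        # that never had the target module in the first place.
        raise ValueError("module(s) not reported by this device: " + ", ".join(missing))
    keep = [n for n in names if n not in exclude]
    return [
        "ip http session-module-list %s %s" % (list_name, ",".join(keep)),
        "ip http active-session-modules %s" % list_name,
        "ip http secure-active-session-modules %s" % list_name,
    ]


def web_exec_disabled(show_output):
    """Verify the 'after' output: WEB_EXEC must be Inactive for HTTP and HTTPS."""
    for mod in parse_session_modules(show_output):
        if mod["name"] == "WEB_EXEC":
            return mod["status"] == "Inactive" and mod["secure_status"] == "Inactive"
    return True  # module not present in this build, nothing to disable


if __name__ == "__main__":
    for line in build_exclusion_config(SAMPLE_SHOW_OUTPUT):
        print(line)
    print("WEB_EXEC disabled:", web_exec_disabled(SAMPLE_SHOW_OUTPUT))
```

Run it once per device against that device's own show output; apply the printed lines, re-run the show command, and feed the new output to `web_exec_disabled` before saving the config. If the device reports no WEB_EXEC row at all the builder refuses rather than guessing, which is the safe failure mode given the post's warning about per-model module sets.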