VAR-200308-0076
Vulnerability from variot - Updated: 2025-04-03 22:16The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. The Cisco Aironet AP1X00 series is a wireless access point issued by Cisco that provides wireless access solutions based on the 802.11b WIFI standard.
The web interface of the Cisco Aironet AP1X00 does not properly handle HTTP GET requests. A remote attacker could use this vulnerability to conduct a denial of service attack on the device. This attack does not require any authentication. After the attack is successful, the device needs to be restarted or it cannot service normal communications.
All VxWorks software-based Cisco Aironet Access Point 1200s are not affected by this vulnerability. These software versions include 11.56, 12.01T1, 12.02T1, and 12.03T. Such a request will cause the device to reload. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Cisco Security Advisory: HTTP GET Vulnerability in AP1x00
Revision 1.0
For Public Release 2003 July 28 16:00 UTC (GMT)
----------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
----------------------------------------------------------------------
Summary
A vulnerability has been reported by an external researcher in Cisco IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. This vulnerability can cause the AP1x00 to reload and is documented as Cisco bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There are workarounds available to mitigate the effects of this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml.
The external report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm leavingcisco.com. Although it mentions two issues only one is addressed by this advisory. The other issue, Cisco bug ID CSCdz29724 (registered customers only) (also CAN-2003-512), is present in all IOS software and is duplicated by the AP1x00 specific Cisco bug ID CSCeb49842 (registered customers only) . More details about it can be found at http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml.
In order to determine your software release you should log on the Access Point using any account available and execute the following command:
access-point> show ver
Cisco Internetwork Operating System Software IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^ TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc.
The Cisco IOS software version is displayed in the second line of the output. In this example it is 12.2(8)JA.
Impact
Repeated exploitation of this vulnerability can lead to a prolonged Denial-of-Service (DoS) of the AP1x00.
Obtaining Fixed Software
Cisco is offering free software upgrades to address these vulnerabilities for all affected customers. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at the Cisco Connection Online Software Center at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with service contracts should contact their regular update channels to obtain the free software upgrade identified via this advisory. For most customers with service contracts, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the software download URL, you must be a registered user and you must be logged in.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Workarounds
There are two workarounds for this vulnerability.
The example of using access-class is given here:
ap(config)# ip http access-class 10 ap(config)# access-list 10 permit host 10.0.0.1
In this example, host 10.0.0.1 is the only one that is allowed to access the AP. All other hosts are prohibited.
To disable HTTP and enable SSH use this example:
ap(config)# no ip http server ap(config)# ip domain name ap(config)# crypto key generate rsa The name for the keys will be: ap.your-domain Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ...[OK] ap(config)# line vty 0 4 ap(config-line)# transport input ssh
Now you can connect to the Cisco Aironet AP using SSH client from your computer.
In addition to the workarounds it is possible to mitigate the exposure by configuring ACLs on the device so that only legitimate hosts can use the http service. This can be done in the following way:
access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www
In this example the host 10.0.0.1 is the only one that is allowed to access the device at 10.0.0.50. You will have to change host IP addresses and the ACL number to suit your configuration. This ACL will have to be applied to all interfaces and block all IP addresses assigned to the affected device.
Exploitation and Public Announcements
This vulnerability is reported by Reda Zitouni from Vigilante. Their report can be found at http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm leavingcisco.com.
Status of This Notice: FINAL
This is a final advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco will update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
This notice will be posted on Cisco's worldwide website at .
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* full-disclosure@lists.netsys.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
+------------------------------------------+ |Revision|2003-July-28 16:00 UTC |Initial | |1.0 |(GMT) |public | | | |release.| +------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
----------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE----- Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT
iD4DBQE/JUmbezGozzK2tZARArXRAKCIRsac6s3i7oRAEf4/2khQBKdEcgCXTsum aQeEFDQLBhqS5wu0CarFkg== =ehoq -----END PGP SIGNATURE-----
. Firmware version 12.2(4)JA and earlier. The Arionet Bridge is vulnerable to a denial of service.This can be exploited remotely by an attacker. No user login or password is necessary. This can be accomplished by submitting a specially crafted request to the web server. There is no need to authenticate to perform this attack, only access to the web server is required. The Aironet bridge reboots upon receiving the request and failing to handle correctly this one. Afterwards, no further access to the WLAN or its services is possible.
Vendor status:
Cisco was contacted June 19, 2003 and answered the same day. 5 days later, they told us that they would release a patch soon. The patch was finally released July 3, 2003.
Vulnerability Assessment: A test case to detect this vulnerability was added to SecureScan NX in the upgrade package of July 28, 2003. You can see the documentation of this test case 17655 on SecureScan NX web site at http://securescannx.vigilante.com/tc/17655 . Please note that this version fixes some other bugs as TC 15438 (refer to release note). If not needed - disable access to the web feature on the Aironet Bridge. 2. If needed - restrict access to the HTTP service for outside connections. CVE: Common Vulnerabilities and Exposures group ( reachable at http://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this vulnerability.
Links:
Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml Vigilante Advisory: http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm Product Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570 CVE: CAN-2003-0511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511
Credit:
This vulnerability was discovered by Reda Zitouni, member of our Security Watch Team at VIGILANTe. We wish to thank Cisco PSIRT Team for their fast answer to fix this problem.
Copyright VIGILANTe.com, Inc. 2003-07-28
Disclaimer:
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.
Feedback:
Please send suggestions, updates, and comments to securitywatch@vigilante.com
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200308-0076",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ios",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "12.2\\(8\\)ja"
},
{
"model": "ios",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "12.2\\(4\\)ja1"
},
{
"model": "ios",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "12.2\\(4\\)ja"
},
{
"model": "ios",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "12.2\\(11\\)ja"
},
{
"model": "12.2 ja",
"scope": null,
"trust": 1.2,
"vendor": "ios",
"version": null
},
{
"model": "ios 12.2 ja",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios",
"scope": "eq",
"trust": 0.8,
"vendor": "cisco",
"version": "12.2"
},
{
"model": null,
"scope": null,
"trust": 0.6,
"vendor": "none",
"version": null
},
{
"model": "12.2 ja1",
"scope": null,
"trust": 0.4,
"vendor": "ios",
"version": null
},
{
"model": "ios 12.2 ja1",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2 ja1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
}
],
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"db": "BID",
"id": "8290"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:cisco:ios",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Reda Zitouni\u203b reda.zitouni@vigilante.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
}
],
"trust": 0.6
},
"cve": "CVE-2003-0511",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2003-0511",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-7339",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2003-0511",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2003-0511",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-200308-181",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1",
"trust": 0.2,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-7339",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-7339"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. The Cisco Aironet AP1X00 series is a wireless access point issued by Cisco that provides wireless access solutions based on the 802.11b WIFI standard. \n\n\u00a0The web interface of the Cisco Aironet AP1X00 does not properly handle HTTP GET requests. A remote attacker could use this vulnerability to conduct a denial of service attack on the device. This attack does not require any authentication. After the attack is successful, the device needs to be restarted or it cannot service normal communications. \n\n\u00a0All VxWorks software-based Cisco Aironet Access Point 1200s are not affected by this vulnerability. These software versions include 11.56, 12.01T1, 12.02T1, and 12.03T. Such a request will cause the device to reload. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Cisco Security Advisory: HTTP GET Vulnerability in AP1x00\n\nRevision 1.0\n\n For Public Release 2003 July 28 16:00 UTC (GMT)\n\n ----------------------------------------------------------------------\n\nContents\n\n Summary\n Affected Products\n Details\n Impact\n Software Versions and Fixes\n Obtaining Fixed Software\n Workarounds\n Exploitation and Public Announcements\n Status of This Notice: FINAL\n Distribution\n Revision History\n Cisco Security Procedures\n\n ----------------------------------------------------------------------\n\nSummary\n\n A vulnerability has been reported by an external researcher in Cisco\n IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. This\n vulnerability can cause the AP1x00 to reload and is documented as Cisco\n bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There\n are workarounds available to mitigate the effects of this vulnerability. \n\n This advisory is posted at\n http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml. \n\n The external report can be found at\n http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm\n leavingcisco.com. Although it mentions two issues only one is addressed by\n this advisory. The other issue, Cisco bug ID CSCdz29724 (registered\n customers only) (also CAN-2003-512), is present in all IOS software and is\n duplicated by the AP1x00 specific Cisco bug ID CSCeb49842 (registered\n customers only) . More details about it can be found at\n http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml. \n\n In order to determine your software release you should log on the Access\n Point using any account available and execute the following command:\n\n access-point\u003e show ver\n\n Cisco Internetwork Operating System Software\n IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY\n DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^\n TAC Support: http://www.cisco.com/tac\n Copyright (c) 1986-2003 by cisco Systems, Inc. \n\n The Cisco IOS software version is displayed in the second line of the\n output. In this example it is 12.2(8)JA. \n\nImpact\n\n Repeated exploitation of this vulnerability can lead to a prolonged\n Denial-of-Service (DoS) of the AP1x00. \n\nObtaining Fixed Software\n\n Cisco is offering free software upgrades to address these vulnerabilities\n for all affected customers. Customers may only install and expect support\n for the feature sets they have purchased. By installing, downloading,\n accessing or otherwise using such software upgrades, customers agree to be\n bound by the terms of Cisco\u0027s software license terms found at\n http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set\n forth at the Cisco Connection Online Software Center at\n http://www.cisco.com/public/sw-center/sw-usingswc.shtml. \n\n Customers with service contracts should contact their regular update\n channels to obtain the free software upgrade identified via this advisory. \n For most customers with service contracts, this means that upgrades should\n be obtained through the Software Center on Cisco\u0027s worldwide website at\n http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the\n software download URL, you must be a registered user and you must be\n logged in. \n\n Customers whose Cisco products are provided or maintained through prior or\n existing agreement with third-party support organizations such as Cisco\n Partners, authorized resellers, or service providers should contact that\n support organization for assistance with the upgrade, which should be free\n of charge. \n\n Customers who purchase direct from Cisco but who do not hold a Cisco\n service contract and customers who purchase through third-party vendors\n but are unsuccessful at obtaining fixed software through their point of\n sale should get their upgrades by contacting the Cisco Technical\n Assistance Center (TAC). TAC contacts are as follows. \n\n * +1 800 553 2447 (toll free from within North America)\n\n * +1 408 526 7209 (toll call from anywhere in the world)\n\n * e-mail: tac@cisco.com\n\n Please have your product serial number available and give the URL of this\n notice as evidence of your entitlement to a free upgrade. Free upgrades\n for non-contract customers must be requested through the TAC. \n\nWorkarounds\n\n There are two workarounds for this vulnerability. \n\n The example of using access-class is given here:\n\n ap(config)# ip http access-class 10\n ap(config)# access-list 10 permit host 10.0.0.1\n\n In this example, host 10.0.0.1 is the only one that is allowed to access\n the AP. All other hosts are prohibited. \n\n To disable HTTP and enable SSH use this example:\n\n ap(config)# no ip http server\n ap(config)# ip domain name \u003cyour-domain\u003e\n ap(config)# crypto key generate rsa\n The name for the keys will be: ap.your-domain\n Choose the size of the key modulus in the range of 360 to 2048 for your\n General Purpose Keys. Choosing a key modulus greater than 512 may take\n a few minutes. \n\n How many bits in the modulus [512]: 1024\n % Generating 1024 bit RSA keys ...[OK]\n ap(config)# line vty 0 4\n ap(config-line)# transport input ssh\n\n Now you can connect to the Cisco Aironet AP using SSH client from your\n computer. \n\n In addition to the workarounds it is possible to mitigate the exposure by\n configuring ACLs on the device so that only legitimate hosts can use the\n http service. This can be done in the following way:\n\n access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www\n\n In this example the host 10.0.0.1 is the only one that is allowed to\n access the device at 10.0.0.50. You will have to change host IP addresses\n and the ACL number to suit your configuration. This ACL will have to be\n applied to all interfaces and block all IP addresses assigned to the\n affected device. \n\nExploitation and Public Announcements\n\n This vulnerability is reported by Reda Zitouni from Vigilante. Their\n report can be found at\n http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm\n leavingcisco.com. \n\nStatus of This Notice: FINAL\n\n This is a final advisory. Although Cisco cannot guarantee the accuracy of\n all statements in this advisory, all of the facts have been checked to the\n best of our ability. Cisco does not anticipate issuing updated versions of\n this advisory unless there is some material change in the facts. Should\n there be a significant change in the facts, Cisco will update this\n advisory. \n\n A stand-alone copy or paraphrase of the text of this security advisory\n that omits the distribution URL in the following section is an\n uncontrolled copy, and may lack important information or contain factual\n errors. \n\nDistribution\n\n This notice will be posted on Cisco\u0027s worldwide website at . \n\n In addition to worldwide web posting, a text version of this notice is\n clear-signed with the Cisco PSIRT PGP key and is posted to the following\n e-mail and Usenet news recipients. \n\n * cust-security-announce@cisco.com\n\n * bugtraq@securityfocus.com\n\n * full-disclosure@lists.netsys.com\n\n * first-teams@first.org (includes CERT/CC)\n\n * cisco@spot.colorado.edu\n\n * cisco-nsp@puck.nether.net\n\n * comp.dcom.sys.cisco\n\n * Various internal Cisco mailing lists\n\n Future updates of this advisory, if any, will be placed on Cisco\u0027s\n worldwide website, but may or may not be actively announced on mailing\n lists or newsgroups. Users concerned about this problem are encouraged to\n check the above URL for any updates. \n\nRevision History\n\n +------------------------------------------+\n |Revision|2003-July-28 16:00 UTC |Initial |\n |1.0 |(GMT) |public |\n | | |release.|\n +------------------------------------------+\n\nCisco Security Procedures\n\n Complete information on reporting security vulnerabilities in Cisco\n products, obtaining assistance with security incidents, and registering to\n receive security information from Cisco, is available on Cisco\u0027s worldwide\n website at\n http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This\n includes instructions for press inquiries regarding Cisco security\n notices. All Cisco security advisories are available at\n http://www.cisco.com/go/psirt. \n\n ----------------------------------------------------------------------\n\n This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be\n redistributed freely after the release date given at the top of the text,\n provided that redistributed copies are complete and unmodified, and\n include all date and version information. \n\n ----------------------------------------------------------------------\n-----BEGIN PGP SIGNATURE-----\nComment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT\n\niD4DBQE/JUmbezGozzK2tZARArXRAKCIRsac6s3i7oRAEf4/2khQBKdEcgCXTsum\naQeEFDQLBhqS5wu0CarFkg==\n=ehoq\n-----END PGP SIGNATURE-----\n\n. \nFirmware version 12.2(4)JA and earlier. \nThe Arionet Bridge is vulnerable to a denial of service.This can be\nexploited remotely by an attacker. No user login or password is\nnecessary. This can be accomplished by\nsubmitting a specially crafted request to the web server. There is no\nneed to authenticate to perform this attack, only access to the web\nserver is required. The Aironet bridge reboots upon receiving the\nrequest and failing to handle correctly this one. Afterwards, no further\naccess to the WLAN or its services is possible. \n \nVendor status:\n**************\nCisco was contacted June 19, 2003 and answered the same day. 5 days\nlater, they told us that they would release a patch soon. The patch was\nfinally released July 3, 2003. \n \nVulnerability Assessment:\nA test case to detect this vulnerability was added to SecureScan NX in\nthe upgrade package of July 28, 2003. You can see the documentation of\nthis test case 17655 on SecureScan NX web site at\nhttp://securescannx.vigilante.com/tc/17655 . Please note that this version fixes some other\nbugs as TC 15438 (refer to release note). If not needed - disable access to the web feature on the Aironet\nBridge. \n2. If needed - restrict access to the HTTP service for outside\nconnections. \nCVE: Common Vulnerabilities and Exposures group ( reachable at\nhttp://cve.mitre.org/ ) was contacted and assigned CAN-2003-0511 to this\nvulnerability. \n \nLinks:\n*****\nCisco Advisory:\nhttp://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml\nVigilante Advisory:\nhttp://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm\nProduct Homepage: http://www.cisco.com/warp/public/cc/pd/witc/ps4570\nCVE: CAN-2003-0511\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CAN-2003-0511\n \n\nCredit:\n******\nThis vulnerability was discovered by Reda Zitouni, member of our\nSecurity Watch Team at VIGILANTe. \nWe wish to thank Cisco PSIRT Team for their fast answer to fix this\nproblem. \n \nCopyright VIGILANTe.com, Inc. 2003-07-28\n \nDisclaimer:\n**********\nThe information within this document may change without notice. Use of\nthis information constitutes acceptance for use in an AS IS condition. \nThere are NO warranties with regard to this information. In no event\nshall the author be liable for any consequences whatsoever arising out\nof or in connection with the use or spread of this information. Any use\nof this information lays within the user\u0027s responsibility. \n \nFeedback:\n********\nPlease send suggestions, updates, and comments to\nsecuritywatch@vigilante.com",
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0511"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"db": "BID",
"id": "8290"
},
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-7339"
},
{
"db": "PACKETSTORM",
"id": "31462"
},
{
"db": "PACKETSTORM",
"id": "31463"
}
],
"trust": 3.06
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-7339",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-7339"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2003-0511",
"trust": 4.0
},
{
"db": "BID",
"id": "8290",
"trust": 1.2
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181",
"trust": 1.1
},
{
"db": "CNVD",
"id": "CNVD-2003-2312",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232",
"trust": 0.8
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:5834",
"trust": 0.6
},
{
"db": "CISCO",
"id": "20030728 HTTP GET VULNERABILITY IN AP1X00",
"trust": 0.6
},
{
"db": "VULNWATCH",
"id": "20030728 CISCO AIRONET AP 1100 MALFORMED HTTP REQUEST CRASH VULNERABILITY",
"trust": 0.6
},
{
"db": "IVD",
"id": "7D7F4ED0-463F-11E9-87F9-000C29342CB1",
"trust": 0.2
},
{
"db": "IVD",
"id": "992E5DAC-23CD-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "31463",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "31462",
"trust": 0.2
},
{
"db": "SEEBUG",
"id": "SSVID-76747",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "22962",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-7339",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"db": "VULHUB",
"id": "VHN-7339"
},
{
"db": "BID",
"id": "8290"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"db": "PACKETSTORM",
"id": "31462"
},
{
"db": "PACKETSTORM",
"id": "31463"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"id": "VAR-200308-0076",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"db": "VULHUB",
"id": "VHN-7339"
}
],
"trust": 0.11000000000000001
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT",
"ICS"
],
"sub_category": null,
"trust": 0.6
},
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.4
}
],
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
}
]
},
"last_update_date": "2025-04-03T22:16:46.854000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-sa-20030728-ap1x00",
"trust": 0.8,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml"
},
{
"trust": 1.8,
"url": "http://www.vigilante.com/inetsecurity/advisories/vigilante-2003001.htm"
},
{
"trust": 1.7,
"url": "http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0055.html"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a5834"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2003-0511"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2003-0511"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/8290"
},
{
"trust": 0.6,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:5834"
},
{
"trust": 0.3,
"url": "/archive/1/330686"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2003-0511"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/public/sw-license-agreement.html,"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml."
},
{
"trust": 0.1,
"url": "http://www.vigilante.com/inetsecurity/advisories/vigilante-2003002.htm"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/sec_incident_response.shtml."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/psirt."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/tac"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/public/sw-center/sw-usingswc.shtml."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/cc/pd/witc/ps4570"
},
{
"trust": 0.1,
"url": "http://www.vigilante.com"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-can-2003-0511"
},
{
"trust": 0.1,
"url": "http://securescannx.vigilante.com/tc/17655"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-7339"
},
{
"db": "BID",
"id": "8290"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"db": "PACKETSTORM",
"id": "31462"
},
{
"db": "PACKETSTORM",
"id": "31463"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"db": "VULHUB",
"id": "VHN-7339"
},
{
"db": "BID",
"id": "8290"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"db": "PACKETSTORM",
"id": "31462"
},
{
"db": "PACKETSTORM",
"id": "31463"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-07-28T00:00:00",
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"date": "2003-07-28T00:00:00",
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"date": "2003-07-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"date": "2003-08-27T00:00:00",
"db": "VULHUB",
"id": "VHN-7339"
},
{
"date": "2003-07-28T00:00:00",
"db": "BID",
"id": "8290"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"date": "2003-07-29T17:40:53",
"db": "PACKETSTORM",
"id": "31462"
},
{
"date": "2003-07-29T17:46:09",
"db": "PACKETSTORM",
"id": "31463"
},
{
"date": "2003-07-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"date": "2003-08-27T04:00:00",
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-07-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"date": "2017-10-11T00:00:00",
"db": "VULHUB",
"id": "VHN-7339"
},
{
"date": "2009-07-11T22:56:00",
"db": "BID",
"id": "8290"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2003-000232"
},
{
"date": "2009-03-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200308-181"
},
{
"date": "2025-04-03T01:03:51.193000",
"db": "NVD",
"id": "CVE-2003-0511"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco AP1x00 HTTP GET Request Remote Denial Of Service Attack Vulnerability",
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2003-2312"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
}
],
"trust": 1.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "IVD",
"id": "7d7f4ed0-463f-11e9-87f9-000c29342cb1"
},
{
"db": "IVD",
"id": "992e5dac-23cd-11e6-abef-000c29c66e3d"
},
{
"db": "CNNVD",
"id": "CNNVD-200308-181"
}
],
"trust": 1.0
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.