An article about a Cisco FTP vulnerability caught my eye today. The article gave little detail, so I checked with Secunia and sure enough saw an advisory. That’s an interesting vulnerability (impacting, but not enabled by default…so not the holy grail of network hacking), and I would hope good admins have taken some measures to already mitigate or avoid this issue.
First, don’t use the FTP server. I’d rather use an external TFTP server as opposed to one on the router itself. Second, even if the config is disclosed, limit the damage by making sure your enable and enable secret passwords are different, as are the SNMP strings and other access passwords that may be disclosed in the config. Also make sure they’re all different across other routers (minus the SNMP string of course). Third, update your IOS, of course, and hope that Cisco puts in a (long overdue) SCP/SFTP solution sooner than later.
Of additional note, I’m still itching to get my hands on the Hacking Exposed: Cisco Networks book. It taunts me weekly from the bookstore shelf, but I just don’t want to get too confused as I am hitting the running strides of my study for CCNA (which I will take in late May or early June).