Technical Description
A vulnerability has been identified in various Cisco routers, which could be exploited by remote attackers to take complete control of an affected device. This flaw is due to an error in the default IOS configuration shipped with the Cisco Router Web Setup (CRWS) application that does not include an "enable password" or an "enable secret" command, which could be exploited by remote unauthenticated attackers to access the Cisco IOS HTTP server interface and execute arbitrary commands with level 15 privileges (the highest privilege level on Cisco IOS devices).
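The condition described above can be checked offline against a saved configuration. The following is an added example, not code from Cisco or from this advisory: the function name `audit_config` and the sample configurations are constructed, and it assumes the HTTP server counts as enabled only when an `ip http server` or `ip http secure-server` line is present, and that an `ip http authentication` method other than `enable` does not rely on the enable credential.

```python
import re

# Constructed sample configurations (not taken from a real device).
SAMPLE_DEFAULT = """\
hostname Router
!
ip http server
!
line vty 0 4
 login local
end
"""
SAMPLE_HARDENED = """\
hostname Router
enable secret 5 <hash-placeholder>
ip http server
end
"""
SAMPLE_HTTP_OFF = """\
hostname Router
no ip http server
end
"""

def audit_config(text):
    """Flag a saved IOS config whose HTTP server runs with no enable credential."""
    http_on = False
    has_enable = False
    http_auth = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        # Assumption: only an explicit line enables the server; "no ip http server" never matches.
        if re.fullmatch(r"ip http (secure-)?server", line):
            http_on = True
        elif re.match(r"enable (secret|password)\s+\S", line):
            has_enable = True
        elif (m := re.match(r"ip http authentication (\S+)", line)):
            http_auth = m.group(1)
    # Assumption: with no method configured, or method "enable", the HTTP
    # server depends on the enable credential that this config lacks.
    exposed = http_on and not has_enable and http_auth in (None, "enable")
    return {"http_server": http_on, "enable_credential": has_enable,
            "http_authentication": http_auth, "exposed": exposed}

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_HARDENED", "SAMPLE_HTTP_OFF"):
        print(name, audit_config(globals()[name]))
```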
Affected Products
Cisco Router Web Setup (CRWS) versions prior to 3.3.0 build 31
Cisco 806
Cisco 826
Cisco 827
Cisco 827H
Cisco 827-4v
Cisco 828
Cisco 831
Cisco 836
Cisco 837
Cisco SOHO 71
Cisco SOHO 76
Cisco SOHO 77
Cisco SOHO 77H
Cisco SOHO 78
Cisco SOHO 91
Cisco SOHO 96
Cisco SOHO 97
Solution
Deploy the suggested workarounds:
http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml#workarounds