CVE-2009-0637

Name of the Vulnerable Software and Affected Versions Cisco IOS versions 12.2 through 12.4

Description The SCP server in Cisco IOS does not enforce the CLI view configuration for file transfers when Role-Based CLI Access is enabled. This allows remote authenticated users with an attached CLI view to read or overwrite arbitrary files via an SCP command. The vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.

Recommendations For Cisco IOS versions 12.2 through 12.4, update to a version that includes the software updates released by Cisco to address this vulnerability. As a temporary workaround, consider disabling either the SCP server or the CLI view feature if these services are not required by administrators.