GEN:SID 1:1544
Message WEB-MISC Cisco Catalyst command execution attempt
Summary This event is generated when an attempt is made to list the user
configuration file on a Cisco router or switch.
Impact If successful, the switch will reveal the local authentication user
configuration file to an attacker without requiring prior
authentication.
Detailed Information The HTTP server that is part of some versions of the Cisco IOS software
allows remote command execution when the access control method is set to
local authentication.
Affected Systems The following Cisco products can be affected.   Whether they actually
are vulnerable or not depends on the version of IOS that they are
running.   To properly determine if your product is vulnerable, see the
Cisco website referenced below.   This is not exploitable if the device
is using an access control method other than local authentication.
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700,
AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000
series.
Most recent versions of the LS1010 ATM switch.
The Catalyst 6000 and 5000 if they are running Cisco IOS software.
The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco
IOS software.
The Catalyst 2900 and 3000 series LAN switches are affected.
The Cisco Distributed Director.
Attack Scenarios By making the request to a vulnerable system, an attacker can take
complete control of a Cisco device.
Ease of Attack Simple.  HTTP GET request, a browser may be used.
Corrective Action Turn off the web server functionality, use access lists to ensure only
trusted hosts have access to the device, use TACACS+ or RADIUS for
access control, or upgrade your version of IOS.
Additional References Cisco
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
Rule References bugtraq: 1846
cve: 2000-0945
nessus: 10545