search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cisco IOS HTTP Server vulnerable to buffer overflow when processing overly large malformed HTTP GET request

Vulnerability Note VU#579324

Original Release Date: 2003-07-31 | Last Revised: 2003-08-11


The Cisco IOS HTTP Server contains a vulnerability that may permit a remote attacker to execute arbitrary code on the system.


Cisco IOS ships with an HTTP Server. A buffer overflow vulnerability exists in the HTTP Server and may be exploited if a remote attacker sends a crafted HTTP request larger than 2GB in size. The HTTP server is not enabled by default on the majority of IOS platforms. This vulnerability is only exploitable if the HTTP Server is enabled. According to the Cisco documentation regarding this issue, all Cisco IOS software versions except 12.3 and 12.3T are affected, CatOS and PIX are not affected. Cisco has also issued an alert regarding this issue. An exploit for this vulnerability has been posted publicly.


An attacker can cause the router to reboot, and potentially execute arbitrary code on the router. Repeatedly rebooting the router will result in a denial-of-service situation.


Cisco has released a document to address this issue. According to the Cisco documentation regarding this issue, 12.3 and 12.3T-based images are not vulnerable.

According to the Cisco documentation:

The workaround is to configure access lists to explicitly permit authorized hosts or networks to the http service.

The syntax for this command for routers and switches running Cisco IOS software is:

ip http access-class <access-list number>

access-list <access-list number> permit host <authorized host #1>
access-list <
access-list number> permit host <authorized host #2>
access-list <
access-list number> deny any

The <access-list number> in the above example needs to be in the range of 1-99 or 1300-1399 (IP Standard access list range).

Vendor Information


Cisco Systems Inc. Affected

Updated:  July 31, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please see

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported to Cisco by FX of Phenoelit.

This document was written by Jason A Rafail.

Other Information

CVE IDs: None
Severity Metric: 15.82
Date Public: 2003-07-31
Date First Published: 2003-07-31
Date Last Updated: 2003-08-11 15:28 UTC
Document Revision: 13

Sponsored by CISA.