Cisco inadvertently weakens password encryption in its IOS operating system

The password encryption scheme used in newer Cisco IOS versions is weak, researchers find

By Lucian Constantin, IDG News Service

The company declined to name the exact affected products or IOS and IOS XE versions at this time. "We refer Cisco customers to our Security Response which provides important information on the use of Type 4 passwords in some Cisco IOS and IOS XE devices," a Cisco representative said Wednesday via email. "In some cases they may choose to revert to Type 5 passwords on these devices, so we have provided advice on how this can be achieved. We have also offered information on Cisco's plans to implement a new password type in future versions of IOS."

According to a Cisco IOS command reference manual found on the company's website, support for Type 4 encryption was first added to the "enable secret" command in Cisco IOS 15.0(1)S, 15.1(4)M and in Cisco IOS XE Release 3.1S.

Cisco included information on how to determine if a device uses Type 4 passwords and how to replace them with Type 5 passwords. However, while Type 5 passwords can be used on devices that support Type 4 passwords, they can't be generated on such devices.

"A Cisco IOS or Cisco IOS XE release with support for Type 4 passwords does not allow the generation of a Type 5 password from a plaintext password on the device itself," Cisco said. "Customers who need to replace a Type 4 password with a Type 5 password must generate the Type 5 password outside the device and then copy the Type 5 password to the device configuration."
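The two steps Cisco describes here, finding Type 4 secrets in a configuration and producing a Type 5 replacement off-box, can be scripted. The following is an added example written for this article, not Cisco's own tooling or anything from the Security Response. It assumes the configuration lines take the documented `enable secret 4 ...` / `username ... secret 4 ...` form, and it generates Type 5 values with a from-scratch MD5-crypt (`$1$`) routine following the published FreeBSD reference algorithm, using the 4-character salt length Cisco devices use. The sample configuration and the Type 4 strings in it are constructed placeholders, not real hashes.

```python
import hashlib
import hmac
import re
import secrets

# Alphabet used by MD5-crypt's to64() encoder; Cisco Type 5 hashes use the same one.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed running-config excerpt. The "secret 4" values are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 4 TYPE4_PLACEHOLDER_000000000000000000000000000
username admin privilege 15 secret 4 TYPE4_PLACEHOLDER_111111111111111111111111111
username ops secret 5 $1$abcd$0123456789012345678901
line vty 0 4
"""

# Matches the 'enable secret 4' and 'username <name> [privilege N] secret 4' forms.
TYPE4_RE = re.compile(
    r"^(?P<prefix>(?:enable|username\s+\S+(?:\s+privilege\s+\d+)?)\s+secret)"
    r"\s+4\s+(?P<hash>\S+)\s*$"
)


def find_type4_secrets(config: str) -> list:
    """Return every configuration line that still carries a Type 4 secret."""
    return [ln for ln in config.splitlines() if TYPE4_RE.match(ln.strip())]


def _to64(value: int, n: int) -> str:
    """Emit n characters of crypt base64, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as in the FreeBSD reference implementation."""
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    pw, sb, magic = password.encode(), salt.encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in alt, 16 bytes per pass
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                  # bit-walk over the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the fixed 1000-round stretching loop
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(sb)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    enc += _to64(final[11], 2)
    return "$1$" + salt + "$" + enc


def type5_secret(password: str, salt: str = "") -> str:
    """Generate a Cisco Type 5 secret off-box; a random 4-char salt unless one is given."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5_crypt(password, salt)


def verify_type5(password: str, stored: str) -> bool:
    """Check a plaintext against a stored $1$salt$hash value in constant time."""
    _, _, salt, _ = stored.split("$")
    return hmac.compare_digest(md5_crypt(password, salt), stored)


def replacement_line(type4_line: str, new_password: str, salt: str = "") -> str:
    """Build the 'secret 5' line that replaces a given 'secret 4' line."""
    m = TYPE4_RE.match(type4_line.strip())
    if not m:
        raise ValueError("not a Type 4 secret line")
    return "%s 5 %s" % (m.group("prefix"), type5_secret(new_password, salt))


if __name__ == "__main__":
    for line in find_type4_secrets(SAMPLE_CONFIG):
        print("Type 4 secret found:", line)
        print("  replace with:      ", replacement_line(line, "ChangeMe-OnCutover"))
```

Run it against a saved `show running-config`; each flagged line gets a ready-to-paste `secret 5` line, and `verify_type5` lets you confirm the generated value before it goes into the device configuration.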

Furthermore, backward compatibility issues might appear when downgrading from a device with Type 4 passwords configured to a device that doesn't support Type 4 passwords, Cisco said. "Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."

Going forward, the Type 4 algorithm will be deprecated in favor of a new algorithm based on the correct design originally intended for Type 4, the company said. Until the new algorithm is put in place, the "enable secret" and "username" commands will revert to their original behavior of generating Type 5 password hashes. Also, the warning displayed to users of Cisco IOS devices about the deprecation of Type 5 passwords will be removed, and these passwords will continue to be supported for backward compatibility reasons.

Schmidt and Steube contacted Cisco immediately after discovering the issue, which they describe as a "disastrous error," and followed the company's responsible disclosure policies. "Fortunately, the type 4 implementation was not yet present on all hardware devices and all IOS (XE) versions. Nevertheless, such an 'implementation mistake,' as Cisco calls it, should have never happened and the code should have never left the Cisco lab."
