Cisco IOS password encryption facts

From: John Bashinski <jbash@CISCO.COM>
Date: Mon, 10 Nov 1997 16:39:36 -0800
Subject: Cisco IOS password encryption facts
X-To: cisco@spot.colorado.edu, first-teams@first.org
X-Cc: ce-group@cisco.com, lmc@cisco.com, psirt@cisco.com
To: BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----

A non-Cisco source has recently released a new program to decrypt user
passwords (and other passwords) in Cisco configuration files. The program
will not decrypt passwords set with the "enable secret" command.

The unexpected concern that this program has caused among Cisco customers
has led us to suspect that many customers are relying on Cisco password
encryption for more security than it was designed to provide. This document
explains the security model behind Cisco password encryption, and the
security limitations of that encryption.

User Passwords
--------------
User passwords and most other passwords (*not* enable secrets) in Cisco IOS
configuration files are encrypted using a scheme that's very weak by modern
cryptographic standards.

Although Cisco does not distribute a decryption program, at least two
different decryption programs for Cisco IOS passwords are available to the
public on the Internet; the first public release of such a program of which
Cisco is aware was in early 1995. We would expect any amateur cryptographer
to be able to create a new program with no more than a few hours' work.

The scheme used by IOS for user passwords was never intended to resist a
determined, intelligent attack; it was designed to avoid casual
"over-the-shoulder" password theft. The threat model was someone reading a
password from an administrator's screen. The scheme was never supposed to
protect against someone conducting a determined analysis of the
configuration file.

Because of the weak encryption algorithm, it has always been Cisco's
position that customers should treat any configuration file containing
passwords as sensitive information, the same way they would treat a
cleartext list of passwords.

Enable Secret Passwords
-----------------------
Enable secrets are hashed using the MD5 algorithm. As far as anyone at
Cisco knows, it is impossible to recover an enable secret based on the
contents of a configuration file (other than by obvious dictionary
attacks).

Note that this applies only to passwords set with "enable secret", *not*
to passwords set with "enable password". Indeed, the strength of the
encryption used is the only significant difference between the two
commands.

Other Passwords
---------------
Almost all passwords and other authentication strings in Cisco IOS
configuration files are encrypted using the weak, reversible scheme used
for user passwords. To determine which scheme has been used to encrypt a
specific password, check the digit preceding the encrypted string in the
configuration file. If that digit is a 7, the password has been encrypted
using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.

For example, in the configuration command

    enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

the enable secret has been hashed with MD5, whereas in the command

    username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

the password has been encrypted using the weak reversible algorithm.

Can the algorithm be changed?
-----------------------------
Cisco has no immediate plans to support a stronger encryption algorithm for
IOS user passwords. Should Cisco decide to introduce such a feature in the
future, that feature will definitely impose an additional ongoing
administrative burden on users who choose to take advantage of it.

It is not, in the general case, possible to switch user passwords over to
the MD5-based algorithm used for enable secrets, because MD5 is a one-way
hash, and the password can't be recovered from the encrypted data at all.
In order to support certain authentication protocols (notably CHAP), the
system needs access to the clear text of user passwords, and therefore must
store them using a reversible algorithm.

Key management issues would make it a nontrivial task to switch over to a
stronger reversible algorithm, such as DES. Although it would be easy to
modify IOS to use DES to encrypt passwords, there would be no security
advantage in doing so if all IOS systems used the same DES key. If
different keys were used by different systems, an administrative burden
would be introduced for all IOS network administrators, and portability of
configuration files between systems would be damaged. Customer demand
for stronger reversible password encryption has been small.

November 10, 1997

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNGen1wyPsuGbHvEpAQFYHwgAtIs5PykwbZ11H3kzKxpl67I4OX4Kngli
wKL7PHxbKMvB12l/oiFoTcrOqWXVWN6AQ3ObbkJ+GD02zHbW+5rU/2/dys86GQAi
MGBLS/7pKrb9oPjeI5P+ZZIGfaM/Cs6y6nRN2jeC2ZSglGmlsaWua0Sm+9ytvz1b
x730JE1yGybxnBHYGsonSpRNQ8xx8RKjG+HZ5gFROWkY/gsBeqiEcz/y+XJq0qwO
6ULpwAKVV9jld4m93ZJe3LzyjrOUM7+pk3UzNAZu1IfUoy1L3J/VfehbBc7BmMy7
0AylJwuhNd3mlCe3Vl0VgCG/qC/hjX+860QY9CWb411Nstc+pyjcqw==
=JdSr
-----END PGP SIGNATURE-----

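
An added example, not part of Cisco's advisory and not one of the decryption programs the thread refers to: a short Python audit that applies the rule above to the credential lines of a configuration file. It keys on the digit between the keyword and the value, reports "7" and bare cleartext as recoverable, and for "5" implements the $1$ md5crypt scheme (the FreeBSD crypt(3) algorithm, which is what "enable secret" stores) so the "obvious dictionary attack" the advisory concedes can be tried against a wordlist. The sample configuration and wordlist are constructed for the demo; the "enable secret 5" and "password 7" lines are the advisory's own examples, and the plaintext behind $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP. is not known here, so the only hash the wordlist is expected to hit is the one the script generates itself. The function names and the regular expression are this example's own.

```python
import hashlib
import re

# One regex for "password 7 <hex>", "secret 5 <hash>", "key-string 7 <hex>"
# and "password <cleartext>". As the advisory says, the keyword does not
# matter; only the digit between keyword and value does. No digit means
# the value is stored in the clear.
_CRED_RE = re.compile(
    r"^.*?\b(?:password|secret|key-string)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password, salt):
    """FreeBSD md5crypt, the $1$ scheme behind 'enable secret 5'.
    Returns '$1$<salt>$<22 chars>'; salt is at most 8 characters (IOS uses 4)."""
    pw = password.encode()
    salt = salt.split("$")[0][:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    plen = len(pw)
    while plen > 0:                      # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    groups = [(f[0], f[6], f[12]), (f[1], f[7], f[13]), (f[2], f[8], f[14]),
              (f[3], f[9], f[15]), (f[4], f[10], f[5])]
    out = "".join(_to64((a << 16) | (b << 8) | c, 4) for a, b, c in groups)
    out += _to64(f[11], 2)
    return "$1$" + salt.decode() + "$" + out


def classify(line):
    """(type_digit, value) for a credential line, or None for other lines."""
    m = _CRED_RE.match(line.strip())
    if not m:
        return None
    return (int(m.group("type")) if m.group("type") else 0), m.group("value")


def dictionary_check(type5_hash, wordlist):
    """First wordlist entry whose md5crypt equals the hash, else None."""
    parts = type5_hash.split("$")
    if len(parts) < 4 or parts[1] != "1":
        return None
    salt = parts[2]
    return next((w for w in wordlist if md5crypt(w, salt) == type5_hash), None)


def audit(config_text, wordlist=()):
    """Verdict per credential line. Type 7 and cleartext are recoverable
    outright; type 5 only falls if the wordlist hits."""
    report = {}
    for line in config_text.splitlines():
        found = classify(line)
        if found is None:
            continue
        t, value = found
        if t == 7:
            verdict = "type 7: reversible, treat as cleartext"
        elif t == 5:
            hit = dictionary_check(value, wordlist)
            verdict = (f"type 5: MD5 hash, guessed '{hit}'" if hit
                       else "type 5: MD5 hash, not in wordlist")
        elif t == 0:
            verdict = "cleartext"
        else:
            verdict = f"type {t}: not handled by this script"
        report[line.strip()] = verdict
    return report


# Constructed sample input. The first two lines are the advisory's own
# examples; the third is generated here from a word that is in the wordlist.
SAMPLE_WORDLIST = ["password", "cisco", "letmein", "admin"]
SAMPLE_CONFIG = "\n".join([
    "enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.",
    "username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D",
    "username ops secret 5 " + md5crypt("letmein", "Xk2f"),
    "line vty 0 4",
    " password cisco",
])

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_CONFIG, SAMPLE_WORDLIST).items():
        print(f"{verdict:40}  {line}")
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG to get the same triage for a real device; the script deliberately does not decode type 7 values, it only tells you which lines must be treated as cleartext.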

From: ice9 <ice9@PARANOIA.COM>
Date: Tue, 11 Nov 1997 04:37:30 -0600
Subject: Re: Cisco IOS password encryption facts
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19971111003936.1179.qmail@susan.cisco.com> from "John Bashinski" at Nov 10, 97 04:39:36 pm

This is why, if you are worried about security, perhaps TACACS+ would be a good option.  Even if the router can't reach the TACACS server, with proper configuration, you will still need the enable passwd just to enter maintenance mode...

And I would hope that would be configured using enable-secret.

But even if you were using level 7 encryption for your maint passwd, a maintenance mode user is rather limited in what he can do...



--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
      ice9@paranoia.com      http://www.paranoia.com/~ice9
My opinion may not reflect that of any living person, but its the
only one that counts!!
                      main() {for(;;fork());}
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From: Janos Zsako <zsako@banknet.net>
Date: Tue, 11 Nov 1997 12:27:07 +0100
Subject: Re: cisco passwords
X-To: jared@puck.nether.net
To: BUGTRAQ@NETSPACE.ORG

>   From owner-bugtraq@netspace.org Sun Nov  2 02:09:47 1997
>   From: Jared Mauch <jared@puck.nether.net>

>           I've done a few code cleanups on the decryption stuff and put
>   it up for ftp with these fixes.. i have a few more to make
>   so it'll just grab it from bgp sessions, ospf keys, etc..
>
>           Get it from ftp://puck.nether.net/pub/jared/decrypt.c

It does not work reliably for passwords longer than eight characters.
The problem is that Cisco passwords can be 11 characters long, and if the
initial seed is larger than 10, the translation table is too short.
The full translation table is as follows:

char xlat[] = {                 /* 26 entries: seed (up to 15) + 11 bytes */
        0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
        0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
        0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42
};

This also copes with the case where the password is 11 characters long and
the seed is 15.

Janos Zsako

PS. Passwords longer than 11 characters are allowed, but they are
truncated to the first 11 characters (just as they are to 8 in most Unix
implementations).
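
An added example, not Zsako's or Mauch's code: a Python decoder and encoder for the "password 7" format (two decimal digits of seed, then one hex pair per character, each plaintext byte XORed with the table byte at seed + position). It uses the 53-byte table that later public decoders carry, whose first 26 bytes are exactly the xlat[] posted above; the longer tail matters because the advisory's own example (07362E59...134D, seed 07 and 23 characters) reaches index 29 and cannot be decoded with a 26-entry table, which the demonstration shows by refusing instead of reading past the array. The 0..15 seed range is taken from the message above, and the names type7_decrypt / type7_encrypt / decode_with_short_table are this example's own.

```python
# Key stream used by later public "password 7" decoders. The first 26 bytes
# are exactly the xlat[] table posted above; the tail covers longer strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUB" b"sgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded, table=XLAT):
    """Decode a 'password 7' value: 2-digit decimal seed, then hex pairs.

    Ciphertext byte i is plaintext[i] XOR table[seed + i]. Raises ValueError
    when the string is malformed or the table is too short for this
    seed/length combination (a fixed C array would silently read past
    its end instead).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("expected a 2-digit seed followed by hex pairs")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    if seed + len(body) > len(table):
        raise ValueError(
            f"seed {seed} + {len(body)} bytes needs {seed + len(body)} "
            f"table entries, have {len(table)}"
        )
    plain = bytes(c ^ table[seed + i] for i, c in enumerate(body))
    return plain.decode("latin-1")


def type7_encrypt(plain, seed, table=XLAT):
    """Inverse of type7_decrypt. IOS picks the seed itself; here it is an
    argument so the seed-15 case from the message above can be reproduced.
    Seeds are limited to 0..15, the range that message describes."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    data = plain.encode("latin-1")
    if seed + len(data) > len(table):
        raise ValueError("plaintext too long for this table at this seed")
    body = bytes(p ^ table[seed + i] for i, p in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def decode_with_short_table(encoded):
    """Decode using only the 26-entry table above; None when that table
    runs out, which is the failure the message above is about."""
    try:
        return type7_decrypt(encoded, table=XLAT[:26])
    except ValueError:
        return None


if __name__ == "__main__":
    ADVISORY = "07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D"  # advisory example
    print(type7_decrypt(ADVISORY))                # full table decodes it
    print(decode_with_short_table(ADVISORY))      # None: seed 7 + 23 bytes > 26
    e = type7_encrypt("elevenchars", 15)          # 11 chars at the largest seed
    print(e, decode_with_short_table(e))          # fits: indices 15..25
```

The point of decode_with_short_table is the boundary: seed 15 plus 11 characters uses indices 15..25 and fits the 26-entry table, while the advisory's 23-character example at seed 7 does not.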

From: "J. Sean Connell" <ankh@canuck.gen.nz>
Date: Wed, 12 Nov 1997 14:13:49 +1300
Subject: Re: Cisco IOS password encryption facts
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199711111037.EAA12696@primus.paranoia.com>

On Tue, 11 Nov 1997, ice9 wrote:

> This is why, if you are worried about security, perhaps TACACS+ would be
> a good option.  Even if the router can't reach the TACACS server, with
> proper configuration, you will still need the enable passwd just to enter
> maintenance mode...

Not necessarily.  If you use TACACS+ for AAA and enable AAA accounting,
you will (at least in my humble experience) be unable to get in - the cisco
must send an accounting record to the TACACS+ server, but it can't reach
the TACACS+ server, so it refuses to let you in.  (If anyone knows how to
get around this without turning off aaa accounting, *please* let me know! =)

(Also note that I may have any and/or all of the above wrong - it's so long
that I can't quite remember all the exact details...)

--
J. S. Connell      | Systems Administrator, ICONZ.  Any opinions stated above
ankh@canuck.gen.nz | are not my employers', not my boyfriends', my God's, my
ankh@iconz.co.nz   | friends', and probably not even my own.
-------------------+---------------------------------------------------------
            PGP key at http://www.canuck.gen.nz/~ankh/pgpkey.html

From: Michael Degerman <mide@natverket.com>
Date: Thu, 13 Nov 1997 19:58:15 +0100
Subject: Re: Cisco IOS password encryption facts
X-To: "J. Sean Connell" <ankh@canuck.gen.nz>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.971112140655.6821B-100000@canuck.gen.nz>

> Not necessarily.  If you use TACACS+ for AAA and enable AAA accounting,
> you will (at least in my humble experience) be unable to get in - the cisco
> must send an accounting record to the TACACS+ server, but it can't reach
> the TACACS+ server, so it refuses to let you in.  (If anyone knows how to
> get around this without turning off aaa accounting, *please* let me know! =)

If you don't put a "login" line on the vty's in the Cisco box then you
will have problems, like the scenario you just described. But if you put
a "login" line on the vty's the Cisco will start with the tacacs+ login
prompt and then, after trying to get a response from the tacacs+, it will
time out and give you a default login.
It also depends on how you implement the tacacs+ login which
password you have as backup. Sometimes you have to have a password
defined on the vty's as well because it's the default setting if nothing
else is specified.



>
> (Also note that I may have any and/or all of the above wrong - it's so long
> that I can't quite remember all the exact details...)

Hey! It might be easy to learn but it's a lot easier to forget!

//Michael Degerman
------------------------------------------------------------------------
A lonely guy with a lot on the mind!

From: Rafi Sadowsky <rafi@tavor.openu.ac.il>
Date: Tue, 11 Nov 1997 12:02:22 +0200 (IST)
Subject: BoS: Cisco IOS password encryption facts (fwd)
To: best-of-security@cyber.com.au
X-Mailing-List: <best-of-security@cyber.com.au> ftp://ftp.cyber.com.au/pub/archive/b-o-s/

---------- Forwarded message ----------
Date: Mon, 10 Nov 1997 16:39:36 -0800
From: John Bashinski <jbash@CISCO.COM>
Subject: Cisco IOS password encryption facts
-----BEGIN PGP SIGNED MESSAGE-----

A non-Cisco source has recently released a new program to decrypt user
passwords (and other passwords) in Cisco configuration files. The program
will not decrypt passwords set with the "enable secret" command.

The unexpected concern that this program has caused among Cisco customers
has led us to suspect that many customers are relying on Cisco password
encryption for more security than it was designed to provide. This document
explains the security model behind Cisco password encryption, and the
security limitations of that encryption.

User Passwords
- --------------
User passwords and most other passwords (*not* enable secrets) in Cisco IOS
configuration files are encrypted using a scheme that's very weak by modern
cryptographic standards.

Although Cisco does not distribute a decryption program, at least two
different decryption programs for Cisco IOS passwords are available to the
public on the Internet; the first public release of such a program of which
Cisco is aware was in early 1995. We would expect any amateur cryptographer
to be able to create a new program with no more than a few hours' work.

The scheme used by IOS for user passwords was never intended to resist a
determined, intelligent attack; it was designed to avoid casual
"over-the-shoulder" password theft. The threat model was someone reading a
password from an administrator's screen. The scheme was never supposed to
protect against someone conducting a determined analysis of the
configuration file.

Because of the weak encryption algorithm, it has always been Cisco's
position that customers should treat any configuration file containing
passwords as sensitive information, the same way they would treat a
cleartext list of passwords.

Enable Secret Passwords
- -----------------------
Enable secrets are hashed using the MD5 algorithm. As far as anyone at
Cisco knows, it is impossible to recover an enable secret based on the
contents of a configuration file (other than by obvious dictionary
attacks).

Note that this applies only to passwords set with "enable secret", *not*
to passwords set with "enable password". Indeed, the strength of the
encryption used is the only significant difference between the two
commands.

Other Passwords
- ---------------
Almost all passwords and other authentication strings in Cisco IOS
configuration files are encrypted using the weak, reversible scheme used
for user passwords. To determine which scheme has been used to encrypt a
specific password, check the digit preceding the encrypted string in the
configuration file. If that digit is a 7, the password has been encrypted
using the weak algorithm. If the digit is a 5, the password has been hashed
using the stronger MD5 algorithm.

For example, in the configuration command

    enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

the enable secret has been hashed with MD5, whereas in the command

    username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

the password has been encrypted using the weak reversible algorithm.
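The digit check described above, as an added example that is not Cisco's code or part of the original message: a small Python auditor that scans an IOS-style configuration, classifies each credential by the digit in front of it, and reports which ones are stored with the reversible "7" scheme or in cleartext. The configuration it scans is constructed for the example, apart from the two lines quoted in the note; the regular expressions, function names and severity labels are the example's own. The note only distinguishes 5 from 7; the example also treats a 0 or a missing digit as cleartext, which is how IOS reads an untyped password argument, and reports any other digit as unknown rather than trusting it.

```python
"""Audit how credentials are stored in a Cisco IOS-style configuration.

Added example (not Cisco's code): it applies the check from Cisco's note,
looking at the digit in front of each password string, to a constructed
configuration and reports which credentials are MD5-hashed (5), which use
the weak reversible scheme (7), and which are cleartext (0 or no digit).
"""
import re
from dataclasses import dataclass

# Constructed sample configuration. The "enable secret 5" and
# "username jbash" lines are the ones quoted in Cisco's note; every other
# credential value here is made up for the example.
SAMPLE_CONFIG = """\
!
hostname lab-router
!
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
enable password 7 021B2C3D4E5F60718293
!
username jbash password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops password 0 Plain-Text-Here
username guest password letmein
!
tacacs-server key 7 051F2E3D4C5B6A
radius-server key cleartext-shared-secret
!
line vty 0 4
 password 7 070C0D0E0F1011
 login
!
"""

# "<keyword> <type digit> <value>" at the end of a line, e.g. "password 7 ...".
TYPED_RE = re.compile(
    r"\b(?:secret|password|key)\s+(?P<type>[0-9])\s+(?P<value>\S+)\s*$")
# "<keyword> <value>" with no type digit; IOS stores such input as cleartext.
# Limited to secret/password and the AAA server keys so that a bare
# "key 1" inside a key chain is not misread as a credential.
UNTYPED_RE = re.compile(
    r"(?:\b(?:secret|password)|^(?:tacacs|radius)-server\s+key)\s+(?P<value>\S+)\s*$")
# Shape of an MD5-crypt string: $1$<salt of up to 8 chars>$<22-char hash>.
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


@dataclass
class Finding:
    line_no: int
    line: str
    storage: str   # "md5", "type7", "cleartext" or "unknown"
    severity: str  # "ok", "weak" or "critical"


def classify(ptype, value):
    """Map a type digit (None when absent) and its value to (storage, severity)."""
    if ptype == "5":
        # A 5 whose value is not MD5-crypt shaped is suspicious, not ok.
        return ("md5", "ok") if MD5_CRYPT_RE.match(value) else ("unknown", "weak")
    if ptype == "7":
        return ("type7", "weak")        # reversible: treat like cleartext
    if ptype in (None, "0"):
        return ("cleartext", "critical")
    return ("unknown", "weak")          # digits the 1997 note does not cover


def audit_config(text):
    """Return one Finding per credential line found in the configuration."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                     # blank lines and comments
        m = TYPED_RE.search(line)
        if m:
            ptype, value = m.group("type"), m.group("value")
        else:
            m = UNTYPED_RE.search(line)
            if not m:
                continue
            ptype, value = None, m.group("value")
        storage, severity = classify(ptype, value)
        findings.append(Finding(n, line, storage, severity))
    return findings


def summarize(findings):
    """Count findings per severity so a configuration can be accepted or rejected."""
    counts = {"ok": 0, "weak": 0, "critical": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line_no:>3} {f.severity:<8} {f.storage:<9} {f.line}")
    print("summary:", summarize(results))
```

Run against a saved `show running-config`, the summary tells you at a glance whether the file must be handled as a cleartext password list, which is Cisco's position for any configuration containing 7-type or untyped passwords. The auditor deliberately does not decode anything: the point of the check is to find what needs rotating and protecting, not to recover the values.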

Can the algorithm be changed?
- -----------------------------
Cisco has no immediate plans to support a stronger encryption algorithm for
IOS user passwords. Should Cisco decide to introduce such a feature in the
future, that feature will definitely impose an additional ongoing
administrative burden on users who choose to take advantage of it.

It is not, in the general case, possible to switch user passwords over to
the MD5-based algorithm used for enable secrets, because MD5 is a one-way
hash, and the password can't be recovered from the encrypted data at all.
In order to support certain authentication protocols (notably CHAP), the
system needs access to the clear text of user passwords, and therefore must
store them using a reversible algorithm.

Key management issues would make it a nontrivial task to switch over to a
stronger reversible algorithm, such as DES. Although it would be easy to
modify IOS to use DES to encrypt passwords, there would be no security
advantage in doing so if all IOS systems used the same DES key. If
different keys were used by different systems, an administrative burden
would be introduced for all IOS network administrators, and portability of
configuration files between systems would be damaged. Customer demand
for stronger reversible password encryption has been small.

November 10, 1997

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNGen1wyPsuGbHvEpAQFYHwgAtIs5PykwbZ11H3kzKxpl67I4OX4Kngli
wKL7PHxbKMvB12l/oiFoTcrOqWXVWN6AQ3ObbkJ+GD02zHbW+5rU/2/dys86GQAi
MGBLS/7pKrb9oPjeI5P+ZZIGfaM/Cs6y6nRN2jeC2ZSglGmlsaWua0Sm+9ytvz1b
x730JE1yGybxnBHYGsonSpRNQ8xx8RKjG+HZ5gFROWkY/gsBeqiEcz/y+XJq0qwO
6ULpwAKVV9jld4m93ZJe3LzyjrOUM7+pk3UzNAZu1IfUoy1L3J/VfehbBc7BmMy7
0AylJwuhNd3mlCe3Vl0VgCG/qC/hjX+860QY9CWb411Nstc+pyjcqw==
=JdSr
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
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=AsFg
-----END PGP PUBLIC KEY BLOCK-----

-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-teams" to first-majordomo@FIRST.ORG
-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+




Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: admin@skyway.ru
Received: (qmail 10901 invoked from network); 17 Nov 1997 01:01:34 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 17 Nov 1997 01:01:34 -0000
Received: by scylla.sovam.com id AA11171
  (5.67b8s3p1/IDA-1.5 for admin@skyway.ru); Mon, 17 Nov 1997 02:00:19 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA11003
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Mon, 17 Nov 1997 01:54:51 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id DAA27375
        for <mc@CONJURER.TYUMEN.RU.>; Mon, 17 Nov 1997 03:53:13 +0500 (ES)
Received: from unknown@netspace.org (port 29760 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <95923-1726>; Sun, 16 Nov 1997 15:21:12 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5686093 for BUGTRAQ@NETSPACE.ORG; Sun, 16 Nov 1997 15:20:10
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          PAA18814 for <BUGTRAQ@NETSPACE.ORG.>; Sun, 16 Nov 1997 15:09:45 -0500
Received: from unknown@netspace.org (port 29760 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <81511-1723>; Sun, 16 Nov 1997
          15:09:44 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from susan.cisco.com (jbash-pc-home.cisco.com [171.69.139.3]) by
          netspace.org (8.8.7/8.8.2) with SMTP id MAA04660 for
          <bugtraq@netspace.org.>; Sun, 16 Nov 1997 12:19:11 -0500
Received: (qmail 8996 invoked by uid 1225); 16 Nov 1997 17:16:05 -0000
Message-Id: <19971116171605.8994.qmail@susan.cisco.com.>
Date: 	Sun, 16 Nov 1997 09:16:05 -0800
Reply-To: John Bashinski <jbash@CISCO.COM.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: John Bashinski <jbash@CISCO.COM.>
Subject:      CORRECTED Preliminary Notice: Cisco LocalDirector enable password
              loss
X-To:         cisco@spot.colorado.edu, first-teams@first.org
X-Cc:         field-alert-ext@cisco.com
To: BUGTRAQ@NETSPACE.ORG
Status:   
X-PMFLAGS: 33554560 0

The version I just sent out was a draft; I sent it by mistake. It contains
no factual errors that I know of, but differs slightly in its
recommendations and administrative information. Please use the attached
version instead.

                                        -- John B.


-----BEGIN PGP SIGNED MESSAGE-----

Preliminary Notice:
Cisco LocalDirector Enable Password Loss

November 16, 1997, 09:00 AM US/Pacific, Revision 2

- ------------------------------------------------------------------------


This is a preliminary notice describing a security problem about which there
has been customer concern. Cisco does not yet have full information about
this problem. Customers should use great caution in relying on the
information in this notice.

Summary

At least two customers have reported failures in the enable password
mechanism in version 1.6.3 of Cisco's LocalDirector product. Affected
systems allow users to enter privileged mode without providing the correct
enable password; any string will suffice as a password. This applies only to
the privileged-mode enable password; the TELNET access password does not
appear to be affected.

The failure has been reproduced in Cisco's laboratory, but only once.
Unfortunately the problem was reproduced only in the most preliminary stages
of Cisco's investigation. The conditions under which the failure occurs are
not known in detail.

Based on the information presently available, the source of the problem
seems to be that the LocalDirector "forgets" its configured enable password
upon being upgraded to version 1.6.x from an older software version. A
LocalDirector without a configured enable password still does prompt for a
password, even though that password is not checked. This means that the
system's administrator may not notice that the password has been lost for
quite some time, if ever.

Who is Affected

All LocalDirector customers should check to see that their enable passwords
are being enforced properly. Use the "enable" command to enter privileged
mode, and give an invalid password. If the invalid password is accepted, you
are affected.

If the invalid password is not accepted, you are not affected at present...
but bear in mind that we do not yet fully understand the conditions under
which passwords are lost. Until the problem is better understood, we suggest
that all LocalDirector customers, and especially all LocalDirector 1.6.3
customers, take special precautions as outlined in the "Workarounds" section
below.

This problem probably affects all 1.6.x versions of the LocalDirector
software. However, version 1.6.3 is the only 1.6.x version that has been
released to Cisco's general customer base, and Cisco discourages the use of
other 1.6.x versions because of possible software instability.

Because the LocalDirector code is almost entirely separate from the code
used in other Cisco products, it is extremely unlikely that any product
other than the LocalDirector is affected. Classic IOS, as used on Cisco
routers, shares absolutely no password or configuration management code with
the LocalDirector, and is therefore definitely not affected. WANBU and WBU
products, including Catalyst switches and FastPacket switches, are likewise
definitely not affected.

Impact

Any person who can log into an affected LocalDirector via TELNET or over its
console port can reconfigure or shut down the LocalDirector.

Workarounds

Cisco recommends that customers take the following steps:

  1. Consider putting off any software upgrades to version 1.6.3 that may be
     scheduled for the week of November 17, 1997, pending new information.
     We hope to have better information within a few working days.
  2. Check to make sure that enable passwords are being enforced by all
     LocalDirectors. If you find that a LocalDirector is not enforcing its
     enable password, changing the password using the "enable password"
     configuration command should reactivate the password. Remember to save
     the new password using the "write memory" command. Recheck password
     enforcement after any software upgrade or downgrade.
  3. Make sure that you have configured a TELNET access password for your
     LocalDirector using the "password" configuration command. If you're not
     sure of the secrecy of your TELNET password, consider changing it. If
     you allow unprivileged TELNET access by users who should not have
     privileged access, consider denying those users access temporarily by
     changing the TELNET password.
  4. Consider disabling TELNET access altogether, and/or using firewalling
     devices to block TELNET access from untrusted hosts, and/or restricting
     access from remote hosts using the address-and-mask feature of the
     LocalDirector "telnet" configuration command.
  5. If you have a dialin modem connected to your LocalDirector's console
     port, or if you have the console port connected to a network device
     that allows remote access, either disconnect the console or protect it
     using the authentication features of the modem or network device to
     which it is connected.

Exploitation and Public Announcements

Cisco has had no reports of malicious exploitation of this vulnerability.

This vulnerability was first brought to Cisco's attention by a public
announcement on the "bugtraq@netspace.org" mailing list on Thursday,
November 13, 1997. There has been some subsequent discussion on that mailing
list.

Future Work and Updates

Cisco will continue working to characterize this problem and to produce a
software fix. Updated versions of this notice will be posted on Cisco's
Worldwide Web site as more information becomes available.  We hope to have
more information by 17:00 US/Pacific time on Monday, November 17, 1997, but
because of the unknown nature of the problem, we can make no guarantees.

Distribution of this Notice

This notice is being sent to the following Internet mailing lists and
newsgroups:

   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)


Updates will be sent to some or all of these, as appropriate.

This notice will be posted in the "Field Notices" section of Cisco's
Worldwide Web site, which can be found under "Technical Tips" in the
"Service and Support" section. The copy on the Worldwide Web will be
updated as appropriate. For this notice only, Web posting is likely to lag
somewhat behind e-mail.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNG8ptwyPsuGbHvEpAQGyZQf/R3gvG/Gr60i67uG9uYQU5yfrZ05UYPxK
EYbC3pNnV0Uf3jHq4PChGTV46ipnw4FHSzwzXsEGNNZ0NKgB+8h+BCTaquNoEqOC
QXvcayjyqtlXjEmuzBMMaBufsv15/YZfouowCT49BVvV8tCDe1/VEimAUqshxGz4
L/EXL4jLgenjMVpsAD2uggXJ0iOyPmbEgGqsgW9zXd7hMvYVwbO/7sAgHe5v5vrE
RzfcKTv0l+Ap+qJdKGJO5cVVzohujohwm6BEn8Zo5fR7B3NkYEOzPFJXMv1Q1Fw7
u2diNcit2lZ5a+GGk1KFB/axRnpH8FIm2riLqYbxHJKRYrGA1L+xcg==
=BLSY
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
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=OrTt
-----END PGP PUBLIC KEY BLOCK-----
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: admin@skyway.ru
Received: (qmail 10902 invoked from network); 17 Nov 1997 01:01:35 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 17 Nov 1997 01:01:35 -0000
Received: by scylla.sovam.com id AA11165
  (5.67b8s3p1/IDA-1.5 for admin@skyway.ru); Mon, 17 Nov 1997 02:00:18 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA11018
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Mon, 17 Nov 1997 01:56:13 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id DAA27393
        for <mc@CONJURER.TYUMEN.RU.>; Mon, 17 Nov 1997 03:55:48 +0500 (ES)
Received: from unknown@netspace.org (port 29760 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97405-1726>; Sun, 16 Nov 1997 15:27:59 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5686110 for BUGTRAQ@NETSPACE.ORG; Sun, 16 Nov 1997 15:24:16
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          PAA18816 for <BUGTRAQ@NETSPACE.ORG.>; Sun, 16 Nov 1997 15:09:46 -0500
Received: from unknown@netspace.org (port 29760 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <81365-1723>; Sun, 16 Nov 1997
          15:09:44 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from susan.cisco.com (jbash-pc-home.cisco.com [171.69.139.3]) by
          netspace.org (8.8.7/8.8.2) with SMTP id MAA03798 for
          <bugtraq@netspace.org.>; Sun, 16 Nov 1997 12:09:10 -0500
Received: (qmail 8935 invoked by uid 1225); 16 Nov 1997 17:06:03 -0000
Message-Id: <19971116170603.8933.qmail@susan.cisco.com.>
Date: 	Sun, 16 Nov 1997 09:06:02 -0800
Reply-To: John Bashinski <jbash@CISCO.COM.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: John Bashinski <jbash@CISCO.COM.>
Subject:      Preliminary Notice: Cisco LocalDirector enable password loss
X-To:         cisco@spot.colorado.edu, first-teams@first.org
X-Cc:         field-alert-ext@cisco.com
To: BUGTRAQ@NETSPACE.ORG
Status:   
X-PMFLAGS: 33554560 0

-----BEGIN PGP SIGNED MESSAGE-----

Preliminary Notice:
Cisco LocalDirector Enable Password Loss

November 15, 1997, 09:00 AM US/Pacific, Revision 1
- ------------------------------------------------------------------------

This is a preliminary notice describing a security problem about which there
has been customer concern. Cisco does not yet have full information about
this problem. Customers should use great caution in relying on the
information in this notice.

Summary
- -----
At least two customers have reported failures in the enable password
mechanism in version 1.6.3 of Cisco's LocalDirector product. Affected
systems allow users to enter privileged mode without providing the correct
enable password; any string will suffice as a password. This applies only to
the privileged-mode enable password; the TELNET access password does not
appear to be affected.

The failure has been reproduced in Cisco's laboratory, but not consistently.
The conditions under which the failure occurs are not known in detail.

Based on the information presently available, the source of the problem
seems to be that the LocalDirector "forgets" its configured enable password
upon being upgraded to version 1.6.x from an older software version. A
LocalDirector without a configured enable password still does prompt for a
password, even though that password is not checked. This means that the
system's administrator may not notice that the password has been lost for
quite some time, if ever.

Who is Affected
- -------------
All LocalDirector customers should check to see that their enable passwords
are being enforced properly. Use the "enable" command to enter privileged
mode, and give an invalid password. If the invalid password is accepted, you
are affected.

If the invalid password is not accepted, you are not affected at present...
but bear in mind that we do not yet fully understand the conditions under
which passwords are lost. Until the problem is better understood, we suggest
that all LocalDirector customers, and especially all LocalDirector 1.6.3
customers, take special precautions as outlined in the "Workarounds" section
below.

This problem probably affects all 1.6.x versions of the LocalDirector
software. However, version 1.6.3 is the only 1.6.x version that has been
released to Cisco's general customer base.

Because the LocalDirector code is almost entirely separate from the code
used in other Cisco products, it is extremely unlikely that any product
other than the LocalDirector is affected. Classic IOS, as used on Cisco
routers, shares absolutely no password or configuration management code with
the LocalDirector, and is therefore definitely not affected. Catalyst
switches and FastPacket switches are likewise definitely not affected.

Impact
- ----
Any person who can log into an affected LocalDirector via TELNET or over its
console port can reconfigure or shut down the LocalDirector.

Workarounds
- ---------
Cisco recommends that customers take the following steps:

  1. Consider postponing any scheduled software upgrades to version 1.6.3.
  2. Check to make sure that enable passwords are being enforced by all
     LocalDirectors. If you find that a LocalDirector is not enforcing its
     enable password, changing the password using the "enable password"
     configuration command should reactivate the password. Remember to save
     the new password using the "write memory" command. Recheck password
     enforcement after any software upgrade or downgrade.
  3. Make sure that you have configured a TELNET access password for your
     LocalDirector using the "password" configuration command. If you're not
     sure of the secrecy of your TELNET password, consider changing it. If
     you allow unprivileged TELNET access by users who should not have
     privileged access, consider denying those users access temporarily by
     changing the TELNET password.
  4. If you have a dialin modem connected to your LocalDirector's console
     port, or if you have the console port connected to a network device
     that allows remote access, either disconnect the console or protect it
     using the authentication features of the modem or network device to
     which it is connected.
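As an added illustration (example code, not LocalDirector or Cisco code) of the failure mode described above and of the enforcement check from the "Who is Affected" section: a fail-open enable check that prompts but accepts any string when no password is configured, beside a fail-closed variant. The storage format, PBKDF2 parameters and helper names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16
# Deliberately wrong answer offered during the enforcement self-test.
WRONG_PASSWORD = "this-is-not-the-enable-password"


def legacy_enable_check(configured: Optional[str], supplied: str) -> bool:
    """Models the reported failure: with no enable password configured the
    prompt is still shown, but the answer is never compared, so any string
    (including an empty one) grants privileged mode."""
    if configured is None:
        return True  # fail-open: nothing to compare against, so accept
    return configured == supplied


def store_enable_password(password: str) -> bytes:
    """Constructed storage format: 16-byte random salt || PBKDF2-HMAC-SHA256."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def hardened_enable_check(stored: Optional[bytes], supplied: str) -> bool:
    """Fail-closed variant: a missing or malformed credential record means no
    privilege at all, and the comparison runs in constant time."""
    if stored is None or len(stored) <= SALT_LEN:
        return False  # fail-closed: refuse until a password is configured
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_is_enforced(check: Callable[..., bool], stored) -> bool:
    """The test from the "Who is Affected" section, automated: offer a wrong
    password and confirm it is rejected. True means enforcement is working;
    False means the box is in the "any string will suffice" state."""
    return not check(stored, WRONG_PASSWORD)


if __name__ == "__main__":
    record = store_enable_password("s3cret")  # constructed sample credential
    print("legacy, no password set, enforced:", password_is_enforced(legacy_enable_check, None))
    print("hardened, no password set, enforced:", password_is_enforced(hardened_enable_check, None))
    print("hardened, password set, enforced:", password_is_enforced(hardened_enable_check, record))
```

Recheck after every upgrade or downgrade, as the notice advises: the self-test is the same "give an invalid password" probe, run from code instead of by hand.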

Exploitation and Public Announcements
- -----------------------------------
Cisco has had no reports of malicious exploitation of this vulnerability.

This vulnerability was first brought to Cisco's attention by a public
announcement on the "bugtraq@netspace.org" mailing list on Thursday,
November 13. There has been some subsequent discussion on that mailing list.

Future Work and Updates
- ---------------------
Cisco will continue working to characterize this problem and to produce a
software fix. Updated versions of this notice will be posted on Cisco's
Worldwide Web site as more information becomes available.

Distribution of this Notice
- -------------------------
This notice is being sent to the following Internet mailing lists and
newsgroups:

   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)


Updates will be sent to some or all of these, as appropriate.

This notice will be posted in the "Field Alerts" section of Cisco's
Worldwide Web site. The copy on the Worldwide Web will be updated as
appropriate.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.

Approved-By: aleph1@UNDERGROUND.ORG
Message-Id: <19971114150231.7433.qmail@susan.cisco.com.>
Date: 	Fri, 14 Nov 1997 07:02:30 -0800
Reply-To: John Bashinski <jbash@CISCO.COM.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: John Bashinski <jbash@CISCO.COM.>
Subject:      Re: What to do when you forget your cisco LD password...
X-To:         Dustin Sallings <dustin@spy.net.>
X-Cc:         cs-security@cisco.com, eck@cisco.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "14 Nov 1997 01:37:50 GMT."
              <ML-3.3-SPY.879471470.6838.dustin@bleu.west.spy.net.>

>         If you're like me, you've got a lot of passwords to remember, and
> sometimes, well, we forget.  There's good news, though!  For a limited time
> only, you can enable on your cisco LocalDirector with the magic ^C password.
>
>         I noticed this on a 1.6.3 LocalDirector where I mistyped the enable
> password by mistake and hit ^C to start over, but I didn't have to, took me
> right in, and let me make my configuration changes.  Later experimentation
> showed that you don't even have to type in a partially invalid password, ^C
> alone seems to do the trick in all cases we tried.

I am not a LocalDirector expert and don't have access to a test machine,
but I just checked this with the Those Who Know. I am informed that
control-C will work as an enable password only if you haven't actually
set a password. In fact, *any* string will work if you haven't set a
password. If you've set an enable password on the box, control-C will
not work. This was verified by testing on a 1.6.3 LocalDirector.

If control-C worked for you on a machine with a password properly set,
*please* contact me directly with details of how you configured it.

You're right, however, that you shouldn't let people you don't trust log
in to your equipment in the first place.

                                        -- John B.
Approved-By: aleph1@UNDERGROUND.ORG
X-Sender: lev@mail.apple.com
X-Mailer: Claris Emailer 2.0, March 15, 1997
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <199711171637.IAA30552@scv4.apple.com.>
Date: 	Mon, 17 Nov 1997 08:37:47 -0800
Reply-To: Lloyd Vancil <lev@apple.com.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Lloyd Vancil <lev@apple.com.>
Subject:      Re: Preliminary Notice: Cisco LocalDirector enable password loss
X-To:         John Bashinski <jbash@cisco.com.>
To: BUGTRAQ@NETSPACE.ORG

Being one of the customers involved in the below mentioned incident I
feel I must make a full confession ;)

Testing from the console and from a telnet session this morning shows
that the properly set and written to memory password appears secure.
None of my tests this morning succeeded in entering enable mode without a
full and valid password entry.  I do not know what state the device was
in when the attempt outlined below succeeded and I have not been able to
duplicate it without removing the password and writing to memory without
a password set.

I would like to thank Cisco and John for their quick attention to this
matter.  Cisco remains one of the most professional outfits out there.



Sincerely
Lloyd Vancil

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Preliminary Notice:
>Cisco LocalDirector Enable Password Loss
>
>November 15, 1997, 09:00 AM US/Pacific, Revision 1
>- ------------------------------------------------------------------------
>
>This is a preliminary notice describing a security problem about which there
>has been customer concern. Cisco does not yet have full information about
>this problem. Customers should use great caution in relying on the
>information in this notice.
>
>Summary
>- -----
>At least two customers have reported failures in the enable password
>mechanism in version 1.6.3 of Cisco's LocalDirector product. Affected
>systems allow users to enter privileged mode without providing the correct
>enable password; any string will suffice as a password. This applies only to
>the privileged-mode enable password; the TELNET access password does not
>appear to be affected.
>
>The failure has been reproduced in Cisco's laboratory, but not consistently.
>The conditions under which the failure occurs are not known in detail.
>
>Based on the information presently available, the source of the problem
>seems to be that the LocalDirector "forgets" its configured enable password
>upon being upgraded to version 1.6.x from an older software version. A
>LocalDirector without a configured enable password still does prompt for a
>password, even though that password is not checked. This means that the
>system's administrator may not notice that the password has been lost for
>quite some time, if ever.
>
>Who is Affected
>- -------------
>All LocalDirector customers should check to see that their enable passwords
>are being enforced properly. Use the "enable" command to enter privileged
>mode, and give an invalid password. If the invalid password is accepted, you
>are affected.
>
>If the invalid password is not accepted, you are not affected at present...
>but bear in mind that we do not yet fully understand the conditions under
>which passwords are lost. Until the problem is better understood, we suggest
>that all LocalDirector customers, and especially all LocalDirector 1.6.3
>customers, take special precautions as outlined in the "Workarounds" section
>below.
>
>This problem probably affects all 1.6.x versions of the LocalDirector
>software. However, version 1.6.3 is the only 1.6.x version that has been
>released to Cisco's general customer base.
>
>Because the LocalDirector code is almost entirely separate from the code
>used in other Cisco products, it is extremely unlikely that any product
>other than the LocalDirector is affected. Classic IOS, as used on Cisco
>routers, shares absolutely no password or configuration management code with
>the LocalDirector, and is therefore definitely not affected. Catalyst
>switches and FastPacket switches are likewise definitely not affected.
>
>Impact
>- ----
>Any person who can log into an affected LocalDirector via TELNET or over its
>console port can reconfigure or shut down the LocalDirector.
>
>Workarounds
>- ---------
>Cisco recommends that customers take the following steps:
>
>  1. Consider postponing any scheduled software upgrades to version 1.6.3.
>  2. Check to make sure that enable passwords are being enforced by all
>     LocalDirectors. If you find that a LocalDirector is not enforcing its
>     enable password, changing the password using the "enable password"
>     configuration command should reactivate the password. Remember to save
>     the new password using the "write memory" command. Recheck password
>     enforcement after any software upgrade or downgrade.
>  3. Make sure that you have configured a TELNET access password for your
>     LocalDirector using the "password" configuration command. If you're not
>     sure of the secrecy of your TELNET password, consider changing it. If
>     you allow unprivileged TELNET access by users who should not have
>     privileged access, consider denying those users access temporarily by
>     changing the TELNET password.
>  4. If you have a dialin modem connected to your LocalDirector's console
>     port, or if you have the console port connected to a network device
>     that allows remote access, either disconnect the console or protect it
>     using the authentication features of the modem or network device to
>     which it is connected.
>
>Exploitation and Public Announcements
>- -----------------------------------
>Cisco has had no reports of malicious exploitation of this vulnerability.
>
>This vulnerability was first brought to Cisco's attention by a public
>announcement on the "bugtraq@netspace.org" mailing list on Thursday,
>November 13. There has been some subsequent discussion on that mailing list.
>
>Future Work and Updates
>- ---------------------
>Cisco will continue working to characterize this problem and to produce a
>software fix. Updated versions of this notice will be posted on Cisco's
>Worldwide Web site as more information becomes available.
>
>Distribution of this Notice
>- -------------------------
>This notice is being sent to the following Internet mailing lists and
>newsgroups:
>
>   * cisco@spot.colorado.edu
>   * comp.dcom.sys.cisco
>   * bugtraq@netspace.org
>   * first-teams@first.org (includes CERT/CC)
>
>Updates will be sent to some or all of these, as appropriate.
>
>This notice will be posted in the "Field Alerts" section of Cisco's
>Worldwide Web site. The copy on the Worldwide Web will be updated as
>appropriate.
>
>This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
>redistributed freely provided that redistributed copies are complete and
>unmodified, including all date and version information.
>


-------------------------------------------------------------
* Why is 'abbreviation' such a long word?
-------------------------------------------------------------
                lev@apple.com
Approved-By: aleph1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.3.96.971121003203.4236B-100000@jupiter.caffrey.net.>
Date: 	Fri, 21 Nov 1997 00:38:10 -0600
Reply-To: Eric Thacker <eric@CAFFREY.NET.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Eric Thacker <eric@CAFFREY.NET.>
Subject:      Land and Cisco Routers.
To: BUGTRAQ@NETSPACE.ORG

I just tested land.c on a cisco 753 router running version 4.0 of the os.
It DID freeze the router when I hit it on port 23.  The router wasn't able
to reach the internal lan or the wan and some lights on the front of the
router were frozen also.  I couldn't ping or telnet to the router, the
only way to restart it is a hard reboot.

If anyone knows if this also affects larger cisco routers (1000 series
through 7500) let me know or post it back here on bugtraq.  As you can
see, there is a great potential of damage using this bug seeing as many of
the internet backbones are made up of cisco routers.

Eric Thacker              |   -= Stupid unix command #47 =-
System Administrator      |     $ drink < bottle; opener
Caffrey/Digilink Networks |     bottle: cannot open
eric@caffrey.net          |     opener: not found
Approved-By: aleph1@UNDERGROUND.ORG
Message-Id: <19971122185537.5608.qmail@susan.cisco.com.>
Date: 	Sat, 22 Nov 1997 10:55:37 -0800
Reply-To: John Bashinski <jbash@CISCO.COM.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: John Bashinski <jbash@CISCO.COM.>
Subject:      Updated notice on Cisco and land.c
X-To:         cisco@spot.colorado.edu, first-teams@first.org, nanog@merit.edu
X-Cc:         ahh@cisco.com, billw@cisco.com, ce-group@cisco.com,
              dslice@cisco.com, dweather@cisco.com, field-alert-ext@cisco.com,
              hyen@cisco.com, kai@cisco.com, psirt@cisco.com, psiac@cisco.com,
              ricarlso@cisco.com, ruwhite@cisco.com, sales-eng@cisco.com,
              trhall@cisco.com, wtsao@cisco.com
To: BUGTRAQ@NETSPACE.ORG

This is an update to the previous notice. I originally planned just to have
this updated on the Web site and to post a pointer to the updated Web page,
but the Web posting seems to be taking a really long time, and I don't want
to delay the notice any longer. This version will eventually (probably by the
time most of you read this) be posted at

   http://www.cisco.com/warp/public/770/land-pub.shtml

That URL will be updated with future versions. We probably won't send the
whole text out again.

Important differences between this notice and the last one:

   o There are definitely versions of classic Cisco IOS software that are
     badly affected by the land.c attack.

   o The notice contains detailed information about which IOS versions are
     affected.

   o Catalyst 5000s, and probably other Catalyst switches, are affected.

   o Various editing and advice changes... nothing really substantive.

                                -- John B.


-----BEGIN PGP SIGNED MESSAGE-----

Field Notice:
TCP loopback DoS Attack (land.c) and Cisco Devices

November 22, 1997, 08:00 AM US/Pacific, Revision 2

Summary
=======

Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.

Classic Cisco IOS software (used on Cisco routers with product numbers greater than 1000, on the CGS/MGS/AGS+, and on the CS-500) is vulnerable to this attack, depending on the software version. See the section on "Affected Cisco IOS Software Versions" in this document for information on affected versions.

Cisco IOS/700 software (used on Cisco 7xx routers) is also vulnerable. The 7xx vulnerability is more devastating than the classic Cisco IOS software vulnerability, but probably less dangerous for most customers, since firewalls separate most 7xx routers from the Internet.

Cisco Catalyst 5000 LAN switches are vulnerable. Other Cisco Catalyst LAN switches are probably also vulnerable.

The PIX firewall does not appear to be affected. Initial testing of the Centri firewall tends to indicate that it is not affected.

We're working on characterizing other products' vulnerability to attack. Updates will be issued as information becomes available.

Who is Affected
===============

All Cisco IOS/700 software and Cisco Catalyst systems that can be reached via TCP from untrusted hosts are affected. Cisco IOS software systems that are running vulnerable versions and that can be reached via TCP from untrusted hosts are affected. In all cases, the TCP ports reachable by the attack must be ports on which services are actually being provided (such as the TELNET port, for most systems).

The attack requires spoofing the target's own address, so systems behind effective anti-spoofing firewalls are safe.

Impact
======

This vulnerability allows attackers to deny service to legitimate users and to administrators. Recovery may require physically visiting the affected hardware. Appropriate firewalls can block this attack.

Classic Cisco IOS Software
- ------------------------

Classic Cisco IOS software versions fall into three groups in terms of vulnerability. Highly vulnerable releases may hang indefinitely, requiring hardware resets, when attacked. Moderately vulnerable releases will not accept any new TCP connections for about 30 seconds after receiving an attack packet, but will recover and will continue to forward packets. Largely invulnerable releases will continue to operate normally with negligible performance impact. See the section "Affected Cisco IOS Software Versions" in this document for information on exactly which versions are affected.

A configuration workaround for classic Cisco IOS software can prevent the problem entirely, subject to performance restrictions, for any version from 9.21 onward.

Cisco has already released software fixes that protect some Cisco IOS software versions, and plans to release those fixes for other affected versions.

Cisco IOS/700 Software and 7xx Systems
- ------------------------------------

Cisco 7xx systems subjected to the attack will hang indefinitely and must be physically reset. A configuration workaround for Cisco IOS/700 software can prevent the problem entirely. Cisco plans to release a software fix for this problem.

Cisco Catalyst LAN Switches
- -------------------------

Cisco Catalyst switches subjected to the attack will hang indefinitely and must be reset. Not all Catalyst products have been tested, but this is definitely true of the Catalyst 5000 series, and is expected to be true of all Catalyst switches. The only workaround is to remove the IP address from the Catalyst switch, or to protect the switch by firewalling it using router access lists or dedicated firewall products. Cisco plans to release a software fix for this problem.

Other Cisco Products
- ------------------

Initial tests indicate that the PIX firewall is not vulnerable to this attack. Tests have been conducted with versions 4.1.3.245 and 4.0.7.

Initial tests indicate that the Centri firewall (build 4.110) is not vulnerable to this attack with no exposed services configured. We have not yet tested the Centri product with exposed services.

Cisco IOS Software Details
==========================

Affected Cisco IOS Software Versions and Software Upgrades
- --------------------------------------------------------

There are two bugs that make Cisco IOS software vulnerable to this attack. Fixes exist in the field for both bugs. Bug ID CSCdi71085 makes systems highly vulnerable to the attack. Bug ID CSCdi87533 makes systems moderately vulnerable.

Bug ID CSCdj61324 is a newly-created bug ID that is being used as a tag for integration of the fix for CSCdi87533, plus a largely cosmetic change that prevents even the temporary creation of a half-open connection. The fix for CSCdj61324 has not yet been integrated into any released code, but is not necessary if the fix for CSCdi87533 is present.

CSCdi71085 and CSCdj87533 divide Cisco IOS software versions into three vulnerability classes.

Versions that do not have the fix for bug ID CSCdi71085 are highly vulnerable, and may hang indefinitely, requiring hardware resets, when attacked. This includes all releases before release 10.3, as well as early 10.3, 11.0, 11.1, and 11.2 versions.

Versions in which CSCdi71085 has been fixed, but in which CSCdi87533 is still present, are moderately vulnerable to the attack. These versions will not accept any new TCP connections for about 30 seconds after any attack packet is received, but will not hang completely, will continue to forward packets without interruption, and will recover with no long-term effects. CSCdi87533 has thus far been fixed only in 11.2-based releases; the fix was integrated in 11.2(3.4), 11.2(3.4)F, and 11.2(3.4)P.

Versions in which both CSCdi71085 and CSCdi87533 have been fixed are largely invulnerable to this attack. These versions will create half-open TCP connections upon receiving attack packets, but will continue to accept legitimate TCP connections, and will delete the half-open connections within about 30 seconds. The performance impact of such a half-open connection during its lifetime is believed to be negligible.

Future versions in which CSCdj61324 has been fixed will be invulnerable to the attack, and will not create half-open connections in response to attack packets. We believe the security advantage of the CSCdj61324 fix over the CSCdj87533 fix to be negligible; CSCdj61324 is largely a placeholder to be used for integrating fixes in future non-11.2 releases.

If you believe that there is any possibility of hostile attack against your system, and if you cannot protect yourself using the configuration workaround given above, we strongly recommend that you upgrade to a version containing the fix for CSCdi71085, since the impact of CSCdi71085 under this attack is very high. The fix for CSCdi71085 is available for releases based on 10.3, 11.0, 11.1, and 11.2, and has been in the field for quite some time. Users of 11.2-based releases should upgrade to post-11.2(4) versions, thereby getting the fix for CSCdi87533 as well.

Cisco intends to release fixes for CSCdj61324 (equivalent to CSCdi87533) on non-11.2 releases. The timetable for releasing these fixes has not yet been set.

At the time of this writing, the following releases are recommended:

   Base Release   First released versions with all   Recommended for most
                  existing fixes (* = fix for        installations
                  CSCdi87533)
   ------------   ------------------------------     --------------------
   10.3           10.3(16)                           10.3(19a)
   11.0           11.0(12), 11.0(12a)BT              11.0(17), 11.0(17)BT
   11.1           11.1(7), 11.1(7)AA, 11.1(7)CA,     11.1(15), 11.1(15)AA,
                  11.1(9)IA                          11.1(15)CA, 11.1(15)IA
   11.2           11.2(4)*, 11.2(4)F*, 11.2          11.2(10), 11.2(9)P,
                                                     11.2(4)F1
   Before 10.3    End of engineering                 10.3(19a)

As with any software upgrade, you should make sure your system configuration is supported by the new software before upgrading. It's especially important to make sure that your system has sufficient memory to support the new software. Upgrade planning assistance is available from Cisco's Worldwide Web site at http://www.cisco.com/.

Workaround for Classic Cisco IOS Software
- ---------------------------------------

Classic Cisco IOS software users can use input access lists on their interfaces to prevent the attack packets from entering their TCP stacks. Input access lists are available in all Cisco IOS software versions from 9.21 onward.

Using an input access list will prevent the attack entirely, but may have unacceptable performance impacts on heavily loaded high-end routers. Traffic will still be fast-switched, but higher-speed switching modes may be disabled by the use of the input access lists. Use care in deploying this workaround on heavily loaded routers.

If you have no existing input access lists, create a new IP extended access list. Use a presently-unused number between 100 and 199. The access list must have an entry for each IP address configured on the system. Deny packets from each address to itself. For example:

   access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
   access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
   access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

If you have existing access lists, you'll need to merge the new entries in an appropriate way, generally at the top of the list.

The access list should be applied incoming on all interfaces, so a fragment of a total router configuration might look like this:

   interface ethernet 0
   ip address 1.2.3.4 255.255.255.0
   ip access-group 101 in
   !
   interface ethernet 1
   ip address 5.6.7.8
   ip access-group 101 in
   !
   access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
   access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
   access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Cisco IOS/700 Software Details
==============================

All Cisco IOS/700 software versions are vulnerable to this attack. Cisco plans to release a software fix. The time of release has not been set.

Workaround for Cisco IOS/700
- --------------------------

Add the following configuration command to any profile that may be active when connected to a potentially hostile network:

   set ip filter tcp in source <7xx IP address> destination <7xx IP address> block

This will completely protect the 7xx system. We believe that 7xx configurations in which this command has unacceptable performance or other impact are extremely rare if they exist at all.

Cisco Catalyst LAN Switch Details
=================================

Cisco Catalyst 5000 LAN switches are vulnerable to attack. Other Cisco Catalyst LAN switches are believed to be vulnerable. Cisco plans to release software fixes for the vulnerability. The time of release has not been set.

The attack may be avoided by not assigning an IP address to the Catalyst switch. However, this has the effect of disabling all remote management. Depending on its location in the network, it may be possible to protect the switch with router access lists or dedicated firewalls. An example of an appropriate Cisco router access list entry for specifically protecting an individual switch would be:

   access-list 101 deny ip <switch-address> 0.0.0.0 <switch-address> 0.0.0.0

Note that this is not a complete access list. Other, more general filters are feasible.

Using Cisco Products to Protect Other Systems
=============================================

We do not believe that this attack can be used against systems behind our dedicated firewall products, the PIX and Centri firewalls, unless general-purpose tunnels have been enabled through the firewalls. Such configurations are not recommended and we believe them to be uncommon.

Properly designed anti-spoofing access lists at border routers can be used to prevent the attack from entering a private network from the Internet. Use the access lists to filter out packets whose IP source addresses are on your internal net, but which are arriving from interfaces connected to the outside Internet.

Exploitation and Public Announcements
=====================================

Cisco has had multiple reports of this vulnerability. Most exploitation seems to be using the original program, which sends one packet at a time. Floods of invalid packets have not been reported.

This issue has been widely discussed in a variety of Internet forums. Exploitation code is widely available to the public.

Cisco first heard of this problem on the morning of Friday, November 21.

Distribution of this Notice
===========================

This notice is being sent to the following Internet mailing lists and newsgroups:

   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * nanog@merit.edu

Updates will be sent to some or all of these, as appropriate.

This notice will be posted in the "Field Notices" section of Cisco's Worldwide Web site, which can be found under "Technical Tips" in the "Service and Support" section. The URL will be

   http://www.cisco.com/warp/public/770/land-pub.shtml

The copy on the Worldwide Web will be updated as appropriate.

Cisco Security Procedures
=========================
Please report security issues with Cisco products to security-alert@cisco.com.

Revision History
================

   Revision 1, 14:00, 21-NOV-1997   Initial revision

   Revision 2, 08:00, 22-NOV-1997   Add information about highly vulnerable
                                    IOS versions. Add detailed information
                                    about affected version numbers. Add
                                    specific bug IDs. Add upgrade
                                    recommendations. Add first information
                                    about Catalyst LAN switches. General
                                    editing and reformatting.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
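The workaround above depends on three facts about IOS extended access lists: entries are checked in order and the first match wins, a wildcard mask of 0.0.0.0 means "this exact host" while 255.255.255.255 means "any", and a packet matching no entry is dropped by the implicit deny at the end. The following Python is an added example (not from the notice and not Cisco software) that models those rules offline and checks that the notice's list 101 denies a self-addressed TCP packet for every configured interface address; the one-entry "incomplete" list, the client address 10.0.0.9 and the `host`/`any` keyword list are constructed for the check. Ports are not modelled, since the notice's entries do not use them.

```python
"""Offline check of a land.c workaround access list against IOS ACL semantics.

Added example, not part of the Cisco field notice. Models: first matching
entry wins; wildcard-mask bits set to 1 are "don't care"; unmatched packets
hit the implicit deny at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    proto: str           # "ip" (any protocol) or "tcp"
    src: IPv4Address
    src_wild: IPv4Address
    dst: IPv4Address
    dst_wild: IPv4Address


def _addr_and_wild(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Address(tokens[1]), IPv4Address("0.0.0.0"), tokens[2:]
    return IPv4Address(tokens[0]), IPv4Address(tokens[1]), tokens[2:]


def parse_acl(config_lines, number):
    """Collect the entries of extended access list `number`, in config order."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action, proto = tokens[2], tokens[3]
        src, src_wild, rest = _addr_and_wild(tokens[4:])
        dst, dst_wild, _ = _addr_and_wild(rest)
        entries.append(AclEntry(action, proto, src, src_wild, dst, dst_wild))
    return entries


def _matches(addr, pattern, wildcard):
    """IOS wildcard-mask match: a set wildcard bit means that bit is ignored."""
    mask = 0xFFFFFFFF ^ int(wildcard)
    return (int(addr) & mask) == (int(pattern) & mask)


def acl_verdict(entries, proto, src, dst):
    """Return 'permit' or 'deny' for a packet; implicit deny if nothing matches."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _matches(src, e.src, e.src_wild) and _matches(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def unprotected_interfaces(entries, interface_addrs):
    """Interface addresses for which a self-addressed TCP packet is still permitted."""
    return [a for a in interface_addrs if acl_verdict(entries, "tcp", a, a) == "permit"]


# The workaround exactly as given in the field notice (two interfaces).
NOTICE_ACL = [
    "access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0",
    "access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

# Constructed counter-example: an entry for only one of the two interfaces,
# which violates the notice's "an entry for each IP address" requirement.
INCOMPLETE_ACL = NOTICE_ACL[:1] + NOTICE_ACL[2:]

INTERFACES = ["1.2.3.4", "5.6.7.8"]   # addresses from the notice's config fragment

if __name__ == "__main__":
    good = parse_acl(NOTICE_ACL, 101)
    bad = parse_acl(INCOMPLETE_ACL, 101)
    print("notice ACL leaves unprotected:", unprotected_interfaces(good, INTERFACES))
    print("incomplete ACL leaves unprotected:", unprotected_interfaces(bad, INTERFACES))
    # Constructed client address: ordinary inbound TCP must still be permitted.
    print("telnet from 10.0.0.9 to 1.2.3.4:", acl_verdict(good, "tcp", "10.0.0.9", "1.2.3.4"))
```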
Date: Fri, 21 Nov 1997 14:38:14 -0800
From: John Bashinski <jbash@CISCO.COM.>
Subject: Field Notice: TCP loopback DoS Attack (land.c) and Cisco Devices
X-To: cisco@spot.colorado.edu, first-teams@first.org, nanog@merit.edu
To: BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----

Field Notice:
TCP loopback DoS Attack (land.c) and Cisco Devices

November 21, 1997, 14:00 AM US/Pacific, Revision 1
- --------------------------------------------------

Summary
- -----

Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.

Classic IOS software (used on Cisco routers with product numbers greater than 1000, on the CGS/MGS/AGS+, and on the CS-500) is moderately vulnerable to this attack. For some IOS versions, if the attack is launched against a TCP port that is actually listening (say the TELNET port), then invalid connection data will be created, preventing further legitimate connections for approximately 30 seconds. High CPU loads may result on some IOS versions. We observed a complete hang on one 11.5 system, but have been unable to reproduce that failure. Based on very preliminary data, the router's packet forwarding functions are not generally affected.

IOS/700 (used on Cisco 7xx routers) is also vulnerable. The 7xx vulnerability is more devastating than the classic IOS vulnerability, but probably less dangerous for most customers, since firewalls separate most 7xx routers from the Internet.

The PIX firewall does not appear to be affected. Initial testing of the Centri firewall tends to indicate that it is not affected.

We're working on characterizing other products' vulnerability to attack. Updates will be issued as information becomes available.

Who is Affected
- -------------

All IOS and IOS/700 systems that can be reached via TCP from untrusted hosts are affected, provided that the reachable TCP ports are ports on which IOS ordinarily provides service. The attack requires spoofing the target's own address, so systems behind effective anti-spoofing firewalls are safe.

Impact
- ----

Classic IOS systems may experience slowdowns while under active attack. On IOS software versions earlier than 11.2(4), new TCP connections will fail for a period of about 30 seconds after any attack packet is received. IOS versions later than 11.2(4), or that contain the fix for bug ID CSCdi87533, may experience slowdowns, but should continue to accept new TCP connections. Most IOS versions appear to recover completely within a few minutes of the attack stopping, but we have not yet fully characterized the effect on all IOS versions. One complete failure was observed; the version was 11.1(5).

A configuration workaround for classic IOS can prevent the problem entirely, subject to performance restrictions.

IOS/700 systems subjected to the attack will hang indefinitely and must be physically reset. A configuration workaround for IOS/700 can prevent the problem entirely.

Initial tests indicate that the PIX firewall is not vulnerable to this attack. Tests have been conducted with versions 4.1.3.245 and 4.0.7.

Initial tests indicate that the Centri firewall (build 4.110) is not vulnerable to this attack with no exposed service configured. We have not yet tested the Centri product with exposed services.

Workaround for Classic IOS
- ------------------------

Classic IOS users can use input access lists on their interfaces to prevent the attack packets from entering their TCP stacks. This will prevent the attack entirely, but may have unacceptable performance impacts on heavily loaded high-end routers. Traffic will still be fast-switched, but higher-speed switching modes may be disabled. It should be tried with care.

If you have no existing input access lists, create a new IP extended access list. Use a presently-unused number between 100 and 199. The access list must have an entry for each of the IP addresses configured on the system. Deny packets from each address to itself. For example:

   access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
   access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
   access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

If you have existing access lists, you'll need to merge the new entries in an appropriate way, generally at the top of the list.

The access list should be applied incoming on all interfaces, so a fragment of a total router configuration might look like this:

   interface ethernet 0
   ip address 1.2.3.4 255.255.255.0
   ip access-group 101 in
   !
   interface ethernet 1
   ip address 5.6.7.8
   ip access-group 101 in
   !
   access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
   access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
   access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Workaround for IOS/700
- --------------------

Add the following configuration command to any profile that may be active when connected to a potentially hostile network:

   set ip filter tcp in source <7xx IP address> destination <7xx IP address> block

Using Cisco Products to Protect Other Systems
- -------------------------------------------

We do not believe that this attack can be used against systems behind our dedicated firewall products, the PIX and Centri firewalls, unless general-purpose tunnels have been enabled through the firewalls.

Properly designed anti-spoofing access lists at border routers can be used to prevent the attack from entering a private network from the Internet. Use the access lists to filter out packets whose IP source addresses are on your internal net, but which are arriving from interfaces connected to the outside Internet.

Exploitation and Public Announcements
- -----------------------------------

Cisco has had multiple reports of this vulnerability. Most exploitation seems to be using the original program, which sends one packet at a time. Floods of invalid packets have not been reported.

This issue has been widely discussed in a variety of Internet fora.

Cisco first heard of this problem on the morning of Friday, November 21.

Distribution of this Notice
- -------------------------

This notice is being sent to the following Internet mailing lists and newsgroups:

   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * nanog@merit.edu

Updates will be sent to some or all of these, as appropriate.

This notice will be posted in the "Field Notices" section of Cisco's Worldwide Web site, which can be found under "Technical Tips" in the "Service and Support" section. The URL will be

   http://www.cisco.com/warp/public/770/land-pub.shtml

The copy on the Worldwide Web will be updated as appropriate.

Cisco Security Procedures
- -----------------------

Please report security issues with Cisco products to security-alert@cisco.com.

This notice is copyright 1997 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Date: Fri, 21 Nov 1997 17:01:28 +0200
From: Stefan Stefanov <stefan@NS.BIS.BG.>
Subject: land protection for cisco
To: BUGTRAQ@NETSPACE.ORG

hi.

Here is a simple protection against the land stuff for the cisco's. It's an extended ip access list that should be put on all the interfaces on the box.

   Extended IP Access list 105
   deny tcp host 111.111.111.111 host 111.111.111.111
   permit ip any any

where 111.111.111.111 is the interface's ip address. This should be put as an input access-group.

Or if you don't get it here's what to type on your cisco's console.

   rtr#config terminal
   rtr(config)#access-list 105 deny tcp 111.111.111.111 0.0.0.0 111.111.111.111 0.0.0.0
   rtr(config)#access-list 105 permit ip any any
   rtr(config)#interface ethernet 0
   rtr(config)#ip access-group 105 in
   rtr(config)#exit
   rtr(config)#interface serial 0
   rtr(config)#ip access-group 105 in

and so on for the rest of the interfaces... Replace 105 with a free extended access-list number.

I have tested it on our cisco 2511 and it works just ok.

Best regards,
Stefan Stefanov.

WWW: http://www.bis.bg/~stefan
E-mail: stefan@bis.bg
Message-Id: <3.0.2.32.19971121150453.007d68e0@earthlink.net.> Date: Fri, 21 Nov 1997 15:04:53 -0500 Reply-To: Richard Huddleston <huddler@EARTHLINK.NET.> Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.> From: Richard Huddleston <huddler@EARTHLINK.NET.> Subject: Re: land protection for cisco X-To: Stefan Stefanov <stefan@NS.BIS.BG.> To: BUGTRAQ@NETSPACE.ORG In-Reply-To: <Pine.LNX.3.96.971121165058.13689A-100000@ns.bis.bg.> Status: Minor corrections: 1) Each interface typically belongs to a distinct network, and therefore typically has a unique IP address. Setting up a SINGLE access-group, with the SINGLE address of one of your interfaces as its filtering rule, and then applying that SINGLE access-group to each of your interfaces (i.e., different IP addresses) won't work. (A router already implements such a "rule" by the very nature of what it does: by forwarding packets for a given address through the proper route, it does not forward packets through inappropriate routes. The access-group rule given would be vacuous for every interface except the one matching its IP address rule.) I'd suggest that you create an access-group for EACH interface, and then apply the appropriate one to the given interface. 2) If you're trying to protect internal devices, as well, you may as well go ahead and filter for the entire subnet with the access-group definition. That way, you'll nail both attempts to hit the router interface per se, and block attempts to get through to internal machines. ./R* At 05:01 PM 11/21/97 +0200, Stefan Stefanov wrote: >hi. > >Here is a simple protection against the land stuff for the cisco's. It's a >extended ip access list that should be put on all the intefaces on the >box. > >Extended IP Access list 105 >deny tcp host 111.111.111.111 host 111.111.111.111 >permit ip any any > >where 111.111.111.111 is the interface's ip address. This should be put >as >an input access-group. > >Or if you don't get it here's what to type on your cisco's console. 
> >rtr#config terminal >rtr(config)#access-list 105 deny tcp 111.111.111.111 0.0.0.0 111.111.111.111 0.0.0.0 >rtr(config)#access-list 105 permit ip any any >rtr(config)#interface ethernet 0 >rtr(config)#ip access-group 105 in >rtr(config)#exit >rtr(config)#interface serial 0 >rtr(config)#ip access-group 105 in > >and so on for the rest of the interfaces... Replace 105 with a free >extended access-list number. > >I have tested it on our cisco 2511 and it works just ok. > >Best regards, Stefan Stefanov. > >WWW: http://www.bis.bg/~stefan >E-mail: stefan@bis.bg > > -- Somewhere lurking in the Ort Cloud there's a fifty-mile-wide asteroid with our name on it. We deserve it. -- Alan C. Hines <ach@io.com.> huddler at earth link dot net 
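The following Python model is an added example; it is not part of either message above and not Cisco tooling. It encodes the two access-list designs from the thread (the single ACL naming one interface address, and one ACL per interface), evaluates constructed LAND packets against them on each interface, and renders the per-interface design as IOS numbered extended ACL lines. The interface names, the 192.0.2.0/24 LAN and 198.51.100.0/30 link addresses are assumptions. It also goes one step beyond the reply's second point: on the upstream interface it denies any packet claiming an inside source address, which is what catches a LAND packet aimed at a host behind the router, while leaving the /30 link itself unfiltered so the far end of the serial link can still talk to the router's own serial address.

```python
"""Model the inbound ACL designs discussed in the thread and check which
constructed LAND packets (source address == destination address) each one
blocks. An extended ACL matches on source/destination networks, so it can
only catch such packets for addresses it enumerates explicitly."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed topology (assumption, not from the thread): a LAN on Ethernet0
# and a point-to-point upstream link on Serial0.
INTERFACES = {
    "Ethernet0": ipaddress.ip_interface("192.0.2.1/24"),
    "Serial0": ipaddress.ip_interface("198.51.100.1/30"),
}
UPSTREAM = "Serial0"  # the interface facing the outside world


@dataclass(frozen=True)
class Ace:
    action: str  # "deny" | "permit"
    proto: str   # "tcp" | "ip"  ("ip" matches every protocol)
    src: IPv4Net
    dst: IPv4Net

    def matches(self, proto, src, dst):
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


def host(ip):
    return ipaddress.ip_network(f"{ip}/32")


def evaluate(acl, proto, src, dst):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            return ace.action
    return "deny"


def stefan_acl(one_address):
    """The first message's design: deny one router address to itself,
    permit everything else, and apply the same list on every interface."""
    return [Ace("deny", "tcp", host(one_address), host(one_address)),
            Ace("permit", "ip", ANY, ANY)]


def per_interface_acl(name):
    """The reply's design: one list per interface, denying that interface's
    own address to itself. Beyond the thread: on the upstream interface also
    deny any packet whose source lies in an inside subnet (anti-spoofing),
    which covers LAND packets aimed at hosts behind the router. The /30 on
    Serial0 is not denied subnet-to-subnet, because the link peer
    legitimately sends to the router's serial address."""
    own = INTERFACES[name].ip
    acl = [Ace("deny", "tcp", host(own), host(own))]
    if name == UPSTREAM:
        for other, iface in INTERFACES.items():
            if other != UPSTREAM:
                acl.append(Ace("deny", "ip", iface.network, ANY))
    acl.append(Ace("permit", "ip", ANY, ANY))
    return acl


def to_ios(number, acl):
    """Render entries in numbered extended-ACL syntax (wildcard masks)."""
    def addr(net):
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        if net.prefixlen == 0:
            return "any"
        return f"{net.network_address} {net.hostmask}"
    return [f"access-list {number} {a.action} {a.proto} {addr(a.src)} {addr(a.dst)}"
            for a in acl]


def ios_config(base=105):
    """Config fragment: a distinct ACL per interface, applied inbound."""
    lines = []
    for i, name in enumerate(INTERFACES):
        number = base + i
        lines += to_ios(number, per_interface_acl(name))
        lines += [f"interface {name}", f" ip access-group {number} in"]
    return lines


def land_test():
    """Return {design: {case: verdict}} for constructed packets."""
    eth, ser = INTERFACES["Ethernet0"].ip, INTERFACES["Serial0"].ip
    inside_host = ipaddress.ip_address("192.0.2.50")   # constructed LAN host
    peer = ipaddress.ip_address("198.51.100.2")        # constructed link peer
    cases = {  # arrival interface, protocol, source, destination
        "land_on_eth0_addr": ("Ethernet0", "tcp", eth, eth),
        "land_on_ser0_addr": ("Serial0", "tcp", ser, ser),
        "land_on_inside_host": ("Serial0", "tcp", inside_host, inside_host),
        "legit_peer_to_ser0": ("Serial0", "tcp", peer, ser),
    }
    single = stefan_acl(eth)  # the one address the single list names
    results = {"single_acl": {}, "per_interface": {}}
    for case, (iface, proto, src, dst) in cases.items():
        results["single_acl"][case] = evaluate(single, proto, src, dst)
        results["per_interface"][case] = evaluate(per_interface_acl(iface), proto, src, dst)
    return results


if __name__ == "__main__":
    print("\n".join(ios_config()))
    for design, verdicts in land_test().items():
        print(design, verdicts)
```

Running it shows the reply's first point concretely: the single list denies the LAND packet aimed at 192.0.2.1 but permits the one aimed at the serial address, because that address is never named in it. The per-interface lists deny both, deny the spoofed inside-source packet on Serial0, and still permit the link peer reaching the router's serial address.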
