Re: Preliminary Notice: Cisco LocalDirector enable password loss
Lloyd Vancil (lev@APPLE.COM)
Mon, 17 Nov 1997 08:37:47 -0800
- Next message: Michael Helm: "Re: solaris 251 & syslogd"
- Previous message: John McDonald: "DU V4.0 security hole (fwd)"
- Maybe in reply to: John Bashinski: "Preliminary Notice: Cisco LocalDirector enable password loss"
- Next in thread: Dustin Sallings: "Re: Preliminary Notice: Cisco LocalDirector enable password loss"
Being one of the customers involved in the below mentioned incident I feel I must make a full confession ;)

Testing from the console and from a telnet session this morning shows that the properly set and written to memory password appears secure. None of my tests this morning succeeded in entering enable mode without a full and valid password entry. I do not know what state the device was in when the attempt outlined below succeeded and I have not been able to duplicate it without removing the password and writing to memory without a password set.

I would like to thank Cisco and John for their quick attention to this matter. Cisco remains one of the most professional outfits out there.

Sincerely
Lloyd Vancil

>Preliminary Notice:
>Cisco LocalDirector Enable Password Loss
>
>November 15, 1997, 09:00 AM US/Pacific, Revision 1
>------------------------------------------------------------------------
>
>This is a preliminary notice describing a security problem about which there
>has been customer concern. Cisco does not yet have full information about
>this problem. Customers should use great caution in relying on the
>information in this notice.
>
>Summary
>-------
>At least two customers have reported failures in the enable password
>mechanism in version 1.6.3 of Cisco's LocalDirector product. Affected
>systems allow users to enter privileged mode without providing the correct
>enable password; any string will suffice as a password. This applies only to
>the privileged-mode enable password; the TELNET access password does not
>appear to be affected.
>
>The failure has been reproduced in Cisco's laboratory, but not consistently.
>The conditions under which the failure occurs are not known in detail.
>
>Based on the information presently available, the source of the problem
>seems to be that the LocalDirector "forgets" its configured enable password
>upon being upgraded to version 1.6.x from an older software version. A
>LocalDirector without a configured enable password still does prompt for a
>password, even though that password is not checked. This means that the
>system's administrator may not notice that the password has been lost for
>quite some time, if ever.
>
>Who is Affected
>---------------
>All LocalDirector customers should check to see that their enable passwords
>are being enforced properly. Use the "enable" command to enter privileged
>mode, and give an invalid password. If the invalid password is accepted, you
>are affected.
>
>If the invalid password is not accepted, you are not affected at present...
>but bear in mind that we do not yet fully understand the conditions under
>which passwords are lost. Until the problem is better understood, we suggest
>that all LocalDirector customers, and especially all LocalDirector 1.6.3
>customers, take special precautions as outlined in the "Workarounds" section
>below.
>
>This problem probably affects all 1.6.x versions of the LocalDirector
>software. However, version 1.6.3 is the only 1.6.x version that has been
>released to Cisco's general customer base.
>
>Because the LocalDirector code is almost entirely separate from the code
>used in other Cisco products, it is extremely unlikely that any product
>other than the LocalDirector is affected. Classic IOS, as used on Cisco
>routers, shares absolutely no password or configuration management code with
>the LocalDirector, and is therefore definitely not affected. Catalyst
>switches and FastPacket switches are likewise definitely not affected.
>
>Impact
>------
>Any person who can log into an affected LocalDirector via TELNET or over
>its console port can reconfigure or shut down the LocalDirector.
>
>Workarounds
>-----------
>Cisco recommends that customers take the following steps:
>
> 1. Consider postponing any scheduled software upgrades to version 1.6.3.
> 2. Check to make sure that enable passwords are being enforced by all
>    LocalDirectors. If you find that a LocalDirector is not enforcing its
>    enable password, changing the password using the "enable password"
>    configuration command should reactivate the password. Remember to save
>    the new password using the "write memory" command. Recheck password
>    enforcement after any software upgrade or downgrade.
> 3. Make sure that you have configured a TELNET access password for your
>    LocalDirector using the "password" configuration command. If you're not
>    sure of the secrecy of your TELNET password, consider changing it. If
>    you allow unprivileged TELNET access by users who should not have
>    privileged access, consider denying those users access temporarily by
>    changing the TELNET password.
> 4. If you have a dialin modem connected to your LocalDirector's console
>    port, or if you have the console port connected to a network device
>    that allows remote access, either disconnect the console or protect it
>    using the authentication features of the modem or network device to
>    which it is connected.
>
>Exploitation and Public Announcements
>-------------------------------------
>Cisco has had no reports of malicious exploitation of this vulnerability.
>
>This vulnerability was first brought to Cisco's attention by a public
>announcement on the "bugtraq@netspace.org" mailing list on Thursday,
>November 13. There has been some subsequent discussion on that mailing list.
>
>Future Work and Updates
>-----------------------
>Cisco will continue working to characterize this problem and to produce a
>software fix. Updated versions of this notice will be posted on Cisco's
>Worldwide Web site as more information becomes available.
>
>Distribution of this Notice
>---------------------------
>This notice is being sent to the following Internet mailing lists and
>newsgroups:
>
> * cisco@spot.colorado.edu
> * comp.dcom.sys.cisco
> * bugtraq@netspace.org
> * first-teams@first.org (includes CERT/CC)
>
>Updates will be sent to some or all of these, as appropriate.
>
>This notice will be posted in the "Field Alerts" section of Cisco's
>Worldwide Web site. The copy on the Worldwide Web will be updated as
>appropriate.
>
>This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
>redistributed freely provided that redistributed copies are complete and
>unmodified, including all date and version information.

-------------------------------------------------------------
* Why is 'abbreviation' such a long word?
-------------------------------------------------------------
lev@apple.com
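
The failure mode the quoted notice describes (a password lost on upgrade, a prompt that still appears, and input that is then not checked) can be modelled in a few lines, together with the notice's own invalid-password check. This is an added illustration, not part of the original message and not Cisco's code; the `Device` class, the `upgrade`, `password_enforced` and `remediate` helpers, and the `fail_closed` option are all hypothetical names and assumptions.

```python
import secrets

class Device:
    """Toy model (assumed, not LocalDirector code) of an 'enable' check."""
    def __init__(self, enable_password=None, fail_closed=False):
        self.enable_password = enable_password  # None = nothing configured
        self.fail_closed = fail_closed          # assumed hardened variant

    def enable(self, attempt):
        if self.enable_password is None:
            # Behaviour described in the notice: the prompt is still shown,
            # but with no password configured the input is not checked.
            # A fail-closed design refuses privileged mode instead.
            return not self.fail_closed
        return secrets.compare_digest(attempt.encode(),
                                      self.enable_password.encode())

def upgrade(device, keeps_password):
    """Model a software upgrade; keeps_password=False is the reported loss."""
    kept = device.enable_password if keeps_password else None
    return Device(kept, device.fail_closed)

def password_enforced(device):
    """The notice's check: offer an invalid password; acceptance = affected."""
    probe = "invalid-" + secrets.token_hex(8)   # random, so it cannot match
    return not device.enable(probe)

def remediate(device, new_password):
    """Workaround step 2: set the enable password again, then recheck."""
    device.enable_password = new_password  # 'enable password' + 'write memory'
    return password_enforced(device)

if __name__ == "__main__":
    box = upgrade(Device("constructed-secret"), keeps_password=False)
    print("enforced after upgrade:", password_enforced(box))
    print("enforced after reset:  ", remediate(box, "constructed-new-secret"))
```

Running the same check after every upgrade or downgrade, as the notice recommends, is what catches the silent loss; the prompt alone gives no indication.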