Advisory ID: cisco-sa-19971117-ld-pass
For Public Release 1997 November 17 17:00 UTC (GMT)
Vulnerability Scoring Details
Software Versions and Fixes
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Cisco Security Procedures
At least three customers have reported losing their enable passwords upon upgrading to version 1.6.3 of Cisco's LocalDirector product. Affected systems allow users to enter privileged mode without providing the correct enable password; any string will suffice as a password. This applies only to the privileged-mode enable password; the Telnet access password does not appear to be affected. The reported behavior was total loss of the configured enable password; the systems in question were simply left without enable passwords.
An earlier version of this notice attributed this to a possible software malfunction, and suggested that users refrain from upgrading to version 1.6.3, and that they disable Telnet access to their LocalDirectors by nonadministrative users.
Cisco has conducted an investigation, and now believes that the reported LocalDirector password losses were most probably caused by user error. Because a LocalDirector with no enable password set will still ask the user for a password, and will accept any string, any accidental loss of the enable password is likely to persist. Cisco will continue investigating this matter in order to make absolutely certain that the LocalDirector software does not lose passwords, but recommends that customers stand down from alert status and proceed cautiously with LocalDirector upgrades.
Cisco will modify the LocalDirector software to make it more difficult for users to lose their enable passwords without knowing it.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19971117-ld-pass.
This section provides details on affected products.
Although we believe that the reported incidents were probably caused by user error, such errors are easy to make. All LocalDirector customers should check to see that their enable passwords are being enforced properly. Use the enable command to enter privileged mode, and give an invalid password. If the invalid password is not accepted, you are not affected.
If the invalid password is accepted, make sure you have an enable password set, using the write terminal command. If your enable password appears as a string of zeroes followed by the word "encrypted", then you have no enable password set. If you have a password set, or if you are absolutely sure that you had a password that had been set and saved to the nonvolatile configuration, but that password has now disappeared without any intervention on your part, please contact Cisco Systems immediately via e-mail to "firstname.lastname@example.org."
In the unlikely event that there actually is a software error, that error probably affects all 1.6.x versions of the LocalDirector software. However, version 1.6.3 is the only 1.6.x version that has been released to Cisco's general customer base, and Cisco discourages the use of other 1.6.x versions because of possible software instability.
Because the LocalDirector code is almost entirely separate from the code used in other Cisco products, it is nearly impossible that any product other than the LocalDirector is affected by any software error, although of course user errors can happen with any product. Classic \cisco IOS, as used on Cisco routers, shares absolutely no password or configuration management code with the LocalDirector, and is therefore definitely not affected. WAN-BU and WBU products, including Catalyst switches and FastPacket switches, are likewise definitely not affected.
No other Cisco products are currently known to be affected by these vulnerabilities.
Cisco's investigation of this issue has included:
- Extensive and repeated attempts by independent groups in customer support and in software development to reproduce the problem in the laboratory, using a number of LocalDirectors under a variety of conditions.
- Telephone and/or e-mail discussion with all the reporting users.
- A review of the system source code by the software development group.
One of the Cisco groups trying to reproduce the problem believed that they had seen it recur. However, this was during a very early phase of the laboratory work, just as the test configuration was being set up, and before detailed experimental records were being kept. Since confusion and error are very common in such situations, Cisco believes it to be entirely plausible that the observation was an error, perhaps caused by failure to issue a write command. Cisco has been otherwise unable to induce a LocalDirector to lose a password, despite aggressive attempts to do so.
None of the reporting users has been able to reproduce the problem, or to provide Cisco with an exact account of the conditions under which her password may have been lost. Each customer observed that a LocalDirector which was believed formerly to have had an enable password no longer had such a password, but none could give a detailed sequence of events or provide enough information to allow the problem to be reproduced.
- In one of the three cases, the password loss had occurred at an undetermined time, perhaps long in the past, and the user thought that it was possible that the password loss error scenario below might apply.
- In the second case, the user was unsure of the sequence of events.
- In the third case, the user's password apparently had not actually been lost.
The source code review identified no problems. The code in question is relatively straightforward, and appears to have little potential for hidden bugs.
We've come up with two scenarios in which a LocalDirector might end up without an enable password when a user thought that it should have such a password. The first possibility is that the user confuses the password command, which sets the password for remote access, with the enable password command, which sets the password for administrative access. If this happened, there would be no enable password, but the user might think one had been set.
The second scenario is particularly plausible in an upgrade. If a user saved the configuration from a running LocalDirector by saving the output of show config, and then erased the LocalDirector's configuration memory, upgraded the software, and pasted the saved configuration back into the system, the passwords would be lost. This is because show config does not display any password-related information.
Because a LocalDirector with no enable password set will accept any string, either of these mistakes might easily go unnoticed for a very long time.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
If a LocalDirector has no enable password, then any person who can log into the system via Telnet or over its its console port can reconfigure or shut down the LocalDirector.
Cisco will continue working to verify that the LocalDirector password maintenance software is error free. Updated versions of this notice will be posted on Cisco's Worldwide Web site if more information becomes available. Notice will be posted widely if any genuine password loss problem is found.
Cisco will modify the LocalDirector software's password prompting and checking behavior in the case where a password is not set; the new software will no longer accept any string as a password in this case. We expect that this will make it more difficult for a user to lose a password without knowing it. The change is tentatively scheduled for the first quarter of 1998, but that schedule is subject to change.
Cisco recommends that customers take the following steps. Most of these are things that should be done regardless of whether or not there's any problem with the LocalDirector software.
- Check to make sure that enable passwords are being enforced by all LocalDirectors.
If you find that a LocalDirector is not enforcing its enable password, changing the password using the enable password configuration command should reactivate the password. Remember to save the new password using the write memory command.
Recheck password enforcement after any software upgrade or downgrade.
If you are certain that a formerly working enable password has been lost by the software, please contact Cisco via e-mail to email@example.com.
- Make sure that you have configured a Telnet access password for your LocalDirector using the password configuration command.
If you're not sure of the secrecy of your Telnet password, consider changing it. Do not give untrustworthy persons Telnet access to your LocalDirector.
- Consider using firewalling devices to block Telnet access from untrusted hosts, and/or restricting access from remote hosts using the address-and-mask feature of the LocalDirector telnet configuration command.
If you have a dial-in modem connected to your LocalDirector's console port, or if you have the console port connected to a network device that allows remote access, protect the console using the authentication features of the modem or network device to which it is connected.
Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "firstname.lastname@example.org" or "email@example.com" for software upgrades.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: firstname.lastname@example.org
Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
Cisco has had no reports of malicious exploitation of this vulnerability, if indeed any vulnerability exists.
This issue was first brought to Cisco's attention by a public announcement on the email@example.com mailing list on Thursday, November 13, 1997. There has been some subsequent discussion on that mailing list. Cisco issued a preliminary notice about this issue on November 16, 1997.
Cisco issued a preliminary notice about this issue on November 16, 1997.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This notice is being sent to the following Internet mailing lists and newsgroups:
- firstname.lastname@example.org (includes CERT/CC)
Updates will be sent to some or all of these, as appropriate.
This notice will be posted in the Field Notices section of Cisco's Worldwide Web site, Cisco.com, which can be found under the Technical Support section. The copy on the Worldwide Web will be updated as appropriate. The URL is http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19971117-ld-pass.
Updated notice. Password losses formerly attributed to software failure now attributed to user error.
Initial public release.
This notice is copyright 1997 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information.
Please report security issues with Cisco products, and/or sensitive security intrusion emergencies involving Cisco products, to email@example.com. Reports may be encrypted using PGP; public RSA and DSS keys for firstname.lastname@example.org are on the public PGP keyservers.
The alias email@example.com is used only for reports incoming to Cisco. Mail sent to firstname.lastname@example.org goes only to a very small group of users within Cisco. Neither outside users nor unauthorized Cisco employees may subscribe to email@example.com. We will shortly be creating a security announcement mailing list for outgoing information. When that list is created, an announcement will be sent to appropriate Internet forums.