
Cisco PIX 500 Series Security Appliances

Cisco Security Notice: Response to BugTraq - Weak Cisco PIX Enable Password Encryption Algorithm

Document ID: 60561


Revision 1.0

Last Updated 2003 November 10



Contents

Summary
Details
Cisco Security Procedures

Summary

This document is provided to simplify access to Cisco responses to possible product security vulnerability issues posted in public forums for Cisco customers. This does not imply that Cisco perceives each of these issues as an actual product security vulnerability. This notice is provided on an "as is" basis and does not imply any kind of guarantee or warranty. Your use of the information on this page or materials linked from this page is at your own risk. Cisco reserves the right to change or update this page without notice at any time.

Details

Original Report: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0121.html. Cisco responded with the following, which is also archived at http://www.cisco.com/warp/public/707/pixresponse.html:

When considering the published report, consider the following:

  • Password length and quality are very important.
    Using passwords of ten characters or more makes brute-force attacks much harder, up to the point where they become computationally infeasible with present algorithms and general-purpose computers. Using passwords that are not easy to guess, with a mixture of lower-case and upper-case letters and numbers, makes offline dictionary attacks much harder.
  • This attack is effective only if an attacker can capture the configuration file.
    In order to prevent interception of the configuration files for the PIX, particularly during transfer between devices, customers should review their policies and practices concerning storage and transfer of PIX configuration files. Critical points of review should include firewall management systems and backup procedures (including media and disposal).
  • By default, PIX does not accept interactive connections on any port except the console port.
    Even if an attacker possesses the password, an interactive administrative session must be established on the trusted/protected interface of the PIX (or externally via IPSec or SSH) in order to take advantage of it. Cisco configuration guides recommend explicit and careful configuration of permitted administrative hosts, and the default configuration requires the administration hosts to be explicitly configured.
  • Users are encouraged to use the local database, which uses "salted" passwords. An example configuration:
    username <user> password <secret password>
    aaa authentication enable console LOCAL
    Alternatively, users can consider using TACACS+ or RADIUS for authentication.
    The practice of having a single, shared enable password should be discouraged in favor of creating separate usernames with the appropriate privilege level. Additionally, the practice of sharing the same configuration file among multiple PIXes should be reconsidered. For the exact syntax of PIX commands, consult the Cisco PIX Firewall Command Reference, Version 6.2.
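The following is an added audit script, not part of the original notice or of any Cisco tool, that checks saved PIX configurations for the two conditions the response above highlights: reliance on the shared enable password instead of local usernames authenticated via "aaa authentication enable console LOCAL", and the same enable password hash appearing in more than one device's configuration. The sample configurations, device names and hash values are constructed placeholders, and the "enable password <hash> encrypted" line format is assumed.

```python
import re

# Constructed sample PIX configuration fragments; device names and hash
# values are placeholders, not real devices or real hashes.
SAMPLE_CONFIGS = {
    "pix-a": """\
enable password PLACEHOLDERHASH1 encrypted
telnet 10.1.1.5 255.255.255.255 inside
""",
    "pix-b": """\
enable password PLACEHOLDERHASH1 encrypted
username admin password PLACEHOLDERHASH2 encrypted privilege 15
aaa authentication enable console LOCAL
""",
    "pix-c": """\
enable password PLACEHOLDERHASH3 encrypted
username ops password PLACEHOLDERHASH4 encrypted privilege 15
""",
}

# Assumed line formats: "enable password <hash> encrypted" and
# "username <name> password <hash> ...".
ENABLE_RE = re.compile(r"^enable password (\S+)", re.M)
USERNAME_RE = re.compile(r"^username (\S+) password", re.M)
AAA_LOCAL_RE = re.compile(r"^aaa authentication enable console LOCAL\b", re.M)


def audit_config(text):
    """Findings for one configuration against the notice's recommendations."""
    findings = []
    if not USERNAME_RE.search(text):
        findings.append("no local usernames: relies on the shared enable password")
    if not AAA_LOCAL_RE.search(text):
        findings.append("enable access not authenticated against the LOCAL database")
    return findings


def audit_fleet(configs):
    """Audit every configuration and flag enable hashes shared across devices.

    A captured configuration exposes its enable hash to offline guessing; a
    hash shared by several devices means one cracked hash opens all of them.
    """
    report = {name: audit_config(text) for name, text in configs.items()}
    seen = {}
    for name, text in configs.items():
        match = ENABLE_RE.search(text)
        if match:
            seen.setdefault(match.group(1), []).append(name)
    for names in seen.values():
        for name in names:
            others = [n for n in names if n != name]
            if others:
                report[name].append("enable password hash shared with " + ", ".join(others))
    return report
```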

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.



Updated: Oct 08, 2004 Document ID: 60561