
Cisco Security Notice: Enumerating Locally Defined Users in Cisco IOS

Document ID: 44161


Revision 1.0

For Public Release 2003 July 24



Contents

Summary
Workarounds
Cisco Security Procedures
Related Information

Summary

It is possible to enumerate all locally defined users, which are used for authentication, on a Cisco IOS®-based device if aaa new-model is not used. This behavior is common to all Cisco IOS releases starting from the 11.x release onwards. This behavior has been changed by the Cisco bug ID CSCdz29724 (registered customers only). These are the first available IOS releases that are not affected by this exposure:

  • 12.0(24.2)S
  • 12.0(24)S1
  • 12.2(15)ZN
  • 12.2(14.5)
  • 12.2(16)B
  • 12.2(16.1)B
  • 12.2(15.1)S
  • 12.2(14.5)T
  • 12.2(11)JA1

You are using a local database if your configuration file contains the following lines:

username guest password 0 secretpassword
line vty 0 5
    login local

If somebody tries to Telnet to a device configured in the above fashion using a nonexistent username, the following will happen:

User Access Verification

 Username: not_defined_username
 % Login invalid

In contrast to this, if somebody tries to log in using a defined username, but with an invalid password, the result will be different as shown here:

User Access Verification

 Username: an_existing_username
 Password: 
 % Login invalid

By repeating this process an adversary can effectively guess all defined usernames. This knowledge can be used to try to further guess the associated passwords or for some other avenues of attack (e.g., social engineering).

Workarounds

The preferred workaround is to disable Telnet access and use SSH instead. Please note that not all IOS software supports SSH. Registered users may check if their image supports SSH by visiting http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp (registered customers only). This can be accomplished like this:

Router(config)# hostname myRouter
myRouter(config)# ip domain name your-domain

myRouter(config)# crypto key generate rsa
The name for the keys will be: myRouter.your-domain
Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
myRouter(config)# line vty 0 5
myRouter(config-line)# transport input ssh

Note: The first two lines are optional. If you already have defined a hostname that is not Router and have defined a domain name, then you do not have to type them again.

The free version of SSH software can be obtained from http://www.openssh.org. Alternatively, you can buy commercial SSH software from various vendors.

An alternative workaround is to use "aaa new-model". Before applying the workaround you may want to consult the following document, Cisco IOS Security Configuration Guide, Release 12.2 -- Part 1: Authentication, Authorization, and Accounting (AAA), at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm.

Router(config)# aaa new-model
Router(config)# username guest password 0 secretpassword
Router(config)# aaa authentication login telnet-group local
Router(config)# line vty 0 5
Router(config-line)# login authentication telnet-group
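As an added example (not part of this notice and not Cisco code), the following Python script audits an IOS configuration text for the exposure described in the Summary: a vty line using "login local" that is reachable over Telnet while "aaa new-model" is absent, so that either workaround above clears the finding. The sample configurations are constructed, and the script assumes that a vty block with no explicit "transport input" line permits Telnet.

```python
import re

# Constructed sample configs (not from a real device): the notice's
# 'login local' snippet, and the same snippet with the SSH-only workaround.
VULNERABLE_CONFIG = """\
username guest password 0 secretpassword
line vty 0 5
 login local
"""
SSH_ONLY_CONFIG = """\
username guest password 0 secretpassword
line vty 0 5
 login local
 transport input ssh
"""

VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")

def parse_vty_blocks(config):
    """Map each 'line vty ...' block name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # a top-level command closes any open block
            current = raw.strip() if VTY_RE.match(raw.strip()) else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(raw.strip())
    return blocks

def audit_ios_config(config):
    """Return one finding per vty block where 'login local' is reachable over
    Telnet while 'aaa new-model' is absent, i.e. the exposure the notice describes."""
    aaa_new_model = any(l.strip() == "aaa new-model" for l in config.splitlines())
    findings = []
    for name, cmds in parse_vty_blocks(config).items():
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        # Assumption: a vty block with no explicit 'transport input' permits Telnet.
        telnet_allowed = not transports or any(
            "telnet" in t or "all" in t for t in transports)
        if "login local" in cmds and telnet_allowed and not aaa_new_model:
            findings.append(f"{name}: 'login local' reachable over Telnet without 'aaa new-model'")
    return findings

if __name__ == "__main__":
    for cfg in (VULNERABLE_CONFIG, SSH_ONLY_CONFIG):
        print(audit_ios_config(cfg) or "no exposure found")
```

Feed it the output of "show running-config" to check a device; a configuration using the "aaa new-model" workaround produces no finding because the global "aaa new-model" command is present.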

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Related Information



Updated: Oct 13, 2004 Document ID: 44161