Document ID: 44161
For Public Release 2003 July 24
It is possible to enumerate all locally defined users, which are used for authentication, on a Cisco IOS®-based device if aaa new-model is not used. This behavior is common to all Cisco IOS releases starting from the 11.x release onwards. This behavior has been changed by the Cisco bug ID CSCdz29724 (registered customers only). These are the first available IOS releases that are not affected by this exposure:
You are using a local database if your configuration file contains the following lines:
username guest password 0 secretpassword
line vty 0 5
 login local
If somebody tries to Telnet to a device configured in the above fashion using a non-existent username, the following will happen:
User Access Verification

Username: not_defined_username
% Login invalid
In contrast, if somebody tries to log in using a defined username but with an invalid password, the device prompts for a password before rejecting the login, so the result is visibly different:
User Access Verification

Username: an_existing_username
Password:
% Login invalid
By repeating this process an adversary can effectively guess all defined usernames. This knowledge can be used to try to further guess the associated passwords or for other avenues of attack (e.g., social engineering).
The preferred workaround is to disable Telnet access and use SSH instead. Please note that not all IOS software supports SSH. Registered users may check whether their image supports SSH by visiting http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp (registered customers only). Generating an RSA key pair and restricting the vty lines to SSH is accomplished like this:
Router(config)# hostname myRouter
myRouter(config)# ip domain name your-domain
myRouter(config)# crypto key generate rsa
The name for the keys will be: myRouter.your-domain
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus : 1024
% Generating 1024 bit RSA keys ...[OK]

myRouter(config)# line vty 0 5
myRouter(config-line)# transport input ssh
Note: The first two lines are optional. If you have already defined a hostname other than Router and have defined a domain name, you do not have to type them again. The RSA key pair is required because the SSH server cannot start without one.
A free SSH client implementation can be obtained from http://www.openssh.org. Alternatively, you can buy commercial SSH software from various vendors.
An alternative workaround is to use "aaa new-model", under which the login prompt sequence no longer differs between defined and undefined usernames. Before applying this workaround you may want to consult the document Cisco IOS Security Configuration Guide, Release 12.2 -- Part 1: Authentication, Authorization, and Accounting (AAA), available at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm.
Router(config)# aaa new-model
Router(config)# username guest password 0 secretpassword
Router(config)# aaa authentication login telnet-group local
Router(config)# line vty 0 5
Router(config-line)# login authentication telnet-group
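The exposed configuration shown earlier and the two workarounds above can be checked for mechanically. The following audit script is an added example and is not Cisco's code or part of this notice. It parses the text of a running configuration (assumed to use the usual IOS layout, with sub-commands of a line vty block indented by one space), and flags any vty block that uses login local while aaa new-model is absent and Telnet is still reachable. When no transport input command is present on the block it assumes Telnet is allowed, since that is the conservative reading for an audit; the sample configurations embedded below are constructed from the fragments in this notice.

```python
"""Audit a Cisco IOS running-config for the vty username-enumeration exposure.

Added example (not Cisco's code). Assumptions:
  * the input is the plain text of 'show running-config';
  * sub-commands under 'line vty X Y' are indented by one space;
  * a vty block with no 'transport input' command is treated as Telnet-reachable.
"""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_blocks(config):
    """Return one dict per 'line vty' block with its login and transport settings."""
    blocks = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # skip blank lines and IOS comment separators
        m = VTY_RE.match(line)
        if m:
            current = {
                "range": (int(m.group(1)), int(m.group(2) or m.group(1))),
                "login_local": False,     # 'login local' present in the block
                "login_auth": None,       # method list named by 'login authentication'
                "transport": None,        # list of protocols from 'transport input', or None
            }
            blocks.append(current)
            continue
        if line.startswith(" ") and current is not None:
            cmd = line.strip()
            if cmd == "login local":
                current["login_local"] = True
            elif cmd.startswith("login authentication "):
                current["login_auth"] = cmd.split(" ", 2)[2]
            elif cmd.startswith("transport input "):
                current["transport"] = cmd.split(" ", 2)[2].split()
            continue
        current = None                    # any top-level command ends the vty block
    return blocks


def has_aaa_new_model(config):
    """True only for an explicit 'aaa new-model' line ('no aaa new-model' does not count)."""
    return any(l.strip() == "aaa new-model" for l in config.splitlines())


def audit(config):
    """Return a list of findings; an empty list means neither exposed pattern was found."""
    findings = []
    if has_aaa_new_model(config):
        return findings                   # AAA workaround in place: prompt sequence no longer leaks
    for b in parse_vty_blocks(config):
        lo, hi = b["range"]
        transport = b["transport"]
        # Telnet is reachable unless transport input names only other protocols (e.g. ssh).
        telnet_allowed = transport is None or "telnet" in transport or "all" in transport
        if b["login_local"] and telnet_allowed:
            findings.append(
                f"line vty {lo} {hi}: 'login local' without 'aaa new-model' and Telnet reachable"
            )
    return findings


# Constructed sample configurations, assembled from the fragments in this notice.
EXPOSED_CONFIG = """hostname Router
username guest password 0 secretpassword
line vty 0 5
 login local
"""

SSH_ONLY_CONFIG = """hostname myRouter
ip domain name your-domain
username guest password 0 secretpassword
line vty 0 5
 login local
 transport input ssh
"""

AAA_CONFIG = """aaa new-model
username guest password 0 secretpassword
aaa authentication login telnet-group local
line vty 0 5
 login authentication telnet-group
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("ssh-only", SSH_ONLY_CONFIG), ("aaa", AAA_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Running the script reports one finding for the exposed configuration and none for either workaround; the same audit() function can be applied to archived configurations collected from a fleet of devices.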
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Updated: Oct 13, 2004 | Document ID: 44161