Summary
At least three customers have reported losing their enable passwords upon upgrading to version 1.6.3 of Cisco's LocalDirector product. Affected systems allow users to enter privileged mode without providing the correct enable password; any string will suffice as a password. This applies only to the privileged-mode enable password; the Telnet access password does not appear to be affected. The reported behavior was total loss of the configured enable password; the systems in question were simply left without enable passwords.
An earlier version of this notice attributed this to a possible software malfunction, and suggested that users refrain from upgrading to version 1.6.3, and that they disable Telnet access to their LocalDirectors by nonadministrative users.
Cisco has conducted an investigation, and now believes that the reported LocalDirector password losses were most probably caused by user error. Because a LocalDirector with no enable password set will still ask the user for a password, and will accept any string, any accidental loss of the enable password is likely to persist. Cisco will continue investigating this matter in order to make absolutely certain that the LocalDirector software does not lose passwords, but recommends that customers stand down from alert status and proceed cautiously with LocalDirector upgrades.
Cisco will modify the LocalDirector software to make it more difficult for users to lose their enable passwords without knowing it.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19971117-ld-pass.
Affected Products
This section provides details on affected products.
Vulnerable Products
Although we believe that the reported incidents were probably caused by user error, such errors are easy to make. All LocalDirector customers should check to see that their enable passwords are being enforced properly. Use the enable command to enter privileged mode, and give an invalid password. If the invalid password is not accepted, you are not affected.
If the invalid password is accepted, make sure you have an enable password set, using the write terminal command. If your enable password appears as a string of zeroes followed by the word "encrypted", then you have no enable password set. If you have a password set, or if you are absolutely sure that you had a password that had been set and saved to the nonvolatile configuration, but that password has now disappeared without any intervention on your part, please contact Cisco Systems immediately via e-mail to "security-alert@cisco.com."
In the unlikely event that there actually is a software error, that error probably affects all 1.6.x versions of the LocalDirector software. However, version 1.6.3 is the only 1.6.x version that has been released to Cisco's general customer base, and Cisco discourages the use of other 1.6.x versions because of possible software instability.
Because the LocalDirector code is almost entirely separate from the code used in other Cisco products, it is nearly impossible that any product other than the LocalDirector is affected by any software error, although of course user errors can happen with any product. Classic Cisco IOS, as used on Cisco routers, shares absolutely no password or configuration management code with the LocalDirector, and is therefore definitely not affected. WAN-BU and WBU products, including Catalyst switches and FastPacket switches, are likewise definitely not affected.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
Details
Cisco's investigation of this issue has included:
- Extensive and repeated attempts by independent groups in customer support and in software development to reproduce the problem in the laboratory, using a number of LocalDirectors under a variety of conditions.
- Telephone and/or e-mail discussion with all the reporting users.
- A review of the system source code by the software development group.
One of the Cisco groups trying to reproduce the problem believed that they had seen it recur. However, this was during a very early phase of the laboratory work, just as the test configuration was being set up, and before detailed experimental records were being kept. Since confusion and error are very common in such situations, Cisco believes it to be entirely plausible that the observation was an error, perhaps caused by failure to issue a write command. Cisco has been otherwise unable to induce a LocalDirector to lose a password, despite aggressive attempts to do so.
None of the reporting users has been able to reproduce the problem, or to provide Cisco with an exact account of the conditions under which her password may have been lost. Each customer observed that a LocalDirector which was believed formerly to have had an enable password no longer had such a password, but none could give a detailed sequence of events or provide enough information to allow the problem to be reproduced.
- In one of the three cases, the password loss had occurred at an undetermined time, perhaps long in the past, and the user thought that it was possible that the password loss error scenario below might apply.
- In the second case, the user was unsure of the sequence of events.
- In the third case, the user's password apparently had not actually been lost.
The source code review identified no problems. The code in question is relatively straightforward, and appears to have little potential for hidden bugs.
Password Loss Scenarios
We've come up with two scenarios in which a LocalDirector might end up without an enable password when a user thought that it should have such a password. The first possibility is that the user confuses the password command, which sets the password for remote access, with the enable password command, which sets the password for administrative access. If this happened, there would be no enable password, but the user might think one had been set.
The second scenario is particularly plausible in an upgrade. If a user saved the configuration from a running LocalDirector by saving the output of show config, and then erased the LocalDirector's configuration memory, upgraded the software, and pasted the saved configuration back into the system, the passwords would be lost. This is because show config does not display any password-related information.
Because a LocalDirector with no enable password set will accept any string, either of these mistakes might easily go unnoticed for a very long time.
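To make the check described under Vulnerable Products and the two scenarios above concrete, here is an added example (not Cisco's code and not part of the original advisory) that audits a saved configuration dump for the situations the advisory describes: an enable password shown as a string of zeros followed by "encrypted", a dump that carries a Telnet `password` line but no `enable password` line (the first scenario), and a dump with no password lines at all, which is what pasting `show config` output back would give (the second scenario). The line formats and the sample dumps are assumptions modelled on the advisory's wording, not verified LocalDirector syntax.

```python
import re

# Assumed line shapes, modelled on the advisory's description of 'write terminal'
# output; real LocalDirector syntax may differ.
ENABLE_LINE = re.compile(r"^\s*enable\s+password\s+(\S+)(?:\s+(encrypted))?\s*$",
                         re.MULTILINE | re.IGNORECASE)
TELNET_LINE = re.compile(r"^\s*password\s+\S+", re.MULTILINE | re.IGNORECASE)


def enable_password_state(config_text):
    """Classify the enable password in a configuration dump.

    'missing' - no 'enable password' line at all (what 'show config' output looks like)
    'unset'   - line present, but the value is all zeros followed by 'encrypted',
                which the advisory says means no enable password is set
    'set'     - some other value is present
    """
    m = ENABLE_LINE.search(config_text)
    if m is None:
        return "missing"
    value, tag = m.group(1), m.group(2)
    if tag and tag.lower() == "encrypted" and set(value) == {"0"}:
        return "unset"
    return "set"


def audit_config(config_text):
    """Return a list of (code, message) findings about password handling in the dump."""
    findings = []
    state = enable_password_state(config_text)
    has_telnet = TELNET_LINE.search(config_text) is not None

    if state == "unset":
        findings.append(("ENABLE_UNSET",
                         "enable password is all zeros + 'encrypted': no enable password is set, "
                         "so the enable prompt will accept any string"))
    elif state == "missing" and has_telnet:
        # Scenario 1: 'password' (Telnet access) used where 'enable password' was meant
        findings.append(("ENABLE_MISSING_TELNET_PRESENT",
                         "a Telnet 'password' line exists but no 'enable password' line: "
                         "check that the two commands were not confused"))
    elif state == "missing":
        # Scenario 2: dump looks like 'show config' output, which omits password lines
        findings.append(("NO_PASSWORD_LINES",
                         "no password lines at all: pasting this dump back after an upgrade "
                         "leaves the unit without an enable password"))

    if state != "missing" and not has_telnet:
        findings.append(("TELNET_MISSING", "no Telnet access 'password' line found"))
    return findings


# Constructed sample dumps in the assumed format (illustration only, not real output).
SAMPLE_SET = (
    "hostname ld1\n"
    "enable password 7d6a1f0c9e2b3a4d5f6e7c8b9a0d1e2f encrypted\n"
    "password 3a5b7c9d1e2f4a6b8c0d2e4f6a8b0c1d encrypted\n"
)
SAMPLE_UNSET = (
    "hostname ld1\n"
    "enable password 00000000000000000000000000000000 encrypted\n"
    "password 3a5b7c9d1e2f4a6b8c0d2e4f6a8b0c1d encrypted\n"
)
SAMPLE_SHOW_CONFIG = "hostname ld1\ntelnet 10.0.0.0 255.0.0.0\n"   # no password lines
SAMPLE_CONFUSED = "hostname ld1\npassword 3a5b7c9d1e2f4a6b8c0d2e4f6a8b0c1d encrypted\n"


if __name__ == "__main__":
    for name, dump in [("set", SAMPLE_SET), ("unset", SAMPLE_UNSET),
                       ("show config", SAMPLE_SHOW_CONFIG), ("confused", SAMPLE_CONFUSED)]:
        print(name, "->", [code for code, _ in audit_config(dump)] or ["ok"])
```

The audit is only as good as the dump it reads: run it on `write terminal` output to learn the current state, and on whatever text you intend to paste back after an upgrade to confirm it actually carries password lines before you erase the old configuration.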
Workarounds
Cisco recommends that customers take the following steps. Most of these are things that should be done regardless of whether or not there's any problem with the LocalDirector software.
- Check to make sure that enable passwords are being enforced by all LocalDirectors.
If you find that a LocalDirector is not enforcing its enable password, changing the password using the enable password configuration command should reactivate the password. Remember to save the new password using the write memory command.
Recheck password enforcement after any software upgrade or downgrade.
If you are certain that a formerly working enable password has been lost by the software, please contact Cisco via e-mail to security-alert@cisco.com.
- Make sure that you have configured a Telnet access password for your LocalDirector using the password configuration command.
If you're not sure of the secrecy of your Telnet password, consider changing it. Do not give untrustworthy persons Telnet access to your LocalDirector.
- Consider using firewalling devices to block Telnet access from untrusted hosts, and/or restricting access from remote hosts using the address-and-mask feature of the LocalDirector telnet configuration command.
If you have a dial-in modem connected to your LocalDirector's console port, or if you have the console port connected to a network device that allows remote access, protect the console using the authentication features of the modem or network device to which it is connected.
Fixed Software
Cisco will continue working to verify that the LocalDirector password maintenance software is error free. Updated versions of this notice will be posted on Cisco's Worldwide Web site if more information becomes available. Notice will be posted widely if any genuine password loss problem is found.
Cisco will modify the LocalDirector software's password prompting and checking behavior in the case where a password is not set; the new software will no longer accept any string as a password in this case. We expect that this will make it more difficult for a user to lose a password without knowing it. The change is tentatively scheduled for the first quarter of 1998, but that schedule is subject to change.
Exploitation and Public Announcements
Cisco has had no reports of malicious exploitation of this vulnerability, if indeed any vulnerability exists.
This issue was first brought to Cisco's attention by a public announcement on the bugtraq@netspace.org mailing list on Thursday, November 13, 1997. There has been some subsequent discussion on that mailing list. Cisco issued a preliminary notice about this issue on November 16, 1997.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Revision 4.0, 1997-November-25: Updated notice. Password losses formerly attributed to software failure now attributed to user error.
Revision 2.0, 1997-November-17: Initial public release.
This notice is copyright 1997 by Cisco Systems, Inc. This notice may be redistributed freely provided that redistributed copies are complete and unmodified, including all date and version information.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.