-
A vulnerability in the Cisco VCO/4K exposes the passwords of authorized users in an easily decrypted format in response to a read-only SNMP query.
All currently supported releases prior to VCO/4K software version 5.1.4 are vulnerable to this defect. Version 5.1.4, currently available, contains a fix that prevents the display of the weakly encrypted passwords. Version 5.2, to become available in early December 2000, includes that fix as well as multiple improvements to password encryption and handling.
Free software upgrades are offered to all affected VCO/4K customers. The defect can be worked around by limiting access to the SNMP service on the VCO/4K.
This vulnerability is documented as Cisco Bug ID CSCds55790.
No other Cisco product is affected by this vulnerability.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20001026-vco4k-password.
-
This section provides details on affected products.
Vulnerable Products
All currently supported releases prior to software version 5.1.4 for the Cisco VCO/4K are vulnerable due to this defect. Version 5.1.4 was released to customers in mid-August 2000.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco VCO/4K (Virtual Central Office 4000) is a programmable switch that provides voice services such as integrated messaging, operates as a core infrastructure switch for wireline or wireless networks, or acts as a gateway in mixed circuit- and packet-switched networks. The VCO/4K was developed by Summa Four, which was acquired by Cisco Systems in November 1998.
The usernames and encrypted passwords on the VCO/4K can be displayed remotely in response to an SNMP (Simple Network Management Protocol) query over the network. However, the passwords are encrypted using a substitution cipher that can be easily decrypted. This defect is documented as Cisco Bug ID CSCds55790.
The VCO/4K software has been patched to prevent the retrieval of the usernames and encrypted passwords via SNMP queries, and the password encryption has been replaced with the "Type 5" password encryption available in Cisco IOS software. Type 5 passwords are based on MD5, a secure one-way hash, and are considerably more resilient to unauthorized disclosure than a substitution cipher. In addition, the newer password encryption has been applied to multiple forms of access to the VCO/4K, and access control to the system has been improved in general.
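The contrast drawn above between a substitution cipher and a one-way hash, as an added example that is not part of the advisory and not Cisco code. It assumes a constructed toy substitution table and uses PBKDF2-HMAC-SHA256 as a stand-in for Type 5; neither is the VCO/4K's actual algorithm, which the advisory does not describe.

```python
import hashlib
import hmac
import os
import string

# Constructed toy table for illustration only. The advisory does not describe
# the VCO/4K cipher, and this is not it.
PLAIN = string.ascii_letters + string.digits
CIPHER = PLAIN[::-1][7:] + PLAIN[::-1][:7]   # fixed permutation, no key
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

def sub_store(password):
    """Stored form under a substitution cipher: one table lookup per character."""
    return password.translate(ENC)

def sub_recover(stored):
    """Anyone holding the table inverts the stored form directly."""
    return stored.translate(DEC)

def hash_store(password, salt=None, rounds=100_000):
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256, a stand-in for Type 5)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def hash_verify(password, salt, digest, rounds=100_000):
    """Verification recomputes the hash; the stored record is never decoded."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def compare_schemes(pw_a, pw_b):
    """What two stored records reveal to a reader under each scheme."""
    _, digest_a = hash_store(pw_a)
    _, digest_b = hash_store(pw_b)
    return {
        "sub_equal_records": sub_store(pw_a) == sub_store(pw_b),
        "sub_length_leaked": len(sub_store(pw_a)) == len(pw_a),
        "sub_recovered": sub_recover(sub_store(pw_a)),
        "hash_equal_records": digest_a == digest_b,
        "hash_fixed_length": len(digest_a) == len(digest_b) == 32,
    }

if __name__ == "__main__":
    # Constructed sample: two operators who chose the same password.
    print(compare_schemes("Example-Pass1", "Example-Pass1"))
```

Because the substitution form is reversible and deterministic, any password that was stored that way and exposed to an SNMP reader should be treated as disclosed and changed after upgrading.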
-
The threat can be reduced by restricting SNMP queries to the VCO/4K, but the fixed software provides much better protection. Customers are strongly encouraged to upgrade to VCO/4K software version 5.1.4 as soon as possible, and to version 5.2 as soon as it becomes available.
-
Cisco VCO/4K software version 5.1.4 contains a partial fix in which the encrypted passwords are no longer returned in response to an SNMP query. This version became available in mid-August 2000.
Version 5.2, scheduled for release 2000-12-04, continues to protect passwords from unauthorized disclosure via SNMP, and contains improvements to VCO/4K password encryption processing equivalent to the Type 5 password encryption in Cisco IOS software.
-
This vulnerability was reported to the Cisco PSIRT by @Stake, Inc., which discovered it during an audit of a customer network.
The Cisco PSIRT is not aware of any malicious use of this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.