Cisco issued a warning about serious password weaknesses in some of its routers, switches and appliances, following research that has found them susceptible to brute-force attacks.
The networking giant said a limited number of Cisco IOS and Cisco IOS XE releases fail to salt passwords, instead encrypting the plain text password using the SHA-256 cryptographic hash function. However, the lack of salting makes the passwords particularly vulnerable to brute-force attacks conducted by automated tools, Cisco said in a security advisory issued Tuesday.
Cisco plans to issue a release eliminating support of Type 4 passwords. Cisco engineers also are working on a new password type with the proper implementation of Type 4 passwords that includes an 80-bit salt. Users of the devices using Type 4 passwords on their device configuration may want to replace them with Type 5 passwords in advance of deploying the update, the company said.
"Type 4 passwords will be deprecated," Cisco said. "Future Cisco IOS and Cisco IOS XE releases will not generate Type 4 passwords. However, to maintain backward compatibility, existing Type 4 passwords will be parsed and accepted. Customers will need to manually remove the existing Type 4 passwords from their configuration."
Cisco credited security researchers Philipp Schmidt and Jens Steube of the Hashcat Project password cracking tool, with discovering the weaknesses.
Schmidt told CRN that the Cisco passwords had no salting at all and contained no multihashing for additional protection. An attacker can use a well-designed system and password-cracking tool powerful enough to cycle through more than 2.8 billion passwords per second, Schmidt said. "Our discoveries show that the problems around type 4 secrets are severe," Schmidt said. "One could crack a Cisco type 4 hash list [quickly] and is only limited by the hardware."
Cisco said the problem stems from an implementation issue. Releases based on the Cisco IOS 15 code base use Type 4 algorithm, designed to be a stronger alternative to existing Type 5 and Type 7 algorithms to hash plaintext passwords, but a problem causes the operating system to fail to use the latest cryptographic key function or add a salt to the password.
"A Cisco IOS or Cisco IOS XE release with support for Type 4 passwords does not allow the generation of a Type 5 password from a plain text password on the device itself," Cisco said. "Customers who need to replace a Type 4 password with a Type 5 password must generate the Type 5 password outside the device and then copy the Type 5 password to the device configuration."
The implementation error also causes a variety of other issues, the company said.
"A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plain text password," Cisco said.
Backward compatibility issues may also cause problems for network administrators, Cisco said.
"Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed," the company said.
PUBLISHED MARCH 19, 2013