We'll be fixing the user interface to make it more difficult to lose your
password without knowing it. We'll also be doing some more testing to make
sure the software isn't really broken. At this point, however, we believe
the initial report to have been an error. A formal update to the field
notice is attached to this message.
-- John B
-----BEGIN PGP SIGNED MESSAGE-----
Field Notice:
Cisco LocalDirector Enable Password Loss
November 25, 1997, 10:00 AM US/Pacific, Revision 4
- ------------------------------------------------------------
Summary
- -----
At least three customers have reported losing their enable passwords upon
upgrading to version 1.6.3 of Cisco's LocalDirector product. Affected
systems allow users to enter privileged mode without providing the correct
enable password; any string will suffice as a password. This applies only to
the privileged-mode enable password; the Telnet access password does not
appear to be affected. The reported behavior was total loss of the
configured enable password; the systems in question were simply left without
enable passwords.
An earlier version of this notice attributed this to a possible software
malfunction, and suggested that users refrain from upgrading to version
1.6.3, and that they disable Telnet access to their LocalDirectors by
nonadministrative users.
Cisco has conducted an investigation, and now believes that the reported
LocalDirector password losses were most probably caused by user error.
Because a LocalDirector with no enable password set will still ask the user
for a password, and will accept any string, any accidental loss of the
enable password is likely to persist. Cisco will continue investigating this
matter in order to make absolutely certain that the LocalDirector software
does not lose passwords, but recommends that customers stand down from alert
status and proceed cautiously with LocalDirector upgrades.
Cisco will modify the LocalDirector software to make it more difficult for
users to lose their enable passwords without knowing it.
Who Is Affected
- -------------
Although we believe that the reported incidents were probably caused by user
error, such errors are easy to make. All LocalDirector customers should
check to see that their enable passwords are being enforced properly. Use
the enable command to enter privileged mode, and give an invalid password.
If the invalid password is not accepted, you are not affected.
If the invalid password is accepted, make sure you have an enable password
set, using the write terminal command. If your enable password appears as a
string of zeroes followed by the word "encrypted", then you have no enable
password set. If you have a password set, or if you are absolutely sure that
you had a password that had been set and saved to the nonvolatile
configuration, but that password has now disappeared without any
intervention on your part, please contact Cisco Systems immediately via
e-mail to "security-alert@cisco.com."
In the unlikely event that there actually is a software error, that error
probably affects all 1.6.x versions of the LocalDirector software. However,
version 1.6.3 is the only 1.6.x version that has been released to Cisco's
general customer base, and Cisco discourages the use of other 1.6.x versions
because of possible software instability.
Because the LocalDirector code is almost entirely separate from the code
used in other Cisco products, it is nearly impossible that any product other
than the LocalDirector is affected by any software error, although of course
user errors can happen with any product. Classic \cisco IOS, as used on
Cisco routers, shares absolutely no password or configuration management
code with the LocalDirector, and is therefore definitely not affected.
WAN-BU and WBU products, including Catalyst switches and FastPacket
switches, are likewise definitely not affected.
Impact
- ----
If a LocalDirector has no enable password, then any person who can log into
the system via Telnet or over its its console port can reconfigure or shut
down the LocalDirector.
Workarounds
- ---------
Cisco recommends that customers take the following steps. Most of these are
things that should be done regardless of whether or not there's any problem
with the LocalDirector software.
1. Check to make sure that enable passwords are being enforced by all
LocalDirectors. If you find that a LocalDirector is not enforcing its
enable password, changing the password using the enable password
configuration command should reactivate the password. Remember to save
the new password using the write memory command.
Recheck password enforcement after any software upgrade or downgrade.
If you are certain that a formerly working enable password has been
lost by the software, please contact Cisco via e-mail to
security-alert@cisco.com.
2. Make sure that you have configured a Telnet access password for your
LocalDirector using the password configuration command. If you're not
sure of the secrecy of your Telnet password, consider changing it. Do
not give untrustworthy persons Telnet access to your LocalDirector.
3. Consider using firewalling devices to block Telnet access from
untrusted hosts, and/or restricting access from remote hosts using the
address-and-mask feature of the LocalDirector telnet configuration
command. If you have a dial-in modem connected to your LocalDirector's
console port, or if you have the console port connected to a network
device that allows remote access, protect the console using the
authentication features of the modem or network device to which it is
connected.
Exploitation and Public Announcements
- -----------------------------------
Cisco has had no reports of malicious exploitation of this vulnerability, if
indeed any vulnerability exists.
This issue was first brought to Cisco's attention by a public announcement
on the bugtraq@netspace.org mailing list on Thursday, November 13, 1997.
There has been some subsequent discussion on that mailing list.
Cisco issued a preliminary notice about this issue on November 16, 1997.
Investigation Details
- -------------------
Cisco's investigation of this issue has included:
* Extensive and repeated attempts by independent groups in customer
support and in software development to reproduce the problem in the
laboratory, using a number of LocalDirectors under a variety of
conditions.
* Telephone and/or e-mail discussion with all the reporting users.
* A review of the system source code by the software development group.
One of the Cisco groups trying to reproduce the problem believed that they
had seen it recur. However, this was during a very early phase of the
laboratory work, just as the test configuration was being set up, and before
detailed experimental records were being kept. Since confusion and error are
very common in such situations, Cisco believes it to be entirely plausible
that the observation was an error, perhaps caused by failure to issue a
write command. Cisco has been otherwise unable to induce a LocalDirector to
lose a password, despite aggressive attempts to do so.
None of the reporting users has been able to reproduce the problem, or to
provide Cisco with an exact account of the conditions under which her
password may have been lost. Each customer observed that a LocalDirector
which was believed formerly to have had an enable password no longer had
such a password, but none could give a detailed sequence of events or
provide enough information to allow the problem to be reproduced.
* In one of the three cases, the password loss had occurred at an
undetermined time, perhaps long in the past, and the user thought that
it was possible that the password loss error scenario below might
apply.
* In the second case, the user was unsure of the sequence of events.
* In the third case, the user's password apparently had not actually been
lost.
The source code review identified no problems. The code in question is
relatively straightforward, and appears to have little potential for hidden
bugs.
Password Loss Scenarios
- ---------------------
We've come up with two scenarios in which a LocalDirector might end up
without an enable password when a user thought that it should have such a
password. The first possibility is that the user confuses the password
command, which sets the password for remote access, with the enable password
command, which sets the password for administrative access. If this
happened, there would be no enable password, but the user might think one
had been set.
The second scenario is particularly plausible in an upgrade. If a user saved
the configuration from a running LocalDirector by saving the output of show
config, and then erased the LocalDirector's configuration memory, upgraded
the software, and pasted the saved configuration back into the system, the
passwords would be lost. This is because show config does not display any
password-related information.
Because a LocalDirector with no enable password set will accept any string,
either of these mistakes might easily go unnoticed for a very long time.
Future Work and Updates
- ---------------------
Cisco will continue working to verify that the LocalDirector password
maintenance software is error free. Updated versions of this notice will be
posted on Cisco's Worldwide Web site if more information becomes available.
Notice will be posted widely if any genuine password loss problem is found.
Cisco will modify the LocalDirector software's password prompting and
checking behavior in the case where a password is not set; the new software
will no longer accept any string as a password in this case. We expect that
this will make it more difficult for a user to lose a password without
knowing it. The change is tentatively scheduled for the first quarter of
1998, but that schedule is subject to change.
Distribution of This Notice
- -------------------------
This notice is being sent to the following Internet mailing lists and
newsgroups:
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
Updates will be sent to some or all of these, as appropriate.
This notice will be posted in the Field Notices section of Cisco's Worldwide
Web site, CCO, which can be found under Technical Tips in the Service and
Support section. The copy on the Worldwide Web will be updated as
appropriate. The URL is http://www.cisco.com/warp/public/770/ldpass-pub.shtml.
Cisco Security Procedures
- -----------------------
Please report security issues with Cisco products, and/or sensitive security
intrusion emergencies involving Cisco products, to security-alert@cisco.com.
Reports may be encrypted using PGP; public RSA and DSS keys for
security-alert@cisco.com are on the public PGP keyservers.
The alias security-alert@cisco.com is used only for reports incoming to
Cisco. Mail sent to security-alert@cisco.com goes only to a very small group
of users within Cisco. Neither outside users nor unauthorized Cisco
employees may subscribe to security-alert@cisco.com. We will shortly be
creating a security announcement mailing list for outgoing information. When
that list is created, an announcement will be sent to appropriate Internet
forums.
Revision History
- --------------
Revision 2, 09:00, Preliminary notice
16-NOV-1997
Revision 4, 10:00, Updated notice. Password losses formerly
25-NOV-1997 attributed to software failure now attributed
to user error.
This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
redistributed freely provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBNHs7SwyPsuGbHvEpAQFeLwf/eH7Wzfy2tH3ieX3WmcmxJ53AkriXZge0
K5stvsZxIaYi8kalh39/bjpe9/looHbMtmMtlQfy1fY9CFD3fZ9UZa1DZi1NEMa4
78xAH7jgo885qBT9/a1vFU+FHobmkUXxEBFLW1//qGjFWtoeV/YTKpE7TqQTy/E0
R6zJlZJ9NSAQq6xv/h0aBVHlxQPJggBe6BRyJvXS7nuL98IPw1ttY35IeppT2Bqy
q46FxjqejPDSnuYlxu6fmm7pEDRaqRRajLgptKwW4H6broT7N2p73BWqCPUeXNOX
NSQqyWyhopA9PoU7jPK5Ql3b9ZUKSxI3VChTlHYCGzSLseGOGk38JA==
=uLHt
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
mQGhBDPvjDARBAD82RXM1EyVSEpL6mpDMyxI8Scc22yVqRYL+Ckv0SXHEPaZNIgQ
blVx32jyfnmGIZeVYK2sDRTB6vXJt1k+R5HRRhTG7fB0f309gT/Zgmk64zC7L4nL
Qp6fNEVJLfxRdrwXCOPfBf56Y8vKBFZSvwK4qLNHurMP2MVUuYfCl2UpHwCg/6Wz
FTHW34HvDKgD+3k0ap0lMq8EAME9i5IEdwTnGO2zsyyc/gw6QKoSGNEkbGmciZuk
AQTulVKQpYMv1jIm6Uy91HbsR0mUWxPzCBPCvJzvZOW0O+AJq4m/h1dQD2kdIHt+
nYAdfZjY26YUpB6gfFmQucGhH/o8GfhkmN6Lw21+gx4lctfia2/46poasCNo961y
KyuQA/ID6qpHargBoOk2n/av9jV1Rox8vhYVGwQhmVpYVUMzdw8ldo3CejaqyW97
IyOU7tZo4WUzJ2Z3sG0DHdim+VoeDjb5hsd34MzoGL7KjRFGldbNr2H/DhmItLyz
xJ5YXgMXNGy3IhfOjCwZsGhZ1eTddxbD7rb7+VN/ROhTpCSXtEdDaXNjbyBTeXN0
ZW1zIFByb2R1Y3QgU2VjdXJpdHkgSW5jaWRlbnQgUmVzcG9uc2UgVGVhbSA8cHNp
cnRAY2lzY28uY29tPrRQQ2lzY28gU3lzdGVtcyBwcm9kdWN0IHNlY3VyaXR5IGlu
Y2lkZW50L2J1ZyByZXBvcnRpbmcgPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT65
Ag0EM++MTxAIANfnEviV6GSqF/7SMetsaCkKUe/TmcEtoYRdE9ZorvLlruvSaFHM
gXCg4SqyC689BJJBaKN2MTYIV0T3idlbHp4mXHDyU28tTEFenA9m4ER0PxEO/wIT
I3XoOO7SCxUnxyvxPy8Jn9PYBHMpF+iWqUbzLsX4tZI7LJj73i0vi+5tGNaBBFu4
cD2UJis7lb/CSK7bb4RJ6lHYVWHtbcFApwSRheeusvN0YwKpPg5hy6gwaUSKtddJ
DadcJcQ/G2I820onsqgYRfDncEBYuLavuu2h5CuR+Qz6jrwNUAX1f6UxC2WYY7ts
p+wzQJ9VuTnKQEFPc6GIoiSSeyV3KibzVZ8AAgIIAKDBdTFi6kQSB1+x7XQgQ8SN
L0HFjtr25TMJr/eeU6m1NkrtCVg3llA+lhTmpork6ZDu3GXp/IW02o246G57Z23p
HU1VkEwjsWl1sdUY5QH+wIV6uZJubZW1TroDI86l0m7WeWC+mqQXn6GuvkX+YpF5
qU1OCY9Pnen6sWkYXiqE5LW3USyYxglTac8EQqcs3JYevV1/M6oTWXdMSEDV2/Bq
d9g5qZBYQFkkftdW6YsJPMGgn2EIyu4kTyazk3UafH/yqemCbGX6S5j3krCoIMwf
UpeOHPB1OxACLB0loA2cwCpq5p7WhXUCyRuqdXYN50NUrmKDo8+hsL/e89PofQWZ
AQ0DM++M2AFtAQgA0rsqUAdCxqMH23R11iGtk2Zo6fI8vxPkllEOru5J/cd9dn2B
wT4NTf/b9O4JruX8/R9uWlS3E6jYVJyN2Dpl39X7wUf77B8fsY/4zaUkjDU39Q2E
t+pR7tElm0C8BvZVGkDelXzXqeCTQfu1vZHICy7cfsy/BMNlpn93OEz/jS4PPZs5
SORqjEL9wouw/44MvJ08rdc/OOr1eKkLcBfzMMtuMAxLI1OlA/hzY28h/pfhDhAP
7Jkm7R1gDyL9ALYX1xvixPp8q2hEQ3BUtCEfCTHAouqbKiQss5ntC9DDVGqzxlQT
ijk4V1/Re+pbb4LX4JZDln3ztkcMj7Lhmx7xKQAFEbRHQ2lzY28gU3lzdGVtcyBQ
cm9kdWN0IFNlY3VyaXR5IEluY2lkZW50IFJlc3BvbnNlIFRlYW0gPHBzaXJ0QGNp
c2NvLmNvbT6JARUDBRAz74zYDI+y4Zse8SkBAWVjCACT3Ia+8fVGzPd1ACBvMFGI
Dry7lhhf9vz+flpOu3ErVn0qW2N0ONxT+u/Z+qbCGxz1DYlgTWt7+KJRS7FNNdzE
J2ct9nvnDo/u/VdoTwdtpe9RtiYW4rG+HMjqCdnc5YSpVD8/VEHvPNLAe28wA6au
S3L68XPyDjfa0N5T9YSJ/Q8B41qyxWMgETeZIVyegX0/BHv73zegsj5BRPP4pnem
juvsRMVcFqJ7wxjm8yjZrR2zoZSysxWkWInbOu5IIlAm9VWh71VP2mD3Z8fDq9Jh
kF/qNw937eRSMBwBlCPkmS6jlC0Nz4mkKzoDglL6eTZQ9iKwU5/EeNHZu/f3rKaV
iQA/AwUQM++M9JaBp3w9UuB/EQLzmwCgtbsVjd1ZZcuJkPoVs3cbzX9JibYAoLcQ
8+WP7M0y3zdSUEhHToFY6E+ZiQA/AwUQM++N6GFYFsU6zlX+EQKEywCggc3awk02
yj6RivcbYFn3Qon77scAn29CR0lHAjsdLIv6LJ9BLdhXiK8piQCVAwUQM++6KXem
vD4nAHb9AQG6OQQAq/GzwDk4yT9MPy25AwBMgsPGePRkZ6kBXTBsmMnHxthDniyE
Xqvg6XJYRU86f2wyfzVDJY55qmukl9haCqe3Inxo7gyHaB8ji4rMqfmEn2fjbiAv
dw5wlQqYBEEYWAviAHpBlTqT7naq5u/TyAdgENROnFu1jLT39uJ4RPpO7o2JAHUD
BRAz8OcoAFBd0vcu1XkBAQHWAwCe0KmW5QKgf1Kmf7hEEpBT2pViNkv3J7tB33Py
4ohQYztUUwP8QJq9EQR3qCBgUJfa3VhXWPrzTn6hE7H/GHEJ7g5IbY9fo1DHcxyE
xaBBKIEoWKR/FdxsNPBTgcaT9TyJAJUDBRAz8OTdGKb4qo5nGiEBAU7QA/4+RFkA
yy4YnrZc6Y7btnCgHXIwH4tqFL3NaVVS4KsGzQ2WgLRRz1rJ3D61aqvk9Tz3vY5m
YwjWY+eOwBqjuEl5UUQqY2kn6c8XHnp+Y7XfwPqH7V5hixcwSTHgU0diav+E/1FP
sm6oUKEHh4cC0vfsYOjqlSoilF1sjqKZT5MZZIkAlQMFEDPw6Yx61S0GnPSVuQEB
meoD/1VyOvmqnEQsTBiYmEGKHgSFrRs95vEOlP/ANCVYXwpBVP51Vrj+RcNkNJAQ
5xX5D5nRgDGoUVpYcjUJivalH6MOrPHF2zG/As9onZira+dv9SjM/MJhdpGvx0oT
YtpGlQh79+uloqCAZ9P4c/flZZICRLjI/3Uj73HDbEAcLsX8iQA/AwUQM/DxS7iw
R2HEkUMHEQJK7gCfRWzVa9mGDX4X2BdUB1Z5l5DCM+MAn2SIHiZS3o94TVhp+jTL
2HWHbnPjiQCVAwUQM/DpqtRZvFG/tj1hAQGsZgP8DJgX+4foQlVnDD+gBKXmnG3Z
D1hHkpvrR/tGww6LjxKAhXSWtQKTysQ3seIQyUxLOOq0K4A9vFzzmW1gDZXwYwG7
PXoNn4uyGY3YF2jke+Unug41F9POcBp4pUfjQxgj7iiPRn6ZduEhPjw6RBRpYDH5
fF3Mu5/E01TygWisn8WJARUDBRAz81dfH2q6+RwPtwkBAcNnCACSHlH85LxLMRVY
46WdQ9Joj8809J4p0Q469Tkrq7wMyxv8znvvl+D2loIaL5SeBGIvfFaPKQnN+un3
gX/R3g+l2RxBQRqjr65kGAhsMr1L9bRsMAUKAKfDLbQk9fEmB2KRBvQYsHM/7fVY
eXglIxdO40AUnzPtRz9rYlZ7dBn7Dy5k/kjIBKKZhgu77X0fGjh9hP9s45D3vnNq
sKBoM7pvgdTrwYbdarK2a4GPpWm7XHkhr1w2nGA+a0zjCDzfObHTp8NMY3z0Rgeu
3t2W7EIF6zE+FSyZmfTvVd2rXMxgjMeeziPHAJESnmQ0y0+xQoDx1IDhQ7YF2Q6r
khfqxxM6iQA/AwUQM/KsxSLcSmI6S/dwEQKA0QCfR1O0vDQ0M8ef9c+DHPyNydGz
OOQAnRscGYHbrrXrN1yuA9mti29pz2BViQCVAwUQM/EQTX+11HSaYdsJAQE7ZgQA
8Z5GzK1Qd4vu1Rt0OAubPp9yug2QmTqyNAsDDQdiqcdvCF9cK8VCYBvTRaHDjFBx
Jd6PclQlLBcPIQnkCE4Pch1OQomckDzXEnNgleGnyQlMXT0zm+gHl5mDUWnRtwTD
drYxfLdJZFZ8ntJIDYN7t0Gl/ag5l4j0C5GW0d9WYo+0UENpc2NvIFN5c3RlbXMg
cHJvZHVjdCBzZWN1cml0eSBpbmNpZGVudC9idWcgcmVwb3J0aW5nIDxzZWN1cml0
eS1hbGVydEBjaXNjby5jb20+iQEVAwUQM++NXQyPsuGbHvEpAQEIKwf/eLwnERXH
CP4X999/aUJEMPzd8lMaFg1i84ALFhpFKzWHBnWkBZItTM35xzciq5v51P3OBu5u
scU/yRgHmg/ESH3abJXt3SKMsjzZE1zvKuqX0wjYf3Ihh2CtPZo/3wpsa6XGuLdT
0dDUCdU8Tjd67wX3p+CI6CBGoMqLuVY/0AO9xoo7drVoOT9fYQ7UjSNIkxN9nVzI
yWmaudOzeLnHaVf7jYYeOmADe1YaVM3oMVZrmTZ1TtPMTd0ovWrPll27zVYx1PjE
NuTZDpnysa7agoD5hemtKUXR0GwbeoVMpIWCceKNNPh8kjb6B5sTOl7y8ZR/gUld
CaNn5sbZ1N1QrIkAPwMFEDPvjXSWgad8PVLgfxECp2MAn1VUzoaLFiek6lky++m4
qTc4ejAoAJ9DE/8NyaqDkq0M+d3qEcxpVsQEBokAPwMFEDPvjflhWBbFOs5V/hEC
GTAAoNaAhsFpD+qhH0X8IyGaljO1ywwHAKDYNOETuHePkca+yLDLwyxlmYurmYkA
lQMFEDPvuil3prw+JwB2/QEBcpsD/25lxJqT+7jW4W6jDm7CTJ2OR8fPtdEUrj0d
fujPCgltXJ3OVREwg69vCl/rCz9sVPKEzVFEbdvkTmjimxeg1ajBcb642SZMuFcg
E60fhNyNsteyktZSI20E2UnZ0MrGK33J7Vn/1xPCl9o3ICa1vRo8E3ixnyvoGaB3
jhXHSdIviQCVAwUQM/Dk6him+KqOZxohAQEn9QQAtd5uSls7cYT+MZvjWrMxyhNV
e3eSqHWZjXImWg8SWVey0/XI7ze5zMt8+GEpQoAaD9ZlLl4WthNG8iq7YdnsXQ99
OqpF4pRSvsYVv5BRPO3XvwNDN8jJMdP7jcIgwXo08Zt1YWTDMxpSNcF7ARfZ5M2D
V9FKhgLris+9IRcWeemJAJUDBRAz8OmTetUtBpz0lbkBAdxmBACq97OI8lyJWvN1
qeZQca3wtrauXWpehi1gBxLnWBUPYPGV78nVIi/JFbKxMTT6zxf7ODDvXNBebngp
Qp2gVO8TJ6tzrk2dVUKA9Sk03z8fRdSk13WhnYoojPPebFBtXBrnSxEq9gEVSj2Z
R9u/5qUUrjKtZqoAXcPHfwqJCuo5rYkAPwMFEDPw8fC4sEdhxJFDBxEC75sAmgMQ
NrF121TfmZ6QKCU2NscuY5H6AKCJinLR8Hwm00kTSTfFAO5bQfy4bYkAlQMFEDPw
6bfUWbxRv7Y9YQEBJtkD/3BgNhOa+2hK68jTI4hMaCaHyRII4wCZeKSEjoBJnLwa
GQ9fs5jbJtfYjDtdcCkvSZy4OvXcWb7Gu31PKbJgBtGeY+Ns+fUahhUz+is35H+3
+ZuV91v56SW8wqcKEDt40V9g1TP5X6VE+QfXnoScFdjCbOViwoR6saPEkujJASuy
iQA/AwUQM/Ks2CLcSmI6S/dwEQKghwCeOY2rw3OcrQdiDCJxZhSMMCa17pAAoIrq
3Epb5UdZEnZxJ/aZpGR/ROaaiQCVAwUQM/EQdH+11HSaYdsJAQGKBAP+LRkDVCwW
NCpAAFOag6ou3SmFfxD19qRfLPbjlm3nLk6wYvbSXBVp1VXMRJkdmCXSxMe0vo1r
xCMoL66qVutyHrSgifPPN6AYNPKTTNUx5o0Ck5xXf4PWoy8cfvyrKJtd/wDi4Ryf
WOsZNYKVAf1ItbZse243ICsgMAduzZLgygo=
=OrTt
-----END PGP PUBLIC KEY BLOCK-----