ID: 3364
Date: 30 August 2007 10:39
Title: 3364 - Cisco Security Response: VTY Authentication Bypass Vulnerability
Abstract: This is the Cisco PSIRT response to the NileSOFT Security Advisory entitled "Bypass Authentication Vulnerability on Cisco Catalyst 3750 12.2(25)", posted on 2007 August 29th at 0900 UTC (GMT).
Vendors affected: Cisco
Availability of fix: Available
Type of fix: Workaround
Source: Cisco
Reliability of source: Trusted
Source URL: http://www.cisco.com/warp/public/707/cisco-sr-20070829-vty.shtml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: VTY Authentication Bypass Vulnerability
========================
http://www.cisco.com/warp/public/707/cisco-sr-20070829-vty.shtml
Revision 1.0
============
For Public Release 2007 August 29 1800 UTC (GMT)
Contents
========
Cisco Response
Additional Information
Revision History
Cisco Security Procedures
Cisco Response
==============
This is the Cisco PSIRT response to the NileSOFT Security Advisory entitled "Bypass Authentication Vulnerability on Cisco Catalyst 3750 12.2(25)", posted on 2007 August 29th at 0900 UTC (GMT).
The original advisory was posted to a Korean website.
This vulnerability was previously discovered and reported to Cisco by a customer in April 2005, and the contents of the Cisco bug ID have been available on Cisco.com since April 2005.
This vulnerability is documented in Cisco bug ID CSCsa91175.
This Cisco Security Response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070829-vty.shtml.
Additional Information
======================
The contents of the Cisco bug ID CSCsa91175 release note enclosure are shown below:
Symptom
+------
If Authentication, Authorization and Accounting (AAA) is not enabled on a device and any configuration is entered under the VTY/AUX or CONSOLE line (except the "login" command), the command "no login" will appear under the VTY lines.
Conditions
+---------
This symptom will only occur if AAA is not enabled on the device and any configuration changes are made according to the Symptom description above.
Although the command "no login" will appear in the configuration, the device is not vulnerable until the running-configuration is saved to NVRAM and the device is reloaded.
Cisco IOS software releases within 12.2 E, F, and S release trains are affected if Cisco Bug ID CSCsa91175 is not integrated. Cisco recommends checking the device configuration to confirm that under the VTY lines configuration, the command "no login" is not present, unless this is the desired configuration. Provided below is a list of affected trains and the first fixed release.
+--------------------+--------------------------------------------+
| Affected Release   | First Fixed Releases                       |
+--------------------+--------------------------------------------+
| 12.2E based trains |                                            |
| EW                 | Vulnerable; apply workaround               |
| EWA                | Vulnerable; apply workaround               |
| EU                 | Vulnerable; apply workaround               |
| EX                 | Fixed in 12.2(35)EX                        |
| EY                 | Fixed in 12.2(37)EY                        |
+--------------------+--------------------------------------------+
| 12.2F based trains |                                            |
| FX                 | Vulnerable; apply workaround               |
| FY                 | Vulnerable; apply workaround               |
| FZ                 | Vulnerable; apply workaround               |
+--------------------+--------------------------------------------+
| 12.2S based trains |                                            |
| S                  | Vulnerable; apply workaround               |
| SB                 | Fixed in 12.2(31)SB                        |
| SBC                | Vulnerable; apply workaround               |
| SE                 | Fixed in 12.2(35)SE                        |
| SEA                | Vulnerable; apply workaround               |
| SED                | Vulnerable; apply workaround               |
| SEE                | Vulnerable; apply workaround               |
| SEF                | Vulnerable; apply workaround               |
| SEG                | Vulnerable; apply workaround               |
| SG                 | Fixed in 12.2(31)SG                        |
| SV                 | Vulnerable; apply workaround               |
| SW                 | Vulnerable; apply workaround               |
| SXD                | Vulnerable; apply workaround               |
| SXE                | Fixed in 12.2(18)SXE4 and later            |
| SZ                 | Vulnerable; apply workaround               |
+--------------------+--------------------------------------------+
No other Cisco IOS release trains are known to be affected by this vulnerability.
For more information on the terms "releases" and "trains", consult the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
In order to check the device configuration, log in to the device and enter the privileged command "show running-config". Confirm under the VTY lines configuration that the command "no login" is not present, unless this is the desired configuration.
For further information on the "login" command please reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/tersv_r/ter_l1g.htm#wp998262
An example of a device that will allow terminal access without a password prompt is shown below:
Device#show running-config
<lines removed>
line VTY 0 4
no login
<lines removed>
Workaround
+---------
Configuring the VTY lines with "login" will ensure that any remote access is prompted for a password first.
Cisco recommends that customers migrate to SSH as a best practice, where available and practical.
NOTE: If configured for AAA, please consult the AAA configuration guides for additional commands that are used with the "login" command.
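As an added example (not part of Cisco's response or of the bug release note), the following Python script performs the check described above against a saved copy of "show running-config": it walks each "line ..." stanza, flags VTY stanzas that carry "no login" while AAA ("aaa new-model") is not enabled, and emits the workaround commands for each flagged stanza. Both sample configurations are constructed for illustration; the "<placeholder>" password value and the function names are this example's own.

```python
"""Audit a Cisco IOS running-config for VTY lines that carry "no login"
while AAA is not enabled (the symptom described for Cisco bug ID
CSCsa91175) and emit the advisory's workaround ("login" under the line).

Added example; not Cisco code. Sample configs are constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample: the state the advisory says allows terminal access
# without a password prompt once saved to NVRAM and reloaded.
VULNERABLE_CONFIG = """\
hostname Device
!
line con 0
line aux 0
line vty 0 4
 no login
!
end
"""

# Constructed sample: the same device with the workaround applied.
# "<placeholder>" stands in for a real line password.
HARDENED_CONFIG = """\
hostname Device
!
line con 0
line aux 0
line vty 0 4
 password 7 <placeholder>
 login
 transport input ssh
!
end
"""


def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each top-level "line <type> <range>" stanza (e.g. "vty 0 4") to the
    lower-cased commands indented beneath it. A "!", a blank line or any
    other column-0 command terminates the current stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        m = re.match(r"line\s+(con|aux|vty|tty)\b(.*)$", raw, re.IGNORECASE)
        if m:
            current = (m.group(1) + m.group(2)).strip().lower()
            stanzas.setdefault(current, [])
            continue
        if current is not None and raw[0] in " \t":
            stanzas[current].append(raw.strip().lower())
        else:
            current = None
    return stanzas


def aaa_enabled(config: str) -> bool:
    """True if "aaa new-model" is configured at the top level."""
    return any(l.strip().lower() == "aaa new-model" for l in config.splitlines())


def find_open_vty_lines(config: str) -> List[str]:
    """Names of VTY stanzas with "no login" on a device where AAA is not
    enabled; under AAA, access is governed by "login authentication"
    instead, so the advisory's condition does not apply."""
    if aaa_enabled(config):
        return []
    return [name for name, cmds in parse_line_stanzas(config).items()
            if name.startswith("vty") and "no login" in cmds]


def workaround_commands(config: str) -> List[str]:
    """Configuration commands applying the advisory's workaround to every
    flagged VTY stanza (enter them in global configuration mode)."""
    cmds: List[str] = []
    for name in find_open_vty_lines(config):
        cmds += [f"line {name}", " login"]
    return cmds


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        flagged = find_open_vty_lines(cfg)
        print(f"{label}: open VTY stanzas = {flagged or 'none'}")
        for cmd in workaround_commands(cfg):
            print("   ", cmd)
```

Run it against a text capture of "show running-config" by reading the file into a string and calling find_open_vty_lines(). Note that "login" alone only restores the password prompt; the line also needs a password (or "login local" with configured users) before remote access will be accepted, which is why the hardened sample carries one.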
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Revision History
================
+--------------------------------------------------------+
| Revision 1.0 | 2007-August-29 | Initial public release |
+--------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFG1aSV8NUAbBmDaxQRAsRnAJ9ZG/QCH1EY+/RVyamvUyfUAysv9wCeONwO
YiQIGhXG3yEsw7irTCN64T0=
=FwhX
-----END PGP SIGNATURE-----
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.