nanog mailing list archives
Re: Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)
From: Paul Ferguson <ferguson () cisco com>
Date: Fri, 28 Apr 2000 19:44:07 -0400
Well, yes, we have been trying to do "due diligence" to ensure that we publicly notify our customers, and the public at-large, of any known security problems with our products. These are not dirty little secrets -- we believe that our customers deserve to know, as soon as possible, when we have found vulnerabilities in our products.

As stated in most of the advisories, we post these security advisories to:

cust-security-announce () cisco com
bugtraq () securityfocus com
first-teams () first org (includes CERT/CC)
cisco () spot colorado edu
comp.dcom.sys.cisco
Various internal Cisco mailing lists

Secondly, and to the best of my knowledge, I know of no instance where the Catalyst enable password vulnerability has been used by an attacker to exploit a customer's network.

For further information, see:

http://www.cisco.com/warp/public/707/advisory.html
and
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Cheers,

- paul

At 02:16 PM 04/28/2000 -0700, Roland Dobbins wrote:
First of all, there -is- a bug in the Catalyst Supervisor software revision 5.4.1 which basically disables the functionality of the enable password. If someone has the login password to the router, they can use the same password to get to enable mode. Yes, someone has to either a) get his password sniffed internally or b) re-use the password on some external network which allows it to get sniffed or c) use a weak and/or easily-guessable password for this exploit to be used. But your blanket statement about the enable password on Cisco switches is incorrect. And while shared segments are generally a Bad Thing, there are certain instances in which they make sense. See http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml for more details.

Secondly, there's also a bug in the Cisco telnet daemon for IOS 11.3AA, 12.0(2)-12.0(6) and 12.0(7), excluding 12.0(7)S, 12.0(7)T, and 12.0(7)XE, which allows very easy DoS attacks against routers and switches running those revs. The bug ID is CSCdm70743, and more information can be found at http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml .

Thirdly, 12-series IOSes can make use of ssh, but there are a lot of other issues with the 12.x revs (see the above paragraph for an example) which have prevented their wide-scale adoption. Kerberos is certainly an option, and a good one, but Monday-morning quarterbacking is really easy, especially when one doesn't have direct knowledge of all the various factors involved, nor any responsibility for maintaining the network in question.