Bugtraq mailing list archives
Re: Cisco Security Advisory: IOS HTTP authorization vulnerability
From: Eric Vyncke <evyncke () cisco com>
Date: Fri, 29 Jun 2001 10:00:54 +0200
At 00:22 28/06/2001 +0200, David Hyams wrote: ...%<....%<.... lot of valid comments deleted ....
* It's well known that the encryption algorithm for vty passwords is very weak. Numerous software tools exist to decrypt the vty password. Isn't it time to abandon this algorithm and implement a real encryption algorithm for ALL passwords (not just the "enable secret" command)? If an attacker can get the device config, then it's far too easy to decrypt the password (assuming of course that it is encrypted! See above)
David,As you probably know, for some password (used notably for SNMP, CHAP, PAP, IKE, ...) there is a protocol need to get those passwords in the clear. Hence, the obfuscation mechanism will always be reversible. Even using 3DES will require a hard coded key hidden somewhere in the IOS code (and a 'simple' reverse engineering will expose this key).
Of course, suggestions are welcome Just my 0.01 BEF (still 6 months to live) -eric
regards David Hyams -- david.hyams () kmu-security ch http://www.kmu-security.ch
Current thread:
- Cisco Security Advisory: IOS HTTP authorization vulnerability Cisco Systems Product Security Incident Response Team (Jun 27)
- <Possible follow-ups>
- Re: Cisco Security Advisory: IOS HTTP authorization vulnerability David Hyams (Jun 28)
- RE: Cisco Security Advisory: IOS HTTP authorization vulnerability Oliver Petruzel (Jun 29)
- Re: Cisco Security Advisory: IOS HTTP authorization vulnerability David Hyams (Jun 29)
- Re: Cisco Security Advisory: IOS HTTP authorization vulnerability Eric Vyncke (Jun 29)
- RE: Cisco Security Advisory: IOS HTTP authorization vulnerability Oliver Petruzel (Jun 29)