Vulnerability: Cisco passwords

Affected: Cisco 1020, 1600 (others?)

Description:

Derek Grocke posted the following. A work colleague of his bought a Cisco 1600 from an auction, one of the small frisbee-looking types. The Cisco had password protection which was unknown, so the unit was more or less useless. Cisco was called to find out if there was any way to reset the unit, as there is a way to reset many older/bigger Cisco routers from the console port by getting into the monitor/debug section. However, the answer was rather interesting. Quote:

    telnet to the Cisco
    login as 'guest'
    Password 'guestNNNANNNAAN'   N = numeric, A = character
    Del Log file to reset system

Next time you rlogin to the Cisco you are presented with the default blank Mac page for you to fill in.

If the router is compromised and then crippled, this would just be an inconvenience and/or loss of service, but if someone were able to substitute themselves as, say, the boot server or rewrite the routing table, this could be a very bad situation. Note that the password is looked up from a database at Cisco after supplying the unit's serial number. An algorithm is behind the serial number to password conversion/lookup. Given that this is accessible from a telnet session, what is stopping potential anarchists and hackers from exploiting this "feature"? Why spoof a router when you can set the routing table up yourself?

Norman Hoy reported the same behaviour for the 1020. You can still break the Cisco from the console port by changing the boot pointer.

Solution:

Given that every potentially vulnerable area should have some sort of proxy/firewall, with maybe a DMZ between two or more good routers, this may not be a huge security issue, except for re-routing of mail or IP tunnelling information to another site. Although it makes it difficult to administer from remote areas, you may usually leave instructions on how to set a password on the site. The password instructions are for setting the password for vty 0 4.

The remote site requires me to give them the enable password, and you should have SNMP turned on to monitor the status of the router. The reason for this: if you don't set a password for the router on vty 0 4, this stops ALL telnet sessions. Cisco won't allow a telnet session to a device that doesn't have a password set. This prevents the exploitation above.
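The solution above rests on how the vty lines handle an incoming telnet session: with `login` set and no password, IOS refuses the session outright, while `no login` hands a prompt to anyone. The following checker is an added example written for this advisory, not code from the original posting or from Cisco. It assumes standard IOS `line vty` / `login` / `password` syntax (the 1020/1600 firmware discussed above may not present its configuration this way), the sample configurations are constructed, and the password values are placeholders.

```python
"""Classify the vty lines in a Cisco IOS-style running-config by how they
treat a telnet session.  Added example for this advisory, not the page's or
Cisco's own code; sample configs are constructed, passwords are placeholders."""

# Possible outcomes for one vty line.
OPEN = "open"            # 'no login': any telnet session gets a prompt, no password asked
REFUSED = "refused"      # 'login' but no password: IOS refuses the telnet session
PASSWORD = "password"    # 'login' plus a password (or 'login local'): authenticated access

# Constructed sample: vty lines left wide open.
OPEN_CONFIG = """\
hostname frisbee
!
line con 0
line vty 0 4
 no login
!
end
"""

# Constructed sample: the state the advisory recommends shipping the router in.
# 'login' is set but no password exists, so IOS will not accept telnet at all.
NO_PASSWORD_CONFIG = """\
hostname frisbee
!
line con 0
line vty 0 4
 login
!
end
"""

# Constructed sample: the state after the on-site instructions have been followed.
PASSWORD_CONFIG = """\
hostname frisbee
!
enable secret <ENABLE-SECRET-PLACEHOLDER>
line con 0
 password <CONSOLE-PASSWORD-PLACEHOLDER>
 login
line vty 0 4
 password <VTY-PASSWORD-PLACEHOLDER>
 login
!
end
"""


def parse_line_blocks(config):
    """Return [(line-name, [child commands])] for every 'line ...' section.
    IOS prints a section's children indented by one space; '!' ends a section."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None
    return blocks


def classify_vty(cmds):
    """Map the child commands of one vty line to OPEN, REFUSED or PASSWORD."""
    if "no login" in cmds:
        return OPEN
    if "login local" in cmds:
        return PASSWORD
    if "login" not in cmds:
        # Assumption: a vty line with no explicit 'login' is treated as open,
        # the conservative reading for an audit.
        return OPEN
    if any(c.startswith("password ") for c in cmds):
        return PASSWORD
    return REFUSED


def audit_vty(config):
    """Return [(line-name, outcome)] for each vty line in the config."""
    return [(name, classify_vty(cmds))
            for name, cmds in parse_line_blocks(config)
            if name.startswith("line vty")]


def exposed_vty(config):
    """Names of vty lines that would hand a telnet session to anyone."""
    return [name for name, outcome in audit_vty(config) if outcome == OPEN]


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG),
                       ("no password", NO_PASSWORD_CONFIG),
                       ("password", PASSWORD_CONFIG)):
        print(label, audit_vty(cfg))
```

Run it against a saved `show running-config` to list every vty line that would accept a telnet session without a password; only the `open` outcome is the state the advisory warns about, while `refused` is the deliberately locked-down state it recommends until the password is set on site.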