===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0402
             Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
                               19 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS and Cisco IOS XE
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Response

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue

Document ID: 33464

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

Revision 1.0

For Public Release 2013 March 18 16:00 UTC (GMT)

Contents

Response

Additional Information

Status of this Notice: Final

Revision History

Cisco Security Procedures

Cisco Response

This is the Cisco response to research performed by Mr. Philipp Schmidt and Mr.
Jens Steube from the Hashcat Project on the weakness of Type 4 passwords on 
Cisco IOS and Cisco IOS XE devices. Mr. Schmidt and Mr. Steube reported this 
issue to the Cisco PSIRT on March 12, 2013.

Cisco would like to thank Mr. Schmidt and Mr. Steube for sharing their research
with Cisco and working toward a coordinated disclosure of this issue.

This Cisco Security Response is available at 
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

Additional Information

A limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS
15 code base include support for a new algorithm to hash user-provided 
plaintext passwords. This algorithm is called Type 4, and a password hashed 
using this algorithm is referred to as a Type 4 password. The Type 4 algorithm
was designed to be a stronger alternative to the existing Type 5 and Type 7
algorithms to increase the resiliency of passwords used for the enable secret 
password and username username secret password commands against brute-force 
attacks.

The design called for using Password-Based Key Derivation Function version 2 
(PBKDF2), as described in RFC 2898 section 5.1, with the following input 
values:

    Hash algorithm = SHA-256
    Password = the user-provided plaintext password
    Salt = 80 bits (generated by calling a cryptographically secure random 
    number generator)
    Iteration count = 1,000 (one thousand)

Due to an implementation issue, the Type 4 password algorithm does not use 
PBKDF2 and does not use a salt, but instead performs a single iteration of
SHA-256 over the user-provided plaintext password. This approach causes a Type
4 password to be less resilient to brute-force attacks than a Type 5 password 
of equivalent complexity.
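The following added example (not Cisco's code) contrasts the two key derivations the response describes: the single unsalted SHA-256 pass that shipped, and the PBKDF2-HMAC-SHA256 with an 80-bit salt and 1,000 iterations that was designed. It shows why the lack of a salt matters for defenders: the same password produces the same stored value for every account and every device (exactly what is visible later in the response, where "enable secret" and "username demo secret" carry an identical Type 4 string). The device's own text encoding of the digest is not described in the response and is not reproduced; hex digests and all function names here are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters stated in the Cisco Security Response for the Type 4 design:
# PBKDF2 (RFC 2898 section 5.1), SHA-256, 80-bit salt, 1,000 iterations.
PBKDF2_ITERATIONS = 1000
SALT_BYTES = 10  # 80 bits


def type4_as_implemented(password: str) -> str:
    """What shipped: one unsalted SHA-256 pass over the plaintext password.
    Hex is used here; the on-device string encoding is not covered by the response."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def type4_as_designed(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """What was designed: PBKDF2-HMAC-SHA256 with a fresh random 80-bit salt and
    1,000 iterations. Returns (salt, hex digest); the salt must be stored with the digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 80 bits")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk.hex()


def verify_as_designed(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    _, candidate = type4_as_designed(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def same_password_two_accounts(password: str) -> dict:
    """Hash one password for two entries (as 'enable secret' and 'username demo secret'
    in the response) under both schemes and report whether the stored values collide."""
    impl_a, impl_b = type4_as_implemented(password), type4_as_implemented(password)
    (_, des_a), (_, des_b) = type4_as_designed(password), type4_as_designed(password)
    return {
        # True: no salt, so equal passwords are recognisable in any config dump.
        "implemented_identical": impl_a == impl_b,
        # False: a per-entry salt hides password reuse and defeats precomputation.
        "designed_identical": des_a == des_b,
    }


if __name__ == "__main__":
    # Constructed demo using the plaintext password shown in the response's examples.
    pw = "Th1z#1s+53kri7"
    print("as implemented:", type4_as_implemented(pw))
    salt, digest = type4_as_designed(pw)
    print("as designed   :", salt.hex(), digest)
    print(same_password_two_accounts(pw))
```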

The following issues were also introduced because of the implementation of Type
4 passwords:

    A device running a Cisco IOS or IOS XE release with support for Type 4 
    passwords lost the capability to create a Type 5 password from a 
    user-provided plaintext password

    Backward compatibility problems may arise when downgrading from a device
    running a Cisco IOS or IOS XE release with Type 4 password support and Type
    4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not
    support Type 4 passwords. Depending on the specific device configuration,
    the administrator may not be able to log in to the device or to change into
    privileged EXEC mode, requiring a password recovery process to be 
    performed.

All the preceding issues apply only to devices running Cisco IOS or Cisco IOS 
XE releases with support for Type 4 passwords, and only to the "enable secret 
<password>" and "username <username> secret <password>" commands. No other 
Cisco IOS or IOS XE features use this algorithm to hash passwords or keys. For
example, these issues do not affect Open Shortest Path First (OSPF), Border 
Gateway Protocol (BGP), Routing Information Protocol (RIP), any other routing 
protocol keys, or pre-shared keys for IPsec.

These issues do not apply to devices running a Cisco IOS or Cisco IOS XE 
release without support for Type 4 passwords.

Determining Whether a Cisco IOS or Cisco IOS XE Release Supports Type 4 
Passwords

Administrators can use the following procedure to determine whether the Cisco 
IOS or Cisco IOS XE release running on a given device includes support for 
Type 4 passwords:

1) Log in to the device and execute the show version | include IOS command:

    router#show version | include IOS
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.3(1)T, RELEASE SOFTWARE (fc1)
    router#

If the version number starts with "15" proceed to the next step. Otherwise, the
Cisco IOS or Cisco IOS XE release running on the device does not include 
support for Type 4 passwords.

2) While logged in to the device as a privileged user, enter configuration mode
and execute an enable secret ? command:

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router#(config)#enable secret ?
      0      Specifies an UNENCRYPTED password will follow
      4      Specifies an SHA256 ENCRYPTED secret will follow
      5      Specifies a MD5 ENCRYPTED secret will follow
      LINE   The UNENCRYPTED (cleartext) 'enable' secret
      level  Set exec level password

    router(config)#

In the preceding example, the line "4   Specifies an SHA256 ENCRYPTED secret 
will follow" indicates the Cisco IOS or Cisco IOS XE release running on the 
device does support Type 4 passwords.

    router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    router#(config)#enable secret ?
      0      Specifies an UNENCRYPTED password will follow
      5      Specifies a MD5 ENCRYPTED secret will follow
      LINE   The UNENCRYPTED (cleartext) 'enable' secret
      level  Set exec level password

    router(config)#

In the preceding example, there is no "4   Specifies an SHA256 ENCRYPTED secret
will follow" in the help output of the enable secret command. This output 
indicates the Cisco IOS or Cisco IOS XE release running on this device does not
support Type 4 passwords.

Determining Whether a Device Has Any Type 4 Passwords Configured

A device running a Cisco IOS or Cisco IOS XE release with support for Type 4 
passwords may not actually have any Type 4 passwords in the device 
configuration. A device that was upgraded from a Cisco IOS or Cisco IOS XE 
release without support for Type 4 passwords to a Cisco IOS or Cisco IOS XE 
release that does support Type 4 passwords may contain an enable secret 
password command and zero or more username username secret password commands 
that have Type 5 passwords because they were configured before the upgrade.

The following command can be used to determine whether any Type 4 passwords are
present on the device configuration:

    show running-config | include ^(enable secret 4|username.*secret.4)

The following example shows a device without any Type 4 passwords configured:

    router#show running-config | include ^(enable secret 4|username.*secret.4)
    router#

The following example shows a device with Type 4 passwords configured for both
the "enable secret <password>" and the "username <username> secret <password>" 
commands. The presence of a Type 4 password is indicated by the number 4 that 
immediately follows the secret keyword:

    router#show running-config | include ^(enable secret 4|username.*secret.4)
    enable secret 4 ohKCwRDiX5YiRkTbLspqXvQkxiL91lDUlt.JzPd33RY
    username demo secret 4 ohKCwRDiX5YiRkTbLspqXvQkxiL91lDUlt.JzPd33RY
    router#
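For auditing saved configurations offline, the added example below (not Cisco's code) applies the same regular expression the response uses with "show running-config | include" to a constructed configuration text, and additionally tallies secrets by type and reports Type 4 values shared by more than one entry. The reuse check works only because Type 4 is unsalted; the SECRET_LINE pattern, the function names and the sample configuration are this example's own.

```python
import re
from collections import defaultdict

# Regex taken from the Cisco Security Response ('show running-config | include ...').
TYPE4_PATTERN = re.compile(r"^(enable secret 4|username.*secret.4)")

# Added classifier: captures the numeric type after the 'secret' keyword for both
# affected commands. 'password 7' lines are deliberately not matched, since the
# response states only the two 'secret' commands use Type 4.
SECRET_LINE = re.compile(
    r"^(?P<cmd>enable secret|username (?P<user>\S+) secret) (?P<type>\d) (?P<hash>\S+)$"
)


def find_type4_lines(config_text):
    """Equivalent of the response's include filter, applied to config text."""
    return [ln for ln in config_text.splitlines() if TYPE4_PATTERN.search(ln.strip())]


def audit_secrets(config_text):
    """Return (count per secret type, Type 4 hashes shared by more than one entry)."""
    counts = defaultdict(int)
    owners = defaultdict(list)
    for raw in config_text.splitlines():
        m = SECRET_LINE.match(raw.strip())
        if not m:
            continue
        counts[m.group("type")] += 1
        if m.group("type") == "4":
            owners[m.group("hash")].append(m.group("user") or "enable")
    reused = {h: who for h, who in owners.items() if len(who) > 1}
    return dict(counts), reused


# Constructed sample configuration; the Type 4 and Type 5 strings are the ones
# shown in the response, the 'password 7' value is filler.
SAMPLE_CONFIG = """\
hostname router
enable secret 4 ohKCwRDiX5YiRkTbLspqXvQkxiL91lDUlt.JzPd33RY
username demo secret 4 ohKCwRDiX5YiRkTbLspqXvQkxiL91lDUlt.JzPd33RY
username ops secret 5 $1$M/wf$iqBnv/g3GuVUsCpWcDFS20
username legacy password 7 0123456789AB
line vty 0 4
"""

if __name__ == "__main__":
    for line in find_type4_lines(SAMPLE_CONFIG):
        print("Type 4 present:", line)
    counts, reused = audit_secrets(SAMPLE_CONFIG)
    print("secrets by type:", counts)
    for h, who in reused.items():
        print("same Type 4 value used by", ", ".join(who), "->", h)
```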

Behavior of a Cisco IOS or Cisco IOS XE Release with Support for Type 4 
Passwords

A device running a Cisco IOS or Cisco IOS XE release with support for Type 4 
passwords will exhibit the following behavior:

1) Configuring an enable secret password or username username secret password
command (with password being a plaintext password) will cause a Type 4 password
to be generated:

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#enable secret Th1z#1s+53kri7
    router(config)#username demo secret Th1z#1s+53kri7
    router(config)#do show running-config | include ^(enable|username)
    enable secret 4 ohKCwRDiX5YiRkTbLspqXvQkxiL91lDUlt.JzPd33RY
    username demo secret 4 ohKCwRDiX5YiRkTbLspqXvQkxiL91lDUlt.JzPd33RY
    router(config)#

Note: There is no way to supply a plaintext password as an argument to either
the enable secret password or username username secret password and indicate 
that a Type 5 password should be generated. The only way to configure either an
enable secret password or username username secret password with a Type 5 
password is using the enable secret 5 password or username username secret 5
password commands, where password is a previously generated Type 5 password.

2) Configuring an enable secret 5 password or username username secret 5 
password (where password is a previously generated Type 5 password) will result
in a warning, but the password will be correctly parsed, added to the 
configuration, and fully functional. The generated warning can safely be 
ignored. An example follows:

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#enable secret 5 $1$YXEj$Fr7OC1Jh62xJRb/rdIm9d0
     Warning: The CLI will be deprecated soon
     'enable secret 5 $1$YXEj$Fr7OC1Jh62xJRb/rdIm9d0'
     Please move to 'enable secret <password>' CLI
    router(config)#username demo secret 5 $1$Gd0I$VJkZkCRG1d1FvY7we7dzM.
     Warning: MD5 encryption will be deprecated soon.Please move to SHA256 encryption.
    router(config)#do show running-config | include ^(enable|username)
    enable secret 5 $1$YXEj$Fr7OC1Jh62xJRb/rdIm9d0
    username demo secret 5 $1$Gd0I$VJkZkCRG1d1FvY7we7dzM.
    router(config)#

3) If the device was upgraded from a previous Cisco IOS or Cisco IOS XE release
without support for Type 4 passwords, and the configuration included the 
commands enable secret 5 password or username username secret 5 password, 
those Type 5 passwords will be parsed, added to the configuration, and fully 
functional. There is no automatic conversion of existing Type 5 passwords to
Type 4 passwords after upgrading a device to a Cisco IOS or Cisco IOS XE 
release that has support for Type 4 passwords.

Replacing a Type 4 Password with a Type 5 Password

Customers running a Cisco IOS or Cisco IOS XE release with support for Type 4 
passwords and currently using Type 4 passwords on their device configuration 
may want to replace those Type 4 passwords with Type 5 passwords. Reasons 
include the following:

    Preparation for a device downgrade to a Cisco IOS or Cisco IOS XE release 
    that does not support Type 4 passwords

    Compatibility with network management systems or other tools that cannot 
    handle a device configuration that includes Type 4 passwords

    An organizational security policy that dictates the use of Type 5 passwords

    Concerns about the resiliency of Type 4 passwords versus Type 5 passwords 
    against brute-force attacks

As mentioned previously, a Cisco IOS or Cisco IOS XE release with support for
Type 4 passwords does not allow the generation of a Type 5 password from a 
plaintext password on the device itself. Customers who need to replace a Type 4
password with a Type 5 password must generate the Type 5 password outside the 
device and then copy the Type 5 password to the device configuration.

There are two options to generate a Type 5 password:

    Using another device running a Cisco IOS or Cisco IOS XE release without 
    Type 4 support
    Using the openssl command-line tool (part of the OpenSSL Project)

In either case, administrators will need access to the plaintext version of the
password to generate the Type 5 password.

Using Another Device to Generate a Type 5 Password

1) Either the enable secret password or the username username secret password 
command can be used to generate a Type 5 password from a plaintext password. 
The administrator must log in to the device using credentials that allow the 
administrator to go into configuration mode and execute the chosen command. The
following example shows the username username secret password command and the
string Th1z#1s+53kri7 as the plaintext password:

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#username demo secret Th1z#1s+53kri7
    router(config)#do show running-config | include username demo.*secret 5
    username demo secret 5 $1$M/wf$iqBnv/g3GuVUsCpWcDFS20
    router(config)#no username demo
    router(config)#

2) Copy the resulting Type 5 password (which is $1$M/wf$iqBnv/g3GuVUsCpWcDFS20
in the preceding example).

Using the openssl Tool to Generate a Type 5 Password

1) The openssl tool can generate a Type 5 password when using a specific set of
command-line arguments, as follows:

    openssl passwd -salt `openssl rand -base64 3` -1 PLAINTEXT_PASSWORD

Administrators must replace the string PLAINTEXT_PASSWORD with the appropriate
plaintext password. The following example uses the string Th1z#1s+53kri7 as the
plaintext password:

    hostname$ openssl passwd -salt `openssl rand -base64 3` -1 Th1z#1s+53kri7
    $1$dxVt$FSJmj1O6JUZdbUjxZkIuD.

2) Copy the resulting Type 5 password (which is $1$dxVt$FSJmj1O6JUZdbUjxZkIuD.
in the preceding example).

Note: Depending on the characters in the plaintext password, you may need to 
enclose it between quotes.

Copying the Type 5 Password to the Targeted Device

Paste the previously generated Type 5 password into the appropriate command, 
either enable secret 5 password or username username secret 5 password. 
Remember to specify the type of encryption by adding the number 5 after the 
secret keyword in both commands. Otherwise, the provided password will be 
interpreted as a plaintext password.

The following example uses the Type 5 password generated on another device as 
the enable secret password, and the Type 5 password generated by openssl 
becomes the user password for the user named demo:

    router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#username demo secret 5 $1$dxVt$FSJmj1O6JUZdbUjxZkIuD.
     Warning: MD5 encryption will be deprecated soon.Please move to SHA256 encryption.
    router(config)#enable secret 5 $1$M/wf$iqBnv/g3GuVUsCpWcDFS20
     Warning: The CLI will be deprecated soon
     'enable secret 5 $1$M/wf$iqBnv/g3GuVUsCpWcDFS20'
     Please move to 'enable secret <password>' CLI
    router(config)#

Notes

    A deprecation warning will be generated when using a Type 5 password for 
    either the enable secret 5 command or the username username secret 5 
    password command. This warning can be safely ignored.
    If the deprecation warning for either the enable secret 5 command or the
    username username secret 5 password command does not occur, the device is 
    not interpreting the provided password as a Type 5 password. Make sure the
    number 5 is included after the secret keyword in either command.

The Future of Type 4 Passwords on Cisco IOS and Cisco IOS XE

Because of the issues discussed in this Security Response, Cisco is taking the
following actions for future Cisco IOS and Cisco IOS XE releases:

    Type 4 passwords will be deprecated: Future Cisco IOS and Cisco IOS XE 
    releases will not generate Type 4 passwords. However, to maintain backward 
    compatibility, existing Type 4 passwords will be parsed and accepted. 
    Customers will need to manually remove the existing Type 4 passwords from 
    their configuration.
    
    The enable secret password and username username secret password commands 
    will revert to their original behavior: Both commands, when provided with a
    plaintext password, will generate a Type 5 password. This will be the same
    behavior as before the introduction of Type 4 passwords. This step is being
    taken to preserve backward compatibility.
    
    Type 5 passwords will not be deprecated: This will be done to preserve 
    backward compatibility. The deprecation warning for Type 5 passwords will 
    be removed.
    
    A new password type will be introduced: This new password type will 
    implement the original design intended for Type 4 passwords, which is 
    PBKDF2 with SHA-256, an 80-bit salt, and 1,000 iterations. The exact type
    is yet to be determined.
    
    New command-line interface commands will be introduced: The new commands 
    will allow Cisco customers to configure the new password type for both
    enable secret password and username username secret password. This will 
    allow Cisco customers to gradually migrate to the new password type, while
    allowing them to use the existing syntax to preserve backward 
    compatibility. The exact syntax for the new commands is yet to be 
    determined.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the
distribution URL in the following section is an uncontrolled copy, and may lack
important information or contain factual errors.

Revision History

Revision 1.0 	2013-March-18 	Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive security
information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================