A password encryption meant to increase the resistance of Cisco System’s IOS operating system to brute force attacks actually left devices vulnerable due to a to an implementation error by the company.
The problem concerning the new algorithm called Type 4 which is used on Cisco IOS and IOS XE devices was first discovered March 12 by researchers Philipp Schmidt and Jens Steube of Hashcat Project , developers of hash cracker and password recovery tools.
In a post on its Web site yesterday, Cisco thanks Schmidt and Steube for sharing their research with the company and “working towards a coordinated disclosure of the issue.”
Type 4 was designed to be a stronger alternative to existing Type 5 and Type 7 algorithms to increase the resiliency of passwords against brute force attacks.
Is there a fix for the password problem
Password breach lawsuit vs. LinkedIn dismissed
“Due to an implementation issue, the Type 4 password algorithm does not use PEKDF 2 and does not use a salt, but instead performs as single iteration of SHA-256 over the user provided plaintext password,” Cisco said. “This approach caused a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”
The implementation of Type 4 passwords caused the following:
- A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password
- Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or Cisco XE release with Type 4 passwords
- Depending on the specific device configuration, the administrator may not be able to log on into the device or change over to privileged EXEC mode. This would then require a password recovery process to be performed
Cisco said also provided instructions for administrators to help them determine whether a Cisco IOS or Cisco XE release supports Type 4 password and whether a device has any Type 4 passwords. The advisory also has detailed instructions on how to replace Type 4 passwords with a Type 5 password.
Because of the flaw, Cisco said, future IOS and IOS XE releases will no longer generate Type 4 passwords and the company will introduced a new password type.
However, to maintain backward compatibility, Type 4 passwords will be parsed and accepted customers will need to manually remove the existing Type 4 password from their configuration.