[SANOG] Cisco Security Response: Cisco IOS and Cisco IOS XE Type 4 Passwords Issue

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Mon Mar 18 16:14:07 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue

Document ID: 33464

Revision 1.0

For Public Release 2013 March 18 16:00  UTC (GMT)
+---------------------------------------------------------------------

Cisco Response Summary
======================

This is the Cisco response to research performed by Mr. Philipp
Schmidt and Mr. Jens Steube from the Hashcat Project on the weakness
of Type 4 passwords on Cisco IOS and Cisco IOS XE devices. Mr. Schmidt
and Mr. Steube reported this issue to the Cisco PSIRT on March 12,
2013.

A limited number of Cisco IOS and Cisco IOS XE releases based on the
Cisco IOS 15 code base include support for a new algorithm to hash
user-provided plaintext passwords. This algorithm is called Type 4,
and a password hashed using this algorithm is referred to as a Type 4
password. The Type 4 algorithm was designed to be a stronger
alternative to the existing Type 5 and Type 7 algorithms to increase
the resiliency of passwords used for the 'enable secret password' and
'username username secret password' commands against brute-force
attacks.

For additional information please see the full Cisco Security Response
at the link below.

Cisco would like to thank Mr. Schmidt and Mr. Steube for sharing their
research with Cisco and working toward a coordinated disclosure of
this issue.

This Cisco Security Response is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlFHFKYACgkQUddfH3/BbTpPQAD/S/gS0O+btwWu5rI7rugYeRzD
m38z8zGANgZ9IlEz/OoA/RZVrhrJJ1eRTlHo0/IHuYK3AYUtT5cA8PprIJoUX1Qg
=R0TE
-----END PGP SIGNATURE-----


More information about the sanog mailing list