Cisco inadvertently weakens password encryption in its IOS operating system

The password encryption scheme used in newer Cisco IOS versions is weak, researchers find

The password encryption algorithm used in some recent versions of the Cisco IOS operating system is weaker than the algorithm it was designed to replace, Cisco revealed earlier this week.

The new encryption algorithm is called Type 4 and was supposed to increase the resiliency of encrypted passwords against brute-force attacks. "The Type 4 algorithm was designed to be a stronger alternative to the existing Type 5 and Type 7 algorithms," Cisco said Monday in a security response document published on its website.

However, due to an implementation error, the new algorithm generates password hashes -- cryptographic representations of passwords -- that are weaker than those generated by the Type 5 algorithm for equally complex passwords.

The issue was discovered by researchers Philipp Schmidt and Jens Steube of the Hashcat Project. Hashcat is a password recovery application.

The Type 4 algorithm was supposed to conform to the Password-Based Key Derivation Function version 2 (PBKDF2) standard in an implementation where 80 bits of random data are appended to the plaintext password -- a process known as salting -- and the resulting string is subjected to 1,000 iterations through the SHA-256 hashing function.

"Due to an implementation issue, the Type 4 password algorithm does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password," Cisco said in its advisory. "This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity."

The Type 5 algorithm uses the MD5 hashing function that dates back to 1992 and has known security weaknesses, but its implementation uses salting and 1,000 iterations.

Salting and hash iteration are standard methods recommended by cryptography experts to make password hashes harder to crack and all password encryption algorithms should use them, Schmidt and Steube said Wednesday via email. If a password is passed through 1,000 hashing iterations, a brute-force attack would have to compute the hash 1,000 times for every password guess. This significantly increases the time and resources needed for a successful password recovery attack, the researchers said.

Only a limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base support the Type 4 algorithm, Cisco said in its advisory. "Issues apply only to devices running Cisco IOS or Cisco IOS XE releases with support for Type 4 passwords, and only to the 'enable secret <password>' and 'username <username> secret <password>' commands," the company said. "No other Cisco IOS or IOS XE features use this algorithm to hash passwords or keys."

The company declined to name the exact affected products or IOS and IOS XE versions at this time. "We refer Cisco customers to our Security Response which provides important information on the use of Type 4 passwords in some Cisco IOS and IOS XE devices," a Cisco representative said Wednesday via email. "In some cases they may choose to revert to Type 5 passwords on these devices, so we have provided advice on how this can be achieved. We have also offered information on Cisco's plans to implement a new password type in future versions of IOS."

According to a Cisco IOS command reference manual found on the company's website, support for Type 4 encryption was first added to the "enable secret" command in Cisco IOS 15.0(1)S, 15.1(4)M and in Cisco IOS XE Release 3.1S.

Cisco included information on how to determine if a device uses Type 4 passwords and how to replace them with Type 5 passwords. However, while Type 5 passwords can be used on devices that support Type 4 passwords, they can't be generated on such devices.

"A Cisco IOS or Cisco IOS XE release with support for Type 4 passwords does not allow the generation of a Type 5 password from a plaintext password on the device itself," Cisco said. "Customers who need to replace a Type 4 password with a Type 5 password must generate the Type 5 password outside the device and then copy the Type 5 password to the device configuration."

Furthermore, backward compatibility issues might appear when downgrading from a device with Type 4 passwords configured to a device that doesn't support Type 4 passwords, Cisco said. "Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."

Going forward, the Type 4 algorithm will be deprecated in favor of a new algorithm based on the correct design originally intended for Type 4, the company said. Until the new algorithm is put in place, the "enable secret" and "username" commands will revert back to their original behavior of generating Type 5 password hashes. Also, a warning displayed to users of Cisco IOS devices about the deprecation of Type 5 passwords will be removed and these passwords will continue to be supported for backward compatibility reasons.

Schmidt and Steube contacted Cisco immediately after discovering the issue, which they describe as a "disastrous error," and followed the company's responsible disclosure policies. "Fortunately, the type 4 implementation was not yet present on all hardware devices and all IOS (XE) versions. Nevertheless, such an 'implementation mistake,' as Cisco calls it, should have never happened and the code should have never left the Cisco lab."

While investigating this issue the researchers found hundreds of Type 4 password hashes using Google search that had been leaked online by users who posted their Cisco device log files or terminal captures on various websites. Only around 10 of those hashes were generated from passwords that were complex enough for the hashes to be considered somewhat secure, the researchers said.


Lucian Constantin

IDG News Service