Thursday, March 21, 2013

Cisco announces about poorly hashed passwords in its IOS-devices

The actual implementation of technology Password hashing not meet the standards set out in the description of the company's products.

One type (Type 4) passwords in certain devices, Cisco IOS and Cisco IOS XE hashed not the right way and do not meet the standards outlined in the product description. Thus, they are vulnerable to a number of common attacks, said the developers.

Implementation feature passwords Type 4, as follows from the description of Cisco, involves the use of technologies Password-Based Key Derivation Function 2 (PBKDF2), according to which the user's password hash is done using encryption standards SHA-256, 80-bit "salt" and the iteration hash algorithm, a thousand times. However, the actual implementation is a hash function without "salt" with the SHA-256, and a single iteration.

Experts Cisco said, these passwords are very vulnerable, even for such simple attacks like brute force.

The developers also noted that the vulnerable are the only devices that enabled passwords Type 4, and the team «enable secret» and «username secret».

In order to improve security Cisco recommends that customers change passwords vulnerable to Type 5. The company also said that in future versions of IOS and IOS XE ability to generate passwords Type 4 will be disabled.


No comments:

Post a Comment