The password hashing algorithm used in some versions of the Cisco IOS system running on its routers and switches is vulnerable to brute-force attacks, Cisco warned in an advisory.
Cisco added a new password algorithm in its IOS and IOS XE operating system to protect routers and switches from brute-force attacks, but it turns out the company forgot to salt the passwords, or add random bits of data to the plain text password, before generating its cryptographic key, Cisco said in an advisory. The company originally used Type 5 algorithm in its IOS devices but decided to switch to the Type 4 algorithm in order to increase the resiliency of encrypted passwords against brute-force attacks.
Cisco’s newer scheme was supposed to base the algorithm on the Password-Based Key Derivation Function v2 (PBKDF2) standard, where 80 bits of random data are appended to plaintext passwords and then passed through the SHA-256 hashing function through 1,000 iterations. Instead, it turned out Cisco’s implementation of Type 4 did not use PBKDF2, did not have a salt (80-bit random data), and passed through the SHA-256 hash function only once, Cisco admitted.
“This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity,” Cisco said in its advisory.
Type 5 uses the older MD5 hashing function, which has known security weaknesses and is vulnerable to attack, but at least its implementation used salting and 1,000 iterations through the hash function.
Salting and hash iterations are accepted-methods for generating passwords which are harder to crack because they become more costly to brute-force. In order to brute-force a password hash that has gone through 1,000 hashing iterations, the attacker would have to compute the hash 1,000 times for every guessed password, making this a computationally and more time-intensive exercise.
Philipp Schmidt and Jens Steube of the Hashcat Project, a password recovery application, discovered the problem and notified Cisco.
The good news for Cisco is that only a handful of IOS and IOS XE releases based on Cisco IOS 15 codebase support Type 4, according to the advisory. Devices which have enabled support for both Type 4 passwords and the “enable secret” and “username secret” commands are vulnerable, according to Cisco.
The company did not provide a specific list of affected products, but gave some detailed instructions on how to determine whether the router is configured to use the weaker encryption scheme. Cisco also provided instruction of finding out whether there are any passwords using the erroneous implementation.
“Issues apply only to devices running Cisco IOS or Cisco IOS XE releases with support for Type 4 passwords, and only to the ‘enable secret’ and ‘username secret’ commands,” the company said.
Administrators should stick with Type 5 passwords for now. Affected devices who have already created Type 4 passwords cannot generate Type 5 passwords from plain-text input, so administrators will have to use a different device (without Type 4 support), and then copy the generated password back to the device, Cisco said.
The company will be deprecating Type 4 passwords by removing the ability to generate them from future versions of IOS and IOS XE, the company said. Since there are plenty of devices using the flawed implementation, the company can’t just go ahead and fix it.
Instead, Cisco will introduce another new password type, which will “implement the original design intended for Type 4 passwords, which is PBKDF2 with SHA-256, an 80-bit salt, and 1,000 iterations,” according to the advisory. “The exact type is yet to be determined.”