COMMAND
PPP/CHAP
SYSTEMS AFFECTED
CISCO IOS software (details below)
PROBLEM
Following is based on CISCO notice. A serious security
vulnerability (bug ID CSCdi91594) exists in PPP CHAP
authentication in all "classic" Cisco IOS software versions (the
software used on Cisco non-switch products with product numbers
greater than or equal to 1000, on the AGS/AGS+/CGS/MGS, and on
the CS-500, but not on Catalyst switches or on 7xx or 9xx
routers) starting with the introduction of CHAP support in
release 9.1(1). The vulnerability permits attackers with
appropriate skills and knowledge to completely circumvent CHAP
authentication. Other PPP authentication methods are not
affected.
A related vulnerability exists in Cisco IOS/700 software (the
software used on 7xx routers). A configuration workaround exists
for IOS/700, and a complete fix for 76x and 77x routers will be
included in software version 4.1(2), due to be released by
December, 1997. A fix for 75x routers is scheduled for the first
half of 1998.
A moderately sophisticated programmer with appropriate knowledge
can set up an unauthorized PPP connection to any system that is
running vulnerable software, and that depends on CHAP for
authentication. To gain this unauthorized access, an attacker must
have the following:
* Knowledge of the details of this vulnerability
* Access to modifiable code (generally meaning source code)
for a PPP/CHAP implementation, and sufficient programming
skill to make simple changes to that code. Note that such
source code is widely available on the Internet.
* A modest amount of information about the configuration of
the network to be attacked, including such things as
usernames and IP addresses.
This vulnerability cannot be exploited by an attacker who is using
an unmodified, properly functioning PPP/CHAP implementation; the
attacker must make modifications to his or her software to exploit
this vulnerability.
Vulnerable are all systems running "classic" Cisco IOS Software
releases older than those listed below in Solution section, and
which rely on CHAP for PPP authentication, are vulnerable. Cisco
believes that the greatest practical risk is to dialin services
using, for example, ISDN or POTS modems.
Systems running IOS/700 software are vulnerable to a related
attack if they are using CHAP bidirectionally to authenticate
both calling and called systems.
Further details will be available to interested parties after
March 31, 1998. by Cisco. The Cisco bug tracking number for the
Cisco IOS software vulnerability is CSCdi91594. The bug tracking
number for the error in the 10.3(19) fix is CSCdj37314.
SOLUTION
Systems using PAP for PPP authentication are not vulnerable.
Systems not configured for PPP are not vulnerable. If the keywords
"ppp" and "chap" do not both appear in your system configuration
file, you are not vulnerable.
This problem has been corrected in the following classic Cisco IOS
software releases:
Major First Repaired Recommended Maintenance Releases
Release Maintenance Release For Installation
------- ------------------- ----------------
Cisco IOS
10.3 10.3(19a) 10.3(19a)
Cisco IOS
11.0 11.0(17), 11.0(17)BT 11.0(17), 11.0(17)BT
Cisco IOS 11.1(13), 11.1(13)AA, 11.1(14), 11.1(14)AA, 11.1(14)CA,
11.1 11.1(13)CA, 11.1(13)IA 11.1(14)IA
Cisco IOS 11.2(8), 11.2(8)P, 11.2(8), 11.2(8)P, 11.2(4)F1.
11.2 11.2(4)F1 (replaces 11.2(9) not recommended for CHAP
11.2(4)F) users.
Cisco Systems strongly recommends that all customers using classic
IOS PPP with CHAP authentication upgrade to one of these or to a
newer release, and that all users of IOS/700 PPP with CHAP
authentication install the configuration workarounds described in
below.
The 11.2(4)F1 release will be available by Monday, October 6,
1997. Users of 11.2F releases are encouraged to move to 11.2 or
11.2P releases if at all possible. All the other releases
mentioned above are available. For Classic IOS Software Upgrade
Notes see Cisco Systems Field Notice: Vulnerabilities in Cisco
CHAP Authentication.
Workarounds - Classic IOS
-------------------------
Cisco knows of no generally usable workarounds for the classic IOS
vulnerability. Affected users who wish to protect themselves must
upgrade their software or stop using CHAP authentication.
Alternatives to CHAP authentication include PAP authentication
and reliance on "Caller ID" information. The security differences
between these methods are complex and situation dependent, and
are beyond the scope of this document.
Workarounds - IOS/700
---------------------
The IOS/700 vulnerability may be avoided by making any of the
following configuration changes:
* Prevent the routers in question from receiving any incoming
calls, perhaps by changing the ISDN switch configuration,
or by relying on caller ID and using the "set callerid" and
"set callidreceive" commands
* Prevent routers that receive calls from authenticating
themselves to the calling systems using CHAP. You can
effectively do this by using the "set ppp secret client"
command to set the CHAP secret that would be used for such
authentication to some randomly chosen "garbage" value.
* Configure the routers such that different CHAP secrets are
used in each direction on each link. You can do this using
the "set ppp secret client" and "set ppp secret host"
commands. Note that this method cannot be used on 7xx
routers that need to communicate with classic IOS routers,
since classic IOS does not support asymmetric CHAP secrets.
Any one of these changes should be sufficient. The changes may be
removed after the release and installation of IOS/700 software
version 4.1(2).