COMMAND

     PPP/CHAP

SYSTEMS AFFECTED

    CISCO IOS software (details below)

PROBLEM

    Following  is   based  on   CISCO  notice.   A  serious   security
    vulnerability   (bug   ID   CSCdi91594)   exists   in   PPP   CHAP
    authentication in all "classic"  Cisco IOS software versions  (the
    software used  on Cisco  non-switch products  with product numbers
    greater than  or equal  to 1000,  on the  AGS/AGS+/CGS/MGS, and on
    the  CS-500,  but  not  on  Catalyst  switches  or  on  7xx or 9xx
    routers)  starting  with  the  introduction  of  CHAP  support  in
    release  9.1(1).   The  vulnerability   permits  attackers    with
    appropriate  skills  and  knowledge  to completely circumvent CHAP
    authentication.   Other   PPP  authentication   methods  are   not
    affected.

    A  related  vulnerability  exists  in  Cisco IOS/700 software (the
    software used on 7xx  routers). A configuration workaround  exists
    for IOS/700, and a  complete fix for 76x  and 77x routers will  be
    included  in  software  version  4.1(2),  due  to  be  released by
    December, 1997. A fix for  75x routers is scheduled for  the first
    half of 1998.

    A moderately sophisticated  programmer with appropriate  knowledge
    can set up  an unauthorized PPP  connection to any  system that is
    running  vulnerable  software,  and  that  depends  on  CHAP   for
    authentication. To gain this unauthorized access, an attacker must
    have the following:

        * Knowledge of the details of this vulnerability
        * Access  to modifiable  code (generally  meaning source code)
          for a  PPP/CHAP implementation,  and sufficient  programming
          skill to make  simple changes to  that code. Note  that such
          source code is widely available on the Internet.
        * A modest  amount of information  about the configuration  of
          the  network  to  be  attacked,  including  such  things  as
          usernames and IP addresses.

    This vulnerability cannot be exploited by an attacker who is using
    an unmodified, properly  functioning PPP/CHAP implementation;  the
    attacker must make modifications to his or her software to exploit
    this vulnerability.

    Vulnerable are  all systems  running "classic"  Cisco IOS Software
    releases older than  those listed below  in Solution section,  and
    which rely on CHAP for PPP authentication, are vulnerable.   Cisco
    believes that the  greatest practical risk  is to dialin  services
    using, for example, ISDN or POTS modems.

    Systems  running  IOS/700  software  are  vulnerable  to a related
    attack  if  they  are  using  CHAP bidirectionally to authenticate
    both calling and called systems.

    Further  details  will  be  available  to interested parties after
    March 31, 1998. by Cisco.   The Cisco bug tracking number for  the
    Cisco IOS software vulnerability  is CSCdi91594. The bug  tracking
    number for the error in the 10.3(19) fix is CSCdj37314.

SOLUTION

    Systems  using  PAP  for  PPP  authentication  are not vulnerable.
    Systems not configured for PPP are not vulnerable. If the keywords
    "ppp" and "chap" do not  both appear in your system  configuration
    file, you are not vulnerable.

    This problem has been corrected in the following classic Cisco IOS
    software releases:

    Major         First Repaired             Recommended Maintenance Releases
    Release       Maintenance Release        For Installation
    -------       -------------------        ----------------
    Cisco IOS
    10.3          10.3(19a)                  10.3(19a)

    Cisco IOS
    11.0          11.0(17), 11.0(17)BT       11.0(17), 11.0(17)BT

    Cisco IOS     11.1(13), 11.1(13)AA,      11.1(14), 11.1(14)AA, 11.1(14)CA,
    11.1          11.1(13)CA, 11.1(13)IA     11.1(14)IA

    Cisco IOS     11.2(8), 11.2(8)P,         11.2(8), 11.2(8)P, 11.2(4)F1.
    11.2          11.2(4)F1 (replaces        11.2(9) not recommended for CHAP
                  11.2(4)F)                  users.

    Cisco Systems strongly recommends that all customers using classic
    IOS PPP with CHAP authentication upgrade  to one of these or to  a
    newer  release,  and  that  all  users  of  IOS/700  PPP with CHAP
    authentication install the configuration workarounds described  in
    below.

    The  11.2(4)F1  release  will  be  available by Monday, October 6,
    1997.  Users of 11.2F releases  are encouraged to move to 11.2  or
    11.2P  releases  if  at  all  possible.  All  the  other  releases
    mentioned above are available.   For Classic IOS Software  Upgrade
    Notes see  Cisco Systems  Field Notice:  Vulnerabilities in  Cisco
    CHAP Authentication.

    Workarounds - Classic IOS
    -------------------------
    Cisco knows of no generally usable workarounds for the classic IOS
    vulnerability. Affected users who wish to protect themselves  must
    upgrade  their  software  or   stop  using  CHAP   authentication.
    Alternatives  to  CHAP  authentication  include PAP authentication
    and reliance on "Caller ID" information. The security  differences
    between these  methods are  complex and  situation dependent,  and
    are beyond the scope of this document.

    Workarounds - IOS/700
    ---------------------
    The IOS/700  vulnerability may  be avoided  by making  any of  the
    following configuration changes:

        * Prevent the routers in question from receiving any  incoming
          calls, perhaps  by changing  the ISDN  switch configuration,
          or by relying on caller ID and using the "set callerid"  and
          "set callidreceive" commands
        * Prevent  routers  that  receive  calls  from  authenticating
          themselves  to  the  calling  systems  using  CHAP.  You can
          effectively do  this by  using the  "set ppp  secret client"
          command to set the CHAP  secret that would be used  for such
          authentication to some randomly chosen "garbage" value.
        * Configure the routers  such that different CHAP  secrets are
          used in each direction on  each link. You can do  this using
          the  "set  ppp  secret  client"  and  "set  ppp secret host"
          commands.   Note  that  this  method  cannot  be used on 7xx
          routers that need to  communicate with classic IOS  routers,
          since classic IOS does not support asymmetric CHAP secrets.

    Any one of these changes should be sufficient. The changes may  be
    removed after  the release  and installation  of IOS/700  software
    version 4.1(2).