COMMAND

    Cisco Passwords

SYSTEMS AFFECTED

    CISCO 1020, 1600 (others?)

PROBLEM

    Derek Grocke posted the following.  A work colleague of his bought
    a Cisco 1600 from an auction, one of the small frisbee-looking
    types.  The Cisco had password protection with an unknown password,
    so the unit was more or less useless.  Cisco was called to find out
    if there was any way to reset the unit, as there is a way to reset
    many older/bigger Cisco routers from the console port by getting
    into the monitor / debug section.  However, the answer was rather
    interesting.

    Quote:

        telnet to the Cisco
        login as 'guest'
        Password 'guestNNNANNNAAN'       (N = numeric, A = character)
        Del Log file to reset system

    Next  time  you  rlogin  to  the  Cisco you are presented with the
    default blank Mac page for you to fill in.

    If the router is compromised and then crippled, this would just be
    an inconvenience and/or a loss of service, but if someone were able
    to substitute themselves as, say, the boot server or to rewrite the
    routing table, this could be a very bad situation.

    Note that the password is looked up from a database at Cisco after
    supplying the unit's serial number.  An algorithm is behind the
    serial number to password conversion/lookup.

    Given that this is accessible from a telnet session, what is
    stopping potential anarchists and hackers from exploiting this
    "feature"?  Why spoof a router when you can set the routing table
    up yourself?  Norman Hoy reported the same behaviour for the 1020.
    You can still break into the Cisco from the console port by
    changing the boot pointer.

SOLUTION

    Given that every potentially vulnerable area should have some sort
    of proxy/firewall, with maybe a DMZ between two or more good
    routers, this may not be a huge security issue, except for the
    re-routing of mail or IP tunnelling information to another site.

    Although it makes it difficult to administer from remote areas, you
    can usually leave instructions at the site on how to set a password.
    The password instructions are for setting the password for vty 0 4.
    The remote site requires me to give them the enable password, and
    you should have SNMP turned on to monitor the status of the router.

    The reason for this is that you don't set a password for the router
    on vty 0 4.  This stops ALL telnet sessions: Cisco won't allow a
    telnet session to a device that doesn't have a vty password set.
    This prevents the exploitation above.
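
    The following is an added example, not part of the original posting
    or of any Cisco documentation.  It audits IOS-style configuration
    text for the vty exposure discussed above: a "line vty 0 4" stanza
    that has both "login" and a "password" accepts telnet sessions from
    anywhere, which is exactly what lets the 'guest' account be reached
    over the network; a vty stanza with "login" but no password is
    refused by IOS ("Password required, but none set"), which is the
    mitigation the posting describes.  The two sample configs are
    constructed, not captured from a real 1600; the hostnames, the
    passwords, the 192.0.2.10 management host and the "access-class"
    restriction in the hardened sample are my assumptions, added as the
    extra step a practitioner would take beyond the posting's advice.

```python
"""Audit Cisco IOS 'line vty' stanzas for the telnet exposure above.

Added example; the configurations are constructed samples.
"""

# Constructed sample: a password is set on the vty lines, so IOS accepts
# telnet logins from any source and the 'guest' login is reachable.
WEAK_CONFIG = """\
hostname rtr-weak
enable password cisco
!
line con 0
 password consolepw
 login
line vty 0 4
 password letmein
 login
!
end
"""

# Constructed sample: the posting's mitigation (no vty password, so IOS
# refuses telnet with "Password required, but none set"), plus an
# access-class limiting the vty lines to an assumed management host and
# 'enable secret' in place of the reversible 'enable password'.
HARDENED_CONFIG = """\
hostname rtr-hardened
enable secret 5 $1$abcd$0000000000000000000000
service password-encryption
!
access-list 10 permit host 192.0.2.10
!
line con 0
 password consolepw
 login
line vty 0 4
 access-class 10 in
 login
!
end
"""


def parse_line_stanzas(config):
    """Group the indented commands under each 'line ...' stanza.

    Returns a dict mapping the stanza header (e.g. 'line vty 0 4') to
    the list of commands configured under it.  A '!' or any other
    unindented global command ends the current stanza.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.rstrip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_vty(config):
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []

    # 'enable password' is stored cleartext or as reversible type 7;
    # 'enable secret' is the hashed replacement.
    if any(cmd.startswith("enable password ") for cmd in config.splitlines()):
        findings.append("global: 'enable password' used instead of 'enable secret'")

    for name, cmds in parse_line_stanzas(config).items():
        if not name.startswith("line vty"):
            continue
        has_password = any(c.startswith("password ") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        has_acl = any(c.startswith("access-class ") for c in cmds)
        if "transport input none" in cmds:
            continue  # no inbound sessions on these lines at all
        if has_login and not has_password:
            # The posting's mitigation: IOS refuses the session before
            # any login prompt, so the guest account is never reached.
            continue
        if not has_login:
            findings.append(f"{name}: 'no login', sessions accepted without authentication")
        elif not has_acl:
            findings.append(f"{name}: telnet login enabled and reachable from any source (no access-class)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg) or "no findings")
```

    Run against a saved "show running-config" the same way; the parser
    only relies on IOS indenting line-mode commands by one space.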