== Security and vulnerabilities ==
Because IOS needs to know the cleartext password for certain uses (e.g., [[Challenge-handshake authentication protocol|CHAP]] authentication), passwords entered into the CLI are by default only weakly encrypted as 'Type 7' ciphertext, such as "<code>Router(config)#username jdoe password 7 ''0832585B1910010713181F''</code>". This is designed to prevent "shoulder-surfing" attacks when viewing router configurations and is not secure: such passwords are easily decrypted using software called "getpass", available since 1995, or "ios7crypt",<ref>{{Cite web|url=https://github.com/mcandre/ios7crypt|title=ios7crypt|website=[[GitHub]] |access-date=2012-09-19|archive-date=2017-03-25|archive-url=https://web.archive.org/web/20170325082046/https://github.com/mcandre/ios7crypt|url-status=live}}</ref> a modern variant. The router itself can also decode them: enter the Type 7 string as the key under the "key chain" command and then issue a "show key" command. The above example decrypts to "stupidpass".<ref>{{Cite web|url=https://insecure.org/sploits/cisco.passwords.html|title=Cisco password decryption|website=insecure.org|access-date=2024-04-10|archive-date=2023-09-27|archive-url=https://web.archive.org/web/20230927043705/https://insecure.org/sploits/cisco.passwords.html|url-status=live}}</ref> However, these programs will not decrypt 'Type 5' passwords or passwords set with the <code>enable secret</code> command, which use [[Salt (cryptography)|salted]] [[Crypt (Unix)#MD5-based scheme|MD5 hashes]].<ref>{{cite web|title=Cisco IOS Password Encryption Facts|url=https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html|access-date=12 September 2017|archive-date=13 September 2017|archive-url=https://web.archive.org/web/20170913135006/https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html|url-status=live}}</ref>

Cisco recommends that all Cisco IOS devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, [[RADIUS]], and [[TACACS+]] databases. However, a local account is usually still required for emergency situations.<ref>{{cite web|title=Cisco 500-052 Test|url=https://www.mrcerts.com/500-052-test.html|access-date=21 February 2017|archive-date=22 February 2017|archive-url=https://web.archive.org/web/20170222053408/https://www.mrcerts.com/500-052-test.html|url-status=live}}</ref>

At the [[Black Hat Briefings]] conference in July 2005, Michael Lynn, working for [[IBM Internet Security Systems|Internet Security Systems]] at the time, presented information about a vulnerability in IOS.<ref>{{Cite magazine |title= Router Flaw Is a Ticking Bomb |author= Kim Zetter |date= August 1, 2005 |magazine= Wired |url= http://archive.wired.com/politics/security/news/2005/08/68365 |access-date= August 9, 2014 |archive-date= September 4, 2014 |archive-url= https://web.archive.org/web/20140904195123/http://archive.wired.com/politics/security/news/2005/08/68365 |url-status= live }}</ref> Cisco had already issued a patch, but asked that the flaw not be disclosed.<ref>{{Cite magazine |title= Cisco Security Hole a Whopper |author= Kim Zetter |date= July 27, 2005 |magazine= Wired |url= http://archive.wired.com/politics/security/news/2005/07/68328 |access-date= August 9, 2014 |archive-date= September 5, 2014 |archive-url= https://web.archive.org/web/20140905005527/http://archive.wired.com/politics/security/news/2005/07/68328 |url-status= live }}</ref> Cisco filed a lawsuit, but settled after an injunction was issued to prevent further disclosures.<ref>{{Cite news |title= Statement on Federal District Court Injunction (Black Hat Presentation) |publisher= Cisco Systems |date= July 28, 2005 |work= Press release |url= http://newsroom.cisco.com/dlls/2005/corp_072805.html |access-date= June 18, 2013 |url-status= dead |archive-url= https://web.archive.org/web/20120205042354/http://newsroom.cisco.com/dlls/2005/corp_072805.html |archive-date= February 5, 2012 }}</ref>

With IOS being phased out on devices, IOS-XE adopted many improvements, including updated defaults. Some use cases can now store secrets as [https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-14/configuration%20guide/sec/b%201714%20sec%209200%20cg/controlling%20switch%20access%20with%20passwords%20and%20privilege%20levels.html one-way hashes].
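As an added example (not part of the article and not Cisco's code), the following Python script audits a running-config for credentials stored reversibly, reversing the Type 7 obfuscation with its fixed, published XOR key to show why the article calls it insecure; the sample config is constructed, and the Type 5 hash in it is a placeholder of the right shape, not a real hash.

```python
import re

# Constant XOR key used by IOS Type 7 obfuscation. It is fixed in the software
# and has been public since the 1990s, so Type 7 offers no real protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(ciphertext: str) -> str:
    """Reverse Type 7: two-digit key offset, then hex bytes XORed with the key."""
    if len(ciphertext) < 4 or len(ciphertext) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", ciphertext):
        raise ValueError("not a well-formed Type 7 string")
    offset = int(ciphertext[:2])          # raises ValueError if not decimal digits
    data = bytes.fromhex(ciphertext[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")

# Matches "password"/"secret" lines. The one-digit type (0, 5, 7, 8, 9) is optional
# because "username x password foo" stores foo as Type 0, i.e. cleartext.
CRED_LINE = re.compile(r"\b(?:password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$")

def audit_config(config: str) -> list:
    """Return (line_no, finding, recovered_value) for reversibly stored credentials."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = CRED_LINE.search(line)
        if not m:
            continue
        ptype, value = m.group("type") or "0", m.group("value")
        if ptype == "7":
            try:
                findings.append((n, "type7-reversible", type7_decode(value)))
            except ValueError:
                findings.append((n, "type7-malformed", value))
        elif ptype == "0":
            findings.append((n, "cleartext", value))
        # Types 5, 8 and 9 are one-way hashes and are not reported.
    return findings

# Constructed sample running-config; the Type 7 string is the article's example,
# the Type 5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname R1
username jdoe password 7 0832585B1910010713181F
enable secret 5 $1$abcd$PLACEHOLDERHASHVALUExxxxx
username backup password Letmein1
"""

if __name__ == "__main__":
    for line_no, finding, value in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding} -> {value}")
```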