lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <20130318121405.cisco-sr-20130318-type4@psirt.cisco.com>
Date: Mon, 18 Mar 2013 12:14:07 -0400
From: Cisco Systems Product Security Incident Response Team <psirt@...co.com>
To: bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Cisco Security Response: Cisco IOS and Cisco IOS XE Type 4 Passwords Issue 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue

Document ID: 33464

Revision 1.0

For Public Release 2013 March 18 16:00  UTC (GMT)
+---------------------------------------------------------------------

Cisco Response Summary
======================

This is the Cisco response to research performed by Mr. Philipp
Schmidt and Mr. Jens Steube from the Hashcat Project on the weakness
of Type 4 passwords on Cisco IOS and Cisco IOS XE devices. Mr. Schmidt
and Mr. Steube reported this issue to the Cisco PSIRT on March 12,
2013.

A limited number of Cisco IOS and Cisco IOS XE releases based on the
Cisco IOS 15 code base include support for a new algorithm to hash
user-provided plaintext passwords. This algorithm is called Type 4,
and a password hashed using this algorithm is referred to as a Type 4
password. The Type 4 algorithm was designed to be a stronger
alternative to the existing Type 5 and Type 7 algorithms to increase
the resiliency of passwords used for the 'enable secret password' and
'username username secret password' commands against brute-force
attacks.

For additional information please see the full Cisco Security Response
at the link below.

Cisco would like to thank Mr. Schmidt and Mr. Steube for sharing their
research with Cisco and working toward a coordinated disclosure of
this issue.

This Cisco Security Response is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlFHFKYACgkQUddfH3/BbTpPQAD/S/gS0O+btwWu5rI7rugYeRzD
m38z8zGANgZ9IlEz/OoA/RZVrhrJJ1eRTlHo0/IHuYK3AYUtT5cA8PprIJoUX1Qg
=R0TE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ