Affected Systems:
Cisco Firewall Services Module 3.1 (x) <= 3.1 (1.6)
Cisco PIX/ASA 7.1 (x) <= 7.1 (2.4)
Cisco PIX/ASA 7.0 (x) <= 7.0 (5)
Description:
Cisco PIX, ASA, and FWSM are widely used firewall devices that provide firewall services such as stateful packet filtering and deep packet inspection.
A bug in some versions of the software used by these devices can, in some environments, cause the EXEC password, the passwords of locally defined users, and the enable password stored in the startup configuration to be changed without user intervention.
There are only two scenarios that can trigger this software bug:
A software crash, which is usually caused by a software bug. Note that not every software crash leads to these undesirable results.
Two or more users making configuration changes at the same time on the same device. The bug will be triggered regardless of the method used to access the device (command-line interface [CLI], Adaptive Security Device Manager [ASDM], Firewall Management Center, and so on).
Note that the passwords in the startup configuration are changed when the configuration is saved to the non-volatile medium that stores the startup configuration, using the write memory or copy running-config startup-config command. In normal operation, the passwords in the startup configuration are not changed unless the running configuration is saved.
Once the passwords in the startup configuration have been changed, administrators are locked out after the next device reload if authentication for EXEC and enable access depends on the passwords or local accounts stored in the startup configuration. If authentication uses a AAA server (RADIUS or TACACS+), then regardless of whether local authentication is configured as a fallback, the changed passwords in the startup configuration cause these undesirable results only when the AAA server is unavailable.
This software vulnerability can cause the EXEC password, the passwords of locally defined users, and the enable password in the startup configuration to be changed without user intervention. If authentication is configured to use the passwords stored in the startup configuration, administrators may be unable to log on to the device.
If a malicious user can guess the new password and the device is rebooted, whether automatically after a software crash or manually by a network administrator, that user can access the device without authorization.
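A check an administrator could run after saving the configuration and before the next reload, given here as an added example that is not part of the Cisco bulletin: it compares the credential hashes in a known-good configuration backup with those in the saved startup configuration and lists any that were changed, added, or removed. The configuration line formats, the sample configurations, and all function names are assumptions constructed for illustration.

```python
import re

# Credential lines as they appear in a PIX/ASA/FWSM configuration dump
# (assumed formats; the hashes in the samples below are constructed):
#   enable password <hash> [level N] encrypted
#   passwd <hash> encrypted
#   username <name> password <hash> encrypted [privilege N]
PATTERNS = [
    (re.compile(r"^enable password (?P<hash>\S+)(?: level (?P<level>\d+))?"),
     lambda m: "enable" + (f" level {m['level']}" if m["level"] else "")),
    (re.compile(r"^passwd (?P<hash>\S+)"), lambda m: "exec (passwd)"),
    (re.compile(r"^username (?P<user>\S+) password (?P<hash>\S+)"),
     lambda m: "user:" + m["user"]),
]

BASELINE = """\
hostname fw-example
enable password AAAAexampleHASH1 encrypted
passwd BBBBexampleHASH2 encrypted
username admin password CCCCexampleHASH3 encrypted privilege 15
username ops password DDDDexampleHASH4 encrypted privilege 5
"""
# Constructed startup-config in which two hashes no longer match the baseline.
STARTUP = BASELINE.replace("AAAAexampleHASH1", "ZZZZunexpected01") \
                  .replace("CCCCexampleHASH3", "ZZZZunexpected02")


def extract_credentials(config_text):
    """Map each credential name to the stored hash found in a config dump."""
    creds = {}
    for line in config_text.splitlines():
        for pattern, name_of in PATTERNS:
            m = pattern.match(line.strip())
            if m:
                creds[name_of(m)] = m["hash"]
                break
    return creds


def password_drift(baseline_text, startup_text):
    """Names of credentials whose hash differs from the baseline, including
    credentials that were added or that disappeared."""
    base = extract_credentials(baseline_text)
    current = extract_credentials(startup_text)
    return sorted(n for n in base.keys() | current.keys()
                  if base.get(n) != current.get(n))


if __name__ == "__main__":
    for name in password_drift(BASELINE, STARTUP):
        print("changed since baseline:", name)
```

Any name reported when no administrator intentionally changed that credential means the startup configuration should be corrected before the device is reloaded.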
Vendor Patch:
Cisco has issued a security bulletin (cisco-sa-20060823-firewall) and a corresponding patch for this issue: cisco-sa-20060823-firewall: Unintentional Password Modification in Cisco Firewall Products
Link: http://www.cisco.com/warp/public/707/cisco-sa-20060823-firewall.shtml