Cisco PIX/ASA Firewall password modification

cisco-pix-password-modification (28540) The risk level is classified as MediumMedium Risk

Description:

Multiple Cisco Firewall products could have passwords stored in the startup configuration changed by the system, caused by a software error. If two or more users make configuration changes concurrently or the software crashes, multiple passwords stored in the startup configuration could be changed without user interaction. This would result in administrator's being locked out of the device or possible unauthorized access to the device if an attacker could guess the new password.

Platforms Affected:

  • Cisco, 5500 Adaptive Security Appliance
  • Cisco, PIX Firewall 501
  • Cisco, PIX Firewall 506
  • Cisco, PIX Firewall 515
  • Cisco, PIX Firewall 515E
  • Cisco, PIX Firewall 520
  • Cisco, PIX Firewall 525 6.3
  • Cisco, PIX Firewall 525
  • Cisco, PIX Firewall 535

Remedy:

Refer to cisco-sa-20060823-firewall for upgrade or suggested workaround information. See References.

Consequences:

Other

References:

  • cisco-sa-20060823-firewall, Cisco Security Advisory: Unintentional Password Modification Vulnerability in Cisco Firewall Products at http://www.cisco.com/warp/public/707/cisco-sa-20060823-firewall.shtml.
  • BID-19681: Cisco Multiple Firewall Appliances Authentication Bypass Vulnerability
  • CVE-2006-4312: Cisco PIX 500 Series Security Appliances and ASA 5500 Series Adaptive Security Appliances, when running 7.0(x) up to 7.0(5) and 7.1(x) up to 7.1(2.4), and Firewall Services Module (FWSM) 3.1(x) up to 3.1(1.6), causes the EXEC password, local user passwords, and the enable password to be changed to a non-random value under certain circumstances, which causes administrators to be locked out and might allow attackers to gain access.
  • OSVDB ID: 28143: Cisco Multiple Product Unintentional Password Modification
  • SA21616: Cisco Firewall Products Unintentional Password Modification
  • SECTRACK ID: 1016738: Cisco Firewall Services Module May Change Certain Passwords
  • SECTRACK ID: 1016739: Cisco ASA May Change Certain Passwords
  • SECTRACK ID: 1016740: Cisco PIX Firewall May Change Certain Passwords
  • VUPEN/ADV-2006-3367: Cisco Multiple Products Unintentional Startup Configuration Passwords Modification Issue

Reported:

Aug 23, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page