Cisco Passwords Get Makeover

Adding to its recent security woes, Cisco has reset user passwords on its Website in response to a potential vulnerability.

Partners and customers attempting to log on to Cisco.com today were greeted by a notice saying all passwords had been reset by Cisco. The reason: a flaw on the site that could have been used to expose those passwords.

"Cisco has determined that Cisco.com password protection has been compromised. As a precautionary measure, Cisco has reset your password," states one of the logon notices. "This incident does not appear to be due to a weakness in Cisco products or technologies."

Users on the North American Network Operators' Group (NANOG) mailing list were reporting little success today in getting their new passwords. "Because of a large number of requests, registered Cisco.com users may experience delays in receiving the new passwords," the Cisco warning helpfully points out.

Cisco has corrected the flaw, which was in the search engine used on the Cisco site and doesn't appear to stem from Cisco's routers or its Internetwork Operating System (IOS) software, a Cisco spokesman says. The problem was disclosed by "a third-party research organization," he says.

Cisco is describing the password reset as a precautionary measure. "We don't believe there have been any active exploitations" of the vulnerability, the spokesman says.

Speculation on the NANOG mailing list is that the password resets are related to last week's Black Hat Briefings controversy, where researcher Michael Lynn showed that it's possible to take over a Cisco router that's running IOS. But Cisco doesn't believe there's a connection, the spokesman notes (see Cisco Faces Security Flap and Cisco Reveals 'Black Hat' Flaw).

At the same time, it seems likely that the Lynn case has sparked new interest in hacking Cisco's network to get at some IOS code, something that has previously been accomplished (see Cisco's IOS Code 'Compromised', Cisco Code Hacker Arrested, and Black Market Offers Cisco's PIX). "We're fully aware there's increased activity, so we've taken every measure to protect our networks," the spokesman says.

Lynn has settled with Cisco and his former employer, ISS, agreeing not to discuss the matter any further.

Meanwhile, Websites posting what appears to be Lynn's presentation claim they're being hit with cease-and-desist orders from DLA Piper Rudnick Gray Carey, a law firm representing ISS. One such site, infowarrior.org, has replaced the presentation with a copy of the cease-and-desist letter from the firm. Attorney Andrew Valentine, who purportedly sent the letter, did not return a call for comment.

— Craig Matsumoto, Senior Editor, Light Reading

turing 12/5/2012 | 3:06:27 AM
re: Cisco Passwords Get Makeover Funny... so if you can get yourself to be a man-in-the-middle along any of the carrier networks or large enterprises along the SMTP path over the next few days, you'll probably be able to grab a few new passwords for cisco accounts. How convenient.
zher 12/5/2012 | 3:06:29 AM
re: Cisco Passwords Get Makeover Craig,

Here is the official explanation from CCO about the password reset:

IMPORTANT NOTICE:

Cisco has determined that Cisco.com password protection has been compromised.
As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to [email protected] Account details with a new random password will be e-mailed to you.
Because of a large number of requests, registered Cisco.com users may experience delays in receiving the new passwords.
This incident does not appear to be due to a weakness in Cisco products or technologies.
If you receive a request for additional information it is because there is more than one User ID in the Cisco.com database associated with your email address. Please follow the instructions provided.
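The notice above describes a reset in which the new random password itself is mailed to the user, and turing's comment points out that anything reading the SMTP path sees that password. As an added example, not Cisco's code and not part of the article or the comments, the block below shows the alternative a site can use instead: mail a single-use, short-lived token, store only the token's hash, and let the user choose the new password over HTTPS. Whoever intercepts the e-mail then holds a capability that dies on first use or after a few minutes, rather than the credential. The class and function names, the 15-minute TTL, the PBKDF2 iteration count and the in-memory store are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Assumed policy values for this illustration (not from the article or Cisco).
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 600_000


class ResetTokenStore:
    """Hypothetical in-memory store for outstanding reset tokens.

    Only the SHA-256 of each token is kept, so neither a database dump nor a
    log line holding the store's contents yields a token that can be redeemed.
    """

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, now=None):
        """Mint a fresh token for user_id. The returned string is what goes
        into the e-mail link; it is never written anywhere in the clear."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user_id the token was issued for, or None if the token is
        unknown, already used, or expired. The entry is removed before the
        expiry check, so a token can never be redeemed twice."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived key) as bytes."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def complete_reset(store, users, token, new_password, now=None):
    """Second half of the flow: the user follows the mailed link over HTTPS and
    submits the password they chose. users maps user_id -> (salt, dk).
    Returns True if the token was valid and the password was updated."""
    user_id = store.redeem(token, now=now)
    if user_id is None or user_id not in users:
        return False
    users[user_id] = hash_password(new_password)
    return True


def verify_password(users, user_id, password):
    """Constant-time check of a submitted password against the stored hash."""
    salt, dk = users[user_id]
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, dk)


if __name__ == "__main__":
    # Constructed walk-through: one account, one reset, one replay attempt.
    users = {"alice": hash_password("old-password")}
    store = ResetTokenStore()
    mailed = store.issue("alice")  # this string is all an SMTP eavesdropper sees
    print(complete_reset(store, users, mailed, "new-password"))   # True
    print(complete_reset(store, users, mailed, "attacker-pick"))  # False: single use
    print(verify_password(users, "alice", "new-password"))        # True
```

The point of hashing the token before storing it is the same as for passwords: a token that only ever exists in the clear inside the outgoing mail cannot be recovered from the server side. Removing the entry before checking expiry means a replayed or late token fails closed, which is the behaviour the mailed-password scheme cannot offer, since a captured password stays valid until the user changes it.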
Pete Baldwin 12/5/2012 | 3:06:31 AM
re: Cisco Passwords Get Makeover I brought up Black Hat because people elsewhere were making the connection, and I wanted to point out that they're probably wrong.

You're right that a CCO account can't get at IOS source code. But any security-related issue happening this soon after Black Hat is likely to spark worst-case theories about IOS; I figured readers would ask me about this, so I had to ask Cisco.
signmeup 12/5/2012 | 3:06:33 AM
re: Cisco Passwords Get Makeover The flaw announced today is the result of a flaw in the way the search function on the Cisco web page could be exploited. The result was that user passwords can be compromised. The flaw discussed at the Black Hat conference was a bug in the IPv6 code that could be used to compromise the router. Where is the supposed correlation being suggested in the article???

Secondly, the flaw on the search page would AT MOST allow unauthorized users access to compiled IOS code, NOT source code. The external web site at Cisco does NOT contain source code, nor do the user IDs on the external site correspond to internal user IDs. They are separate systems for obvious reasons. The real reason Cisco decided to reset the passwords is to prevent unauthorized users from accessing newer versions of code without paying for it. Cisco makes a ton of money on their software support services and doesn't want to jeopardize that revenue stream.

I swear, people will do anything to generate interest on a slow news day...

signmeup