US-CERT Vulnerability Notes Database


Cisco Systems, Inc. Information for VU#563673

Date Notified:2007-07-11
Date Updated:
Status Summary:Vulnerable

Vendor Statement

This issue is documented as CSCsj72903 - "Additional sanitization needed for syslog message %ASA-5-111008". Customers with support contracts can read the details at

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj72903

For those customers without service contracts, here is the full Release Note of said bug:

Symptom:
Executing the command

test aaa-server authentication server_tag host ip_address username username password password

from either the command line of a PIX/ASA device or from the ASDM GUI will result in the following message being sent to the syslog server (if one is configured) and/or the internal logging buffer (if configured):

%ASA-5-111008: User 'administrator' executed the 'test aaa-server authentication TACACS username testuser password testpassword' command.

where 'testuser' is the username and 'testpassword' is the password provided as arguments to the command.

Conditions:
The issue only happens when a privileged user (one whose privilege level allows executing the "test aaa" command; by default, level 15) executes the "test aaa" command and the device is configured to log events at level 5 (notifications) or above.

Workaround:
Configure the PIX/ASA device not to log a message 111008 by entering the following command in global configuration mode:

no logging message 111008

Not logging message 111008 does NOT affect the functioning of the "test aaa-server" command.

Further Problem Description:
Starting with release 8.0.2.11 for the 8.0 train, 7.2.2.34 for the 7.2 train, 7.1.2.61 for the 7.1 train and 7.0.7.1 for the 7.0 train, the password is replaced with asterisks. Versions of the PIX software pre-7.0 are NOT affected by this issue.

Cisco Systems would like to thank CERT/CC for bringing this issue to our attention.
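The following is an added example, not part of the Cisco statement or the US-CERT note. It shows the detection side of the issue described above: a small Python scanner that walks syslog lines, picks out %ASA-5-111008 (or %PIX-5-111008) records whose executed command is a "test aaa-server authentication" test, distinguishes the pre-fix form (cleartext password) from the post-fix form (password replaced with asterisks), and produces a redacted copy of any line that still carries the cleartext value. The log lines, hostnames, timestamps, server tag and credentials are constructed for the example; the message layout follows the one quoted in the bug release note.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log (not taken from any real device). Line 1 is the
# pre-fix form that leaks the password, line 2 is the post-fix form with the
# password masked, line 3 is an unrelated 111008 record, line 4 is noise.
SAMPLE_LOG = """\
Jul 11 2007 10:15:02 fw1 %ASA-5-111008: User 'administrator' executed the 'test aaa-server authentication TACACS username testuser password testpassword' command.
Jul 11 2007 10:16:40 fw1 %ASA-5-111008: User 'administrator' executed the 'test aaa-server authentication TACACS host 10.0.0.5 username testuser password ************' command.
Jul 11 2007 10:17:01 fw1 %ASA-5-111008: User 'administrator' executed the 'show running-config' command.
Jul 11 2007 10:17:05 fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:10.0.0.5/49 (10.0.0.5/49) to inside:10.1.1.1/4000 (10.1.1.1/4000)
"""

# Message 111008 is always severity 5; the ASA and PIX 7.x prefixes differ.
MSG_RE = re.compile(
    r"%(?:ASA|PIX)-5-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\."
)

# The "test aaa-server authentication" syntax from the release note; the
# "host ip_address" part is optional in the CLI, so it is optional here.
TEST_AAA_RE = re.compile(
    r"^test aaa-server authentication \S+(?: host \S+)? "
    r"username (?P<username>\S+) password (?P<password>\S+)$"
)


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a 111008 record that logs a test aaa-server
    command, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd")
    t = TEST_AAA_RE.match(cmd)
    if not t:
        return None  # some other command logged via 111008

    pw = t.group("password")
    # Post-fix releases (8.0.2.11, 7.2.2.34, 7.1.2.61, 7.0.7.1 and later)
    # replace the password with asterisks; anything else is a leak.
    masked = set(pw) == {"*"}

    # Redact only the password argument inside the command string, so a
    # password that happens to equal the username or another token is not
    # over-replaced elsewhere on the line.
    start = m.start("cmd") + t.start("password")
    end = start + len(pw)
    redacted = line if masked else line[:start] + "*" * len(pw) + line[end:]

    return {
        "admin": m.group("user"),
        "username": t.group("username"),
        "leaked": not masked,
        "redacted": redacted,
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Findings for every test aaa-server record in the log, leaked or not."""
    out = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        if f is not None:
            out.append(f)
    return out


def leaked(log_text: str) -> List[Dict[str, object]]:
    """Only the records that still carry a cleartext password."""
    return [f for f in scan(log_text) if f["leaked"]]


def redact_log(log_text: str) -> str:
    """Copy of the log with cleartext test aaa-server passwords masked."""
    lines = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        lines.append(f["redacted"] if f else line)
    return "\n".join(lines) + ("\n" if log_text.endswith("\n") else "")


if __name__ == "__main__":
    for f in leaked(SAMPLE_LOG):
        print(f"leak: admin={f['admin']} tested user={f['username']}")
    print(redact_log(SAMPLE_LOG))
```

The scanner is meant for logs already collected from devices running releases earlier than the fixed ones listed in the release note, or from devices where the "no logging message 111008" workaround was not applied: it identifies which test credentials were exposed (so they can be rotated) and yields a copy safe to keep. Note that the masked form is recognised purely by the password field being all asterisks, which is the behaviour the release note describes for fixed releases.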

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2008 by US-CERT, a government organization