search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cisco Adaptive Security Appliance insecurely logs passwords

Vulnerability Note VU#563673

Original Release Date: 2007-09-05 | Last Revised: 2007-10-01

Overview

The Cisco Adaptive Security Appliance (ASA) firewall may log user credentials, including passwords, as plain text when AAA authentication is enabled.

Description

The Cisco Adapative Security Appliance (ASA) is a firewall with Intrusion Protection System (IPS), Stateful Packet Inspection (SPI), and routing features. The Cisco ASA includes Authentication, Authorization and Accounting (AAA) support that allows adminsitrators and users to use a single set of credentials to manage multiple devices.


When setting up or troubleshooting the ASA server's AAA authentication features, the test button can be used to confirm that the AAA service is functioning properly.

When the test button is clicked, the AAA username and password will be sent to the syslog service in plain text. If remote syslog is enabled, the credentials will be transmitted across the network in plain text, and stored on the syslog server in plain text.

In the below screenshot, the vulnerable input box has been highlighted.

Impact

Authentication credentials may be stored in plain text, possibly on remote servers. The credentials may also be sent unencrypted over the network.

Solution

See the "Sytems Affected" section of this document for more information about obtaining updates.

The following workarounds may partially mitigate this vulnerability:

    • Check log files for stored AAA credentials, and change passwords if needed.
    • Use management VLANs to seperate syslog network traffic from other devices on the network.
    • Use access controls, file permissions, and physical security to ensure that syslog files can not be read by unauthorized individuals.

Vendor Information

563673
 
Affected   Unknown   Unaffected

Cisco Systems, Inc.

Notified:  July 11, 2007 Updated:  September 05, 2007

Status

  Vulnerable

Vendor Statement

This issue is documented as CSCsj72903 - "Additional sanitization needed for syslog message %ASA-5-111008". Customers with support contracts can read the details at

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj72903

For those customers without service contracts, here is the full Release Note of said bug:

Symptom:
Executing the command

test aaa-server authentication server_tag host ip_address username username password password

from either the command line of a PIX/ASA device or from the ASDM GUI will result in the following message being sent to the syslog server (if one is configured) and/or the internal logging buffer (if configured)

%ASA-5-111008: User 'administrator' executed the 'test aaa-server authentication TACACS username testuser password testpassword' command.

being 'testuser' the username and 'testpassword' the password provided as arguments to the command.

Conditions:
The issue only happens when a privileged user (one with a privilege level allowing it to execute the "test aaa" command, by default, level 15) executes the "test aaa" command and the device is configured to log events at level 5 (notifications) or above.

Workaround:
Configure the PIX/ASA device not to log a message 111008 by entering the following command in global configuration mode:

no logging message 111008

Not logging message 111008 does NOT affect the functioning of the "test aaa-server" command.

Further Problem Description:
Starting with release 8.0.2.11 for the 8.0 train, 7.2.2.34 for the 7.2 train, 7.1.2.61 for the 7.1 train and 7.0.7.1 for the 7.0 train, the password is replaced with asterisks. Versions of the PIX software pre-7.0 are NOT affected by this issue.

Cisco Systems would like to thank CERT/CC for bringing this issue to our attention.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported and discovered by Lisa Sittler of CERT/CC.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 0.13
Date Public: 2007-09-05
Date First Published: 2007-09-05
Date Last Updated: 2007-10-01 23:05 UTC
Document Revision: 20

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.