<<< Date Index >>>     <<< Thread Index >>>

RE:Drive-by Pharming Threat



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Potential exploitation of default administrative
                         credentials

Response ID: cisco-sr-20070215-http

http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml

Revision: 1.0

For Public Release 2007 Feb 15 1600 UTC (GMT)

- -------------------------------------------------------------------------

Contents
========

    Cisco Response
    Additional Information
    Revision History
    Cisco Security Procedures

- -------------------------------------------------------------------------

Cisco Response
==============

This is a response to a Symantec published research paper posted on their
website at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
  
and entitled 'Drive-by Pharming'. In particular, this response focuses on
the information in the Symantec paper, as relevant to certain of Cisco's 
non-consumer products.  These products are specified in the "Cisco 
Routers Impacted' section below.

Purpose of this Response
+-----------------------

As the paper does not disclose any new vulnerability in Cisco products, 
Cisco is issuing this response and not a Security Advisory.  The purpose 
of this response is to inform customers how to change any default 
credentials which may ship pre-configured on an impacted Cisco router 
(identified below), upon initial configuration and before the device is
connected to a public network.

This response is available at:
http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml
 

Cisco Routers Impacted
+---------------------

Several types of Cisco routers that are marketed for the Small Office/
Home Office (SOHO), Remote Office/Branch Office (ROBO) and Teleworker 
business segments may include either Cisco Router Web Setup tool (CRWS)
or Cisco Router and Security Device Manager (SDM), which are web-based 
device-management tools for Cisco IOS Software-based routers.

Those Cisco routers have the Cisco IOS HTTP server enabled by default, to
allow CRWS or SDM to communicate with the router.  With either CRWS or 
SDM installed at shipping, the routers configuration will have a default 
username and password that is used to access the router via the HTTP web
interface.

The following Cisco routers, whose configurations have been based on the
default IOS configuration shipped with any version of CRWS prior to  
version 3.3.0 build 31, may be affected by this attack methodology if the
default username and password have not been removed:

    * Cisco 806
    * Cisco 826
    * Cisco 827
    * Cisco 827H
    * Cisco 827-4v
    * Cisco 828
    * Cisco 831
    * Cisco 836
    * Cisco 837
    * Cisco SOHO 71
    * Cisco SOHO 76
    * Cisco SOHO 77
    * Cisco SOHO 77H
    * Cisco SOHO 78
    * Cisco SOHO 91
    * Cisco SOHO 96
    * Cisco SOHO 97

The following Cisco routers, whose configurations have been based on the
default IOS configuration shipped with any version of SDM prior to 
version 2.3.3, may be affected by this attack methodology if the default
username and password have not been removed.  


For details regarding which units have SDM default configurations enabled
at shipping, please consult Table 4: 'Ordering and Factory Shipping 
Options for Cisco SDM' at: 
http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_data_sheet0900aecd800fd118.html

+-----------------------------------------------------------------------+
| Cisco SDM-Supported Routers  | Cisco SDM-Supported Cisco IOS Releases |
+------------------------------+----------------------------------------+
| Cisco SB101                  |                                        |
| Cisco SB106                  |  12.3(8)YG, 12.4(2)T or later releases |
| Cisco SB107                  |                                        |
+------------------------------+----------------------------------------+
|                              |  12.2(13)ZH or later releases          |
| Cisco 831                    |  12.3(2)XA or later releases           |
| Cisco 837                    |  12.3(2)T or later releases            |
|                              |  12.4(2)T or later releases            |
+------------------------------+----------------------------------------+
|                              |  12.2(13)ZH or later releases          |
|                              |  12.3(2)XA or later releases           |
| Cisco 836                    |  12.3(4)T or later releases            |
|                              |  12.4(2)T or later releases            |
+------------------------------+----------------------------------------+
| Cisco 851                    |  12.3(8)YI                             |
| Cisco 857                    |  12.4(2)T or later releases            |
+------------------------------+----------------------------------------+
| Cisco 871                    |                                        |
| Cisco 876                    | 12.3(8)YI                              |
| Cisco 877                    | 12.4(2)T or later releases             |
| Cisco 878                    |                                        |
+-----------------------------------------------------------------------+
|                              | 12.2(13)ZH or later releases           |
|                              | 12.3(2)XA or later releases            |
|                              | (Cisco SDM does not support Cisco IOS  |
| Cisco 1701                   |  release 12.3(2)XF.)                   |
|                              |                                        |
|                              | 12.3(4)T or later releases             |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
|                              | 12.2(15)ZL or later releases           |
| Cisco 1711                   | 12.3(2)XA or later releases            |
| Cisco 1712                   | (Cisco SDM does not support Cisco IOS  |
|                              |  release 12.3(2)XF.)                   |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
|                              | 12.2(13)ZH or later releases           |
|                              | 12.3(2)XA or later releases            |
| Cisco 1710                   | (Cisco SDM does not support Cisco IOS  |
| Cisco 1721                   |  release 12.3(2)XF.)                   |
| Cisco 1751                   | 12.2(13)T3 or later releases           |
| Cisco 1751-v                 | 12.3(2)T or later releases             |
| Cisco 1760                   | 12.3(1)M or later releases             |
| Cisco 1760-v                 | 12.2(15)ZJ3 (not available for the     |
|                              |              Cisco 1710 or Cisco 1721) |
|                              | 12.4(2)T or later releases             |
+-----------------------------------------------------------------------+
| Cisco 1801                   |                                        |
| Cisco 1802                   | 12.3(8)YI                              |
| Cisco 1803                   | 12.4(2)T or later releases             |
| Cisco 1811                   |                                        |
+------------------------------+----------------------------------------+
| Cisco 1812                   | 12.3(8)YH or later releases            |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
| Cisco 1841                   | 12.3(8)T4 or later releases            |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
| Cisco 2610XM                 |                                        |
| Cisco 2611XM                 | 12.2(11)T6 or later releases           |
| Cisco 2620XM                 | 12.3(2)T or later releases             |
| Cisco 2621XM                 | 12.3(1)M or later releases             |
| Cisco 2650XM                 | 12.3(4)XD                              |
| Cisco 2651XM                 | 12.2(15)ZJ3                            |
| Cisco 2691                   | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
| Cisco 2801                   |                                        |
| Cisco 2811                   | 12.3(8)T4 or later releases            |
| Cisco 2821                   | 12.4(2)T or later releases             |
| Cisco 2851                   |                                        |
+------------------------------+----------------------------------------+
|                              | 12.2(11)T6 or later releases           |
|                              | 12.2(11)T6 or later releases           |
| Cisco 3640                   | 12.3(2)T or later releases             |
| Cisco 3661                   | 12.3(1)M or later releases             |
| Cisco 3662                   | 12.3(4)XD                              |
|                              | 12.2(15)ZJ3                            |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
| Cisco 3620                   | 12.2(11)T6 or later releases           |
|                              | 12.3(1)M or later releases             |
+------------------------------+----------------------------------------+
|                              | 12.2(13)T3 or later releases           |
|                              | 12.3(2)T or later releases             |
|                              | 12.3(1)M or later releases             |
| Cisco 3640A                  | 12.3(4)XD                              |
|                              | 12.2(15)ZJ3                            |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
|                              | 12.2(11)T6 or later releases           |
|                              | 12.3(2)T or later releases             |
| Cisco 3725                   | 12.3(1)M or later releases             |
| Cisco 3745                   | 12.3(4)XD                              |
|                              | 12.2(15)ZJ3                            |
|                              | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
| Cisco 3825                   | 12.3(11)T or later releases            |
| Cisco 3845                   | 12.4(2)T or later releases             |
+------------------------------+----------------------------------------+
|                              | 12.3(2)T or later releases             |
| Cisco 7204VXR                | 12.3(1)M or later releases             |
| Cisco 7206VXR                | 12.4(2)T or later releases             |
|                              | Cisco SDM does not support B, E, or    |
|                              | S train releases on the Cisco 7000     |
|                              | routers.                               |
+------------------------------+----------------------------------------+
|                              | 12.3(2)T or later releases             |
|                              | 12.3(3)M or later releases             |
| Cisco 7301                   | 12.4(2)T or later releases             |
|                              | Cisco SDM does not support B, E, or    |
|                              | S train releases on the Cisco 7000     |
|                              | routers.                               |
+------------------------------+----------------------------------------+

Any of the previously listed Cisco routers whose IOS configuration is not
based on the default IOS configuration shipped with either the CRWS or
SDM application are not affected by this attack methodology.

Additional Information
======================

The Cisco IOS HTTP server is enabled by default on several Cisco IOS 
devices for use with web-based configuration tools such as CRWS or SDM. 
If those products are configured via either CRWS or SDM, administrators 
will be prompted to change the default administrative credentials when 
they try to configure the device for the first time (earlier versions of
CRWS did NOT request the changing of default credentials. For details 
see: http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml).

If the device first-time configuration is done using the command line 
interface (CLI) and not through the web-based interface, the 
administrator will NOT be prompted to change the default credentials nor
will they be removed automatically by the device itself.   Not changing 
or removing the default credentials leaves the device open to potential 
exploitation, as described in Symantec's research paper.

Cisco introduced a new security feature via Cisco Bug ID: CSCse65910,
per which Cisco IOS has added a new keyword 'one-time' to the usernames.
User credentials configured on the device and using the 'one-time' 
option can only be used once when the user connects to the router 
through a virtual terminal (vty) line or Console port.  Cisco IOS will
remove this credential from the running configuration after the initial
use.  The administrator of the device, should then add a username with
a privilege level of 15 using the following command:

   username 'myuser' privilege 15 secret 0 'mypassword'

Replace 'myuser' and 'mypassword' with the username and password you 
want to use, and save the changes to the startup configuration.

SDM takes advantage of this Cisco IOS feature from SDM version 2.3.3 
or later. This feature is documented on Cisco Bug Toolkit as Cisco 
Bug ID: CSCek35024.

Cisco encourages customers to change any default credentials being used 
by those device managers during first use. 

Recommended Workarounds
=======================

To help mitigate the risks associated with the type of attack presented 
in the Symantec paper, Cisco recommends that any default credentials 
shipped with the device (username/password combinations) be completely
removed.  If the Cisco router is not configured nor monitored by either 
SDM or CRWS, and if the IOS HTTP server is not required in your 
environment, it should be disabled.

Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Intelligence companion 
document for this response:
http://www.cisco.com/warp/public/707/cisco-air-20070215-http.shtml 

    * Workaround 1 - Disabling the Cisco IOS HTTP Server Functionality

      Customers who do not use the CRWS or SDM application 
      device-management tools and not requiring the functionality 
      provided by the Cisco IOS HTTP server can disable it by adding the
      following commands to their device configuration:

        no ip http server
        no ip http secure-server

      The second command might return an error message if the Cisco IOS 
      version installed and running on the device does not support the SSL
      functionality. This error message is harmless and can be safely 
      ignored.

    * Workaround 2 - Enabling Authentication of Requests to the Cisco IOS
                     HTTP Server by Configuring an Enable Password

      Customers who are using the CRWS or SDM applications 
      device-management tools, or requiring the functionality provided by 
      the Cisco IOS HTTP server should configure an authentication 
      mechanism for access to the Cisco IOS HTTP server interface. One 
      option is to configure an enable secret or enable password. The 
      enable password is the default authentication mechanism used by the
      Cisco IOS HTTP server if no other method has been configured.

      To configure authentication of the http access via the enable 
      secret password, add the following commands to the device 
      configuration:


        enable secret 'mypassword'
        ip http authentication enable

      Replace 'mypassword' with a strong password of your choosing. For 
      guidance on strong passwords, please refer to your site security 
      policy. The document entitled 'Cisco IOS Password Encryption Facts' 
      available at 
      
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00801d7efa.shtml,
 
      explains the differences between the enable secret and the enable 
      password commands.

    * Workaround 3 - Enabling Authentication of Requests to the Cisco IOS
                     HTTP Server by using an Authentication Mechanism
                     Other than the Default

      Instead of configuring authentication using the default method as 
      described in Workaround 2, configure an authentication mechanism 
      for access to the Cisco IOS HTTP server via other mechanisms.  Such
      authentication mechanisms can be the local user database, or a 
      previously defined Authentication, Authorization and Accounting 
      (AAA) method. 

      As the procedure to enable an authentication mechanism for the 
      Cisco IOS HTTP server varies across Cisco IOS releases and other 
      additional factors, no example will be provided. 
 
      Customers looking for information about how to configure an 
      authentication mechanism for the Cisco IOS HTTP server are 
      encouraged to read the document entitled 'AAA Control of the IOS 
      HTTP Server', available at 
      
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml.

      Note: The only authentication method tested and supported for use 
            with the CRWS application is the local user database. No 
            other methods (including the use of an external RADIUS or 
            TACACS+ server) are supported.

References
==========

    * Definition of Pharming

      The definition of pharming from: 
      
http://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.html
      is shown below:
      
      Pharming also takes advantage of false websites, by redirecting 
      users to the false site as they attempt to access a legitimate 
      website. This redirection, also known as domain spoofing, can be 
      perpetrated through an e-mailed virus that lies dormant on a PC 
      until the user enters a specific URL, or by poisoning a domain name
      system (DNS) directory. A DNS translates web and e-mail addresses 
      into numeric strings. In a poisoned DNS, the links that associate
      web addresses with numeric strings are changed so users are 
      directed to a false website when they enter a  specific URL. Any 
      secure information entered into the false website, such as a user 
      name and password, is captured by hackers.

    * Improving Security on Cisco Routers

      The document http://www.cisco.com/warp/public/707/21.html is an 
      informal discussion of some Cisco configuration settings that 
      network administrators should consider changing on their routers, 
      especially on their border routers, in order to improve security.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR 
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+-----------------------------------------------------------------------+
| Revision 1.0 | 2007-FEB-15 | Initial Initial public release.          |
+-----------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco 
products, obtaining assistance with security incidents, and registering 
to receive security information from Cisco, is available on Cisco's 
worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
 
This includes instructions for press inquiries regarding Cisco security 
notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iD8DBQFF1Jxb8NUAbBmDaxQRAiOPAJ9om3FONUlIC7tINLCrfVFELSb6+QCeLjYd
g+mReh7B0gZpdYjIzZs+uKo=
=pFEo
-----END PGP SIGNATURE-----