Cisco issues another security warning
Last modified: April 16, 2004, 11:04 AM PDT
By Marguerite Reardon
Staff Writer, CNET News.com
In what seems to be an almost weekly occurrence, Cisco Systems has issued yet another security warning.
Cisco warned customers on Thursday of what security experts are calling a "minor security issue" in its IPSec-based VPN 3000 Concentrator. The problem, which is present in both Linux and Microsoft versions of the IPSec client, occurs when customers configure the VPN (virtual private network) concentrator to accept group passwords rather than digital certificates for authentication.
Typically, a group password is encrypted when used for authentication. But security experts discovered that, on VPN 3000 Concentrator clients, the password can be extracted from memory, making it available to anyone using a device with the Cisco software client.
Anyone who learns a group password may use it to hijack connections or obtain sensitive information when the password is used as a pre-shared key during authentication.
In general, group password protection is viewed as less secure than other methods of authentication, such as public key infrastructure (PKI), which uses digital certificates to verify users. Cisco said in its security warning that it will fix the client problems with new releases of software. For now, it recommends customers use PKI as an alternative.
Secunia, a Copenhagen, Denmark-based security company, has issued a security bulletin on the vulnerability, calling it a minor security issue.
"This is a minor problem for Cisco users," said Thomas Kristensen, chief technology officer of Secunia. "I don't think it will affect many customers, because most are probably using PKI anyway."
The VPN client vulnerability is just one of several security problems Cisco has addressed in the past few weeks. Most recently, it notified customers of a vulnerability in wireless LAN (local area network) products that use its Lightweight Extensible Authentication Protocol. The vulnerability makes it easier for hackers to launch so-called dictionary attacks and guess passwords. Last week, the company notified customers that a preset username and password coded into its Wireless LAN Solution Engine and Hosting Solution Engine could give attackers complete control of the wireless LAN management devices.
Last week, Cisco also acknowledged an issue with its Catalyst 6500 line of switches that makes the hardware more susceptible to denial-of-service attacks. And in March, the company warned customers that software code exploiting nine vulnerabilities had been found in its Internetwork Operating System (IOS). This software runs on most of Cisco's products, including its Catalyst Ethernet switches and Internet Protocol routers.
"When you build products that are so complex, there are bound to be security holes," said Craig Mathias, an analyst with research firm Farpoint Group. "But why are Windows and IOS so complicated? Maybe Microsoft and Cisco should take a lesson from (Henry David) Thoreau and just simplify."
