Logo
Get A Demo
  1. Home
  2. Blog
  3. Identifying Cisco IOS Type 4 passwords with SecureTrack

Last updated February 15th, 2023 by Reuven Harrison

Cisco recently cautioned about a security weaknesses on some versions of IOS and IOS XE-based routers, switches and appliances. The risk is related to a certain type of password (Type 4) that could allow an authenticated remote attacker to access sensitive information on a targeted device.

Cisco recommends to check whether such passwords exist on your Cisco devices and to replace them with Type 5 passwords.

While Cisco has provided a method to test devices for existence of these problematic passwords, you may still want a way to ensure that such passwords are not introduced anytime in the future.

Here’s a custom device configuration test that we developed to identify any Type 4 passwords across your router inventory and also to alert if such a password is mistakenly configured in the future.

Assuming your routers are defined in SecureTrack, follow these instructions to test them:

  1. Add the custom test by running this command on the SecureTrack server:
    curl -k -u <user>:<password> -X POST -d '<dcr_test_concrete><groupId>8</groupId><id/><name>Forbid Type 4 Passwords</name><isActive>true</isActive><isDefault>true</isDefault><risk>3</risk><severity>3</severity><testDef><description>Verify that Type 4 passwords are not configured.</description><expression>^(enable secret 4|username.*secret.4)[^n]*</expression><id/><input>running_config</input><isCustom>true</isCustom><mustContain>false</mustContain><name>Forbid Type 4 Passwords</name><products><device>IOS</device><id>1</id><vendor>Cisco</vendor></products><remediation>Replace Type 4 passwords with Type 5 passwords.</remediation><testDefUid>CU001</testDefUid><type>line_match</type></testDef><testUid>CU001</testUid></dcr_test_concrete>' -H "Content-Type:application/xml"  "http://localhost:8080/securetrack/api/dcrTests/custom"
  2. Create a new device configuration report under Reports
  3. Enable the new custom test:
    Identifying Cisco ios
  4. Save and run the report
  5. A properly configured device should pass the test like this:
    Identifying Cisco ios

     

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

In this post:

Background Image

Related Posts

Navigating Cloud Security Metrics: A Guide for CISOs
Navigating Cloud Security Metrics: A Guide for CISOs
3 Common Challenges and Solutions when Implementing Zero Trust Networking Policies
3 Common Challenges and Solutions when Implementing Zero Trust Networking Policies
Understanding the Application Layer Firewall: The Future of Online Security
Understanding the Application Layer Firewall: The Future of Online Security
Tufin Named “Customer Service Department of the Year” by the Stevie Awards
Tufin Named “Customer Service Department of the Year” by the Stevie Awards

Top Posts

How to Perform a Firewall Audit – Policy Rules Review Checklist
How to Perform a Firewall Audit – Policy Rules Review Checklist
Understanding AWS Route Table: A Practical Guide
Understanding AWS Route Table: A Practical Guide
What is a Firewall Ruleset? How can it help me?
What is a Firewall Ruleset? How can it help me?
Tech How-To: Configure Your Firewalls to Block the “WannaCry” Ransomware Attack
Tech How-To: Configure Your Firewalls to Block the “WannaCry” Ransomware Attack
Close