Contains specific settings that control the behavior of the Cisco device,
Determines how to direct traffic within a network, and
Stores pre-shared keys and user authentication information.
To protect this sensitive data, Cisco devices can use hashing or encryption algorithms
to secure this information, but only if they are properly configured to do so.
Hashing is a one-way algorithm. It produces output that is difficult to reverse back to the
original string. A random salt is often added to a password prior to hashing, making it
difficult to use precomputed hashes to reverse the password. If the salted hash of a
strong password (i.e., one that is both long and complex, making it hard for a computer
to guess) is captured by a malicious actor, that hash should be of little use since the
actor could not recover the actual password.
Encryption is an algorithm that uses a key to produce output that is difficult to reverse
back to the original plaintext string without the key. Encryption is either symmetric,
which uses the same key for encryption and decryption, or asymmetric, which uses a
public key for encryption and a corresponding private key for decryption back to the
original string. Cisco Type 6 passwords, for example, allow for secure, encrypted
storage of plaintext passwords on the device.
When configuration files are not properly protected and a Cisco device is configured to
use a weak password protection algorithm, the stored credentials are not adequately secured.
This can lead to compromised devices and, potentially, to the compromise of entire networks.
Severity of the vulnerability
Hashed or encrypted forms of passwords can be stored in configuration files for
authentication purposes to protect the plaintext password. When the configuration file
is displayed on the command line interface, or when it is copied from the device, the user sees
the protected form of the password with a number next to it. The number indicates the
type of algorithm used to secure the password. The password protection types for Cisco
devices are 0, 4, 5, 6, 7, 8, and 9.
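As an added example (not part of the original guidance), the following script reads lines of a device configuration, picks out the type number that follows the `secret` or `password` keyword, and reports how each stored credential is protected. The algorithm descriptions are the documented meanings of the type numbers; the weak/legacy/strong rating and the sample configuration are this example's own assumptions, not the page's table.

```python
import re
from typing import NamedTuple

# Algorithm behind each Cisco type number (facts about the formats); the
# "rating" column is this example's own judgement, not the page's table.
PASSWORD_TYPES = {
    "0": ("plaintext, no protection", "weak"),
    "7": ("reversible obfuscation, plaintext is recoverable", "weak"),
    "4": ("unsalted single-pass SHA-256 hash", "weak"),
    "5": ("salted MD5-crypt hash", "legacy"),
    "6": ("AES encryption under the device master key, recoverable by design", "strong"),
    "8": ("salted PBKDF2-HMAC-SHA256 hash", "strong"),
    "9": ("salted scrypt hash", "strong"),
}

# Keyword, type number and stored value, e.g. "enable secret 5 $1$..." or
# "username ops password 7 0123...". "service password-encryption" has no
# "<space><digit>" after the keyword and therefore does not match.
LINE_RE = re.compile(r"\b(secret|password)\s+([0456789])\s+(\S+)")

class Finding(NamedTuple):
    line_no: int
    ptype: str
    algorithm: str
    rating: str

def audit_config(config_text: str) -> list[Finding]:
    """One Finding per credential line, in configuration order."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if m is None:
            continue
        _keyword, ptype, _stored_value = m.groups()
        algorithm, rating = PASSWORD_TYPES[ptype]
        findings.append(Finding(line_no, ptype, algorithm, rating))
    return findings

def weak_findings(config_text: str) -> list[Finding]:
    """Credentials whose stored form does not adequately protect the password."""
    return [f for f in audit_config(config_text) if f.rating == "weak"]

# Constructed sample configuration; salts and hash values are placeholders.
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 9 $9$placeholderSalt$placeholderHashValue
username admin secret 8 $8$placeholderSalt$placeholderHashValue
username legacy password 7 0123456789ABCDEF
username ops secret 5 $1$salt$placeholderHashValue
username guest password 0 placeholderplaintext
"""
```

Running `weak_findings(SAMPLE_CONFIG)` returns the Type 7 and Type 0 entries; lines such as `service password-encryption` or an `enable secret` without a type number are skipped.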
For an overview of the Cisco password types, the following table lists them, their
difficulty to crack and recover the plaintext password, their vulnerability severity, and