Exploit Flaw Found in Cisco Firewall Security
8/29/2006 -- Cisco Systems Inc. last week warned of a vulnerability affecting a range of its firewall products, including the Cisco PIX 500 Series Security Appliances, the ASA 5500 Series Adaptive Security Appliances and the Firewall Services Module for its Cisco Catalyst 6500 switches.
The bug could cause the EXEC password, the passwords of locally defined usernames, and the enable password in the startup configuration to be changed without user intervention. The stakes, Cisco cautioned, are severe: if exploited, unauthorized users could gain access to a device once the passwords in its startup configuration have been changed. There is a further wrinkle, too: once an unauthorized user has gained access by changing the legitimate passwords, authorized users can in turn be locked out and lose the ability to manage the affected device.
The flaw derives from the way these devices authenticate access to EXEC mode and enable mode. Authentication for both modes can be performed using Authentication, Authorization and Accounting (AAA) methods such as Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+) or LOCAL. If a device does not have any AAA method configured, authentication for EXEC mode is performed using the password configured with the passwd command, and authentication for enable mode is performed using the password configured with the enable password command. Because of a software bug that exists in certain versions of the software used by these devices, Cisco says, the EXEC password, the passwords of locally defined users, and the enable password (all of which are typically stored in non-volatile startup configuration memory) can -- in certain circumstances -- be changed without user intervention.
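A defender-side check that follows from the paragraph above: because the three affected credentials live in the startup configuration as `passwd`, `enable password` and `username ... password` lines, periodically diffing those lines against a known-good snapshot surfaces a change nobody made. The Python below is an added example, not Cisco's code; the configuration excerpts and the encrypted hash values in them are constructed placeholders, not real device output.

```python
import re

# Constructed credential lines from a PIX/ASA startup configuration
# (hash values are made-up placeholders, not real device output).
BASELINE_CONFIG = """\
enable password Qm7tX2vL9pKa4RwZ encrypted
passwd Hd3sN8bYc6Tg1Ue5 encrypted
username netops password Vx0wJr4Lq9Mz2Kf7 encrypted privilege 15
username backup-admin password Bn6yP1cS8Wt3Ah5D encrypted privilege 15
"""
# Constructed later snapshot in which the enable password and one local
# user's password no longer match the baseline.
CURRENT_CONFIG = """\
enable password Zr5kF9nT2xL8qW3v encrypted
passwd Hd3sN8bYc6Tg1Ue5 encrypted
username netops password Vx0wJr4Lq9Mz2Kf7 encrypted privilege 15
username backup-admin password Gy2mC7pE4sR9uX1b encrypted privilege 15
"""

ENABLE_RE = re.compile(r"^enable password (\S+)")    # enable-mode password
PASSWD_RE = re.compile(r"^passwd (\S+)")             # EXEC-mode password
USERNAME_RE = re.compile(r"^username (\S+) password (\S+)")  # local users


def extract_credentials(config: str) -> dict:
    """Map 'enable', 'exec' and 'user:<name>' to the stored (encrypted) value."""
    creds = {}
    for line in config.splitlines():
        line = line.strip()
        if m := ENABLE_RE.match(line):
            creds["enable"] = m.group(1)
        elif m := PASSWD_RE.match(line):
            creds["exec"] = m.group(1)
        elif m := USERNAME_RE.match(line):
            creds[f"user:{m.group(1)}"] = m.group(2)
    return creds


def credential_drift(baseline: str, current: str) -> dict:
    """Report each credential that was changed, added or removed between snapshots."""
    before, after = extract_credentials(baseline), extract_credentials(current)
    drift = {}
    for key in sorted(set(before) | set(after)):
        if key not in after:
            drift[key] = "removed"
        elif key not in before:
            drift[key] = "added"
        elif before[key] != after[key]:
            drift[key] = "changed"
    return drift

if __name__ == "__main__":
    print(credential_drift(BASELINE_CONFIG, CURRENT_CONFIG))
```

Run against two startup-configuration snapshots captured before and after the check interval; any non-empty result for a device on which no administrator changed credentials is the signal to investigate.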
Cisco published a list of bug fixes and workarounds here. -Stephen Swoyer