Cisco Web Portal Password Security Compromised

A security flaw in a search tool used on the Cisco Web portal could potentially compromise registered users passwords, the routing and switching giant warned Wednesday.

A Cisco Systems Inc. spokesperson told Ziff Davis Internet News the bug, discovered and reported by a third-party research firm, is not the result of any flaws in Cisco products or technologies.

“Were aware of a vulnerability in a search tool used on the site that could expose passwords of registered users. We have since taken necessary steps to correct this issue,” the spokesperson said.

Cisco has initiated system-wide resets of user passwords and patched the search tool flaw, he added.

The company has sent out password reset notices to registered Cisco.com users.

“Cisco has determined that Cisco.com password protection has been compromised. As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you,” the notice read.

/zimages/5/28571.gifClick here to read more about Cisco seeking a restraining order against former Internet Security Systems Inc. researcher Michael Lynn.

The Cisco.com portal is used by employees, customers, partners and third-party users to access information on a wide range of networking, VOIP (voice over IP) and security technologies.

“This is unrelated to the events of last week,” the spokesperson said, referring to the controversy at the Black Hat Briefings in Las Vegas when former Internet Security Systems Inc. researcher Michael Lynn spilled the beans on a remotely exploitable flaw in the Cisco IOS (Internetwork Operating System).

/zimages/5/28571.gifRead more here about the security hole in Ciscos IOS.

Lynns dramatic presentation caused quite a stir and prompted Cisco and ISS to file an injunction and temporary restraining order to block the further dissemination of information on the IOS flaw.

Cisco has since confirmed the “high risk” vulnerability could lead to code execution attacks and released patches for the vulnerable operating system.

/zimages/5/28571.gifTo read more about hackers working to expose the flaw, click here.

Computer hackers, angered by the companys attempts to censor Lynn, has vowed to find a way to exploit the Cisco IOS, prompting widespread speculation that the Web site breach is related to the Black Hat brouhaha.

“There is no evidence that this is related. This has nothing to do with a vulnerability in Cisco products,” the Cisco spokesperson said.

Editors Note: This story was updated to remove references to a possible malicious hacker attack.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.