CVE-2008-1246

Vulnerability

A privilege escalation vulnerability exists in the Cisco PIX/ASA Finesse Operation System versions 7.1 and 7.2. When the enable password is blank, a local or telnet user with privilege level 0 can trigger a flaw in the password prompt handling. By entering a character at the enable prompt, deleting it with Backspace, and then holding down the Backspace key for one second after erasing the final character, the system drops the user directly into privileged EXEC mode (level 15) without requiring the correct password. This issue does not occur when SSH, TACACS+, or RADIUS authentication is configured, or when an enable password is set [1]. Note: some third parties, including a vendor employee, reported inability to reproduce unless the enable password is blank.

Exploitation

An attacker requires either physical console access or remote access via Telnet (SSH is not vulnerable). The attacker must have a valid low-privilege (level 0) account on the device. The exploit sequence is: log in with the level 0 account, wait for the enable password prompt, type a space or any character, then press Backspace to delete all characters, and immediately hold down the Backspace key for about one second after the last character is erased. Successful execution results in immediate elevation to privilege level 15 without providing the enable password [1].

Impact

Successful exploitation grants the attacker complete administrative control over the affected Cisco PIX/ASA device, equivalent to privilege level 15. This allows full read and write access to all configurations, the ability to modify security policies, disable or circumvent firewall rules, view and clear logs, and potentially pivot to other network devices. The compromise is local or Telnet-based, but the elevated privileges persist for the duration of the session.

Mitigation

Cisco has not released a software update to address this issue, as the vulnerability is contingent on an already insecure configuration (blank enable password). The primary mitigation is to set a strong, non-blank enable password on all affected devices running Finesse OS 7.1 or 7.2. Additionally, disabling Telnet access and using SSH, TACACS+, or RADIUS authentication prevents the attack from being exploited remotely. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) Catalog. If no fix is applied, administrators should ensure all local accounts have non-blank passwords and restrict console access to authorized personnel [1].