An independent security firm last week discovered a flaw that leaves Cisco Systems' PIX firewall vulnerable to high-powered hackers using random combinations to break an encryption scheme.
The anomaly, which Cisco quietly acknowledged on its Web site, is in the data encryption standard (DES) mechanism for the firewall's Private Link module. This module allows users to establish virtual private networks (VPNs) using the PIX firewall.
The bug causes the firewall to revert from its normal 56-bit key scheme to the lesser 48-bit key scheme.
Increased damage potential
In practical terms, reducing the length of the encryption key from 56 bits to 48 bits means "knowledgeable hackers can, on average, find the right key to break the firewall's encryption 256 times faster than they would be able to find it with a true 56-bit key", Cisco said in its warning.
However, Cisco is trying to downplay the consequences of the bug. The company's UK-based Internet technologies product manager, Benjamin Ellis, who was in Australia last week, told ARN that even reducing encryption to 48 bits still means the firewall is very secure.
He also said the take-up of the Private Link option has so far been fairly limited as VPN technology is still catching on. He said only "a handful" of users will be affected by the bug in Australia.
Cisco says the first regular release containing a fix for the problem will be Version 4.2.1, which is tentatively slated for release later this month. But Cisco officials say the schedule is subject to change. Fixes for Version 4.1 haven't been scheduled.
Customers who need to upgrade their PIX software immediately may contact Cisco's technical assistance centre to obtain interim software. But the vendor admitted "the interim software hasn't been subjected to full testing; it has a greater chance of containing serious bugs than regular release software".