Worrisome command "no service password-recovery strict"

Hello, recently I have stumbled upon the command "no service password-recovery strict" in the IOS XE documentation. According to the docs, this command disables any way of recovering access to the device in case AAA or enable password doesn't work, you can't even access ROMMON, which basically bricks the device. According to Cisco, the only way to unbrick the device is to send it to them and they will get it running again.

Recently, one of our routers got hacked, by mistake we left HTTPS running on one router and because of that it got exploited by the IOS XE WEB GUI vulnerability, which gave the hacker full privileged access to the router. Fortunately we noticed quickly and in the end only the configuration was stolen, which is not the end of the world. However, since I've seen the no service password-recovery strict command I've been thinking that the hacker could have potentially applied this command on the compromised router, messed up our configuration and therefore bricked our router remotely, taking it out of business for a long period of time, since I imagine it would take a long time to send it to Cisco and for them to fix it and send it back.

Now this could still be saved because we can always replace this router with a backup, but what if another privilege escalation vulnerability was discovered (I wouldn't be very surprised at this point) and someone used it to access all our IOS XE devices before we even knew about it? Using this command they could brick every single vulnerable device without us having any way to unbrick it, which in the end would probably take our company out of business, since our network would be down for a long period of time and we can't replace every device.

Were it not for this command, getting hacked like this would still be a catastrophe but at least we could get the network up and running again pretty quickly.

Am I right to dislike this "feature" and worry about it? Is there some not widely known way to recover access to the device even if this command was applied? I like to be prepared for everything, no matter how unlikely it is to happen, but right now I have no idea how I would handle the situation were this to happen.
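A defender-side check that follows from the question above, as an added example and not code from the thread: a small Python audit that scans saved IOS/IOS XE running-config text for `no service password-recovery` (with or without `strict`) and for an enabled HTTP/HTTPS server, and that compares a current config against a trusted backup so that a newly introduced line stands out. The sample config, the rule list and its severity labels are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt for this example (no real device).
SAMPLE_CONFIG = """\
!
version 17.6
service timestamps log datetime msec
no service password-recovery strict
hostname EDGE-RTR-1
!
ip http server
ip http secure-server
ip http authentication aaa
!
line vty 0 4
 transport input ssh
!
end
"""

# Rules are this example's own: (pattern over one stripped config line, severity, note).
# Order matters: the 'strict' form is checked before the plain form.
RULES = [
    (re.compile(r"^no service password-recovery strict$"), "critical",
     "password recovery disabled with 'strict': no break into ROMMON, no local way back in"),
    (re.compile(r"^no service password-recovery$"), "high",
     "password recovery disabled: recovery needs console access and may need Cisco"),
    (re.compile(r"^ip http secure-server$"), "high",
     "HTTPS web UI enabled: confine it to a management ACL or disable it"),
    (re.compile(r"^ip http server$"), "high",
     "HTTP web UI enabled: confine it to a management ACL or disable it"),
]


def audit_config(config_text: str) -> List[Dict[str, object]]:
    """Return one finding per config line that matches a rule."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and '!' separator lines
        for pattern, severity, note in RULES:
            if pattern.match(line):
                findings.append({"line": lineno, "severity": severity,
                                 "text": line, "note": note})
                break  # first matching rule wins
    return findings


def new_risky_lines(baseline_text: str, current_text: str) -> List[Dict[str, object]]:
    """Findings in the current config whose line is absent from the trusted baseline.

    Run against the last known-good backup this shows what changed, which is how a
    quietly added 'no service password-recovery' line would surface."""
    baseline = {l.strip() for l in baseline_text.splitlines()}
    return [f for f in audit_config(current_text) if f["text"] not in baseline]


def worst_severity(findings: List[Dict[str, object]]) -> str:
    """Highest severity present, or 'none' for an empty finding list."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((str(f["severity"]) for f in findings),
               key=lambda s: order.get(s, 0), default="none")


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3} [{f['severity']}] {f['text']}: {f['note']}")
    # Baseline: the same config before anyone touched password recovery.
    baseline = SAMPLE_CONFIG.replace("no service password-recovery strict\n", "")
    for f in new_risky_lines(baseline, SAMPLE_CONFIG):
        print(f"NEW since baseline: {f['text']}")
```

Feed `audit_config` the text of each saved config (for example the files your backup job already writes) and `new_risky_lines` the previous backup plus the current pull; a non-empty result from the second call is the alert worth paging on, because the command in question is easy to miss in a long config and leaves no local way back once it is in startup-config.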

13 Replies

M02@rt37
VIP

Hello @ThomasKrizan6821 

As far as I know, there is no widely known, documented, or supported method to recover a device when the "no service password-recovery strict" command has been applied. The purpose of this command is to enhance security by making it extremely difficult to recover access to the device without physical access and assistance from Cisco.

Disabling password recovery mechanisms can indeed pose a risk, as it removes a safety net in case of accidental lockouts or compromises. If this command is applied and access to the device is lost due to forgotten passwords or any other reason, the only way to recover the device is typically through Cisco's assistance.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Leo Laohoo
Hall of Fame

I have never been a fan of the command "no service password-recovery" and I'm fed up with people using the command without understanding the full repercussions and then coming begging for how to perform a password-recovery.

I, for one, have seen this command being abused and misused many times.

In any thread where "no service password-recovery" is configured and someone is asking for password-recovery instructions, I always tell them to raise an RMA.

Instead of "no service password-recovery", Cisco should "monetize" this and incorporate it into the licensing regime.

Totally agree with you @Leo Laohoo!

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Totally agree with you, though I can understand the existence of the no service password-recovery command, but not the variant with the strict keyword; that feature is asking to be abused.

"no service password-recovery" is pretty dangerous and adding the strict parameter makes it much more dangerous. Anyone thinking about using either of these needs to have a very good understanding of the implications (and should have existing procedures for dealing with it). And many of us have seen situations where someone implemented one without having that good understanding, and suffered the consequences. Cisco implemented these because there are some environments where the concern about intrusion/compromise is so great that they are willing to live with the consequences. So the point here is that if you are thinking about implementing one of these alternatives think very carefully about whether you are really in one of those very few environments.

HTH

Rick

Recovering a Router with the Password Recovery Service Disabled - PacketLife.net

Even if you disable this feature you can still recover, so you don't need to disable it.
MHM

@MHM Cisco World 

2010 article... and depending on the platform, this procedure might not work.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

User Security Configuration Guide, Cisco IOS Release 15SY - No Service Password-Recovery [Support] - Cisco

Friend, read this also.
It is only a headache,
so I recommend not disabling it.
MHM

@MHM Cisco World 

I agree! So I recommend not disabling it at all!

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

If I understand it correctly, you cannot send a break signal while the router is booting when the command no service password-recovery strict is used (the keyword strict is important), so this recovery process wouldn't work. I can't test it since I don't want to apply this command on my routers, but it seems you won't even get the prompt to reset the router to factory settings.

What platform do you have?

MHM

We use mostly ISR C11xx with IOS XE 17.6.5a.

Ruben Cocheno
Spotlight

@ThomasKrizan6821 

Unless you have that "no recovery" requirement in writing from your client, so that he understands the harmful consequences, then you're good.

The consequences of that command are really 

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/