Cisco Products Have Backdoors

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

proof of concept

Proof of Concept

Well, definately not buying any of those...

[BradySama]

Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China. Thanks, Cisco. Another one bites the credibility dust.

No Refund - firmware fix

[Allen+Zadr]

The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post about what I think about the completeness of said fix.

Re:No Refund - firmware fix

[ak_hepcat]

600km?

We do stuff like this all the time. Over 56k satellite circuits. Of course, we prefer to snail-mail a new flash card with the IOS, but for emergencies, tftp does work pretty well. Just slow.

Ah, Alaska. Nothing else like it.

yep

[SHEENmaster]

look for openbsd's corporate usage page.

Re:Linksys

[fgb]

I wouldn't think they would need it. There's a tiny little recessed button on the back on my linksys unit. Hold it in for 10 seconds and presto! the unit is back to the factory configuration. Passwords and all.

No excuse for a master password. Mind you, I'm not saying there isn't one, just that there is no need for one.

Re:No workarounds?

[dbarclay10]

However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.

It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

Re:It needs to be there

[ceritus]

... someone will lose the password within days ... I finally had to put a global password in every machine

Most devices that I see come with a default username/password set that you can change and, if the admin is irresponsible enough to lose a password, the device has a mechanism (clear the NVRAM by hitting this physical button and rebooting, for example) to recover from their folly. It's a pain in the ass, but it's punishment for creating a password that you can't remember. Having a default password that cannot be removed or changed is just silly.

You have to understand bug-fix parlance...

[Vellmont]

A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.

The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.

Re:Cisco's Life Lesson - Maybe not.

[i_am_pi]

Well, resetting the firmware on Cisco's devices does NOT reset the rest of the settings.

The process goes like this:
Boot device with console cable
Hit ctrl-c during boot
use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
Use the proper command to boot the device.

You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.

Enable yourself. copy start run (bring everything back up).
config t (begin configuration)
username blah password blabla priv 15 (if you have multiple usernames + priv levels)
enable secret blabla (big-daddy enable password)
line vty 0 4 (telnet access)
login
password bla
exit
config-reg 0x2102 (stop ignoring the configuration)
exit
copy run start (save that daddy)

Cisco is not alone. It's industry wide practice.

[lotussuper7]

I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.

It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.

Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.

On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.

So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.

So, yes, it is a security hole, but it is also something that customers are happy about when they need it.

Re:It needs to be there

[Havokmon]

Reading your responses, makes me realize, I should add one thing. These devices that I work on, are for a non-Slashdot crowd. It won't spread like wildfire. More like a smoke signal on a dry day. Cisco should have calculated the popularity of such an access key.

Cisco already provides a 'pasword retrieval' for all their routers. The trick is you have to be on site to perform the recovery.

Why there needs to be a master password that can be accessed from ANYWHERE, I don't know. At least make it only work on the current subnet.

not a conspiracy

[oogoody]

Backdoors are very common in embedded devices
so you can bootstrap the system. They should
have covered this better, but it is probably
not an evil conspiracy. It's probably just
developers and testers trying to do their
job without a lot of security shit that
makes everything take longer and be more
difficult.

Re:And the username/password pair is...

[EqualSlash]

May be this extensive list should help ..

Re:Well, that depends.

[Mysticalfruit]

Well that and their use of "Cisco" math when it comes to what their switches will push for throughput.

For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.

Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...

Don't get me wrong, Cisco stuff works, it's just really expensive and their are cheaper more capable equipment on the market...

Thats why you buy from Snapgear!

Snapgear!

Open-source, uClinux based routers, VPN solutions and OEM products!

Re:Cisco's Life Lesson - Maybe not.

[nate1138]

First off, these devices can be reset in several different ways without losing the configuration.

Second, once you have the device configured properly, you should back up your configuration with TFTP or over the console to make recovery easy. This way, even if the device itself is fried, you can just dump your config onto a replacement unit and get on with your day.

Re:You can't trust ANYONE.

[StealthHunter]

Search google for "Reflections on Trusting Trust" it's a great ACM award speach by Ken Thompson about this very topic. try here

Re:Well, that depends.

[Cramer]

Unless you downloaded and compiled the binaries from the postgresql.org server(s), then you cannot say, for sure, Cisco has not added backdoors to the code.

Re:Well, that depends.

[Mateito]

> Don't get me wrong, Cisco stuff works, it's just
> really expensive and their are cheaper more
> capable equipment on the market...

True.

Just remember that none of the "more capable" equipment is made by 3com.

Re:Well, that depends.

[Cramer]

... oh, like the OpenSSL ident strings. 12.0 used OpenSSH, but they have since stopped using OpenSSH code in IOS -- they either rolled their own or snarfed someone else's. They've removed almost all of the ident strings except for those put there by the compiler: GCC: (GNU) 2.95.3 20010315 (cisco p10 release), etc.

Re:Well, that depends.

[WhiteDragon]

For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.

Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...

Or, you could buy a Big Iron switch from Foundry that will blow away most of the offerings from Cisco.

Re:Cisco's Life Lesson - Maybe not.

[cpthowdy]

It doesn't matter a whole lot... if an intruder has physical access to your gear, you're fux0red either way. And it's not like someone with physical access couldn't connect to the management console port with their laptop, cycle the power, and do the ol' password recovery hack that Cisco gear has built into it. See here for more info: Cisco Password Recovery Procedures

Can't you people READ THE F**KING ARTICLE ?

[smeenz]

Honestly... you people can't resit jumping to conclusions can you ? If you READ the f'ing article, you would see that this vulnerability exists in a Cisco *application* that runs on a *linux* platform that is used to *manage* their wireless aironet devices in bulk, and has NOTHING to do with their switching/routing/wireless hardware products whatsoever.

If you read further, you would note that Cisco has already released patches for the problem.

If you had ANY experience with cisco security vulnerabilty disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.

Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.

And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"

Re:Well, that depends.

[PurpleFloyd]

While Cisco does have a decent security track record (exempting this colossally boneheaded manuver), your tirade against "slashdot mind-droids" is simply false. Backdoor passwords tend to be one of the most obvious things to detect, excepting serious trickery like putting the password into the compiler. Code that looks like

if (inputpasshash==storedhash)
{
return TRUE;
}
else if (inputpasshash==BACKDOOR)
{
return TRUE;
}
else
{
return FALSE;
}

tends to stand out pretty well during a code audit, and is visible even to a beginning C student. Backdoors are harder to sneak into open source software, simply because people will watch your every move and might not agree with all your changes.

Password recovery can be disabled.

[Pii]

Cisco's password recovery procedure can be disabled from Rommon, making the "configuration bypass" procedure non-functional.