Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Products Have Backdoors

Posted by CmdrTaco on from the two-scoops-of-creepy dept.

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

10 of 555 comments (clear)

  1. Well, definately not buying any of those... by BradySama · · Score: 3, Informative

    Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China. Thanks, Cisco. Another one bites the credibility dust.

  2. No Refund - firmware fix by Allen+Zadr · · Score: 3, Informative

    The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post about what I think about the completeness of said fix.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
  3. yep by SHEENmaster · · Score: 4, Informative

    look for openbsd's corporate usage page.

    --
    You can't judge a book by the way it wears its hair.
  4. Re:No workarounds? by dbarclay10 · · Score: 5, Informative
    However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.

    It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

    Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

    So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

    --

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)
  5. You have to understand bug-fix parlance... by Vellmont · · Score: 4, Informative

    A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.

    The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.

    --
    AccountKiller
  6. Re:Cisco's Life Lesson - Maybe not. by i_am_pi · · Score: 5, Informative

    Well, resetting the firmware on Cisco's devices does NOT reset the rest of the settings.

    The process goes like this:
    Boot device with console cable
    Hit ctrl-c during boot
    use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
    Use the proper command to boot the device.

    You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.

    Enable yourself. copy start run (bring everything back up).
    config t (begin configuration)
    username blah password blabla priv 15 (if you have multiple usernames + priv levels)
    enable secret blabla (big-daddy enable password)
    line vty 0 4 (telnet access)
    login
    password bla
    exit
    config-reg 0x2102 (stop ignoring the configuration)
    exit
    copy run start (save that daddy)

  7. Cisco is not alone. It's industry wide practice. by lotussuper7 · · Score: 5, Informative

    I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.

    It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.

    Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.

    On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.

    So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.

    So, yes, it is a security hole, but it is also something that customers are happy about when they need it.

    --
    ----- Lotus Super 7 - A real car. :-}
  8. Re:You can't trust ANYONE. by StealthHunter · · Score: 3, Informative

    Search google for "Reflections on Trusting Trust" it's a great ACM award speach by Ken Thompson about this very topic. try here

  9. Can't you people READ THE F**KING ARTICLE ? by smeenz · · Score: 3, Informative
    Honestly... you people can't resit jumping to conclusions can you ? If you READ the f'ing article, you would see that this vulnerability exists in a Cisco *application* that runs on a *linux* platform that is used to *manage* their wireless aironet devices in bulk, and has NOTHING to do with their switching/routing/wireless hardware products whatsoever.

    If you read further, you would note that Cisco has already released patches for the problem.

    If you had ANY experience with cisco security vulnerabilty disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.

    Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.

    And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"

  10. Re:Well, that depends. by PurpleFloyd · · Score: 4, Informative
    While Cisco does have a decent security track record (exempting this colossally boneheaded manuver), your tirade against "slashdot mind-droids" is simply false. Backdoor passwords tend to be one of the most obvious things to detect, excepting serious trickery like putting the password into the compiler. Code that looks like
    if (inputpasshash==storedhash)
    {
    return TRUE;
    }
    else if (inputpasshash==BACKDOOR)
    {
    return TRUE;
    }
    else
    {
    return FALSE;
    }
    tends to stand out pretty well during a code audit, and is visible even to a beginning C student. Backdoors are harder to sneak into open source software, simply because people will watch your every move and might not agree with all your changes.
    --

    That's it. I'm no longer part of Team Sanity.