Slashdot Mirror


Cisco Products Have Backdoors

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

3 of 555 comments

  1. Re:No workarounds? by dbarclay10 · Score: 5, Informative
    However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my jaw drop.

    It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

    Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

    So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

    --

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)
  2. Re:Cisco's Life Lesson - Maybe not. by i_am_pi · Score: 5, Informative

    Well, resetting the firmware on Cisco's devices does NOT reset the rest of the settings.

    The process goes like this:
    Boot device with console cable
    Hit ctrl-c during boot
    Use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
    Use the proper command to boot the device.

    You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.

    Enable yourself. copy start run (bring everything back up).
    config t (begin configuration)
    username blah password blabla priv 15 (if you have multiple usernames + priv levels)
    enable secret blabla (big-daddy enable password)
    line vty 0 4 (telnet access)
    login
    password bla
    exit
    config-reg 0x2102 (stop ignoring the configuration)
    exit
    copy run start (save that daddy)
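
The recovery sequence above ends with the box re-secured by hand: an enable secret, a vty line that requires a password, and the configuration register set back to 0x2102. As an added example (not part of i_am_pi's comment, and not a Cisco tool), the following Python script parses a "show running-config" dump into its top-level commands and indented sections and checks for exactly those settings, plus the reversible "enable password" form. The two sample configs are constructed here rather than captured from a device, and the hash values in them are placeholders. The one fact the script relies on beyond the comment is that 0x2142 and 0x2102 differ only in bit 6 of the register, the "ignore NVRAM" bit.

```python
"""Check a Cisco IOS running-config for the settings restored in the
password-recovery sequence above.  Added example, not part of the
original comment; the sample configs are constructed, not captured."""
import re
from typing import Dict, List, Tuple

# Constructed: a config that has been re-secured correctly.  The hash
# values are placeholders, not real secrets.
SAMPLE_GOOD = """\
version 12.2
hostname edge-rtr
enable secret 5 $1$salt$PLACEHOLDERHASHVALUE
username admin privilege 15 secret 5 $1$salt$PLACEHOLDERHASHVALUE
config-register 0x2102
!
line con 0
 login
 password 7 PLACEHOLDER
!
line vty 0 4
 login
 password 7 PLACEHOLDER
!
end
"""

# Constructed: the same box after a sloppy recovery.  'enable password'
# instead of 'enable secret', vty 'login' with no password set, and the
# config register still at 0x2142 so NVRAM is ignored on the next boot.
SAMPLE_BAD = """\
version 12.2
hostname edge-rtr
enable password cisco
username admin privilege 15 password 0 cisco
config-register 0x2142
!
line con 0
!
line vty 0 4
 login
!
end
"""

IGNORE_NVRAM_BIT = 0x0040  # bit 6 of the IOS config register


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config text into top-level commands and their indented bodies.

    Returns (top_level_lines, {header_line: [indented sub-commands]}).
    A '!' line or a blank line ends the current section.
    """
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def audit_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_ios_config(text)
    findings: List[str] = []

    # Privileged-exec password: 'enable secret' is hashed; 'enable
    # password' is plaintext or reversible type-7 encoding.
    if not any(line.startswith("enable secret") for line in top):
        findings.append("no 'enable secret' configured")
    if any(line.startswith("enable password") for line in top):
        findings.append("'enable password' present; it is stored reversibly, use 'enable secret'")

    # Every vty line block needs 'login' and something to log in with.
    vty_headers = [h for h in sections if h.startswith("line vty")]
    if not vty_headers:
        findings.append("no 'line vty' section found")
    for header in vty_headers:
        body = sections[header]
        has_login = any(cmd == "login" or cmd.startswith("login ") for cmd in body)
        has_password = any(cmd.startswith("password ") for cmd in body)
        uses_local = "login local" in body
        if not has_login:
            findings.append(f"{header}: no 'login', remote sessions are not authenticated")
        elif not has_password and not uses_local:
            findings.append(f"{header}: 'login' set but no line 'password' (and no 'login local')")

    # Config register: 0x2142 differs from 0x2102 only in bit 6, which
    # tells the boot ROM to ignore the startup-config in NVRAM.
    for line in top:
        match = re.match(r"config-register\s+(0x[0-9a-fA-F]+)$", line)
        if match and int(match.group(1), 16) & IGNORE_NVRAM_BIT:
            findings.append(f"'{line}': ignore-NVRAM bit set, startup-config is skipped at boot; set 0x2102")

    return findings


if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

Run against the bad sample it reports four findings; the config-register one is the easiest to miss after a console recovery, because the box keeps working from the running config until the next reload, at which point it boots with no configuration at all.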

  3. Cisco is not alone. It's industry wide practice. by lotussuper7 · Score: 5, Informative

    I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.

    It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.

    Backdoors that often have access to functions far beyond what the customer knows about, and that in many cases are able to really mess up the device if used incorrectly by a tech who is not an expert.

    On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.

    So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.

    So, yes, it is a security hole, but it is also something that customers are happy about when they need it.

    --
    ----- Lotus Super 7 - A real car. :-}