Slashdot Mirror
Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.
Kinetic stupidity has a new brand leader: Allen Zadr.
I simply can not believe this has happened. This is more boneheaded than what Microsoft has done for the past few years.
I am defenseless. Use your button. Mod me down with all of your hatred.
Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
But what can anyone do? Are there any open-source makers of networking hardware?
How fucking stupid do you have to be to realize that this was a BAD THING? Damn, perhaps if Cisco stopped spending so much on stupid ads and rethought its dev process stupid shit like this would not happen.
How did anyone EVERY think this was a 'good thing'???
The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.
However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.
Tubal-Cain smokes the white owl.
Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
No, not really. The user id could be set by serial number (randomly) and you could keep track of who has what serial number, who is authorized to get the password, the password could also roll (think subscription revenue!).
The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
For every karma whore there are four more people with mod points to kill.
Let's see..
"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."
This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?
Why can software/hardware companies get way with "We tried our best, honest!" ?
Auditing the code only guarantees security if you trust that your compiler isn't compromised.
Auditing the compiler's code doesn't guaranteee anything either. It too had to be compiled, and the compiler's compiler may have been compromised.
Do they plan on releasing a firmware update?
RTFA.
If so, how do we know they aren't going to put another backdoor into that and simply change the information?
You don't.
Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
If you own the affected products and require open source firmware patches then you should have thought of that before you bought the product. If you require open source hardware then buy open source hardware.
Speak truth to power.
Why the hell was this modded "Interesting". RTFA.
It's software, it's been fixed, nothing to see here. Move along.
Beauty is in the eye of the beerholder.
Simply add a 'reset' button. Or something like that handy little jumper you can switch on your motherboard in case someone forgets a bios password.
A backdoor as cisco has is unacceptable in every way.
// "Can't clowns and pirates just -try- to get along?"
It depends on the value of the information within. If it's important enough to worry about whether a master password exists...then I'd suggest that it's important enough that people will remember their password and not need it.
If I buy a 50 quid wall safe and lose my key, I could probably go into any locksmiths and get a replacement key for that model safe. If I spend 1,000,000 on a bank vault I'd like to think that no generic or master key existed...
Backing away from the analogy quietly for a moment..I think it would be pretty simple(for Cisco) to enable the backdoor login only via a console connected to the serial port and not remotely..
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:
Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.
Second use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password") the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.
Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.
-Adam
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Kinetic stupidity has a new brand leader: Allen Zadr.
We maintain a very substantial annual contract with Cisco. I can tell you that while our service has varied a bit in terms of engineering skill over the years, overall it has been outstanding. They maintain, by and large, the most thoroughly documented product base of any major hardware vendor.
Second of all, when you read those two bug toolkit ID's, you will notice that there are patches directly available to fix the problem. Oh no, not a patch. Pfffft.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Simple question, with an even simpler answer: No.
If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.
Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting date from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.
But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."
If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.
Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.
But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
----------
Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
No no, they put a modem on the rs232 analyzer that's in their modem port. You "do the magic" they send the recorded bits off to alt.hack.yerEmployersAboutToDie and viola. In a few months you're lining up with all your former coworkers at the local unemployment shop while management sorts out the cords on their golden parachutes. bk425
Really?
... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.
d isclosure/ 2003-October/012809.html
They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that
They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.
They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-
There are many others.
So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I think the point is:
In an age of acces through networks, is it possible to trust any private organization enough to not oversee them with what they are doing ?
Or is it almost obligatory to know exactly what a particular device/computer etc. does, or at least have the possibility of own, or third party assessment.
Really it isn't a mistake to consciously create a backdoor is it
> history has shown that they
> are far more trustworthy.
With that you effectively demonize any person who works for a company that is not open source based. I work at a place that does 50% military work - closed source by definition I suppose. Everybody I know there tries hard to make a good product. We perform code reviews and quality control and do the best we can to provide a product that is what the customer wants and has paid for. Your black-and-white strokes aren't very fair to your fellow humans who don't happen to work in an environment of which you approve.
w
That punishment doesn't necessarly fit the crime.
:)
I took a short (20 minute) job today, which involved fixing a customer's Cisco Catalyst 2924. There was an enable password set, but no one knew what it was. They wanted to make some network changes, most of which involved changing a couple port configurations. Zzz...
So I, not responsible for the lost password, took the "punishment" for the old admin loosing the password. Aparently the guy doesn't work for them anymore or whatever. Hell, I got paid for an hour, what do I care.
I hope this changes their strategy of putting in secret passwords. They're into security enough to know that is very dangerous. Secrets are not well kept, and someone will always leak.
Serious? Seriousness is well above my pay grade.