Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.
Kinetic stupidity has a new brand leader: Allen Zadr.
Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
But what can anyone do? Are there any open-source makers of networking hardware?
Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
No, not really. The user id could be set by serial number (randomly) and you could keep track of who has what serial number, who is authorized to get the password, the password could also roll (think subscription revenue!).
The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
For every karma whore there are four more people with mod points to kill.
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Kinetic stupidity has a new brand leader: Allen Zadr.
This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
----------
Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
Really?
... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.
d isclosure/ 2003-October/012809.html
They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that
They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.
They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-
There are many others.
So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/