Slashdot Mirror


Cisco Products Have Backdoors

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

11 of 555 comments (clear)

  1. Cisco's Life Lesson - Maybe not. by Allen+Zadr · · Score: 5, Insightful

    There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.

    I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.

    On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...

    However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
    1. Re:Cisco's Life Lesson - Maybe not. by Zathrus · · Score: 5, Insightful

      I see a great many people buying hardware from Cisco's competitors in the near-future.

      What makes you think that they don't have a backdoor username/pw as well? It may not be hard coded (they could both be strings that are determined by a hash function, based on the date/time or some other changing value), but I'd bet you they're there, at least on any high end equipment. Why? So that the damn thing is supportable remotely... even after some idiot admin screws up everything else. And, no, resetting the firmware on these things to restore the default admin password isn't acceptable -- simply because in doing so you'd lose all the other settings (bad for two reasons -- 1) they usually take hours or days to setup correctly, 2) if you're accessing the box for support, you probably want to see what the hell happened in case it was a bug).

  2. Trust No One by aaron240 · · Score: 5, Insightful

    Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.

  3. Can we really trust closed-source vendors? by macshune · · Score: 5, Insightful

    No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.

    But what can anyone do? Are there any open-source makers of networking hardware?

  4. You can't trust ANYONE. by CrystalFalcon · · Score: 5, Insightful

    Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?

    You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.

    How do you know that the open source you are looking at actually is the one running in your device? You don't.

    How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.

    How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.

    How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.

    What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.

    The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.

  5. Re:It needs to be there by ls-lta · · Score: 5, Insightful

    No, not really. The user id could be set by serial number (randomly) and you could keep track of who has what serial number, who is authorized to get the password, the password could also roll (think subscription revenue!).

  6. Register, or else by skidde · · Score: 5, Insightful

    The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .

    I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.

    --
    For every karma whore there are four more people with mod points to kill.
  7. Yes, but - WIRELESS by Allen+Zadr · · Score: 5, Insightful
    The problem here is that these routers are WIRELESS. All you need is proximity to use the secret ID. Block my MAC, I tell my MAC to use another address. Block all wireless, then what's the point of having a wireless product.

    The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
  8. Surprising, but not that surprising by allyourbasebelongtou · · Score: 5, Insightful

    This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.

    I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.

    That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.

    This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.

    Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?

    The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)

    --
    ----------
    Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
  9. /.-ers just don't get it.... by egriebel · · Score: 5, Insightful
    I'm going to go out on a limb and predict tons of posts of "dump cisco now!!" here. It'll never happen, Cisco will shrug this off. There's no way that the corporate infrastructure is going to be torn up, Cisco has too much penetration and momentum. Acutally, I bet it won't even hit mainstream media and be barely a footnote in NetworkWorld and related trade rags.

    There will be no wholesale move off of Cisco products. Why?

    1. Who else are you going to use?
    2. Who is going to pay for the new hardware?
    3. When are you going to do the upgrading?

    Let's roleplay the conversation between the CIO and CEO/COO:

    CTO: Hey boss, I need $x million to replace all our Cisco equipment NOW!
    CEO: Hmm, that's a lot of work and money, are they broken?
    CTO: Well, no, but there's an extremely serious vulnerability!
    CEO: <blinks>
    CTO: Every Cisco box has the same administrative password!
    CEO: <starts to watch the window washers and birds outside>
    CTO: Anyone can log in to our systems with this password
    CEO: Hmm, I see....Is that bad?
    CTO: Yes, which is why they need to be replaced.
    CEO: Well, it certainly sounds serious. Why don't you prepare a proposal, get buyin with the Regional VPs and Directors, run it by Frank in operations, and then talk to my assistant Tiffany and get some time on my schedule.
    CTO: Sir, I think it should be expedited.
    CEO: Yes, hmm. So have you heard how Tiger is doing at the Masters today?

    The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.

    --
    ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
  10. Re:Well, that depends. by arivanov · · Score: 5, Insightful

    Really?

    They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that ... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.

    They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.

    They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
    http://lists.netsys.com/pipermail/full-d isclosure/ 2003-October/012809.html

    There are many others.

    So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/