Slashdot Mirror


Cisco Products Have Backdoors

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

7 of 555 comments

  1. There is no workaround. by Space+cowboy · · Score: 5, Interesting


    (According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)

    I can see why it's useful to have a master password, but really, it was bound to cause major embarrassment in the end - the only way it would work is if everyone who knew it (presumably Cisco employees) never ever divulged it. That's likely!

    Simon

    --
    Physicists get Hadrons!
  2. It needs to be there by thpdg · · Score: 5, Interesting

    People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.

    --

    -Patrick

    "They never stop thinking about new ways to harm our country and our people, and neither do we."

  3. Re:Cisco's Life Lesson - Maybe not. by DJStealth · · Score: 4, Interesting

    If it is necessary to have a backdoor, it should only be enabled temporarily via a switch/hardware button (in the case that the admin password was forgotten).

    I.e. in order to get in through the backdoor, you need to hold down a button for 10 seconds, and the login will be enabled for the next 2 minutes (which should be enough time to change the admin pw if it is forgotten). This would require that the site be physically secure; however, it would prevent those from remotely accessing the backdoor (unless someone is actually there to hit this 'switch').

  4. Re:Well, that depends. by InadequateCamel · · Score: 4, Interesting

    Cisco actually has a better track record than some other closed source vendors I could mention.


    That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.

    The question we should be asking is what else have they done that their customers would object to if they knew about it?

    Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.

  5. No it doesn't by Burdell · · Score: 5, Interesting
    There is no reason to have a master password that gives someone with that knowledge instant full access to every such device in the field. There are many ways to work around it (without resorting to just resetting the device and clearing all settings).

    Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).

    Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a response string and use it to log in, and then you change the password.

    The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
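
Comments 3 and 5 above describe two recovery designs that avoid a fleet-wide master password: a physically triggered, time-limited window and a vendor challenge-response. The sketch below is an added example, not code from the thread, Cisco or Livingston; the per-device key, the HMAC-SHA256 response and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 120  # comment 3: recovery login stays enabled for 2 minutes


def vendor_response(device_key: bytes, challenge: bytes) -> str:
    """Vendor side: answer a challenge with the per-device key (assumed scheme)."""
    return hmac.new(device_key, challenge, hashlib.sha256).hexdigest()


class RecoveryPort:
    """Device side. The key is unique per unit, so one leak does not open the fleet."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._challenge = None
        self._expires = 0.0

    def button_held(self, now: float) -> str:
        """Physical switch or button: issue a fresh challenge and open the window."""
        self._challenge = secrets.token_bytes(16)
        self._expires = now + WINDOW_SECONDS
        return self._challenge.hex()

    def try_recover(self, response: str, now: float) -> bool:
        """Accept a response only inside the window, and only once per challenge."""
        if self._challenge is None or now > self._expires:
            self._challenge = None
            return False
        expected = vendor_response(self._key, self._challenge)
        self._challenge = None  # single use: a wrong guess costs another button press
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed per-device key
    port = RecoveryPort(key)
    challenge = port.button_held(now=0.0)   # operator is physically at the device
    answer = vendor_response(key, bytes.fromhex(challenge))
    print("within window:", port.try_recover(answer, now=30.0))
    print("replayed:     ", port.try_recover(answer, now=31.0))
```
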

  6. Re:Cisco's Life Lesson - Maybe not. by arivanov · · Score: 4, Interesting
    I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now.

    I do not.

    IMO, you definitely do not understand how Cisco marketing functions. It took me 5+ years of dealing with it to start understanding it. Basically, every single IOS release they shipped is bug ridden beyond any reasonable limits. Any other company shipping such crap would have failed long ago. They did not. The reason is that they have created cottage industries of "certified specialists" all over the world which will make sure that their customers and employers will never buy anything but Cisco and never hire an unfettered one. Just have a look how many banks run "Cisco Only Networks". The reason for this is simple. They are employed because there is always something wrong and there is always something to fix. Cisco knows this and it will never ever kill what makes 90% of its enterprise sales.

    This is also the reason why even Cisco supplied GUI or centralised management solutions never manage some features. This is also the reason why there is no way in hell for you to get anywhere trying to manage Cisco gear using industry standard protocols. Ever tried to do some alteration of IP parameters on Cisco via SNMP? I am not even talking about rocket science like the diff-serv MIB or the BGP MIB. Ever tried to hook it to a proper element manager without few Ms of glue code that does direct CLI? Dream on...

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  7. Re:Well, that depends. by blogan · · Score: 4, Interesting

    I'm not sure backdoors are as blatantly obvious. What about something like this?

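    /* Compare the hash of the supplied password with the stored one. */
    hash = getHash(password);

    if (hash) {
        return (*hash == *storedhash);
    } else {
        /* Appears only to log the failure before denying access. */
        logAuthError("Hash could not be found");
        return FALSE;
    }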

    Looks correct, but if I modify getHash to return NULL when the password is a certain string, and logAuthError is actually buried in a separate header, it doesn't actually log an error, it returns TRUE.
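
One way a reviewer could catch the trick described in comment 7 is to flag any preprocessor macro whose body alters control flow, since such a macro makes the call site read differently from what it executes. This is an added example, not code from the thread; the sample header is constructed and the function names are hypothetical.

```python
import re

# Constructed sample header in the style comment 7 describes (not real project code).
SAMPLE_HEADER = r'''
#define MAX_TRIES 3
#define logAuthError(msg) return TRUE
#define LOG_DEBUG(fmt, ...) \
    fprintf(stderr, fmt, __VA_ARGS__)
#define CHECK(p) do { if (!(p)) \
    goto fail; } while (0)
'''

CONTROL_FLOW = re.compile(r'\b(return|goto|break|continue)\b')
DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)(\([^)]*\))?\s*(.*)$')


def logical_lines(text):
    """Join backslash-continued lines, keeping the line number where each starts."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start, buf = i + 1, lines[i]
        while buf.endswith('\\') and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + ' ' + lines[i]
        i += 1
        yield start, buf


def macros_hiding_control_flow(text):
    """Return (line, macro name, keyword) for each #define whose body changes control flow."""
    findings = []
    for lineno, line in logical_lines(text):
        m = DEFINE.match(line)
        if not m:
            continue
        hit = CONTROL_FLOW.search(m.group(3))
        if hit:
            findings.append((lineno, m.group(1), hit.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, name, keyword in macros_hiding_control_flow(SAMPLE_HEADER):
        print(f"line {lineno}: macro {name} contains '{keyword}'")
```

Running the same check over the preprocessed output of an authentication module (for example, what `cc -E` emits) shows the expanded call site directly, which is where a disguised `return TRUE` becomes visible.
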