Slashdot Mirror
Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.
Kinetic stupidity has a new brand leader: Allen Zadr.
I simply can not believe this has happened. This is more boneheaded than what Microsoft has done for the past few years.
I am defenseless. Use your button. Mod me down with all of your hatred.
admin/password.
I had but a simple dream, to destroy all humans.
Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
But what can anyone do? Are there any open-source makers of networking hardware?
Great. So... that makes it Ok then?
"Mr. Potato Head! Back doors are not secrets!"
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarassment in the end - the only way it would work is if everyone who knew it (presumably cisco employees) never ever divulged it. That's likely!
Simon
Physicists get Hadrons!
Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China. Thanks, Cisco. Another one bites the credibility dust.
The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.
However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.
Tubal-Cain smokes the white owl.
" Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?"
Yes. Lord, next you'll be asking about patents.
The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post about what I think about the completeness of said fix.
Kinetic stupidity has a new brand leader: Allen Zadr.
People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
3COMengineers/Areweenies
What do you bet the id set is joshua/pencil?
Kinetic stupidity has a new brand leader: Allen Zadr.
Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
look for openbsd's corporate usage page.
You can't judge a book by the way it wears its hair.
Greetings, Professor Falken.
Shall we play a game?
You probably shouldn't click this.
Hmm yes, like when SGI shipped their machines with much the same problem. Has nearly a decade of fighting computer intrusion taught them nothing. Thats pretty shoddy Cisco.
I don't read your sig, why do you read mine?
The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
For every karma whore there are four more people with mod points to kill.
Let's see..
"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."
This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?
Why can software/hardware companies get way with "We tried our best, honest!" ?
Auditing the code only guarantees security if you trust that your compiler isn't compromised.
Auditing the compiler's code doesn't guaranteee anything either. It too had to be compiled, and the compiler's compiler may have been compromised.
I wouldn't think they would need it. There's a tiny little recessed button on the back on my linksys unit. Hold it in for 10 seconds and presto! the unit is back to the factory configuration. Passwords and all.
No excuse for a master password. Mind you, I'm not saying there isn't one, just that there is no need for one.
Do they plan on releasing a firmware update?
RTFA.
If so, how do we know they aren't going to put another backdoor into that and simply change the information?
You don't.
Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
If you own the affected products and require open source firmware patches then you should have thought of that before you bought the product. If you require open source hardware then buy open source hardware.
Speak truth to power.
A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.
The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
AccountKiller
I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.
It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.
Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.
On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.
So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
----- Lotus Super 7 - A real car.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:
Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.
Second use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password") the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.
Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.
-Adam
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Kinetic stupidity has a new brand leader: Allen Zadr.
I was called by a apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telneted in to the switches, and screwed a bunch of stuff up.
Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I belive it was generated by a program they had. We had to verify proof of purchase and everything with the company, but who couldn't forge a Invoice from CDW or Insight?
Cisco actually has a better track record than some other closed source vendors I could mention.
That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.
The question we should be asking is what else have they done that their customers would object to if they knew about it?
Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.
>Just like we can't trust closed-source e-voting software [when] it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
Taliban leader speaking:
OK troops, here's what we'll do; we will sub-contract from the Pakistanis that are sub-contracting from the Indians that are sub-contracting from the Americans that are outsourcing their I.T. operations, and when WE are the ones coding everything for the Americans, we slip in trojans, viruses and everything else we can think of to screw with their heads!
Once they are all helpless because they've outsourced all the jobs that require an education, we show up and sell them all Edsel automobiles and when they've all killed themselves on the road, we simply take over the country.
Simple.
I don't know the meaning of the word 'don't' - J
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a respose string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
Cisco actually has a better track record than some other closed source vendors I could mention.
I don't mean to be a grammar troll, but clearly you used the wrong tense:
"Cisco actually had a better track record...."
Opinions on the Twiddler2 hand-held keyboard?
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Simple question, with an even simpler answer: No.
If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.
Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting date from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.
But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."
If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.
Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.
But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
...of the phrase that President Regan used to tell Gorbie all the time "Trust, but verify."
Cisco has been a major player for a long time, so we have a de-facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either there are still more eyes. Quis custodiet ipsos custodes. The only problem is if the flaw doesn't exist in only flashable firmware (i.e.: in hardware someplace that can't be modified at all)--then that would be an issue. I think we can trust the Cisco hardware, it's the flashed system that needs to be checked.
So, Cisco, how about opening that up? Come on, be a pal....
This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
----------
Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
I only made it to (Score:3, Funny) before I decided it was likely bogus...
Backdoors are very common in embedded devices
so you can bootstrap the system. They should
have covered this better, but it is probably
not an evil conspiracy. It's probably just
developers and testers trying to do their
job without a lot of security shit that
makes everything take longer and be more
difficult.
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
A Cisco exec should do hard time for this.
Well that and their use of "Cisco" math when it comes to what their switches will push for throughput.
For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.
Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...
Don't get me wrong, Cisco stuff works, it's just really expensive and their are cheaper more capable equipment on the market...
Yes Francis, the world has gone crazy.
From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This should be shortened to: "Can we trust closed-source vendors?"
History has shown that we cannot.
Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft. I counted more than 200 in 2002, and things have gotten worse since then.
(This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)
Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.
Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.
Most managers seem to have received their training by mimicing the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!
I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
Really?
... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.
d isclosure/ 2003-October/012809.html
They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that
They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.
They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-
There are many others.
So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Well, yeah. Considering Cisco's market penetration and popularity it is amazing they have had so few security problems. They have a track record that even Apache should envy. One mistake and some of that slashdot mind-droids are spouting "well, that is because they are not open source".
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
I think the point is:
In an age of acces through networks, is it possible to trust any private organization enough to not oversee them with what they are doing ?
Or is it almost obligatory to know exactly what a particular device/computer etc. does, or at least have the possibility of own, or third party assessment.
Cisco is bad because it doesn't sell open source solutions?
No, Cisco is bad because they stuck a backdoor into their product that potentially fucked over a bunch of their customers.
I bet half your jobs depend on cisco.
And what kind of half-assed argument is that? Just because people use their products doesn't mean that their jobs depend on Cisco. Cisco can be ripped out and replaced just like most vendors. Get some Foundry or Nortel equipment.
Oh yeah, and fuck you too.
Where's my lobbyist? Right here.
Whoever modded this offtopic has the sense of humour of a brick.
See, what he is explaining is that due to Ciscos inherent stupidity at adding an override all password, their track record, that was once the shit, is now just shit. Get it???
Unless you downloaded and compiled the binaries from the postgresql.org server(s), then you cannot say, for sure, Cisco has not added backdoors to the code.
> Don't get me wrong, Cisco stuff works, it's just
> really expensive and their are cheaper more
> capable equipment on the market...
True.
Just remember that none of the "more capable" equipment is made by 3com.
Norman Cook's Ode to Sl
... oh, like the OpenSSL ident strings. 12.0 used OpenSSH, but they have since stopped using OpenSSH code in IOS -- they either rolled their own or snarfed someone else's. They've removed almost all of the ident strings except for those put there by the compiler: GCC: (GNU) 2.95.3 20010315 (cisco p10 release), etc.
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.
However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.
Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
If you read further, you would note that Cisco has already released patches for the problem.
If you had ANY experience with cisco security vulnerabilty disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.
Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.
And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"
That's it. I'm no longer part of Team Sanity.
Cisco's password recovery procedure can be disabled from Rommon, making the "configuration bypass" procedure non-functional.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
I'm not sure backdoors are as blantantly obvious. What about something like this?
hash = getHash(password)
if (hash) {
return (*hash == *storedhash);
} else {
logAuthError("Hash could not be found");
return FALSE;
}
Looks correct, but if I modify getHash to return NULL when the password is a certain string, and logAuthError is actually buried in a separate header, it doesn't actually log an error, it returns TRUE.
I'd be impressed if you were posting to Slashdot from a Cisco router...
May we never see th