Cisco Products Have Backdoors

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

Cisco's Life Lesson - Maybe not.

[Allen+Zadr]

There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.

I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.

On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...

However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.

Re:Cisco's Life Lesson - Maybe not.

Cisco has an evil backdoor that works (initially) at the ethernet level. You send several specially crafted frames to a MAC on the local segment or special packets to the outside interface and the unit will open up a back connection to Cisco. The PIX and ACLs in their router products will not log these or otherwise alert you to their existence. Once the connection is made, Cisco can mirror selected bits of your LAN traffic. Being that most of the internet's traffic flows over Cisco products...

Some history:
In 1928 an American inventor (Henry P. Acket) was working on a method to send extremely low voltage electrical impulses over wires as a covert means of communications. He succeeded in that he was able to use the telephone companies' wires to speak to friends without paying a telephone tax. Early on, his friend Charles Isco was able to put a backdoor in the vacuum tubes with nothing more than a few drops of solder, some tin and flux. Charles showed Acket this and provided some wax cylinders of Acket's supposedly private conversation.

The FBI heard of this and took all their patent-pending information. Acket and Isco were paid the then huge sums of $1M and $500K respectively to shut up.

Fast forward to the 60's.
Early in 1963, J. Edgar Hoover was perusing the FBI archives when he spotted these plans from 35 years prior. He didn't believe it but one of his technical people played Hoover a tape recording made with a successor of the equipment. The tape was of Hoover making dinner reservations at Le Grande Fiste, a homosexual dinner club. Hoover went through the roof. He destroyed all the paperwork and equipment. After months of extreme drug therapy which rendered the technician nearly incoherent, Hoover had him framed for a crime we are all familiar with. The technician's name? Lee Harvey Oswald.

Ahh.. the technology survived
In the 1980s some people from Stanford University were going through recordings of Oswalds. Playing them backwards they could hear the terms "Black Helicopters", "Area 51" and "Backdoor Device". The truly learned already know about black helicopters and Area 51.. but what was this "Backdoor Device" Oswalds was rambling about? Those investigators, Len Bosack and Sandy Lerner, went on to form Cisco.

If you look inside any Cisco product you'll find a small vacuum tube with hacked in piece of tin, some solder and flux.

I present this information at grave risk to myself.

Re:Cisco's Life Lesson - Maybe not.

[Zathrus]

I see a great many people buying hardware from Cisco's competitors in the near-future.

What makes you think that they don't have a backdoor username/pw as well? It may not be hard coded (they could both be strings that are determined by a hash function, based on the date/time or some other changing value), but I'd bet you they're there, at least on any high end equipment. Why? So that the damn thing is supportable remotely... even after some idiot admin screws up everything else. And, no, resetting the firmware on these things to restore the default admin password isn't acceptable -- simply because in doing so you'd lose all the other settings (bad for two reasons -- 1) they usually take hours or days to setup correctly, 2) if you're accessing the box for support, you probably want to see what the hell happened in case it was a bug).

Re:Cisco's Life Lesson - Maybe not.

[DJStealth]

If it is necessary to have a backdoor, it should only be enabled temporarily via a switch/hardware button (in the case that the admin password was forgotten).

I.e. in order to get in through the backdoor, you need to hold down a button for 10 seconds, and the login will be enabled for the next 2 minutes (which should be enough time to change the admin pw if it is forgotten). This would require that the site be physically secure; however would prevent those from remotely accessing the backdoor (unless someone is actually there to hit this 'switch).

Re:Cisco's Life Lesson - Maybe not.

[i_am_pi]

Well, resetting the firmware on Cisco's devices does NOT reset the rest of the settings.

The process goes like this:
Boot device with console cable
Hit ctrl-c during boot
use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
Use the proper command to boot the device.

You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.

Enable yourself. copy start run (bring everything back up).
config t (begin configuration)
username blah password blabla priv 15 (if you have multiple usernames + priv levels)
enable secret blabla (big-daddy enable password)
line vty 0 4 (telnet access)
login
password bla
exit
config-reg 0x2102 (stop ignoring the configuration)
exit
copy run start (save that daddy)

Re:Cisco's Life Lesson - Maybe not.

[strictnein]

Holy f@ck I'm an idiot.

I got to this point:

The technician's name? Lee Harvey Oswald.

Before realizing something was wrong with this post.

Re:Cisco's Life Lesson - Maybe not.

[arivanov]

I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now.

I do not.

IMO, you definitely do not understand how Cisco marketing functions. It took me 5+ years of dealing with it to start understanding it. Basically, every single IOS release they shipped is bug ridden beyond any reasonable limits. Any other company shipping such crap would have failed long ago. They did not. The reason is that they have created cottage industries of "certified specialists" all over the world which will make sure that their customers and employers will never buy anything but Cisco and never hire an unfettered one. Just have a look how many banks run "Cisco Only Networks". The reason for this is simple. They are employed because there is always something wrong and there is always something to fix. Cisco knows this and it will never ever kill what makes 90% of its enterprise sales.

This is also the reason why even Cisco supplied GUI or centralised management solutions never manage some features. This is also the reason why there is no way in hell for you to get anywhere trying to manage Cisco gear using industry standard protocols. Ever tried to do some alteration of IP parameteres on Cisco via SNMP? I am not even talking about rocket science like the diff-serv MIB or the BGP MIB. Ever tried to hook it a proper element manager without few Ms of glue code that does direct CLI? Dream on...

And the username/password pair is...

[momerath2003]

admin/password.

Re:And the username/password pair is...

[orrigami]

That is my root password.

Re:And the username/password pair is...

[MacOS_Rules]

I found it! The little bugger is at 127.0.0.1, and confirmed, the l/p work! OMG, tons of pr0n! ;)

Re:And the username/password pair is...

[orthogonal]

My favorite password is ******

I quote from bash.org:

#244321 +(2664)- [X]

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Re:And the username/password pair is...

>I found it! The little bugger is at 127.0.0.1, and confirmed, the l/p work! OMG, tons of pr0n! ;)

No pr0n when I connect there, but I'll be damned, THAT BUGGER HAS A COPY OF ALL MY FILES!

Re:And the username/password pair is...

[RussDavisDotCom]

Correction: That WAS your root password.

Trust No One

[aaron240]

Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.

Can we really trust closed-source vendors?

[macshune]

No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.

But what can anyone do? Are there any open-source makers of networking hardware?

Your giving away all our secrets!

[General+Newcomb]

"Mr. Potato Head! Back doors are not secrets!"

There is no workaround.

[Space+cowboy]

(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)

I can see why it's useful to have a master password, but really, it was bound to cause major embarassment in the end - the only way it would work is if everyone who knew it (presumably cisco employees) never ever divulged it. That's likely!

Simon

No workarounds?

[Aardpig]

The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.

However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.

Re:No workarounds?

[dbarclay10]

However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.

It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

Your answer

[ls-lta]

" Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?"

Yes. Lord, next you'll be asking about patents.

It needs to be there

[thpdg]

People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.

Re:It needs to be there

[ls-lta]

No, not really. The user id could be set by serial number (randomly) and you could keep track of who has what serial number, who is authorized to get the password, the password could also roll (think subscription revenue!).

Re:It needs to be there

[adamofgreyskull]

It depends on the value of the information within. If it's important enough to worry about whether a master password exists...then I'd suggest that it's important enough that people will remember their password and not need it.

If I buy a 50 quid wall safe and lose my key, I could probably go into any locksmiths and get a replacement key for that model safe. If I spend 1,000,000 on a bank vault I'd like to think that no generic or master key existed...

Backing away from the analogy quietly for a moment..I think it would be pretty simple(for Cisco) to enable the backdoor login only via a console connected to the serial port and not remotely..

USER/PASS

[Allen+Zadr]

Don't some of us have some serious hacking to do? I guess I know what you are planning on doing this weekend.

What do you bet the id set is joshua/pencil?

Re:No Refund - firmware fix

[thpdg]

Can't Cisco just download it to the devices themselves? They do have the password to every box, after all.

You can't trust ANYONE.

[CrystalFalcon]

Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?

You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.

How do you know that the open source you are looking at actually is the one running in your device? You don't.

How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.

How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.

How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.

What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.

The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.

Re:You can't trust ANYONE.

[bgog]

How do you know that the open source you are looking at actually is the one running in your device?

You compile it yourself.

How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler?

True, but highly unlikley.

How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device?

Because I transfered it. Perhaps via serial cable or over a cable not on a public network.

What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line.

I draw the line at blatent backdoors. The difficulty of breaking into my router by giving me a bad compiler is FAR FAR FAR more difficult than a backdoor admin account. Once that gets out anyone can log in and do what they like.

yep

[SHEENmaster]

look for openbsd's corporate usage page.

and when you log in, you get...

[funny-jack]

Greetings, Professor Falken.
Shall we play a game?

Register, or else

[skidde]

The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .

I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.

Does Cisco know wha'ts going on?

[myst564]

Let's see..

"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."

This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?

Why can software/hardware companies get way with "We tried our best, honest!" ?

Re:Firmware?

[spoonyfork]

Do they plan on releasing a firmware update?

RTFA.

If so, how do we know they aren't going to put another backdoor into that and simply change the information?

You don't.

Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?

If you own the affected products and require open source firmware patches then you should have thought of that before you bought the product. If you require open source hardware then buy open source hardware.

Re:I...

[YrWrstNtmr]

If there aren't detailed code reviews...

Like the parent said...boneheaded.

You have to understand bug-fix parlance...

[Vellmont]

A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.

The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.

Cisco is not alone. It's industry wide practice.

[lotussuper7]

I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.

It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.

Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.

On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.

So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.

So, yes, it is a security hole, but it is also something that customers are happy about when they need it.

Eventually every back door has to be used...

[stienman]

Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:

Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.

Second use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password") the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.

Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.

-Adam

Yes, but - WIRELESS

[Allen+Zadr]

The problem here is that these routers are WIRELESS. All you need is proximity to use the secret ID. Block my MAC, I tell my MAC to use another address. Block all wireless, then what's the point of having a wireless product.

The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.

Re:Well, that depends.

[InadequateCamel]

Cisco actually has a better track record than some other closed source vendors I could mention.


That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.

The question we should be asking is what else have they done that their customers would object to if they knew about it?

Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.

Taliban Master-Plan to Destroy America

[Progman3K]

>Just like we can't trust closed-source e-voting software [when] it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.

Taliban leader speaking:

OK troops, here's what we'll do; we will sub-contract from the Pakistanis that are sub-contracting from the Indians that are sub-contracting from the Americans that are outsourcing their I.T. operations, and when WE are the ones coding everything for the Americans, we slip in trojans, viruses and everything else we can think of to screw with their heads!

Once they are all helpless because they've outsourced all the jobs that require an education, we show up and sell them all Edsel automobiles and when they've all killed themselves on the road, we simply take over the country.

Simple.

No it doesn't

[Burdell]

There is no reason to have a master password that gives someone with that knowlege instant full access to every such device in the field. There are many ways to work around it (without resorting to just resetting the device and clearing all settings).

Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).

Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a respose string and use it to log in, and then you change the password.

The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).

Surprising, but not that surprising

[allyourbasebelongtou]

This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.

I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.

That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.

This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.

Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?

The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)

/.-ers just don't get it....

[egriebel]

I'm going to go out on a limb and predict tons of posts of "dump cisco now!!" here. It'll never happen, Cisco will shrug this off. There's no way that the corporate infrastructure is going to be torn up, Cisco has too much penetration and momentum. Acutally, I bet it won't even hit mainstream media and be barely a footnote in NetworkWorld and related trade rags.

There will be no wholesale move off of Cisco products. Why?

1. Who else are you going to use?
2. Who is going to pay for the new hardware?
3. When are you going to do the upgrading?

Let's roleplay the conversation between the CIO and CEO/COO:

CTO: Hey boss, I need $x million to replace all our Cisco equipment NOW!
CEO: Hmm, that's a lot of work and money, are they broken?
CTO: Well, no, but there's an extremely serious vulnerability!
CEO: <blinks>
CTO: Every Cisco box has the same administrative password!
CEO: <starts to watch the window washers and birds outside>
CTO: Anyone can log in to our systems with this password
CEO: Hmm, I see....Is that bad?
CTO: Yes, which is why they need to be replaced.
CEO: Well, it certainly sounds serious. Why don't you prepare a proposal, get buyin with the Regional VPs and Directors, run it by Frank in operations, and then talk to my assistant Tiffany and get some time on my schedule.
CTO: Sir, I think it should be expedited.
CEO: Yes, hmm. So have you heard how Tiger is doing at the Masters today?

The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.

Re:Well, that depends.

[arivanov]

Really?

They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that ... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.

They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.

They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-d isclosure/ 2003-October/012809.html

There are many others.

So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...

Re:Well, that depends.

[PurpleFloyd]

While Cisco does have a decent security track record (exempting this colossally boneheaded manuver), your tirade against "slashdot mind-droids" is simply false. Backdoor passwords tend to be one of the most obvious things to detect, excepting serious trickery like putting the password into the compiler. Code that looks like

if (inputpasshash==storedhash)
{
return TRUE;
}
else if (inputpasshash==BACKDOOR)
{
return TRUE;
}
else
{
return FALSE;
}

tends to stand out pretty well during a code audit, and is visible even to a beginning C student. Backdoors are harder to sneak into open source software, simply because people will watch your every move and might not agree with all your changes.

Re:Well, that depends.

[blogan]

I'm not sure backdoors are as blantantly obvious. What about something like this?

hash = getHash(password)

if (hash) {
return (*hash == *storedhash);
} else {
logAuthError("Hash could not be found");
return FALSE;
}

Looks correct, but if I modify getHash to return NULL when the password is a certain string, and logAuthError is actually buried in a separate header, it doesn't actually log an error, it returns TRUE.