Slashdot Mirror
Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.
Kinetic stupidity has a new brand leader: Allen Zadr.
admin/password.
I had but a simple dream, to destroy all humans.
Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
But what can anyone do? Are there any open-source makers of networking hardware?
"Mr. Potato Head! Back doors are not secrets!"
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarassment in the end - the only way it would work is if everyone who knew it (presumably cisco employees) never ever divulged it. That's likely!
Simon
Physicists get Hadrons!
People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
Can't Cisco just download it to the devices themselves? They do have the password to every box, after all.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
For every karma whore there are four more people with mod points to kill.
It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).
Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).
So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.
It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.
Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.
On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.
So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
----- Lotus Super 7 - A real car.
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Kinetic stupidity has a new brand leader: Allen Zadr.
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a respose string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
----------
Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
Really?
... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.
d isclosure/ 2003-October/012809.html
They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that
They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.
They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-
There are many others.
So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/