Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Fixes Three-Year-Old Telnet Flaw In Security Appliances

Posted by timothy on from the but-telnet's-otherwise-fine? dept.

Trailrunner7 writes "There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco's security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products." At long last, though, as the article points out, "Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers."

15 of 60 comments (clear)

  1. Security + Telnet by MightyYar · · Score: 5, Insightful

    Security + Telnet = My Brain Hurts

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Security + Telnet by 3.5+stripes · · Score: 4, Insightful

      Yeah, any sort of security guidelines should have at the top, in the largest boldest letters possible, DO NOT USE TELNET.

      --


      He tried to kill me with a forklift!
    2. Re:Security + Telnet by silas_moeckel · · Score: 3, Interesting

      I use telnet plenty great for connecting to a tcp port and debugging. It's a horrid thing to run as a service and allow people to login etc.

      --
      No sir I dont like it.
    3. Re:Security + Telnet by basketcase · · Score: 2

      Use netcat (aka nc) for that. It works just as well and you can just ^C to get out of it.

    4. Re:Security + Telnet by CaptnZilog · · Score: 4, Informative

      I use telnet plenty great for connecting to a tcp port and debugging. It's a horrid thing to run as a service and allow people to login etc.

      Yeah, the client comes in handy at times to connect to port 80 and 'handcraft' a http request to see a response, etc... but running a telnet server/service on the machine? Especially on a "security" device?!?!? C'mon... that's just ludicrous in all kinds of ways.

  2. Thank Goodness! by linuxrunner · · Score: 5, Funny

    I've been waiting for this fix so I can finally drop SSH

    --
    www.slightlycrewed.com - Because aren't we all?
  3. Telnet by ledow · · Score: 2

    Is it just me that wasn't even aware that telnet had an encrypted mode (let alone a horribly-broken one)?

    Not been an issue as I always switch it off unless the device is entirely in-house (and, there, someone sniffing the packets is much more of a problem than the fact they might end up with a device password by doing so).

    Honestly, we just need to kill this "protocol".

  4. The funny about Cisco... by __aaclcg7560 · · Score: 3, Interesting

    When I worked at Cisco for nine months as a contractor last year, everyone used telnet to access network devices under development. My boss explained to me that 1) these were default passwords that everyone on the team knew, and 2) the development VLAN is secured from outsiders. That makes sense on one level, but using telnet is a bad habit one shouldn't get into.

    1. Re:The funny about Cisco... by bobbied · · Score: 2

      TELNET is just the default way to access the equipment. It comes out of the box that way (OK, not really but it's the default way to set up). Think of it as a legacy thing.

      There is nothing wrong with using TELNET on a private network but today we understand that security is better served using SSH for this functionality. However, in some environments, legacy dies hard because TELNET is not really that much of a security risk if you have good control over who accesses your network.

      Sharing passwords and logins may seem to be a problem too, but again, there can be times when the costs of managing all the necessary accounts out weighs the risks. If you have positive controls on who accesses your network, that may be enough, for you.

      Of course, the level of acceptable risk can vary between applications and companies. For your network, what Cisco does in their lab may be totally inadequate on many levels, or it may be overkill having to remember the "cisco" user password. It all depends on what risk is acceptable and what isn't to you.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. Re:Three years???? by __aaclcg7560 · · Score: 2

    From what I can tell in recent times, Cisco lays off 10% of their workforce in America and hires 10% of their workforce from India. The development teams are squeezed in the middle as experienced people are let go and new people are still learning the ropes. It's a rotten business model but apporved by Wall Street.

  6. Re:Workaround list by Anonymous Coward · · Score: 3, Insightful

    You've obviously never seen somebody go over budget.

  7. A vulnerability IN Telnet ? by alexhs · · Score: 2

    There are vulnerabilities IN Telnet ?
    And I thought Telnet WAS a vulnerability...
    It's vulnerabilities all the way down, I guess.

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  8. I'd worry anyway. by khasim · · Score: 3, Insightful

    That makes sense on one level, but using telnet is a bad habit one shouldn't get into.

    I agree. A better habit is setting up and using SSH.

    Not only that but "defense in depth". Do NOT rely upon your perimeter defenses to stop all attacks. It only takes one person with a compromised laptop and you're cracked.

    1) these were default passwords that everyone on the team knew

    SSH can be set up the same.

    2) the development VLAN is secured from outsiders

    Until it is compromised.

    Remember, in defense you have to be right on everything all the time. An attacker can just stumble into something you missed. Like someone's laptop that was brought in when it should not have been.

  9. Re:Telnet has its place by DarkOx · · Score: 3, Informative

    Because its not what your customers are really going to use! Better to exercise a real world configuration in the lab. Add 'null' cipher to ssh if you need this and make the command to enable it something obviously out of place for normal operations like:

    DangerDoNotUse_EnableSSH_NULL_CIPHER
    DangerDoNotUse_EnableSSH_NULL_MAC

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  10. Telnet client = great, telnet server = bad idea by Viol8 · · Score: 2

    Don't get the server confused with the client. Telnet servers should have been put out to pasture years ago except perhaps on small isolated networks. The telnet CLIENT however is an extremely useful debugging tool for connecting to all sorts of text based servers (FTP, usenet, HTTP etc) and I get really pissed off with some distributions that assume because the server is no longer used neither is the client and so remove it.

    Also FWIW , telnet is still the default way to access MUDs and some BBSs.