Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Security Appliances Found To Have Default SSH Keys

Posted by Soulskill on from the invitation-to-misbehave dept.

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.

62 of 112 comments (clear)

  1. Oh come ON by 93+Escort+Wagon · · Score: 1

    Was THIS the way you finally managed to get off ssh1, Cisco?

    --
    #DeleteChrome
  2. Beware 'appliances' by Junta · · Score: 1

    This is the example of precisely how disciplined the 'appliances' you get from vendors are constructed.

    This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

    Think about that next time you save a few seconds of your time buying an appliance or even pulling down something from dockerhub instead of just installing the platform.

    Of course the software industry has gone to town with appliances, meaning they spend no time properly packaging things anymore because an 'appliance' will take care of all of it.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Beware 'appliances' by myowntrueself · · Score: 5, Interesting

      If cisco didn't use interns and cheap H1B labor, maybe this wouldn't happen. Seriously, they need some experience, security minded people to manage and review these products before they ship.

      If you think this is bad, try looking at the cisco ACE load balancers. They can't even do modern crypto and they refuse to update them.

      Are you kidding? This was done for support reasons; to support the NSA.

      --
      In the free world the media isn't government run; the government is media run.
    2. Re:Beware 'appliances' by ShaunC · · Score: 2

      This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

      "Goof?" I'm not convinced. It's just as likely that this was engineered into the products intentionally.

      News broke last year that NSA was intercepting Cisco equipment enroute to customers and making a few tweaks. Cisco made a big production a few months ago about how they were suddenly willing to ship to random addresses to avoid NSA interdiction. Perhaps that's because whatever NSA needs is already built in, and always has been, and the whole story about NSA physically yanking packages from carriers was misdirection. Put that story out there and people who are able to control the delivery chain will have a strong, but very false, sense of security.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    3. Re:Beware 'appliances' by Lunix+Nutcase · · Score: 1

      Why invent some NSA conspiracy when Cisco clearly said it was intentional for support purposes?

      The default key apparently was inserted into the software for support reasons.

    4. Re: Beware 'appliances' by Anonymous Coward · · Score: 1

      Excatly. Key is right where NSA told Cisco to put it.

      It's a *feature,* not a bug.

    5. Re:Beware 'appliances' by idontgno · · Score: 2

      for support reasons

      You're not asking the correct question.

      "To support whom?"

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    6. Re:Beware 'appliances' by gtall · · Score: 1

      Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.

    7. Re:Beware 'appliances' by myowntrueself · · Score: 2

      Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.

      I don't get the impression that the NSA really think things like this through to that extent.

      --
      In the free world the media isn't government run; the government is media run.
    8. Re:Beware 'appliances' by Anonymous Coward · · Score: 1

      No way in Hades would Cisco "accidentally" insert a secret backdoor into so much enterprise hardware unless forced to do so. Putting aside layers upon layers of code review for something that big to happen Cisco management well know you don't do that to enterprise customers. I'm surprised post-Snowden so many people are still in denial the NSA is indeed trying to put backdoors in everything. It's not tinfoilhat.

    9. Re: Beware 'appliances' by chromeronin799 · · Score: 1

      You do realise the NSA is a government organization. This means stupid ideas are almost guaranteed.

  3. NSA? by Laguerre · · Score: 4, Insightful

    There might be reasons other than "support" for universal access SSH keys.

    1. Re:NSA? by SoftwareArtist · · Score: 1

      Yes, that's exactly what they said. It was added to support the NSA. Oh, did you think "support reasons" meant support for their customers? How quaint! ;)

      --
      "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
  4. How by koan · · Score: 2

    is this a bug?

    default, authorized SSH keys

    --
    "If any question why we died, Tell them because our fathers lied."
  5. Barracuda Backup, too! by ffsnjb · · Score: 1

    https://techlib.barracuda.com/...

    You can't change the keys, so if you want to use SSHFS to backup systems that aren't agent supported, you've potentially given root access to anyone who's extracted the private key from the appliance (and leaked it to the internet). I wouldn't be surprised if the agents used the same craptastic cryptographic fail.

    --
    "Why do you consent to live in ignorance and fear?" - Bad Religion
    1. Re:Barracuda Backup, too! by OverlordQ · · Score: 1

      To be fair, they allow you to use non-root users. And if you dont have a firewall rule to only allow SSH from the backup master, then you're an idiot.

      --
      Your hair look like poop, Bob! - Wanker.
  6. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 4, Informative

    Cisco is very much a "configure it yourself" type of deal. In fact their whole certification track above the CCENT level revolves heavily around knowing the IOS command syntax.

    You can substitute their routers for Linux, but NOT their layer 3 switches, unless you really don't give a shit about performance in an enterprise environment.

  7. Re:Using Linux would prevent these Cisco mishaps! by Rigel47 · · Score: 1

    Are there even linux-based switches? I know the router front is doing good with Vyatta, etc, but never heard of linux switches. Doesn't make sense given how (relatively) cheap switches are.

  8. Re:Using Linux would prevent these Cisco mishaps! by Phishcast · · Score: 2

    Here's one, Cumulus Networks. A lot of Cisco switching gear is Linux underneath with a more familiar Cisco CLI.

  9. Re:Using Linux would prevent these Cisco mishaps! by swv3752 · · Score: 2

    http://cumulusnetworks.com/blo...
    http://www.datacenterknowledge...
    http://opennetlinux.org/
    http://www.opencompute.org/
    http://www.wired.com/2013/03/b...

    Get with the times, the Big Iron Networking gear (like usead at Google and Facebook) are switches running Linux.

    --
    Just a Tuna in the Sea of Life
  10. Odd how little criticism they get by jones_supa · · Score: 1

    It's odd how companies like Microsoft get criticized a lot about their malice and monopoly position, but Cisco gets a free pass even when they are the dominant player in enterprise networking gear. Why is this? I'm sure that even this message goes through mountains of Cisco hardware when I send it.

    1. Re:Odd how little criticism they get by Atticka · · Score: 1

      Its because of the "no one has ever lost a job buying Cisco" attitude that is so prevalent in the industry, many engineers drank the cool aid long ago and don't want to admit that Cisco is not completely infallible.

      Almost every network engineer I know has some sort of Cisco certification, people have to continue to justify the heft price for the hardware and the expensive certifications.

      --
      No sig here...
    2. Re:Odd how little criticism they get by aaarrrgggh · · Score: 1

      Quite honestly, I think a lot of people understand they are complete, overpriced shit. Unfortunately, the competitors appear to be mainly moderately or reasonably priced shit from a security perspective. The question comes down to accountability for the person purchasing/configuring it: can you at least say it was a best-of-breed device and was properly configured for an appropriate level of security, or will you need to say that the purchasing decision was made to save $400 and buy something else...

      It seems the only solid approach now is security in depth... which gets expensive quickly. I can just imagine my small business trying to manage our network like a fortune-500 company (should). There are limits as to what you can do, and you hit them quickly when the vendors you select are inept.

  11. Re:Using Linux would prevent these Cisco mishaps! by silas_moeckel · · Score: 1

    A Cisco Nexus is pretty Linux.

    --
    No sir I dont like it.
  12. Similar to having default passwords by davidwr · · Score: 1

    How many home routers have default passwords that aren't forcibly changed when the router is first set up?

    It's the same principle, with the only difference being it is something that has to be discovered by someone, once, rather than guessed like so many easy-to-guess default passwords ("admin", "password", etc.).

    The other difference is that one should expect better from a device that is specifically marketed as a security device. But that's a social issue not a technical one.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Re:Using Linux would prevent these Cisco mishaps! by irving47 · · Score: 1

    Yeah, pretty much all of Ubiquiti's gear is. Edgeswitch, in particular, in this case.

    --
    I had a sucky sig.
  14. You must have the source code! by anwyn · · Score: 5, Interesting
    This so-called bug is only possible because users do not have access to the source code. From the user's perspective it does not matter if this was done because of pressure from NSA or convenience of maintenance techs!

    This class of bug is unknown in the free software world because your project will forked.

    All corporations are subject to enormous pressure from corporations, and therefore can not be trusted, even if the management wanted to play it straight.

    All populations, including the U.S'es are targets of information warfare by the NSA and GCHQ.

    There is no security without the source code.

    1. Re:You must have the source code! by PRMan · · Score: 5, Insightful

      This is exactly the "encryption backdoor" that the NSA and FBI keep saying they want. And this is exactly the outcome.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:You must have the source code! by behrooz0az · · Score: 1

      Build the OS from source code the way you build Linux-From-Scratch, then we can talk about this.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    3. Re:You must have the source code! by DaveHowe · · Score: 1

      I suspect in this particular case, it won't be needed. the devices in question are virtual appliances, and are some sort of *nix (probably bsd) under the hood. I haven't tried this yet, but it would make sense that booting from a rescue disk would let you go mess with the ssh keys and config directly.. now, all these boxes have a remote support functionality built in. I am suspecting (also) that this uses the key to get a true ssh shell (a bash prompt, again presumably) so they can do fixes at the os level. So, if we can find these new fixed keys, we may be able to hop onto the boxes, assign a new, better keypair, and have os level access ourselves for repairs :D

      --
      -=DaveHowe=-
  15. Re:Interesting eggcorn by bigfinger76 · · Score: 1, Troll

    Do you drag every conversation you hear down with this pedantic garbage every time you hear a figure of speech? You must be a blast at parties.

  16. Re:Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 1

    You mean like everyone who had to replace their Debian-generated SSL keys due to bad (practically nonexistent) PRNG seeding?

  17. Re:Using Linux would prevent these Cisco mishaps! by Anonymous Coward · · Score: 1

    Juniper's OS is based on freebsd.

  18. Re:Interesting eggcorn by cbiltcliffe · · Score: 1

    Just out of curiosity, what do you think the proper homonym phrase is for this?

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  19. Bug???? by gstoddart · · Score: 5, Insightful

    This bug is about as serious as they come for enterprises

    This isn't a bug.

    The default key apparently was inserted into the software for support reasons.

    This is crap security by design.

    And you can probably bet that the NSA and the Chinese have these keys, and can pretty much bypass any "security" offered by Cisco.

    Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

    --
    Lost at C:>. Found at C.
    1. Re:Bug???? by Anonymous Coward · · Score: 1

      "And you can probably bet that the NSA and the Chinese have these keys"

      We know at minimum the NSA has them.,.. because it was the NSA that told Cisco to put them there!

      This isn't like accidentally spilling a coffee. The firmware of hundreds of thousands of devices doesn't "accidentally" get secret backdoors. Cisco wouldn't jeopardize billions in future sales without being forced to do so by an NSA. What I'm curious to know is the real story behind why they are suddenly telling us now? (rather than the scripted BS the NSA tells them to say). If I had to guess what actually happened, the NSA discovered some other foreign government got a hold of that SSH key, so they created a cover story to get rid of the exploit they themselves put there. (something I would bet money they'd done several times before on all sorts of equipment and software)

  20. Re: Interesting eggcorn by clovis · · Score: 2

    It should be "free rein". It refers to the reins used to direct the travel of a horse similarly to the way "steering wheels" were used to direct the motion of automobiles before Google acquired a majority stake on the US Supreme court and self-driving cars became mandatory.
    Anyway, If you were to release your grip on the reins, then the horse may theorectically feel free to travel in any direction. In practice the horse generally returned to the barn after scraping the rider off on the nearest tree.

  21. Re:Interesting eggcorn by David_Hart · · Score: 1

    Just out of curiosity, what do you think the proper homonym phrase is for this?

    From grammarist.com it should be "free rein" as in a horse being able to do what they want because the reins are free. "reign" is a recent misspelling that is being used more often.

  22. Re: Interesting eggcorn by LunaticTippy · · Score: 2

    The correct figure of speech is "free rain." Nobody alive remembers when rain fell freely where I'm living, so this has corrupted over the years into horses and monarchs and whatnot.

    --
    Man, you really need that seminar!
  23. Re:Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

    A layer 3 switch is a fucking router. It's called a layer 3 switch because it's a fucking shitty router.
    Switches are layer 2.

  24. Not a bug by gweihir · · Score: 1

    I believe the problem here is that they thought they could get away including the "lawful interception" (i.e. "immoral and dangerous backdoor") key just by the ordinary mechanism instead of compiling it into the sshd binary.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  25. Re:Using Linux would prevent these Cisco mishaps! by Cramer · · Score: 2

    There are lots of switches running linux. Of course, linux isn't the thing doing the switching.

    The question to ask is can you get to the OS and/or ssh configuration to remove whatever the vendor may have installed? (i.e. remove whatever ssh backdoor keys they left there.) In most cases, the answer is "Hell. No."

  26. Re: Interesting eggcorn by aynoknman · · Score: 1

    The correct figure of speech is "free rain."

    Nope, the correct figure of speech is "Free Ryan.":
    From Wikipedia: "In September 2013, the first book about the Ryan Ferguson case was released: Free Ryan Ferguson: 101 Reasons Why Ryan Ferguson Should Be Released, by Brian D'Ambrosio."

    --
    We need a "+1 -- nice sig" moderation.
  27. Exactly by s.petry · · Score: 3, Insightful

    Do you know how many times I thought about adding a back channel to a piece of software I wrote because it's easier than training users? Do you care to guess at how many times I have actually done this?

    Lets ask that same question about smaller software companies. You won't find any that survive for long after people find out they have these kinds of security practices.

    It's hard to say why this happens so frequently and massively with large companies/corporations. I'm sure it's partly Government pressure, probably pressure from other companies/corporations, and partly an ignorant executive demanding this gets done. I'm sure the latter can claim the first two are the problem. The latter however, should result in termination of the execs responsible. That last part does not happen, which makes me wonder how big the first two really are.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  28. Time to yank NSA's leash by sshir · · Score: 4, Interesting

    Considering that NSA definitely had the source code and configuration (otherwise they would not use Cisco stuff themselves) they knew about this shit. And leaving such a huge hole in nation's security while it's NSA's main responsibility is unacceptable. And after that recent data breach fiasco, one has to wonder, why the fuck we keep paying their salaries?!

    1. Re:Time to yank NSA's leash by Protongeek · · Score: 1

      If the NSA has our ssh keys then I am not sure why they keep opening support cases with us. I work for Cisco and support the WSA. If this is so easy to intercept and steal the ssh private key from Cisco devices then why has it not already been done ? I have worked for Cisco for 5 years supporting this device and have yet to see anyone compromise the WSA. The SSH key is loaded for us CSEs to gain access to the back end of the OS which customers do not have access to. I understand the argument why is it a closed system ? Well we have enough customers that know enough to be dangerous to there devices. If customers had root access to the WSA they would try adding modules or removing them. Actions such as these would result in customer creating a ton of RMAs. I for one have wondered why we do not open it up to customers. But over the years I can now see why we do not.

  29. Cisco security appliances contain default SSH keys by nickweller · · Score: 1

    And why was this?

  30. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  31. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  32. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  33. Re:Well well well by Anonymous Coward · · Score: 1

    Anyone that doesn't think the NSA was involved is extremely gullible. Cisco is the biggest networking company in the world. They serve governments and large corporations around the planet which all expect transparency and security. Cisco's management, engineers, programmers and it their cats could speak.... all know beyond a shadow of a doubt you don't insert secret default backdoors into enterprise hardware. Code review would have detected such a glaringly obvious "bug" long before it was inserted into the firmware of billions of dollars of enterprise hardware effecting billions of users and trillions of dollars of commerce. There is no way this was done accidentally. Zero chance. Nada. Zilch.

  34. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 1

    A layer 3 switch is in many ways better than a router because it makes forwarding decisions in hardware. Meanwhile dedicated routers don't offer any big advantages over a layer 3 switch unless you happen to be using old shit like frame relay where you need special WICs and can't use ordinary ethernet or SFP adapters.

  35. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 1

    Quite a difference between using any old Linux server as a router, and using an actual device that is purpose built for that which includes an ASIC to make faster and more efficient forwarding decisions.

  36. Re: Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

    It is a router that can *route* packets among all interfaces at full speed. Get a Linux box with 16 NICs and flood them with traffic. See it sizzling, smoking and crashing.

    Oh fuck off with that bullshit. Routing packets takes minimal CPU, so fuck off with your sizzling and smoking horse shit. Full fledged routers are much more capable than "layer 3 switches".

  37. Re:Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

    A "layer 3 switch" has minimal routing features and is only a "great router" if you don't need to do much routing and thus don't want to spend money on an actual router.

  38. Re:Using Linux would prevent these Cisco mishaps! by sexconker · · Score: 1

    Dedicated routers offer same-or-better performance and capacity of a "layer 3 switch", and give you FULL layer 3 traffic control, not the half-assed firewalling, prioritization, etc. that "layer 3 switches" provide (at slow fucking speed).

    "Layer 3 Switch" is a marketing term for "half-assed router", and nothing more. If they were as capable as routers they'd be called routers because they'd fucking be routers. It's just like "smart managed switch", which means you get a semi-functional web interface (and maybe a semi-functional serial interface), good enough to do basic filtering, authentication, and VLANing, but it's no where near as capable as a true managed switch.

    Saying a layer 3 switch is better than a router is like saying a spork is better than a spoon, fork, and knife.

  39. Re: Using Linux would prevent these Cisco mishaps! by buchanmilne · · Score: 1

    Except the 'security appliance' line does not run IOS. These are servers (originally re-badged Dell PowerEdge, but now Cisco UCS C-class rack-mounts) running AsyncOS (a proprietary FreeBSD-based platform), which used to be branded as Ironport.

    It doesn't seem to affect any IOS flavour (IOS, IOS-XE which is Linux-based, IOS-XR) or the Nexus NX-OS (Linux-based).

  40. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 1

    Wow. Not only is everything you said way wrong (way way way WAY wrong,) but it's also approaching retardation.

    In fact, I strongly recommend there be a restraining order to prevent you from going anywhere within a mile of any enterprise grade network. You're of those guys who talks down to other employees at IT shops while always being the biggest cause of down time. 100% Dunning-Kruger.

  41. Re: Using Linux would prevent these Cisco mishaps by ArmoredDragon · · Score: 1

    Poverty = ignorance. Have you ever touched anything not sold in Bestbuy?

    I think it's worse than that. He's a real life Nelson "Big Head" Bighetti. Makes himself look knowledgeable but is really just fucking worthless.

  42. Re:Using Linux would prevent these Cisco mishaps! by smartfart · · Score: 1

    I've forgotten the name of the company now, but there was a presentation at the Linux conference last year (two years ago, maybe?) in New Orleans that talked about this very topic, and they (or someone else that approached me afterward because I asked a question about it) said that their company was making switching hardware that did stuff in kernel-space, maybe with a proprietary module. This is key here... you can stuff a bunch of NICs in a box and use brtables or whatever and make a switch, but that's going to be dog-slow. ASICs are needed, and at least that one Linux company is making them.

    --
    Need a Linux consultant in New Orleans?
  43. Get a grip guys by Anonymous Coward · · Score: 1

    WSA, ESA and SMA all came from the Ironport acquisition. At that time, Ironport was considered the model for success, and their management team basically acquired Cisco security. As a result, their products never got the full inspection for vulnerabilities and this was simply missed. This was not an NSA trick, just human error.

  44. Occams Electric Shaver by ThatsNotPudding · · Score: 1

    Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

    Never attribute activity to nefarious government agencies to what can be more easily explained by clueless MBA PHBs demanding their own personal screendoor.