Slashdot Mirror


Cisco Security Appliances Found To Have Default SSH Keys

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.

17 of 112 comments

  1. NSA? by Laguerre · · Score: 4, Insightful

    There might be reasons other than "support" for universal access SSH keys.

  2. How by koan · · Score: 2

    is this a bug?

    default, authorized SSH keys

    --
    "If any question why we died, Tell them because our fathers lied."
  3. Re:Using Linux would prevent these Cisco mishaps! by ArmoredDragon · · Score: 4, Informative

    Cisco is very much a "configure it yourself" type of deal. In fact their whole certification track above the CCENT level revolves heavily around knowing the IOS command syntax.

    You can substitute their routers for Linux, but NOT their layer 3 switches, unless you really don't give a shit about performance in an enterprise environment.

  4. Re:Using Linux would prevent these Cisco mishaps! by Phishcast · · Score: 2

    Here's one, Cumulus Networks. A lot of Cisco switching gear is Linux underneath with a more familiar Cisco CLI.

  5. Re:Beware 'appliances' by myowntrueself · · Score: 5, Interesting

    If Cisco didn't use interns and cheap H1B labor, maybe this wouldn't happen. Seriously, they need some experienced, security-minded people to manage and review these products before they ship.

    If you think this is bad, try looking at the Cisco ACE load balancers. They can't even do modern crypto and they refuse to update them.

    Are you kidding? This was done for support reasons; to support the NSA.

    --
    In the free world the media isn't government run; the government is media run.
  6. Re:Using Linux would prevent these Cisco mishaps! by swv3752 · · Score: 2

    http://cumulusnetworks.com/blo...
    http://www.datacenterknowledge...
    http://opennetlinux.org/
    http://www.opencompute.org/
    http://www.wired.com/2013/03/b...

    Get with the times: the Big Iron networking gear (like that used at Google and Facebook) is switches running Linux.

    --
    Just a Tuna in the Sea of Life
  7. Re:Beware 'appliances' by ShaunC · · Score: 2

    This is a *security* focused appliance that made this goof from one of the more well regarded vendors in the market.

    "Goof?" I'm not convinced. It's just as likely that this was engineered into the products intentionally.

    News broke last year that NSA was intercepting Cisco equipment en route to customers and making a few tweaks. Cisco made a big production a few months ago about how they were suddenly willing to ship to random addresses to avoid NSA interdiction. Perhaps that's because whatever NSA needs is already built in, and always has been, and the whole story about NSA physically yanking packages from carriers was misdirection. Put that story out there and people who are able to control the delivery chain will have a strong, but very false, sense of security.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  8. You must have the source code! by anwyn · · Score: 5, Interesting

    This so-called bug is only possible because users do not have access to the source code. From the user's perspective it does not matter if this was done because of pressure from NSA or convenience of maintenance techs!

    This class of bug is unknown in the free software world because your project will be forked.

    All corporations are subject to enormous pressure from corporations, and therefore can not be trusted, even if the management wanted to play it straight.

    All populations, including the U.S.'s, are targets of information warfare by the NSA and GCHQ.

    There is no security without the source code.

    1. Re:You must have the source code! by PRMan · · Score: 5, Insightful

      This is exactly the "encryption backdoor" that the NSA and FBI keep saying they want. And this is exactly the outcome.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  9. Bug???? by gstoddart · · Score: 5, Insightful

    This bug is about as serious as they come for enterprises

    This isn't a bug.

    The default key apparently was inserted into the software for support reasons.

    This is crap security by design.

    And you can probably bet that the NSA and the Chinese have these keys, and can pretty much bypass any "security" offered by Cisco.

    Essentially Cisco did this shit on purpose, and you can bet at least some people knew damned well this was there.

    --
    Lost at C:>. Found at C.
  10. Re: Interesting eggcorn by clovis · · Score: 2

    It should be "free rein". It refers to the reins used to direct the travel of a horse, similarly to the way "steering wheels" were used to direct the motion of automobiles before Google acquired a majority stake in the US Supreme Court and self-driving cars became mandatory.
    Anyway, if you were to release your grip on the reins, then the horse may theoretically feel free to travel in any direction. In practice the horse generally returned to the barn after scraping the rider off on the nearest tree.

  11. Re:Beware 'appliances' by idontgno · · Score: 2

    for support reasons

    You're not asking the correct question.

    "To support whom?"

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  12. Re: Interesting eggcorn by LunaticTippy · · Score: 2

    The correct figure of speech is "free rain." Nobody alive remembers when rain fell freely where I'm living, so this has corrupted over the years into horses and monarchs and whatnot.

    --
    Man, you really need that seminar!
  13. Re:Beware 'appliances' by myowntrueself · · Score: 2

    Yeah, that's it, NSA wanted Cisco to do something so stupid it would take the Chinese 2 minutes to figure out how holey their boxes are.

    I don't get the impression that the NSA really think things like this through to that extent.

    --
    In the free world the media isn't government run; the government is media run.
  14. Re:Using Linux would prevent these Cisco mishaps! by Cramer · · Score: 2

    There are lots of switches running Linux. Of course, Linux isn't the thing doing the switching.

    The question to ask is can you get to the OS and/or ssh configuration to remove whatever the vendor may have installed? (i.e. remove whatever ssh backdoor keys they left there.) In most cases, the answer is "Hell. No."
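
The summary describes a single authorized SSH key shared by every installation, and the comment above asks whether an operator can even get at the SSH configuration to remove whatever the vendor left there. Where the `authorized_keys` file is readable, the defensive first step is an inventory: fingerprint every key in it the way `ssh-keygen -lf` does and flag anything not on the list of keys the organisation itself deployed. The script below is an added example, not code from Cisco, from the article or from any commenter; the `authorized_keys` content, the key blobs, the allowlist and the path in the comment are all constructed for illustration.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of fingerprints.

Added example. All sample data (keys, file content, allowlist) is constructed
here for illustration; no real appliance key material is involved.
"""
import base64
import binascii
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple

# Key types OpenSSH accepts in authorized_keys. Used to locate the key field
# when a line carries an options prefix such as command="..." or from="...".
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf`: base64 of the SHA-256
    digest of the decoded key blob, trailing '=' padding removed. Computing it
    the same way lets a finding be cross-checked directly on the host."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _tokenize(line: str) -> List[str]:
    """Split on whitespace, but keep a double-quoted option value (which may
    itself contain spaces) inside one token."""
    tokens: List[str] = []
    current: List[str] = []
    quoted = False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            current.append(ch)
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_line(line: str) -> Optional[Tuple[Optional[str], str, str, str]]:
    """Return (options, key_type, blob_b64, comment), or None when the line
    holds no key. The options field is optional, so the key type is found by
    scanning for the first token that is a known key type."""
    tokens = _tokenize(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            options = " ".join(tokens[:i]) if i else None
            return options, tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def audit(authorized_keys: str, allowlist: Set[str]) -> List[Dict[str, object]]:
    """One finding per non-comment line. A key whose fingerprint is not in the
    allowlist is reported as UNKNOWN: that is the entry to remove, or to raise
    with the vendor if the file turns out not to be editable."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(authorized_keys.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        fp = None
        if parsed is not None:
            try:
                fp = fingerprint(parsed[2])
            except (binascii.Error, ValueError):
                parsed = None  # key field present but not valid base64
        if parsed is None:
            findings.append({"line": lineno, "status": "UNPARSEABLE", "fingerprint": None,
                             "type": None, "options": None, "comment": line[:60]})
            continue
        options, key_type, _blob, comment = parsed
        findings.append({"line": lineno, "status": "allowed" if fp in allowlist else "UNKNOWN",
                         "fingerprint": fp, "type": key_type, "options": options,
                         "comment": comment})
    return findings


def _ed25519_blob(raw32: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob (RFC 4253 string
    encoding) around 32 arbitrary bytes. Constructed test data, not a real key."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


ADMIN_KEY = _ed25519_blob(bytes(range(32)))   # stands in for the key the operator deployed
VENDOR_KEY = _ed25519_blob(b"\x42" * 32)      # stands in for a factory-installed key

# Constructed sample file; the path in the comment is a placeholder.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample: /root/.ssh/authorized_keys
ssh-ed25519 {ADMIN_KEY} ops-admin@example.org
command="/opt/vendor/support shell",no-port-forwarding ssh-ed25519 {VENDOR_KEY} vendor-support
this line is not a key at all
"""

# Fingerprints of the keys the organisation knowingly deployed (constructed).
ALLOWLIST = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {f['line']:>2}  {f['status']:<11} {f['fingerprint'] or '-'}  {f['comment']}")
```

Run against the constructed sample, the operator's own key comes back `allowed`, the vendor-style entry (complete with a `command=` option that a naive whitespace split would have broken on) comes back `UNKNOWN`, and the junk line is reported as `UNPARSEABLE` rather than silently skipped. On a real host the same `SHA256:` string can be compared against `ssh-keygen -lf` output, which is why the fingerprint is computed exactly as OpenSSH does rather than as a hash of the text line.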

  15. Exactly by s.petry · · Score: 3, Insightful

    Do you know how many times I thought about adding a back channel to a piece of software I wrote because it's easier than training users? Do you care to guess at how many times I have actually done this?

    Let's ask that same question about smaller software companies. You won't find any that survive for long after people find out they have these kinds of security practices.

    It's hard to say why this happens so frequently and massively with large companies/corporations. I'm sure it's partly Government pressure, probably pressure from other companies/corporations, and partly an ignorant executive demanding this gets done. I'm sure the latter can claim the first two are the problem. The latter however, should result in termination of the execs responsible. That last part does not happen, which makes me wonder how big the first two really are.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  16. Time to yank NSA's leash by sshir · · Score: 4, Interesting

    Considering that the NSA definitely had the source code and configuration (otherwise they would not use Cisco stuff themselves), they knew about this shit. And leaving such a huge hole in the nation's security while it's the NSA's main responsibility is unacceptable. And after that recent data breach fiasco, one has to wonder why the fuck we keep paying their salaries?!