Slashdot Mirror


Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials (csoonline.com)

itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).

36 comments

  1. Purple? by Anonymous Coward · · Score: 0

    Did you just promote a purple article to the frontpage? just wow mods, just wow!

  2. So pretty much everyone, now. by Anonymous Coward · · Score: 3, Interesting

    Is there anyone out there that DOESN'T have a backdoor into their gear? Should I just burn it all and buy cheap old x86 gear and slap OpenBSD on it and manually configure everything myself to ensure that nobody is trying to pull a fast one on me?

    1. Re:So pretty much everyone, now. by Sax+Russell+5449D29A · · Score: 4, Insightful

      Privilege escalation, unauthenticated remote commands to system daemons running with admin privileges... this is everyday life with the biggest IT shops out there.

      What's even worse? They don't care! Countless times have I sent these big companies detailed bug/security reports only to find the exact same fucking "feature" in their systems a year later. The only way to make a difference is to stop giving them money, if even for a while. Then they usually come back to you and *might* listen.

      --
      -SR
    2. Re: So pretty much everyone, now. by Moblaster · · Score: 1

      This kind of back door is so obvious, so stupid, and so NOT NEW, that Cisco CEO Chuck Robbins must be fired over this. There is no excuse to let some govt plant be able to get these back doors in in this day and age. What an embarrassment that CEO is. And anyone who says he is not responsible for this is avoiding the point that this is... SO NOT NEW.

    3. Re:So pretty much everyone, now. by mspohr · · Score: 1

      Yes! You've come up with a good solution.

      --
      I don't read your sig. Why are you reading mine?
    4. Re:So pretty much everyone, now. by Anonymous Coward · · Score: 0

      yes

    5. Re:So pretty much everyone, now. by dsmatthews9379 · · Score: 1

      Sure if you think you are a better maker than they are breakers and you have a genuine need to lock down your network that hard by all means build hand crafted secure gatekeepers and monitoring devices so you can control the data flows on your networks and see what is going on without your logs being manipulated. You could also have your infrastructure more layered and virtualise more vulnerable processes so that you can throw them away and load a fresh one if you have suspicions that they are compromised. But who is going to monitor your logs 24/7, you? Or are you going to write an AI to do that for you too?

      At the end of the day the sad fact of the matter is that, for the average person, protecting yourself 100% from intrusion takes as much work as never catching cold.

      So good luck with that, and in the mean time you could look at other contingencies, like regular backups and discretion as to what information you store, in what form, and where you keep it. How many examples of people following all best practices and still getting owned can you think of anyway? Perhaps if you are specifically targeted by people with very high skill levels, but why do you feel that you would ever be more than the victim of a random selection?

    6. Re:So pretty much everyone, now. by AHuxley · · Score: 1

      That's what some nations are doing. Starting again with their own fabs. Lots of secure local jobs, their own hardware and code.
      Power use is going to be huge, speed slow, heat will need new engineering solutions but the domestic hardware and software will be more secure.
      An imported turn key product with keys floating around, coded back doors, other nations' security services... some tech just not worth importing any more.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:So pretty much everyone, now. by EEPROMS · · Score: 2

      I know a few guys who make home brew managed switches running a BSD flavour and lately they have been very busy building open source/hardware switches. You would think the switches are expensive and run slow but in fact they are way faster than the big name switches, often with built in solid state storage, and still cost less. No one in their right mind trusts any big brand switch maker any more because legally they "have to" install a back door and then they "legally" have to lie about it. Also if you go cheap you have the Chinese installing back doors at the hardware level and when they get busted they call it a service feature not removed before sale.

  3. Simply unbelievable by Anonymous Coward · · Score: 0

    From the same salesmen who brought the white house an insecure telepresence system for classified conferences with Military officers

  4. nobody cares by Anonymous Coward · · Score: 0

    it's a bugfix for a cisco switch... why is this on the frontpage dammit? why is this news to begin with?

    1. Re: nobody cares by Anonymous Coward · · Score: 1

      Because when the company that more or less runs the internet as we know it, goes amateur hour, it's of interest to the scores of people on here who manage part of the internet.

    2. Re:nobody cares by Anonymous Coward · · Score: 0

      I guess you don't understand what remote root shell access implies.

  5. And, they want us to buy SMARTnet... by Anonymous Coward · · Score: 0

    to get the upgrade. I miss the old cisco that actually cared about security.

    1. Re: And, they want us to buy SMARTnet... by Anonymous Coward · · Score: 1

      Our ASA routers have a serious vulnerability with no workarounds, but my boss won't let us buy a service contract so we can upgrade them. I will never willingly buy cisco again.

    2. Re: And, they want us to buy SMARTnet... by Cramer · · Score: 1

      Depending on how old it is, they DID rebuild 8.2.5 to fix the latest round of stupid. One email or phone call will get you the necessary image. (or, ya'know, use the internet like everyone else. It's faster.)

    3. Re: And, they want us to buy SMARTnet... by Anonymous Coward · · Score: 0

      Our ASA routers have a serious vulnerability with no workarounds, but my boss won't let us buy a service contract so we can upgrade them.

      There are many reasons to dislike Cisco, but that isn't one of them.

      Even without a service contract, Cisco will give you security upgrades for free. Just call them and ask.

      And Cisco's salespeople are so incompetent that they won't even try to sell you a service contract when you call for a free security upgrade.

  6. That is simply... by OpenSourced · · Score: 2

    Step 1: Create a static account on all devices because reasons.
    Step 2: What could possibly go wrong?

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
  7. Give Cisco a break by flacco · · Score: 4, Funny

    This brash new start-up is still learning the ropes when it comes to networking and security and stuff. I'm sure it wasn't intentional.

    --
    pr0n - keeping monitor glass spotless since 1981.
  8. Because the FBI by minijedimaster · · Score: 5, Funny

    The FBI must have needed access to a single dead terrorist's switch.

    1. Re:Because the FBI by zlives · · Score: 1

      well as long as it was for security reasons then it's ok.

  9. wtf... by Anonymous Coward · · Score: 0

    Who the fuck puts hardcoded ANYTHING into their code? I mean, was this a co-op student? 10th grader?

    Even my son of 13 knows NOT to hardcode anything.

    W T F

  10. Read the advisory by Anonymous Coward · · Score: 0

    The workaround for the 3000 switches is to disable telnet. If anyone still has telnet enabled then you deserve to have yourself hacked.

    However, the 3500 platform isn't secure from ssh attack so the patch is needed.
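Added triage helper, not from the Slashdot post or from Cisco, that encodes what the summary and this comment state: the affected NX-OS releases per platform, the disable-telnet workaround for the 3000, and the 3500 needing the patch because SSH still exposes it. The `show version` and `show feature` output formats below are constructed samples, not captured device output, and the helper cannot detect the hardcoded account itself.

```python
import re
from typing import Optional

# Affected releases, exactly as listed in the story summary above.
AFFECTED = {
    "Nexus 3000": {"6.0(2)U6(1)", "6.0(2)U6(2)", "6.0(2)U6(3)", "6.0(2)U6(4)", "6.0(2)U6(5)"},
    "Nexus 3500": {"6.0(2)A6(2)", "6.0(2)A6(3)", "6.0(2)A6(4)", "6.0(2)A6(5)", "6.0(2)A7(1)"},
}


def parse_version(show_version: str) -> Optional[str]:
    """Pull the NX-OS system version out of `show version` text (constructed line format)."""
    m = re.search(r"^\s*(?:system|NXOS):\s+version\s+(\S+)", show_version, re.M)
    return m.group(1) if m else None


def telnet_enabled(show_feature: str) -> bool:
    """True if the telnet row of `show feature` output (constructed format) reads 'enabled'."""
    m = re.search(r"^\s*telnet\s+\d+\s+(enabled|disabled)", show_feature, re.M | re.I)
    return bool(m) and m.group(1).lower() == "enabled"


def triage(platform: str, show_version: str, show_feature: str) -> str:
    """Classify one device: not listed, exposed with workaround, or vulnerable needing the patch."""
    version = parse_version(show_version)
    if version is None:
        return "unknown: could not determine NX-OS version"
    if version not in AFFECTED.get(platform, set()):
        return f"not listed: {platform} {version} is not in the affected set"
    if platform == "Nexus 3000":
        # Per the comment: disabling telnet is the 3000 workaround; the patch is still the fix.
        if telnet_enabled(show_feature):
            return f"VULNERABLE: {platform} {version}, telnet enabled; disable telnet and patch"
        return f"exposed until patched: {platform} {version}, telnet disabled (workaround in place)"
    # Per the comment: the 3500 stays reachable over SSH, so only the patch helps.
    return f"VULNERABLE: {platform} {version}; no workaround, patch required"


# Constructed sample output for a 3000 running a listed release with telnet on.
SAMPLE_VERSION = "Software\n  BIOS:      version 1.0.0\n  system:    version 6.0(2)U6(3)\n"
SAMPLE_FEATURE = (
    "Feature Name   Instance  State\n"
    "-----------    --------  -----\n"
    "telnet         1         enabled\n"
    "ssh            1         enabled\n"
)

if __name__ == "__main__":
    print(triage("Nexus 3000", SAMPLE_VERSION, SAMPLE_FEATURE))
```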

  11. Cisco can blame someone else... by Andrew+Lindh · · Score: 5, Informative

    Nuova Systems developed the Nexus switches (for cisco) and then Cisco bought the company. The Nexus 3000 is also listed as using more off-the-shelf merchant silicon. So maybe they just used the reference code that came with the cheaper chips? In the end it's still Cisco's responsibility to secure the systems they sell no matter where the stuff came from. This is not the first time cisco took over another company's work...

    Nuova: http://www.networkworld.com/ar...
    Nexus 3000: https://en.wikipedia.org/wiki/...
    Acquisitions: https://en.wikipedia.org/wiki/...

    1. Re:Cisco can blame someone else... by Cramer · · Score: 1

      They all use standard Broadcom trash. (everybody does) The "reference code" (aka: SDK) isn't an OS. It's a library, and if you build it, a diagnostic shell. Any OS, UI, configuration language, etc. are up to the vendor.

    2. Re:Cisco can blame someone else... by Cramer · · Score: 1

      (note: for all the "white box" switches on the market, Broadcom goes out of their way to not give you the actual SDK. Instead their "open" bullshit is an already compiled library.)

    3. Re:Cisco can blame someone else... by Anonymous Coward · · Score: 0

      They all use standard Broadcom trash. (everybody does)

      nope. The Arista large-buffers switches use Fulcrum.

        https://www.sdxcentral.com/articles/news/arista-ships-intel-fulcrum-alta-chipset/2012/09/

      small-buffer Arista is probably Broadcom again. I expect anything with 100ms of buffer will not be Broadcom, but I don't really know.

  12. not too many switches will be vulnerable by Anonymous Coward · · Score: 0

    This is for a very small subset of code versions on likely the least popular series of Nexus line switches. Looks like someone goofed and published some code that shouldn't have left the lab. Still hilarious though.

  13. The hardcoded password for the Nexus 6 by swb · · Score: 1

    ...is "deckard".

  14. when will someone sue and win? by Gravis+Zero · · Score: 2

    i'm just wondering at what point will someone sue a company for undermining the security of the device they were sold and actually win. i mean, if you advertise it as secure and you know you put a hardcoded password in the firmware, it's really just false advertising.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:when will someone sue and win? by nehumanuscrede · · Score: 1

      Easy answer.

      When that one person has the financial capability to go up against, and overcome, the entire TEAM of lawyers that the company will deploy against them.

      Lawsuits are all about the money. Typically, he who has more of it, wins.

    2. Re:when will someone sue and win? by Gravis+Zero · · Score: 1

      Easy answer.

      then you weren't paying attention.

      When that one person has the financial capability to go up against, and overcome, the entire TEAM of lawyers that the company will deploy against them.

      confirmed! i purposely used pronouns to allow for the real possibility of one company suing another. you would be pissed too if you were the lead in an ISP and you found out the routers you have been using have shit for security.

      --
      Anons need not reply. Questions end with a question mark.
  15. Oy Vey! by Anonymous Coward · · Score: 0

    NT

  16. So - what's the password? by Anonymous Coward · · Score: 0

    Can anyone provide proof that this vulnerability exists - or is this the usual Cisco bashing ?

    1. Re: So - what's the password? by Anonymous Coward · · Score: 0

      The proof is that Cisco announced that they are patching it.

  17. give up and buy Huawei by Anonymous Coward · · Score: 0

    You know Huawei is backdoored, but if you care more about American dissidents than Chinese dissidents maybe it's better. Also it's cheaper. All those US govt rules forbidding Huawei in critical infrastructure weren't to keep Chinese backdoors out but to keep American backdoors in.

    Electrical engineering as a profession needs to do some soul-searching about their chronic invertebracy. Whenever we let the same people who build the hardware organize the Linux distribution that runs on it, we seem to end up with egregious negligence or eager overcompliance. When normal programmers do the job, they don't go beyond arrogant magical thinking and inept hand-wringing, so they are less bad.