Slashdot Mirror


Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials (csoonline.com)

itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).
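The first thing an operator wants from an advisory like this is a quick way to sort a fleet into "listed as affected" and "not listed". The following is an added example, not code from Cisco or from the article: it parses saved `show version` output for a Nexus 3000/3500 and checks the running NX-OS release against exactly the release list quoted above. The sample outputs are constructed, and the assumed layout (a `system: version` line and a `cisco Nexus 3xxx` chassis line) is the only thing the regexes rely on; a release that is not on the list is reported as "not listed", not as fixed, because the summary does not name the fixed releases.

```python
import re

# Affected NX-OS releases exactly as listed in the Cisco advisory quoted in the summary.
AFFECTED = {
    "Nexus 3000": {"6.0(2)U6(1)", "6.0(2)U6(2)", "6.0(2)U6(3)",
                   "6.0(2)U6(4)", "6.0(2)U6(5)"},
    "Nexus 3500": {"6.0(2)A6(2)", "6.0(2)A6(3)", "6.0(2)A6(4)",
                   "6.0(2)A6(5)", "6.0(2)A7(1)"},
}

# NX-OS release strings look like 6.0(2)U6(1): major.minor(maintenance)TRAIN(rebuild).
# Assumption: 'show version' reports the running image on a line "system: version <x>".
VERSION_RE = re.compile(
    r"^\s*system:\s+version\s+(\d+\.\d+\(\d+\)[A-Z]\d+\(\d+\))", re.MULTILINE)
# Assumption: the hardware section names the chassis as "cisco Nexus 3048 Chassis" or similar.
CHASSIS_RE = re.compile(r"Nexus\s*(3\d{3})", re.IGNORECASE)


def platform_for(model):
    """Map a chassis model number ('3048', '3548', ...) onto the advisory's platform names."""
    if model.startswith("35"):
        return "Nexus 3500"
    return "Nexus 3000"   # 30xx and 31xx models are all Nexus 3000 Series


def assess(show_version_output):
    """Return (platform, running_release, listed) for one device's 'show version' text.

    'listed' is True only when the running release is on the advisory's affected list.
    Raises ValueError when the text lacks the two lines the check needs, so an
    unparseable capture is never silently reported as clean.
    """
    version_match = VERSION_RE.search(show_version_output)
    chassis_match = CHASSIS_RE.search(show_version_output)
    if not version_match or not chassis_match:
        raise ValueError("could not find NX-OS 'system: version' or a Nexus 3xxx chassis line")
    platform = platform_for(chassis_match.group(1))
    release = version_match.group(1)
    return platform, release, release in AFFECTED[platform]


def triage(outputs_by_host):
    """Run assess() over {hostname: 'show version' text}; return hosts on the affected list."""
    return sorted(host for host, text in outputs_by_host.items() if assess(text)[2])


# Constructed sample captures (not real device output), trimmed to the lines we parse.
SAMPLES = {
    "sw-a": ("Software\n"
             "  kickstart: version 6.0(2)U6(3)\n"
             "  system:    version 6.0(2)U6(3)\n\n"
             "Hardware\n"
             "  cisco Nexus 3048 Chassis\n"),
    "sw-b": ("Software\n"
             "  system:    version 6.0(2)A7(1)\n\n"
             "Hardware\n"
             "  cisco Nexus 3548 Chassis\n"),
    "sw-c": ("Software\n"
             "  system:    version 6.0(2)U5(1)\n\n"   # not on the advisory's list
             "Hardware\n"
             "  cisco Nexus 3064 Chassis\n"),
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, assess(text))
    print("needs attention:", triage(SAMPLES))
```

Feed it the output of `show version` collected by whatever you already use for config backups; the point of raising on unparseable input rather than returning False is that a half-captured file should show up as an error in the run, not as a device that was checked and found clean.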

8 of 36 comments

  1. So pretty much everyone, now. by Anonymous Coward · · Score: 3, Interesting

    Is there anyone out there that DOESN'T have a backdoor into their gear? Should I just burn it all and buy cheap old x86 gear and slap OpenBSD on it and manually configure everything myself to ensure that nobody is trying to pull a fast one on me?

    1. Re:So pretty much everyone, now. by Sax+Russell+5449D29A · · Score: 4, Insightful

      Privilege escalation, unauthenticated remote commands to system daemons running with admin privileges... this is everyday life with the biggest IT shops out there.

      What's even worse? They don't care! Countless times have I sent these big companies detailed bug/security reports only to find the exact same fucking "feature" in their systems a year later. The only way to make a difference is to stop giving them money, if even for a while. Then they usually come back to you and *might* listen.

      --
      -SR
    2. Re:So pretty much everyone, now. by EEPROMS · · Score: 2

      I know a few guys who make home brew managed switches running a BSD flavour and lately they have been very busy building open source/hardware switches. You would think the switches are expensive and run slow but in fact they are way faster than the big name switches, often with built-in solid state storage, and still cost less. No one in their right mind trusts any big brand switch maker any more because legally they "have to" install a back door and then they "legally" have to lie about it. Also if you go cheap you have the Chinese installing back doors at the hardware level and when they get busted they call it a service feature not removed before sale.

  2. That is simply... by OpenSourced · · Score: 2

    Step 1: Create a static account on all devices because reasons.
    Step 2: What could possibly go wrong?

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
  3. Give Cisco a break by flacco · · Score: 4, Funny

    This brash new start-up is still learning the ropes when it comes to networking and security and stuff. I'm sure it wasn't intentional.

    --
    pr0n - keeping monitor glass spotless since 1981.
  4. Because the FBI by minijedimaster · · Score: 5, Funny

    The FBI must have needed access to a single dead terrorist's switch.

  5. Cisco can blame someone else... by Andrew+Lindh · · Score: 5, Informative

    Nuova Systems developed the Nexus switches (for Cisco) and then Cisco bought the company. The Nexus 3000 is also listed as using more off-the-shelf merchant silicon. So maybe they just used the reference code that came with the cheaper chips? In the end it's still Cisco's responsibility to secure the systems they sell no matter where the stuff came from. This is not the first time Cisco took over another company's work...

    Nuova: http://www.networkworld.com/ar...
    Nexus 3000: https://en.wikipedia.org/wiki/...
    Acquisitions: https://en.wikipedia.org/wiki/...

  6. when will someone sue and win? by Gravis+Zero · · Score: 2

    I'm just wondering at what point will someone sue a company for undermining the security of the device they were sold and actually win. I mean, if you advertise it as secure and you know you put a hardcoded password in the firmware, it's really just false advertising.

    --
    Anons need not reply. Questions end with a question mark.