Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files (zdnet.com)
Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products is vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.
typically cisco has a fix ready for the NSA backdoors. this one must have been a missed memo from NSA.
You deserve to have this happen to you.
Now, if you'll excuse me, I have backups to corrupt.
That means someone would have to be dumb enough to
1) Have the mgmt of the switch be publicly available
2) Have Telnet enabled.
Don't get me wrong, it's a bad bug. But a security-minded admin should not have these problems.
"A plan fiendishly clever in its intricacies"- Homer Simpson
In every place I've ever worked, they used 10/8 or 192.168/16 addresses.
1) You are using proprietary multichassis bonding
2) You need to make multiple switches look like one for licensing $$ purposes.
And that is about it. Look at any vendor's release notes and a substantial portion of the bugs are in the clustering regime. Just turn that crap off unless you need it... since industry-wide it's a proprietary lock-in gambit and doesn't have to survive interop shootouts, there's no way the code is worth running otherwise.
Someone had to do it.
You can't treat such "hardware" as hardware anymore: it's a computer, which needs security updates like any other computer that's connected to a network.
If there is not a realistic way to know about, get, and add security patches to ANY computer that connects to a network, don't buy it.
Table-ized A.I.
While having a complete set of code to one's device is not an absolute certainty of security, it is a basic foundation necessary to being reasonably assured your devices are in your control and not somebody else's. Sadly, with products like this there is little incentive outside of the home / consumer router market to release the source code such that the community is able to analyse the code itself. There is another problem in the technology sphere of technology changing too fast for proper security reviews and proper coding in general. I'd probably say we should be utilizing 20 year old router technology. The reality is that without the standardization and use of chipsets long term we can't hope to properly review and improve the code to a quality that is half decent, given the amount of technology and code that has to be reviewed in the technology sphere in general.
If you don't believe in copy"right" or "intellectual property" and support privacy/encryption/security/decentralization/etc and most of all you support liberty and freedom you should check out Somaliafest 2017: https://www.somaliafest.com/ Another event and group led by a migration of principled libertarians and voluntaryists to New Hampshire with the aim of forming a free society. Similar to the Free State Project, this event differs in that it focuses more heavily on areas of technology and freedom. Porcfest also immediately follows the event on the same camp ground, so many participants and vendors are planning to attend both events.
From TFA:
"Motherboard reported that WikiLeaks has yet to provide details of the security flaws to the companies in question. "
Ha. Guess Motherboard either didn't talk to Cisco, or Cisco didn't tell them anything, or Cisco lied waiting until they published their advisory. In any case, Motherboard's attempt to paint Wikileaks as "extorting" the companies is completely false, or fake, if you will.
"'Fortunately, WikiLeaks' Vault7 has permitted Cisco's security team to identify the vulnerability without releasing the exploit code. Cisco was the most proactive of the US manufacturers and its security team initiated contact with WikiLeaks last week,' said the spokesperson."
Good for Cisco for getting on top of this and protecting their customers. Now, why the fuck is Microsoft, Google, Apple dragging their heels about protecting their customers?
So, this leads to many questions: How long did the CIA know about this flaw and not tell Cisco? Or, did Cisco know about this flaw and not warn users? How many other unpatched flaws are in the Vault 7? Is Cisco not issuing a REAL fix for this?
-- these are only opinions and they might not be mine.
Where telnet is still a thing, and last I checked was on by default.
There seems to be a case for some free software that blocks fake news based on the user's basic input. For example, I have no children and will never have a child or children. A child born from a thief is in possession of stolen property. Every now and then a fake website pops up with a news story like "Are your teens strung out on tech?" which is obviously fake. Rhetorically, are you going to die and leave the computer's contents with your fake news? It's a bit like running a nuclear power station and leaving it to melt down by not shutting it down before dying.
If your switch has its administration ports open out to the internet or to anything but a protected LAN, then you need to fire everyone in IT and hire competent people.
Do not look at laser with remaining good eye.
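The two comments above (the "publicly available management" plus "Telnet enabled" precondition, and the "administration ports open out to the internet" point) describe the same management-plane hygiene check. The following audit script is an added example, not code from the article, the commenters, or Cisco: it parses a Catalyst-style running-config fragment and flags VTY line blocks that still accept Telnet or that lack an inbound `access-class` limiting management sources. The config text is constructed for illustration; the `transport input` and `access-class` syntax is assumed to follow IOS conventions, and a VTY block with no `transport input` line at all is treated as accepting all transports (an assumption, since the effective default depends on platform and version).

```python
import re
from typing import Dict, List

# Constructed sample running-config fragment (not captured from a real device).
# vty 0-4 still accepts telnet and has no source restriction; vty 5-15 is hardened.
SAMPLE_CONFIG = """\
hostname core-sw-01
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class MGMT-ONLY in
 login local
"""

# Same device after remediation: SSH only, management sources restricted everywhere.
HARDENED_CONFIG = """\
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
 login local
line vty 5 15
 transport input ssh
 access-class MGMT-ONLY in
 login local
"""

VTY_HEADER = re.compile(r"^line vty \d+(?: \d+)?$")


def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty a b' header to the indented sub-commands beneath it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if VTY_HEADER.match(raw.strip()) and not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            # Any unindented non-vty line ('!', 'line con 0', ...) ends the block.
            current = None
    return blocks


def audit_vty(config: str) -> List[str]:
    """Return one finding per weak management-plane setting found on VTY lines."""
    findings: List[str] = []
    for name, cmds in parse_vty_blocks(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        allowed = set()
        for t in transports:
            allowed.update(t.split()[2:])
        # Assumption: no 'transport input' at all is treated as 'all' (worst case).
        if not transports or "all" in allowed or "telnet" in allowed:
            shown = " ".join(sorted(allowed)) or "unspecified"
            findings.append(f"{name}: telnet accepted (transport input {shown})")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_vty(cfg) or ["no findings"]:
            print(" ", f)
```

Run against exported `show running-config` output from a fleet of switches, this kind of check turns the "should not have these problems" advice into something auditable: every VTY block either shows up clean (SSH only, access-class in place) or produces a finding naming the line range to fix.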
"More than 300 switches are affected by the vulnerability"
Is that 300 devices or 300 models?
Maybe it's Nintendo Switches.
Good lord...it's like something horrifying every two weeks with this company.
Make no mistake, this was an intentional flaw designed specifically by Cisco's Chinese firmware house to give the Chinese government access to American networks. Of the products affected, most are -M series used in Military networks in the US.
What about:
The non-blocking inter-switch speed without sacrificing a single port?
The ease of management?
The stack resiliency?
I'm a huge fan of the technology and licensing is not an issue of any kind. There is literally no licensing cost to enable or disable clustering. There's a stacking cable, but that's it.
What I'm trying to say, is that you're mad as a hatter with your conspiracy theory.
On the new 2960X's we just bought, it is NOT on by default. You have to go into a second tab during your express setup and purposely enable it.
Keep your brand or company secure by:
Keep your most advanced work and secrets away from any network.
Only use advanced US networks, US products for work that is in use and in public.
When new services, products, or contracts are being considered, don't store anything on servers or network-facing hardware.
Hold design meetings in secure areas, don't bring in smart phones, devices. Keep vital encrypted notes on paper in that secure room.
Use a one time pad to send vital messages to distant staff. Use staff to move a message to staff globally, face to face, in person.
Use a networked company message board as a numbers station to broadcast information globally. Everyone looks at it everyday but the message is only for one person.
If you have the funding set up bait, a honey pot of digital ideas on US branded hardware that faces the internet as normal.
Pack it with the most amazing new ideas your competitors had, renamed as your own emerging products. Patents, secret bank accounts, staff lists, work with other nations. Make that server amazing. Use very different code names for emerging products and projects. See if anyone comes looking later for the same junk words or for the staff that are internal security risks on lists that are fake.
Set up a random safe house with trusted security teams for years based on that staff risk review. See if anyone tries to offer the fake staff member a new job, wants to be "friends", makes a cash offer or poses as your nations security services to do an interview...
Really simple counterintelligence that any nation or company can create.
That needs a lot of funding but protects against human and network methods.
Be aware of any new staff from other nations or your own nation's new staff. New "friends" wanting a secure site tour. Physical site access can plant malware that's then collected later by hand.
Domestic spying is now "Benign Information Gathering"
These hacks were released when they weren't so useful. Probably from Assange's Russian government friends, since they seem to be a package from the same group.
So the consequence of CIA not telling CISCO to fix it, is that every network using these CISCO routers is potentially backdoored by Russia at this point.
How many election systems? How many business secrets? How many weapons manufacturers? How many politicians' emails? How many booking sites? Banking sites? Press computers?
That's just the primary attack, what about secondary? How many computers compromised that are used to develop smartphone apps, or other apps that then are compromised? Juniper had this, a source control system that was compromised and in turn allowed injection of malicious software into their routers, which in turn left holes in their customers' systems.
The CIA thought it would only be themselves who would exploit it, and America got owned and so now everyone got owned.
Ericsson in particular are known for quality, reliability, and security.