Hundreds of Cisco Switches Vulnerable To Flaw Found in WikiLeaks Files (zdnet.com)
Zack Whittaker, writing for ZDNet: Cisco is warning that the software used in hundreds of its products is vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the cluster management protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands. Cisco said that there are "no workarounds" to address the vulnerability, but it said that disabling Telnet would "eliminate" some risks.
You deserve to have this happen to you.
Now, if you'll excuse me, I have backups to corrupt.
That means someone would have to be dumb enough to
1) Have the mgmt of the switch be publicly available
2) Have Telnet enabled.
Don't get me wrong, it's a bad bug. But a security-minded admin should not have these problems.
"A plan fiendishly clever in its intricacies"- Homer Simpson
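The two preconditions listed above (management reachable from anywhere, Telnet enabled) are the sort of thing that can be checked mechanically across a fleet. The following is an added example, not code from the original post, the advisory, or Cisco: a small Python audit that parses an IOS-style running-config and flags VTY line blocks that still accept Telnet, have no inbound access-class, or reference an ACL that is not defined. The config text is constructed for the example; the hostname, ACL name and addresses are assumptions, not values from the page.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from the page or any real device).
# 'line vty 0 4' is the weak setting; 'line vty 5 15' shows the hardened form:
# SSH only, with an inbound access-class limiting management sources.
SAMPLE_CONFIG = """\
hostname edge-sw01
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Return {'vty 0 4': [sub-commands...], ...} for every 'line ...' block.

    IOS nests a line's sub-commands as indented lines directly under it; any
    non-indented line ('!' or a new top-level command) ends the block.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty_lines(config: str) -> List[str]:
    """Flag VTY blocks that accept Telnet, lack an inbound access-class,
    or reference an ACL that is not defined in the same config."""
    findings: List[str] = []
    # Named and numbered ACLs defined at the top level of the config.
    acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    acls |= set(re.findall(r"^access-list (\d+) ", config, re.M))

    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue  # console/aux lines are not network-reachable
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        if not transports:
            # The platform default applies here; it differs between IOS images,
            # so treat an unset transport as "not explicitly restricted".
            findings.append(f"line {name}: no explicit 'transport input' "
                            f"(platform default applies; set 'transport input ssh')")
        elif any(t in ("telnet", "all") for t in transports[-1]):
            findings.append(f"line {name}: Telnet accepted "
                            f"('transport input {' '.join(transports[-1])}')")

        access = [c.split() for c in cmds
                  if c.startswith("access-class ") and c.endswith(" in")]
        if not access:
            findings.append(f"line {name}: no inbound access-class; "
                            f"management reachable from any source")
        elif access[-1][1] not in acls:
            findings.append(f"line {name}: access-class {access[-1][1]} "
                            f"references an ACL not defined in this config")
    return findings


if __name__ == "__main__":
    for finding in audit_vty_lines(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config it reports two findings, both for `line vty 0 4` (Telnet accepted; no access-class), and nothing for `line vty 5 15`. In practice the input would be the output of `show running-config` collected from each device, and the ACL in the access-class would list only the management hosts or jump boxes.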
1) You are using proprietary multichassis bonding
2) You need to make multiple switches look like one for licensing $$ purposes.
And that is about it. Look at any vendor's release notes and a substantial portion of the bugs are in the clustering regime. Just turn that crap off unless you need it... since industry-wide it's a proprietary lock-in gambit and doesn't have to survive interop shootouts, there's no way the code is worth running otherwise.
Someone had to do it.
You can't treat such "hardware" as hardware anymore: it's a computer, which needs security updates like any other computer that's connected to a network.
If there is not a realistic way to know about, get, and add security patches to ANY computer that connects to a network, don't buy it.
Table-ized A.I.
Don't ever assume that all hacks are coming from the outside.
Any sane configuration limits traffic to the routing gear. We have been able to programmatically generate configs forever; it's not like it used to be with everything done by hand.
No sir, I don't like it.
I'd probably say we should be utilizing 20 year old router technology.
That would be a security mistake... a lot of essential security features are younger than that. Heck, there are some switches that old where the only option for administration is through telnet. Switches that old (or new switches not properly configured, or anything in the prosumer market or lower) are pretty much an open killing field for intruders to forge, intercept, and bypass traffic.
The problem with open-sourcing these things is price and operating costs... open designs for the hardware would have to be mass-producible at the same price point as vendors have managed to achieve, and since they handle transit traffic, without open hardware, anything could be in that silicon to inject watermark CnC in packet headers or transmit timing.
So you have to be pretty damn cash-flush to spy-proof your access network... otherwise you just have to hope whoever can own your net doesn't want to and is competent enough to keep the house keys hidden from others that would.
Someone had to do it.
So, this leads to many questions: How long did the CIA know about this flaw and not tell Cisco? Or did Cisco know about this flaw and not warn users? How many other unpatched flaws are in the Vault 7? Is Cisco not issuing a REAL fix for this?
-- these are only opinions and they might not be mine.
Where telnet is still a thing, and last I checked was on by default.
Re: "warehouse to be backdoored prior to shipment to final destination"
Tailored Access Operations (TAO)
"Photos of an NSA “upgrade” factory show Cisco router getting implant" (5/15/2014)
https://arstechnica.com/tech-p...
GCHQ, NSA, CIA have different ideas on what they want and why.
In some nations the NSA might be working with a national telco over decades. So it is safe for the NSA to use that nation's gov staff as they are more loyal to the NSA than their own nation over generations.
In other nations the telco network might still be staffed with people who are totally loyal to their own nation. So that big dump of data back to a domestic staging server network might be detected. Code litter from another nation's malware is left to fool any contractors or other gov investigators.
Other methods are needed.
The CIA might have a trusted local person sneak into a building under the cover of being new staff, a friend or more than a new friend to a long term staff member. Physical access gets past any network security and trusted devices can be altered on site and data collected by a person later on site. No internet link needed but physical device access is needed to alter code and then collect the result. No code litter is found.
Or just send a command to a US brand's hardware and collect it all with the internet.
Different methods for different nations and if staff are still loyal to their own nation.
Domestic spying is now "Benign Information Gathering"
On the new 2960X's we just bought, it is NOT on by default. You have to go into a second tab during your express setup and purposely enable it.
Keep your brand or company secure by:
Keep your most advanced work and secrets away from any network.
Only use advanced US networks, US products for work that is in use and in public.
When new services, products, contracts are being considered don't store anything on servers, network facing hardware.
Hold design meetings in secure areas, don't bring in smart phones, devices. Keep vital encrypted notes on paper in that secure room.
Use a one time pad to send vital messages to distant staff. Use staff to move a message to staff globally, face to face, in person.
Use a networked company message board as a numbers station to broadcast information globally. Everyone looks at it everyday but the message is only for one person.
If you have the funding, set up bait, a honey pot of digital ideas on US branded hardware that faces the internet as normal.
Pack it with the most amazing new ideas your competitors had, renamed as your own emerging products. Patents, secret bank accounts, staff lists, work with other nations. Make that server amazing. Use very different code names for emerging products and projects. See if anyone comes looking later for the same junk words or for the staff that are internal security risks on lists that are fake.
Set up a random safe house with trusted security teams for years based on that staff risk review. See if anyone tries to offer the fake staff member a new job, wants to be "friends", makes a cash offer or poses as your nations security services to do an interview...
Really simple counterintelligence that any nation or company can create.
That needs a lot of funding but protects against human and network methods.
Be aware of any new staff from other nations or your own nation's new staff. New "friends" wanting a secure site tour. Physical site access can plant malware that's then collected later by hand.
Domestic spying is now "Benign Information Gathering"
I have no conspiracy theory, just a disdain for switch clustering suites. If you're talking about the vendor lock-in point, ask an SE where a standards-based inter-vendor clustering suite is on the company/industry roadmap. It's just a de-facto reality.
I haven't seen many switches lately that have a separate backplane cable for clustering. They all use their uplinks, since it only took vendors a decade or two to get cluster management packets adequately prioritized.
On ease of management I'll give you one more item: if the cluster supports hitless upgrading that's not doable through other means, and if your SLA doesn't leave you any windows that's an attractive feature. So three, three good reasons.
But unless you have only one cluster you're dealing with multiple CLI/SNMP/SDN endpoints anyway, so you might as well start automating, there will only be more over time.
"Stack resiliency" really is only applicable to HPC, and in that case you'll be using #1 from my original list anyway. The MTBF on these things is so low these days that for most purposes you are past the point of diminishing returns on any other level of reliability.
Someone had to do it.