Slashdot Mirror


Hardcoded Password Found in Cisco Enterprise Software, Again (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.

70 comments

  1. Who the Fuck is Writing the Shit? by sycodon · · Score: 3, Funny

    Are they using overseas programmers?

    Is this another success of outsourcing?

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Who the Fuck is Writing the Shit? by sit1963nz · · Score: 4, Interesting

      No, this is the NSA, CIA, FBI, DHS, etc. etc. etc. doing their part in making the world less safe.

      But don't worry, they were only going to use it responsibly, and as you have nothing to hide it's all good....

      These are not the exploits you are looking for.......

    2. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0, Funny

      Are they using overseas programmers?

      Is this another success of outsourcing?

      Almost certainly. We all know overseas cheap programmers and H1-Bs provide the much needed skills America is so badly lacking /sarcasm

      The only thing America is lacking is companies willing to pay market rates for talent without getting the government to artificially dilute the labor supply through unneeded immigration and tax breaks for outsourcing.

    3. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      They were just doing the needful.

    4. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 1

      Not in this case. There's little advantage in leaving backdoors if one is making them so obvious that other agencies could easily use them. Actual backdoors are more sophisticated.

    5. Re:Who the Fuck is Writing the Shit? by AHuxley · · Score: 2

      Welcome to PRISM.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      I actually LOLed at this...

    7. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      It may be gauche to reply to a sig, but... no one is telling you to give up your guns, just your rocket launchers, antipersonnel mines, nuclear/chemical/biological/radiological weapons, fragmentation grenades, assault rifles and machine guns. If the forces of common sense had their way, you'd STILL be allowed to keep handguns, hunting rifles, and shotguns (of the non-sawed-off or shortened variety) for self-defense and hunting purposes.

      There is no legitimate need in the US (or any actual first-world country,) for civilians OR police to have the weapons of war, since all you can use them for, besides paper-weights, is to WAGE WAR. They have NO OTHER use, and when enough people have them, they periodically DO just THAT: they wage war, and generally against other people who CANNOT defend themselves, and largely would not have been able to in most of these mass-shootings, even HAD they similar weapons to hand. If you think it's right and proper for ANY civilian to have the means to commit mass-murder with TRIVIAL EASE, no further discussion is necessary or even possible as you'd be clinically insane to hold that view. While you're at it, why not give every civilian a police car, sirens and all? There's a REASON some things are reserved, and not allowed to be in the possession of common citizens.

      Imagine for example if every person in Las Vegas had a machine gun the day that sniper asshole started shooting at them from high up in a casino hotel at that country music festival. Imagine how many other people would have died from morons trying to fire back at a SNIPER holed up in a defensive position, occupying indisputably HIGH GROUND. (Note that the fucker would have had sand bags, etc., to defend himself if the crowd HAD had guns, as he'd likely have known it if it were commonplace for EVERYONE to carry machine guns or sniper rifles, etc.) How many people in the hotel would have died TOO if there'd been a barrage of gunfire in the other direction? Do you REALLY think random gunfire from the crowd COULD have neutralized him as a threat?!? Because that's hilarious.

      Also, if your argument is that any restriction on gun ownership is the start of a slippery slope to NO gun ownership, let me point out that that's PROVABLY false; there WAS a federal assault weapons ban, and it did NOT result in "ALL THE GUNS" being rounded up. On the contrary, it was allowed to expire because gun MAKERS have BOUGHT all our LAW makers.

      Too bad WE didn't think of that. I miss democracy, and wish this country at least still pretended to be one, don't you? If it DID, bribery would be illegal and we wouldn't be awash in a sea of guns, with things getting worse by the day, since the gun makers have managed to convince people that paranoia is GOOD. (Proof that Gordon Gecko was WRONG, because gun maker greed is at the root of this, and it's literally killing us.)

      Also, as for hardcoded passwords... are we really still having stories about this come out? What WAS the hardcoded password, "12345"?!? Might as well have been.

    8. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      Never attribute to malice that which is adequately explained by stupidity.

      And I can tell you from dealing with TAC and Cisco developers on several software cases that stretched on for years: Cisco has REALLY bad overseas developers that couldn't code "Hello, World" without misspellings and at least 3 bugs.

    9. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      I worked in their datacenter group for 5 years and nearly every year they would move some set of responsibility to their Bangalore office. Other BUs said the same was pretty common. So I'd guess that yes, the Bangalore office was involved in some way. What I've heard about that office is that it's really pressure to meet milestones. Things probably won't change until quality issues affect shareholders' bottom lines.

    10. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      we wouldn't be awash in a sea of guns, with things getting worse by the day

      I've heard several fine and well sourced arguments against the notion that things are worse now than they've ever been. I think that the perception is skewed because we have more mass shooting events where more people are killed at one time today, but overall many fewer gun deaths per capita than we did during the middle part of the twentieth century, say 1945-1980 or so. Crime has also gone down overall even as it has intensified and concentrated in particular areas. The statistical arguments are out there for those who are interested and I think that we should be careful of "things are getting worse by the day" sorts of emotional appeals to panic, because the data doesn't generally support the "getting worse by the day" conclusion.

    11. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      You're a moron.

      Have a nice day.

    12. Re:Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      Things probably won't change until quality issues affect shareholders' bottom lines.

      Hey ransomware authors, are you listening?

    13. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      Poor butthurt Russkies also have to find new vulnerabilities now. Please help them by leaving your network insecure

    14. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      the NSA, CIA, FBI etc. from overseas.

    15. Re:Who the Fuck is Writing the Shit? by gweihir · · Score: 1

      Well, if the TLA scum is _this_ stupid in placing their backdoors, then the world is really in fast decline. Not saying they are not this stupid, but if they are that would be very bad.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      The question you have to ask yourself, punk, is: are 30,000 deaths a year a price worth paying to keep your guns?

    17. Re: Who the Fuck is Writing the Shit? by Kopp · · Score: 1

      Why would they bother paying more for talent when so many screwups like this one cost zero $$$? Hiring talented workers (note that being an American programmer does not necessarily make you a talented one) would either increase costs and prices (which is bad for business) or reduce profits and money given to shareholders... again, why would they decide to pay more?

    18. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      Could be the push for forced diversity.

      There's gotta be a downside to hiring the candidate based on the gender or color.

      Or could be the result of outsourcing all development and QA to the cheapest country possible. Who needs ten good US-based engineers when you can get a hundred mediocre ones somewhere in Asia for the same price? Oh and you also don't have to give them full benefits.

    19. Re:Who the Fuck is Writing the Shit? by DickBreath · · Score: 1

      Cisco needs to get a lot more serious about security. Best practices would be to make sure that next time it is much more difficult to find what the hardcoded password is.

      --

      I'll see your senator, and I'll raise you two judges.
    20. Re:Who the Fuck is Writing the Shit? by hattable · · Score: 1

      Hang on a minute, your post doesn't demonize the intelligence agencies... So I must ask: why do you hate freedom of speech, the internet, and civil liberties?

      --
      OMG facts!
    21. Re: Who the Fuck is Writing the Shit? by Anonymous Coward · · Score: 0

      Are 37,461 deaths per year a price worth paying to keep your cars?

      https://en.wikipedia.org/wiki/Motor_vehicle_fatality_rate_in_U.S._by_year

  2. Again by Anonymous Coward · · Score: 2, Informative

    There are automated tools to find this stuff. So why?

    1. Re:Again by tirnacopu · · Score: 1

      A tool that automates will by definition find a repeat of a previous (similar, if smart enough) action. A new programmer, placing in the root password in a new chunk of code, can still do it in so many ways as to be undetectable.

    2. Re:Again by Anonymous Coward · · Score: 0

      Sounds like someone's never heard of unit testing and/or fuzzing...

    3. Re:Again by plopez · · Score: 1

      There are security scanners. They will flag this.

      --
      putting the 'B' in LGBTQ+
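As a worked illustration of the "automated tools will flag this" point in the replies above, here is a small hardcoded-credential scanner. This is an added example, not code from the thread, from Cisco, or from any real scanner; the sample source it scans is constructed for the demonstration, and the identifier keywords and the six-character minimum are assumptions, not anyone's published rule set. It flags quoted string literals assigned to credential-like identifiers and deliberately ignores values that come from the environment or a vault, which is the pattern a reviewer wants instead.

```python
import re

# Constructed sample source (not from any real product): a few assignments a
# scanner should flag and a few it should leave alone.
SAMPLE_SOURCE = """\
db_host = "localhost"
ADMIN_PASSWORD = "maglev1234"
token = os.environ.get("API_TOKEN")
api_key = 'AKIAIOSFODNN7EXAMPLE'
passwd = ""
secret = decrypt(load_from_vault("svc"))
SECRET_KEY = "kjH8!sd9Qz2#pL0xV4tN7w"
"""

# An identifier containing a credential-ish word (assumed keyword list),
# assigned a quoted string literal. Values read from the environment or a
# vault never match because the right-hand side is not a string literal.
CRED_LITERAL = re.compile(
    r"(?i)(?P<name>\w*(?:pass(?:word|wd)?|secret|api_?key|token)\w*)"
    r"\s*[:=]\s*(?P<q>[\"'])(?P<val>[^\"']*)(?P=q)"
)


def mask(value):
    """Keep two characters so a reviewer can locate the literal without the
    finding itself becoming a second copy of the secret."""
    return value[:2] + "*" * (len(value) - 2)


def scan(source, min_len=6):
    """Return one finding per line that assigns a string literal to a
    credential-like identifier. Each finding records the line number, the
    identifier and a masked value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CRED_LITERAL.search(line)
        if not m:
            continue
        val = m.group("val")
        if len(val) < min_len:
            # Empty or trivially short literals are usually "unset" sentinels
            # (e.g. passwd = ""), not shipped credentials.
            continue
        findings.append({"line": lineno, "name": m.group("name"), "masked": mask(val)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} = {f['masked']}")
```

Run against the constructed sample it reports lines 2, 4 and 7 and stays quiet on the environment lookup, the vault call and the empty sentinel. The first reply's caveat still stands: a pattern scanner only finds literals that look like literals, so a review of the authentication path and a test that actually changes the default credential remain the controls that catch what the regex does not.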
  3. Irrefutable facts. by Narcocide · · Score: 4, Insightful

    These passwords were either left there purposefully or accidentally. If they were left there purposefully it may have been done either with or without Cisco's knowledge.

    There is no combination of available possibilities that can be justified by acceptable behavior from a network security hardware vendor of this stature. Either they are effectively completely incompetent or they're effectively completely malicious.

    1. Re:Irrefutable facts. by DigiShaman · · Score: 1

      The only "default password" should be to log into an unboxed device or application, and be REQUIRED to change it before proceeding further. DONE! Solves that problem. Move on.

      --
      Life is not for the lazy.
    2. Re:Irrefutable facts. by scdeimos · · Score: 4, Funny

      Either they are effectively completely incompetent or they're effectively completely malicious.

      We're talking about Cisco here. What makes you think it's an either/or choice?

    3. Re:Irrefutable facts. by Narcocide · · Score: 1

      Well, you're right that in this type of situation there's no such thing as "benign incompetence" and so these are effectively the same result. People who themselves are incompetent may not realize this but may still be redeemable over a long enough time frame. By leaving this part open to interpretation, it still gives those people a seat at the table to continue the conversation.

  4. Re:HILLAY by Anonymous Coward · · Score: 0

    She forgot to check her 6.

  5. Can we get a useful news source please? by Anonymous Coward · · Score: 0

    The actual advisory instead of a badly rehashed clickbaiticle by some nitwit from bleepingcomputer might actually be an improvement. Do we have any competent people do any reporting in this space, or is it really all nitwits writing for other nitwits?

  6. This is why we continue to have these problems by Anonymous Coward · · Score: 4, Interesting

    The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts.

    WTF WTF WTF WTF.

    Unfair criticism? You've got to be shitting me.

    The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

    And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

    1. Re:This is why we continue to have these problems by Anonymous Coward · · Score: 1

      And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

      This is why E.W. Dijkstra advocated talking about "defects" instead of "bugs". They don't just crawl in, someone put them there. Security problems, same thing. Backdoors, even more obviously so, wilfully even.

      If we cared about this sort of thing, we would consistently do exactly that. If we did that, it would also make it that much harder for marketeering and other spin doctors to go give their booboos a cute spin.

      On a slightly tangential note, many manufacturers put such things in and Cisco might be a big name, to those with source access it's not really surprising. Redmond really isn't the only one whose source code is fantastically bad (as we saw with that big fat source code leak a while back). Apparently all the big software companies like to employ lots of monkeys to write their source code for them.

    2. Re:This is why we continue to have these problems by AHuxley · · Score: 1

      FBI? NSA? CIA? Other agency staff keep on doing their job and try to avoid such audits while undercover.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:This is why we continue to have these problems by Nonesuch · · Score: 1

      WTF WTF WTF WTF.

      Unfair criticism? You've got to be shitting me.

      The companies we really should be criticizing are the ones who have many undiscovered backdoors and hardcoded accounts because they've been able to avoid doing internal audits.

    4. Re:This is why we continue to have these problems by drinkypoo · · Score: 1

      The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

      And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

      Or the NSA put them there. Or Cisco has been hacked nine ways from Sunday and hackers put them there. I actually think that last one is the most reasonable explanation. Cisco is one of the most visible targets in the networking world. Getting an exploit into their software means getting it into some of the most important networks on the planet.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:This is why we continue to have these problems by Anonymous Coward · · Score: 0

      The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts.

      WTF WTF WTF WTF.

      Unfair criticism? You've got to be shitting me.

      The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

      And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

      You must be new to IT.

      It’s “enterprise software”... to anyone who’s ever dealt with anything in that category from any vendor, none of this is remotely surprising. They could be anything from default local admin accounts in some forgotten service or a service account meant for integrating different backend components together.

      There are better ways like generating a new CA at install time and issuing client SSL certs to each component, but that causes lots of headaches for admins too. Some stuff asks you for a bunch of different passwords at install time, some probably take your admin password and use it to secure everything else, embedded DB, messaging service, whatever. Just saying, it's ugly and complex when your app consists of multiple embedded DBs, plus external ones, queues, web services, schedulers, equal parts Java, SQL, scripts, and native code, etc.

      Not saying forgive the mistake, but as far as looking for an explanation, I can tell some people here are trying too hard.

      — Sr Unix Admin

    6. Re: This is why we continue to have these problems by Anonymous Coward · · Score: 0

      Bullshit. It is not as convenient as Facebook to handle a bunch of database servers, message queues, directory services? Yeah, it is called WORK.

    7. Re:This is why we continue to have these problems by Anonymous Coward · · Score: 0

      This audit was 3 years ago. Shouldn't the exploit CVE be 2015 and not 2018?

      Have they been sitting around for 3 years to discover a hardcoded password?

    8. Re:This is why we continue to have these problems by Anonymous Coward · · Score: 0

      Also in the article:

      Let's not criticize Cisco

      Their products have serious faults. I think it's very appropriate to talk about them in a disapproving way.

  7. Where was QA? by plopez · · Score: 1

    oh, "We're Agile, we don't need no stinkin' QA"

    --
    putting the 'B' in LGBTQ+
    1. Re:Where was QA? by greenwow · · Score: 1

      Do you work for Microsoft?

  8. QA: Quit Asking by Anonymous Coward · · Score: 0

    Managers don't care about QA except for lip-service checking of the QA-box-complete until something goes wrong, but then promptly don't want to spend the time during normal development schedules as it extends the schedule too much.

    1. Re:QA: Quit Asking by antdude · · Score: 1

      Yep. It's not just Cisco too. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  9. Done on purpose by duke_cheetah2003 · · Score: 1

    I imagine this was done on purpose. And from where I'm sitting, I'm thinking, it did not have malicious intent. It was probably a choice made so Cisco can bail out IT departments that lost passwords to their gear and need a way in. Just my 2 dollars. Inflation sucks, doesn't it?

    1. Re:Done on purpose by beckett · · Score: 1

      And from where I'm sitting, I'm thinking, it did not have malicious intent.

      what data do you have to completely rule out malicious intent?

    2. Re:Done on purpose by Anonymous Coward · · Score: 0

      It was probably a choice made so Cisco can bail out IT departments that lost passwords to their gear and need a way in.

      Do you have a great deal of experience dealing with Cisco?

    3. Re:Done on purpose by Anonymous Coward · · Score: 0

      Things like that can be done such that they require physical access, such as rebooting the router while holding a button down before enabling recovery mode, or a per-device password printed on a label (my non-Cisco router has such). There is zero excuse for a hard-coded password that is always active.
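The two alternatives raised in this thread, a built-in credential that must be changed before anything else works and a recovery path gated on physical presence, fit together in one small model. The following is an added example, constructed for this discussion and not any vendor's implementation; the class name, the restricted "must_change_password" role, the label value and the use of PBKDF2 with a per-device salt are all assumptions made for the demonstration. The only built-in credential is per-device (the label secret), it is stored hashed rather than as a product-wide constant, and it only works at first boot or after the reset button has been pressed, so there is no always-active password in the model at all.

```python
import hashlib
import hmac
import secrets


class DeviceAuth:
    """Constructed model, not any vendor's code.

    The only built-in credential is the per-device secret printed on the label.
    It works at first boot and once after the physical reset button has been
    pressed. In both cases it yields a restricted session whose only permitted
    action is choosing a real administrator password.
    """

    def __init__(self, label_secret):
        self._salt = secrets.token_bytes(16)          # per-device salt
        self._label_hash = self._kdf(label_secret)    # label secret, never stored in clear
        self._admin_hash = None                       # unset until the operator chooses one
        self._first_boot = True
        self._recovery_armed = False                  # only the physical button sets this

    def _kdf(self, password):
        # Slow, salted hash; iteration count kept modest for the demo.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def _matches(self, stored, candidate):
        # Constant-time comparison; an unset credential never matches.
        return stored is not None and hmac.compare_digest(stored, self._kdf(candidate))

    def press_reset_button(self):
        """Physical-presence step: arms one-time recovery with the label secret."""
        self._recovery_armed = True

    def login(self, password):
        """Return a session role or raise PermissionError."""
        if self._matches(self._admin_hash, password):
            return "admin"
        if self._matches(self._label_hash, password):
            if self._first_boot or self._recovery_armed:
                self._recovery_armed = False          # recovery is single-use
                return "must_change_password"
            raise PermissionError("label credential is disabled once provisioned")
        raise PermissionError("invalid credentials")

    def authorize(self, role, action):
        """A must_change_password session can do nothing except set a password."""
        if role == "admin":
            return True
        return role == "must_change_password" and action == "set_password"

    def set_password(self, role, new_password):
        if not self.authorize(role, "set_password"):
            raise PermissionError("not authorised")
        if len(new_password) < 12:
            raise ValueError("password too short")
        self._admin_hash = self._kdf(new_password)
        self._first_boot = False
        return "admin"


def provisioning_walkthrough():
    """Run the lifecycle end to end and return the sequence of observed outcomes."""
    dev = DeviceAuth("LBL-7Q3K-9ZP2")                 # constructed label value
    seen = []
    seen.append(dev.login("LBL-7Q3K-9ZP2"))           # restricted first-boot session
    seen.append(dev.authorize("must_change_password", "show_config"))  # refused
    seen.append(dev.set_password("must_change_password", "operator-chosen-phrase"))
    try:
        dev.login("LBL-7Q3K-9ZP2")                    # label secret now dead
    except PermissionError:
        seen.append("label_rejected")
    seen.append(dev.login("operator-chosen-phrase"))  # real admin login
    dev.press_reset_button()                          # physical presence required
    seen.append(dev.login("LBL-7Q3K-9ZP2"))           # one-time recovery session
    return seen


if __name__ == "__main__":
    print(provisioning_walkthrough())
```

The walkthrough shows the property the thread is asking for: after provisioning, the label secret is rejected until someone physically presses the button, and even then it only opens a session that can set a new password. A shipped constant that works on every unit at all times has no place in this design, which is why a test that exercises exactly this lifecycle is the cheapest check a vendor can add.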

  10. No more Cisco by AndyKron · · Score: 1

    Anybody who buys Cisco products now is an idiot not to be trusted.

  11. Re:HILLAY^H^H^H^H Nixons The One! by Anonymous Coward · · Score: 0

    Dick Nixon will kick Hillys behind.

  12. FTFY by glowworm · · Score: 2

    To: All AmericanTLA
    From: Cisco CEO

    Recently we discovered three vulnerabilities that have meant the unfortunate discovery of one of the many NSA hidden administrative accounts and two of the security bypass accounts for hidden use by the FBI and CIA.

    We here at Cisco want to assure our most important customers that we take the discovery of your backdoors very seriously. We are now sending out a patch to the enterprise muppets that includes a new backdoor on port 6969 with the username/password pair admin:nimda

    Cisco values our AmericanTLA customers greatly and wants to assure you that this unfortunate defect in our backdoor enabling program was only a minor exposure. There were still many hundreds of your usable backdoors undiscovered and at no time was your ability to access private data reduced or compromised.

    God Bless America.
    Chuck
    CEO Cisco

    --
    Orationem pulchram non habens, scribo ista linea in lingua Latina
  13. No by Anonymous Coward · · Score: 0

    "The Cisco DNA Center is a piece of software"

    No. The Cisco DNA Center is a piece of shit.

  14. Re: HILLAY by Anonymous Coward · · Score: 0

    Make Hilary great again?

  15. Crappy Software alert by plopez · · Score: 1

    Having been a programmer and in QA, I have little confidence in developers. This is a sign of:
    1) sloppy programming.
    2) no code reviews.
    3) Crappy test coverage. The application should make provision for changing passwords. *No one* tried changing the password?
    4) Bad QA, or non-existent.
    5) Finally it springs from bad management.

    --
    putting the 'B' in LGBTQ+
    1. Re:Crappy Software alert by gweihir · · Score: 1

      Matches my experience.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re: Crappy Software alert by Anonymous Coward · · Score: 0

      YOU ARE A FAGGOT

    3. Re:Crappy Software alert by Anonymous Coward · · Score: 0

      Nah this is a decision most probably not from dev.
      We have lotsa sloppy programming and no code reviews here, our test coverage sucks and even though we have a good QA team they wouldn't find a mistake like this anyways. But we don't have this issue.
      I think Nr.5 is where the issue is, maybe higher up.

      But maybe ... those developers are like 3 year experienced noobs with no parents watching over their back... then I can understand.

  16. Re: HILLAY by Anonymous Coward · · Score: 0

    Let's hope they will falsify the primaries for her again.

  17. enterprise software by sad_ · · Score: 1

    when i was still in school, me and my friends always had a good laugh about how bad some commercial software was written and how they got away with charging people $20-$100 for their crapfest.
    then i got a job in IT and had to work with 'enterprise' software and discovered a whole new level of fails and couldn't understand why or how they got so many companies to pay, in some cases, millions for it.

    and the worst part? it isn't getting any better!

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:enterprise software by Anonymous Coward · · Score: 0

      exactly.
      I see this all the time.

      The tender with the shortest timeline and lowest price wins.
      Here they are trying to make everyone work 20 hours a day 7 days a week...
      The code already looks like a disaster.

      This is how you get big corporate clients.
      Oh... and we're coming to America xD xD

  18. Re:HILLAY by DickBreath · · Score: 1

    What does Hillary's tour schedule have to do with anything?

    --

    I'll see your senator, and I'll raise you two judges.
  19. Fine by Zamphatta · · Score: 1

    This sort of thing is so incredibly negligent that companies who do this should be fined or something. If only the politicians knew something about cybersecurity, maybe we could get some laws that make sense about it.

  20. Hardcoded password found in Cisco software by najajomo · · Score: 1

    I suspect the Cisco NSA liaison does this routinely until found out by some third party security researcher. How else are they to perform their data collection duties? ref

  21. Huawei by Anonymous Coward · · Score: 0

    So tell me again about how Huawei devices are not secure?