Hardcoded Password Found in Cisco Enterprise Software, Again

Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.

Who the Fuck is Writing the Shit?

[sycodon]

Are they using overseas programmers?

Is this another success of outsourcing?

Re:Who the Fuck is Writing the Shit?

[sit1963nz]

No, this is the NSA, CIA, FBI, DHS , etc etc etc doing their part in making the world less safe.

But don't worry, they were only going to use it responsibly , and as you have nothing to hide its all good....

These are not the exploits you are looking for.......

Re:Who the Fuck is Writing the Shit?

Not in this case. There's little advantage in leaving backdoors if one is making them so obvious that other agencies could easily use them. Actual backdoors are more sophisticated.

Re:Who the Fuck is Writing the Shit?

[AHuxley]

Welcome to PRISM.

Re:Who the Fuck is Writing the Shit?

[gweihir]

Well, is the TLA scum is _this_ stupid in placing their backdoors, then the world is really in fast decline. Not saying they are not this stupid, but if they are that would be very bad.

Re: Who the Fuck is Writing the Shit?

[Kopp]

Why would they bother paying more for talents when so many screwups like this one cost zero $$$ ? Hiring talented workers (note than being an american programmer does not make you necessary a talented one) would either increase costs and price (which is bad for business) or reduce profits and money given to shareholders... again, why would they decide to pay more ?

Re:Who the Fuck is Writing the Shit?

[DickBreath]

Cisco needs to get a lot more serious about security. Best practices would be to make sure that next time it is much more difficult to find what the hardcoded password is.

Re:Who the Fuck is Writing the Shit?

[hattable]

Hang on a minute, your post doesn't demonize the intelligence agencies... So I must ask: why do you hate freedom of speech, the internet, and civil liberties?

Again

There are automated tools to find this stuff. So why?

Re:Again

[tirnacopu]

A tool that automates will by definition find a repeat of a previous (similar, if smart enough) action. A new programmer, placing in the root password in a new chunk of code, can still do it in so many ways as to be undetectable.

Re:Again

[plopez]

There are security scanners. They will flag this.

Irrefutable facts.

[Narcocide]

These passwords were either left there purposefully or accidentally. If they were left there purposefully it may have been done either with or without Cisco's knowledge.

There is no combination of available possibilities that can be justified by acceptable behavior from a network security hardware vendor of this stature. Either they are effectively completely incompetent or they're effectively completely malicious.

Re:Irrefutable facts.

[DigiShaman]

The only "default password" should be to log into an unboxed device or application, and be REQUIRED to change it before proceeding further. DONE! Solves that problem. Move on

Re:Irrefutable facts.

[scdeimos]

Either they are effectively completely incompetent or they're effectively completely malicious.

We're talking about Cisco here. What makes you think it's an either/or choice?

Re:Irrefutable facts.

[Narcocide]

Well, you're right that in this type of situation there's no such thing as "benign incompetence" and so these are effectively the same result. People who themselves are incompetent may not realize this but may still be redeemable over a long enough time frame. By leaving this part open to interpretation, it still gives those people a seat at the table to continue the conversation.

This is why we continue to have these problems

The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts.

WTF WTF WTF WTF.

Unfair criticism? You've got to be shitting me.

The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

Re:This is why we continue to have these problems

And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

This is why E.W. Dijkstra advocated talking about "defects" instead of "bugs". They don't just crawl in, someone put them there. Security problems, same thing. Backdoors, even more obviously so, wilfully even.

If we cared about this sort of thing, we consistently did exactly that. If we did that, it would also make it that much harder for marketeering and other spin doctors to go give their booboos a cute spin.

On a slightly tangential note, many manufacturers put such things in and cisco might be a big name, to those with source access it's not really surprising. redmond really isn't the only one whose source code is fantastically bad (as we saw with that big fat source code leak a while back). Apparently all the big software companies like to employ lots of monkeys to write their source code for them.

Re:This is why we continue to have these problems

[AHuxley]

FBI? NSA? CIA? Other agency staff keep on doing their job and try to avoid such audits while undercover.

Re:This is why we continue to have these problems

[Nonesuch]

WTF WTF WTF WTF.

Unfair criticism? You've got to be shitting me.

The companies we really should be criticizing are the ones who have many undiscovered backdoors and hardcoded accounts because they've been able to avoid doing internal audits.

Re:This is why we continue to have these problems

[drinkypoo]

The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

Or the NSA put them there. Or Cisco has been hacked nine ways from sunday and hackers put them there. I actually think that last one is the most reasonable explanation. Cisco is one of the most visible targets in the networking world. Getting an exploit into their software means getting it into some of the most important networks on the planet.

Where was QA?

[plopez]

oh, "Were Agile we don't need no stinking' QA"

Re:Where was QA?

[greenwow]

Do you work for Microsoft?

Done on purpose

[duke_cheetah2003]

I imagine this was done on purpose. And from where I'm sitting, I'm thinking, it did not have malicious intent. It was probably a choice made so Cisco can bail out IT departments that lost passwords to their gear and need a way in. Just my 2 dollars. Inflation sucks, doesn't it?

Re:Done on purpose

[beckett]

And from where I'm sitting, I'm thinking, it did not have malicious intent.

what data do you have to completely rule out malicious intent?

No more Cisco

[AndyKron]

Anybody who buys Cisco products now is an idiot not to be trusted.

FTFY

[glowworm]

To: All AmericanTLA
From: Cisco CEO

Recently we discovered three vulnerabilities that have meant the unfortunate discovery of one of the many NSA hidden administrative accounts and two of the security bypass accounts for hidden use by the FBI and CIA.

We here at Cisco want to assure our most important customers that we take the discovery of your backdoors very seriously. We are now sending out a patch to the enterprise muppets that includes a new backdoor on port 6969 with the username/password pair admin:nimda

Cisco values our AmericanTLA customers greatly and want to assure you that this unfortunate defect in our backdoor enabling program was only a minor exposure. There were still many hundreds of your usable backdoors undiscovered and at no time was your ability access to private data reduced or compromised.

God Bless America.
Chuck
CEO Cisco

Crappy Software alert

[plopez]

Have been a programmer and QA, I have little confidence in developer. This is a sign of:
1) sloppy programming.
2) no code reviews.
3) Crappy test coverage. The application should make provision for changing passwords. *No one* tried changing the pass word?
4) Bad QA. Or non-existent
5) Finally it springs from bad management.

Re:Crappy Software alert

[gweihir]

Matches my experience.

Re:QA: Quit Asking

[antdude]

Yep. It's not just Cisco too. :(

enterprise software

[sad_]

when i was still in school, me and my friends always had a good laugh about how bad some commercial software was written and how they got away with charging people $20-$100 for their crapfest.
then i got a job in IT and had to work with 'enterprise' software and discovered a whole new level of fails and couldn't understand why or how they got so many companies to pay, in some cases, millions for it.

and the worst part? it isn't getting any better!

Re:HILLAY

[DickBreath]

What does Hillary's tour schedule have to do with anything?

Fine

[Zamphatta]

This sort of thing is so incredibly negligent, that companies who do this, should be fined or something. If only the politicians knew something about cybersecurity, maybe we could get some laws that make sense about it.

Hardcoded password found in Cisco software

[najajomo]

I suspect the cisco NSA liason does this routinely until found out by some third party security researcher. How else are they to perform their data collection duties. ref