Slashdot Mirror


Cisco Removes Backdoor Account, Fourth Incident in the Last Four Months (bleepingcomputer.com)

For the fourth time this year, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and, by extension, to customer networks. From a report: This time around, the hardcoded password was found in Cisco's Wide Area Application Services (WAAS), a software package that runs on Cisco hardware to optimize WAN traffic management. This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon. SNMP stands for Simple Network Management Protocol, an Internet protocol for collecting data about and from remote devices. The community string was there so SNMP servers knowing the string's value could connect to the remote Cisco device and gather statistics and system information about it.

51 comments

  1. Fool me once, shame on you... by K.+S.+Kyosuke · · Score: 4, Insightful

    ...fool me four times, I still won't get fired for buying Cisco?

    --
    Ezekiel 23:20
    1. Re:Fool me once, shame on you... by Anonymous Coward · · Score: 0

      I switched to Linksys because of this. Bye bye Cisco, we'll be seeing ya.

    2. Re: Fool me once, shame on you... by Anonymous Coward · · Score: 1

      Linksys is a cisco subsidiary....

    3. Re:Fool me once, shame on you... by Anonymous Coward · · Score: 0

      Linksys? What models did you buy? Did you buy models that were manufactured before or after Cisco owned Linksys? Or did you buy models that were manufactured when Belkin owned Linksys after purchasing from Cisco? Or did you buy models that were manufactured after Foxconn acquired Linksys when they bought Belkin?

    4. Re: Fool me once, shame on you... by Anonymous Coward · · Score: 0

      Don't forget HP, they assemble the Cisco boxes and load the software.

    5. Re: Fool me once, shame on you... by Anonymous Coward · · Score: 0

      (used to be)

    6. Re: Fool me once, shame on you... by Anonymous Coward · · Score: 0

      dude you're fucking stupid,,
      Flextronix or FauxCon
      HP can't finger themselves if they had a hole the size of the Grand Canyon.
      Hell Even msmash can't Finger them..

    7. Re: Fool me once, shame on you... by Anonymous Coward · · Score: 0

      rather HP can't Finger msmash if she was sporting a GrandCanyon CamelToe

    8. Re:Fool me once, shame on you... by bill_mcgonigle · · Score: 1

      You'll get fired for buying Cisco in my company but not in the Fortune 500, where blame is paramount to functionality. Cisco sells "blame us" for huge dollar values.

      Speaking of which, are any of the open-platform linux 10-gig switches under $5K yet?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Code Reviews by sycodon · · Score: 1

    They aren't an excuse for eating bagels.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re: Code Reviews by Anonymous Coward · · Score: 0

      You can verify all the testing backdoors are guarded with #ifdef DEBUG in a peer review. Good luck preventing CM from releasing a misconfigured build.

    2. Re: Code Reviews by johanw · · Score: 1

      It would not be the first time someone released a debug build in the wild.

  3. No news here by Anonymous Coward · · Score: 1

    The string is probably "public."

    1. Re:No news here by shaitand · · Score: 1

      It is news... the pattern suggests someone is actively cleaning house at cisco.

  4. It's okay by Anonymous Coward · · Score: 0

    Don't worry, I'm sure they added two more pursuant to the direction of The Man, with authority under an order issued by the [REDACTED] Court (which totally doesn't exist, promise).

  5. Cisco Products by Anonymous Coward · · Score: 0

    Cisco RedRoof Inn, "We'll always leave the backdoor in for ya."

    1. Re:Cisco Products by Anonymous Coward · · Score: 0

      Cisco RedRoof Inn, "We'll always leave the backdoor in for ya."

      I think you meant to parody Motel 6....

    2. Re:Cisco Products by Anonymous Coward · · Score: 0

      Cisco RedRoof Inn, "We'll always leave the backdoor in for ya."

      I think you meant to parody Motel 6....

      He/she is likely a foreign national from Asia with no notion of motel advertisements. But you did expose a candidate for deportation. Call DHS and collect two hundred dollars while he/she goes to jail without collecting same.

  6. How can this be so difficult? by Anonymous Coward · · Score: 1

    Certainly these types of things would be picked up by the rigorous and extensive code audit that all firmware at Cisco must undergo before being RTM right?

    1. Re:How can this be so difficult? by Anonymous Coward · · Score: 0

      Yes, it would have checked to see that they were still there.

  7. This sort of thing really gets the wrong spin by shaitand · · Score: 1, Interesting

    Is it good that there were backdoors in the products? Of course not. But a rash of these sort of incidents being reported in a short time isn't a bad thing, it means someone is reviewing, cleaning house, and being transparent about it which is actually a good sign going forward. This kind of thing isn't a reason to dump a company or service it's more like six months ago you should have dumped them and didn't know it but now they are actually stepping up and whoever you switch to might be hiding all kinds of skeletons.

    1. Re:This sort of thing really gets the wrong spin by klingens · · Score: 1

      It shows Cisco is riddled with incompetent developers who are too stupid to get even the most simple hello world problem: "do not put backdoors in your work" wrong. So it doesn't matter if there is now a single guy on top who goes through all the code and makes them work it over. It means the developers there are too stupid to be trusted with anything. And all those lines by those same stupid developers are still in there. They still made the millions or even billions of LOC in Cisco firmware which Cisco cannot change, since it makes up the value of the company. They cannot change IOS suddenly to something that actually works without NSA backdoors and exploits.

      Also, we haven't heard or seen of any mass firing at Cisco, so these same developers who put in the backdoors last year will write the firmware for the Cisco router you want the public to buy next year.

    2. Re:This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      "Stupid developers"? How can you be so presumptuous?

      Stupid people generally don't get to become developers at Cisco.

      As a developer, I can say that most bad ideas such as these backdoors, originate from product requirements (sales teams, management, etc) and not from developers themselves. I'd bet that the developers in charge of implementing these backdoors did raise concerns and push back, but got the "my way or the highway" schpeel from their management.

    3. Re:This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      Is it good that there were backdoors in the products? Of course not. But a rash of these sort of incidents being reported in a short time isn't a bad thing, it means someone is reviewing, cleaning house, and being transparent about it which is actually a good sign going forward. This kind of thing isn't a reason to dump a company or service it's more like six months ago you should have dumped them and didn't know it but now they are actually stepping up and whoever you switch to might be hiding all kinds of skeletons.

      I'm getting a kick out of all the "outrage" over a hard coded read-only SNMP community string. There used to be actual IT ops professionals that showed up here, at least for technical posts. /sigh

    4. Re:This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      It shows Cisco is riddled with incompetent developers who are too stupid to get even the most simple hello world problem: "do not put backdoors in your work" wrong.

      If you don't even know how to connect to an SNMP server, then you're wasting electrons posting here. Seriously, the non-IT people... and "web developers" are standing out in this thread like Christmas lights in July.

      If you DID know anything about SNMP, then a default community string found in enterprise IT software would rate between a mild eye roll or silently muttered "dumbass". This is up there with "did not require sufficiently complex passwords" grade "vulnerabilities".

      You guys would shit your pants if you saw actual IT security scan results where you work.

    5. Re:This sort of thing really gets the wrong spin by AlwinBarni · · Score: 1

      At least Cisco PR is up to the task.
      Wasn't that always someone else (outside the company) finding those backdoors - just saying.

    6. Re:This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      Cisco-shill much? They're cleaning house alright, after being caught by security researchers. Now they're closing one door, and putting in another, and you'll read about it in a few months when they get caught again.

      Cisco are putting in doors for U.S. gov, and it's precisely why nobody should listen to them, or buy their products.

    7. Re:This sort of thing really gets the wrong spin by gravewax · · Score: 1

      bullshit. There are only 2 conclusions you can draw from this
      a) CISCO's development process is fundamentally broken and their security vetting so flawed as to be laughably competent or
      b) they are intentionally malicious.
      neither scenario is good news. These are not standard security flaws that should be expected and discovered.

    8. Re:This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      Also, we haven't heard or seen of any mass firing at Cisco, ....

      You haven't been paying attention - Cisco has been laying off good engineers for years now

    9. Re:This sort of thing really gets the wrong spin by AHuxley · · Score: 1

      The brands that buy the product need help often so the backdoor is the only way to help. All part and parcel of working with the modern global internet.
      The NSA demands such support and it has to be done.

      That's the very best way of thinking about it. It's just part of the product line. To help the consumer, to help the NSA.

      The next options are much more fun.
      The NSA and other US agencies have placed staff in a lot of big brands who do this code "undercover" and live for every generation of product.
      Other US cyber contractors find the backdoor and report it to the FBI.
      The FBI goes looking for the spies and finds an NSA operation domestically. The FBI looks around and finds a way in.
      The backdoor is removed much later but the FBI cannot comment on the NSA.
      It's all for global police requests. Police in different nations demand such access and backdoors. No backdoor and the export deal fails.
      So every export product ships with a police-ready backdoor. Police around the world then allow their own respective gov to use the products.
      The NSA and FBI are happy with that.
      Rather than alert the world to many nations' police deep in every network and computer system, it's just a "backdoor" that is discovered and reported on and nobody really knows much.

      So what's more of a happy ending?
      It's for the consumers, for support?
      It's the good NSA? It's the NSA spying and later the FBI?
      It's lots of police? And a few nations' mil looking for spies in their own nations? GCHQ likes to watch all networks in Ireland too?
      Everyone is winning until the police backdoor is found :)

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re: This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      I would hardly consider a read only snmp string a backdoor.

    11. Re:This sort of thing really gets the wrong spin by Anonymous Coward · · Score: 0

      I am getting a kick out of the CISCO shills trying to play down a security exposure that should have never been there in the first place.

    12. Re:This sort of thing really gets the wrong spin by shaitand · · Score: 1

      Everyone is losing who isn't some flavor of police.

    13. Re:This sort of thing really gets the wrong spin by AHuxley · · Score: 2

      It's amazing all this can stay in place and no users, experts ever really comment over the productive use of product lines. For generations.
      That's some interesting power over publication and research.

      --
      Domestic spying is now "Benign Information Gathering"
  8. I thought this was standard for SNMP by Anonymous Coward · · Score: 0

    I thought everything had an open read-only account for getting SNMP data. I've used them on all kinds of equipment and didn't think it was a problem.

    1. Re:I thought this was standard for SNMP by Anonymous Coward · · Score: 0

      Having such an account is okay. Having the credentials hard-coded into the router firmware is bad.

    2. Re:I thought this was standard for SNMP by pnutjam · · Score: 1

      Maybe ok, only on a controlled network. It's certainly not ideal. SNMP supports authentication now and has for over a decade.
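
The story summary describes the flaw as a read-only community string hardcoded into the SNMP daemon's configuration file, and the comment above points out that SNMP has offered real authentication (SNMPv3) for over a decade. The script below is an added example, not Cisco's code and not anything from the WAAS product or net-snmp: it audits a net-snmp-style snmpd.conf for SNMPv1/v2c community strings, rates each one (write access or a well-known default such as "public" is high, read-only from any source is medium, read-only with a source restriction is low), flags SNMPv3 users allowed in with no authentication, and shows that a configuration using only an authenticated, encrypted SNMPv3 user produces no findings. The directive names are real net-snmp syntax; both configuration files, the user names and the passphrases are constructed for the demonstration.

```python
"""Audit an snmpd.conf-style file for access granted by a shared secret.

Added example (not Cisco's or net-snmp's code). Recognised net-snmp
directives: rocommunity/rwcommunity (and the IPv6 forms), com2sec,
rouser/rwuser. Sample configurations are constructed.
"""

# Community strings commonly shipped as vendor defaults.
DEFAULT_COMMUNITIES = {"public", "private"}

SEVERITY_ORDER = ["low", "medium", "high"]

# Constructed: the kind of file a product image might ship with.
WEAK_SNMPD_CONF = """\
# constructed example, not a real product configuration
rocommunity public
rwcommunity s3cr3t 10.0.0.0/8
com2sec readonly default public
rocommunity monitor-only 192.0.2.0/24
rouser legacy noauth
"""

# Constructed: one SNMPv3 user with authentication and privacy, no communities.
HARDENED_SNMPD_CONF = """\
# constructed example; passphrases are placeholders, set per device
createUser monitor SHA "constructed-auth-passphrase" AES "constructed-priv-passphrase"
rouser monitor priv
"""


def _strip_comment(raw):
    """net-snmp treats '#' as the start of a comment."""
    return raw.split("#", 1)[0].strip()


def audit_snmpd_conf(text):
    """Return one finding per directive that grants access via a community
    string written into the file, or grants SNMPv3 access without auth."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive in ("rocommunity", "rocommunity6",
                         "rwcommunity", "rwcommunity6") and len(parts) >= 2:
            # rocommunity COMMUNITY [SOURCE ...]
            community = parts[1]
            source = parts[2] if len(parts) >= 3 else None
            if directive.startswith("rw"):
                severity = "high"    # write access behind a shared secret
            elif community.lower() in DEFAULT_COMMUNITIES:
                severity = "high"    # read-only, but the secret is guessable
            elif source is None:
                severity = "medium"  # read-only, reachable from any source
            else:
                severity = "low"     # read-only, source-restricted
            findings.append({"line": lineno, "directive": directive,
                             "community": community,
                             "source": source or "any", "severity": severity})

        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec NAME SOURCE COMMUNITY: read/write is decided later by
            # group/access lines, so rate on the string itself.
            community = parts[3]
            severity = "high" if community.lower() in DEFAULT_COMMUNITIES else "medium"
            findings.append({"line": lineno, "directive": directive,
                             "community": community,
                             "source": parts[2], "severity": severity})

        elif directive in ("rouser", "rwuser") and len(parts) >= 3 \
                and parts[2].lower() == "noauth":
            # SNMPv3 user admitted without authentication.
            findings.append({"line": lineno, "directive": directive,
                             "community": None, "source": "any",
                             "severity": "medium"})
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'clean' if there are none."""
    if not findings:
        return "clean"
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        found = audit_snmpd_conf(conf)
        print(f"{name}: {worst_severity(found)}")
        for f in found:
            print(f"  line {f['line']}: {f['directive']} "
                  f"community={f['community']} source={f['source']} "
                  f"[{f['severity']}]")
```

Run against a real snmpd.conf (or a configuration file carved out of a firmware image) the same logic separates "a community string exists" from "a community string is shared by every unit of the product": any string baked into the shipped file is known to anyone with the image, which is why the hardened variant stores no secret at all and leaves the SNMPv3 passphrases to be set per device.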

  9. C'mon Cisco by DickBreath · · Score: 4, Funny

    Cisco needs to get serious about making its hardcoded back doors less easy to find.

    --

    I'll see your senator, and I'll raise you two judges.
  10. Agreed Re:C'mon Cisco by Anonymous Coward · · Score: 0

    Backdoors are for friends and family.

    Crooks need a hardcoded window entrance.

    1. Re:Agreed Re:C'mon Cisco by Anonymous Coward · · Score: 0

      if you make back doors illegal then only criminals will have back doors...

  11. Quake backdoor by Anonymous Coward · · Score: 0

    I learned backdoors are stupid ~20 years ago when Id Software put a backdoor in Quake. http://insecure.org/sploits/qu...

  12. HAW. HAW? ow! by Thud457 · · Score: 1

    probably seineeWerAsreenignErepinuJ

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  13. No need to worry about Kaspersky or Huawei. by technoid_ · · Score: 1

    We don't need Russian or Chinese companies to open Americans' devices to foreign governments, Cisco is doing a good job by themselves.

    --
    Two wrongs don't make a right, but 3 lefts do - Lew of GO magazine
  14. This is why you do not trust Cisco by Anonymous Coward · · Score: 0

    or their statements on cyber-security investigations where they claim Russia, China or North Korea hacked someone, or any of their hardware.

    They don't just "forget" credentials and doors in their products, they put them all in there to give Gov access, and whenever they're caught they just remove one door, and put in another.

  15. time to Ban Cisco? by Anonymous Coward · · Score: 0

    And yet it is Kaspersky that is banned?

  16. all I hear is... by Anonymous Coward · · Score: 0

    All I hear is developers use the same defense as the Nazis did. "Nein! I vas just following mein orders."
    It was a poor excuse then, and it's a poor excuse now.
    I have already quit my job instead of doing something unethical (and was almost blackballed). What's your excuse, you pathetic, cowardly developers?
    PS. Your Yiddish/German is horrible. It's "spiel", not "schpeel". Of course, since you are a self-professed developer (and probably a goyishe kop) this is to be expected..

    1. Re:all I hear is... by Anonymous Coward · · Score: 0

      My "excuse" is: I need the income to survive. OK, boss wants a back door into a potentially life saving/jeopardizing system... in it goes. You want to pay for me to live, I will gladly live up to your ethical standards sir. Until then, it's what management wants as they sign the checks.

    2. Re:all I hear is... by Anonymous Coward · · Score: 0

      How pathetic is your existence that you simply accept this?

    3. Re:all I hear is... by Anonymous Coward · · Score: 0

      Wow. Cash for your ethics. And people wonder why the world is so messed up.

  17. Exactly! by Anonymous Coward · · Score: 0

    That's exactly the problem. They are laying off good engineers and keeping developers.

  18. Maybe... by Anonymous Coward · · Score: 0

    Maybe that's why the Government Lab I work at switched to Juniper a few years ago.