A Fifth Undocumented Cisco Backdoor Has Been Discovered (bleepingcomputer.com)
Cisco released 25 security updates Wednesday, including a critical patch removing an undocumented password for "root" accounts of Cisco Policy Suite (sold to ISPs and large corporate clients). "The vulnerability received a rare severity score of 9.8 out of a maximum of 10 on the CVSSv3 scale," reports Bleeping Computer.
An anonymous reader quotes Tom's Hardware: Over the past few months, not one, not two, but five different backdoors joined the list of security flaws in Cisco routers.... In March, a hardcoded account with the username "cisco" was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely. That same month, another hardcoded password was found for Cisco's Prime Collaboration Provisioning software, which is used for remote installation of Cisco's video and voice products. Later this May, Cisco found another undocumented backdoor account in Cisco's Digital Network Architecture Center, used by enterprises for the provisioning of devices across a network. In June, yet another backdoor account was found in Cisco's Wide Area Application Services, a software tool for Wide Area Network traffic optimization...
Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.
Why would Cisco have to put an end to it? Nobody in their right mind would touch Cisco products anymore. Let 'em swing by their own backdoors.
I can only assume that Cisco has moved on from selling to the engineering teams to selling to the c-suite. That's the only explanation I can come up with for a company with multiple back-doors found in their products still being able to make sales.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
... back across the border.
BUILD THAT (fire)Wall!!!
It little behooves the best of us to comment on the rest of us.
Cisco's Password Collaboration Provisioning software
It must have been something you assimilated. . . .
We’re going to FIVE backdoors.
#DeleteChrome
Most of these came from a massive code review Cisco has been doing through their entire software codebase, which across all their products is truly massive. They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
1) Cisco inherited the backdoors as they've bought product lines instead of creating them. Cisco is now in the merger business, not the engineering business
2) malicious actors inside or outside the company are exploiting a weak security environment
3) The competent cisco engineers left and now they really are just incompetent.
My guess is a combination of 1) and 3), but I sure wouldn't discount this as a deliberate campaign by a malicious state actor to gain control of the internet.
They have low-waged NSA workers writing code, they knowingly allow it, and the back door just slipped right in...
Your Average Joe
I wonder if any of these back doors were created at the Request of a TLA.
I wonder if a 'too good' security patch will blind them.
I just wonder about ALL those back doors.
They can't be that sloppy, can they?
Pretty much. Anyone still buying Cisco products won't stop just because of something like this.
Easy. An accountant bean counter got a dinner from Infosys or Tata and nearly shit his pants at the promised cost savings.
The Indian salesmen promised him a nice 6 fig bonus for being so smart ...
Cisco doesn't hire Americans and always goes for cheap talent to drive the share price up
http://saveie6.com/
As a person that works in provisioning, VPN, and remote setup, this really complicates my life. This was the last backdoor I had to all the CISCO gear. If anyone knows of another backdoor, could you please message me. What a pain, now customers are going to have to give me their password.
$100 on these back-doors were govt mandated access
If the password is admin or root or 12345 or written in the installation PDF I guess?
A Fifth Undocumented Cisco Backdoor...
Cisco has been allowing undocumented immigrants into the country?! Oh my!
Let us begin, brothers, to serve the Lord God, for up to now we have made little or no progress.
Cisco's stock isn't in the toilet for reasons which aren't immediately apparent.
Requiem for the American Dream
How the hell can a company that acts all serious have flaws like this?
I'm no conspiracy theorist, but IMHO the only way obvious things like these didn't get caught in code review or QA is that these backdoors are there on purpose.
Or can anyone come up with a legitimate excuse for this?
Then claim the janitor did the code.
No one ever got fired for buying cisco...for some reason, unfortunately.
I object to power without constructive purpose. --Spock
There is no such thing as "cheap talent."
I object to power without constructive purpose. --Spock
They decided to void them because you are wrong. And a menace.
-- I ignore anonymous replies to my comments and postings.
So this is the code review that apparently led to releasing so many backdoors up to this point.
The only code review that means anything is the one that comes from the computer's owner or someone the computer owner trusts, not a proprietor's claim to users or media. The only way to implement what computer owners need is to use free software for all of their computer's software without exceptions.
Digital Citizen
How about we all stop kidding ourselves, the 'undocumented passwords' were put in there at the behest of the NSA.
There is no such thing as "cheap talent."
Not according to the guys with MBAs. Only managers have talent of course and each employee is a black box with fixed production output measurable by Excel and MS Project. Just ask any of them. If they don't add value, then go cheap and cash in.
http://saveie6.com/
I can only assume that Cisco has moved on from selling to the engineering teams to selling to the c-suite.
That strategy served Microsoft very well back in the day
Pain is merely failure leaving the body
I've never been a fan of Cisco, Microsoft, or "corporate tech giants".
Most of the systems engineering people in my generation (the old guys) can build routers. Give them a PC or a chassis, Linux or BSD, and in an hour it will be a router with security features that can be used to keep data safe.
But corporate America seems to like appliances. I can understand it for multiport bridges (that's a switch for you young people). But for routing and security an appliance seems a bad idea because of planned obsolescence and the closed nature of the architectures.
Plus... when you buy a security or routing appliance... you only know what the manufacturer tells you about it- and "certified" people only know how to configure it while sometimes having an alarming lack of understanding TCP/IP.
In my view trading knowledge for cost savings is a big issue. Sure there's a balance sheet advantage to buying appliances and perhaps using certified contractors to run them. But the cost comes up when a failure comes up requiring real know-how.
Heck- I know of one company that is on their third revision of warehouse WIFI because none of the people they brought in understand microwave radio in an environment with a great deal of RF reflective metal. They know to use LMR600 cabling because Cisco specs it. But they do not know why. And they do not analyze how the tech will actually be used. So every revision of the network design performs badly.
That's just one example. But it's rife in the industry. So much so that I moved into industrial programming because so few people are doing it and there's a high demand in my area. And they still care about "knowledge"... especially when it comes to programming old industrial systems with new safety controls.
So when I hear about back doors in commercial products, I ask the same question: does trading knowledge for appliances actually make a business work better?
Shouldn't the people running the network actually know how it works and what's on the network?
The MBAs say no.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
... that the parents of the Southpark children wanted to get back so eagerly in https://en.wikipedia.org/wiki/... (it is called "Backdoor Sluts 9").
Just buy Huawei or ZTE, there, only the one backdoor from the Chinese government is built-in.
Yeah well, because the computers are all shit that leaves all us folks who actually bother to secure our routers with no competitive edge over people who just slap together a vendor-provided template and call it a day... only in rare cases do the hackers actually have to resort to attacking the network infrastructure.
(Anyway this is why I don't allow the "management" systems any write access or access to the password MIBs. I'll set up my own backups and deployment scripts, thank you, and I don't want your significantly-worse-code-quality-than-the-routers bloatware making any changes... visibility is all it's good for. I don't mind entering passwords a few extra times a day if it helps me sleep at night.)
Someone had to do it.
OK, I'm not sure if some folks are serious here, or joking, but backdoors in software and firmware ALWAYS exist, and are quite necessary for troubleshooting; when you have gear deployed all over the world, and have to maintain/troubleshoot/update that gear...
And your realm of responsibility might in fact be exactly that.
Now understand that Cisco does not have that responsibility, it delegates that to the end-user. People go through years of training in order to obtain the highest Cisco certifications. Bottom line is those who know what they're doing are not going to lock themselves out, and will put in their own backdoor accounts that are properly secured. And any Cisco router can be "cracked" with local physical access, which is the ultimate backdoor.
The problem here is when backdoors are NOT disclosed to the end-user and that "undisclosed" information gets leaked. It could be abused for years before it is disclosed to the general public.
I released an app to production last week and damned if some stupid back door spontaneously showed up.
I swear I didn't put it in.
Maybe it's the compiler, eh?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Juniper seems popular with the non c-suite folks. It is faster and much easier and cheaper to manage. But they are not cisco so they are limited to MDF data centers mostly.
http://saveie6.com/
Yep. That is how to do it. Another thing is C Suite folks love working with architects from consulting companies and ignoring their own staff for projects. So what Microsoft and Cisco do is have a gold level partnership. Want to keep it? Then hire CCIE and MCSE on your staff and sell a certain quota of their products etc.
So when they reach out it is a Microsoft and Cisco solution by default to keep their gold level certification.
http://saveie6.com/
I went to a tech college and after graduating my next steps were to get my A+, MCSE and CCNA. That's when I started getting into Linux and open source software in general. I swayed from getting my certs (I'm an independent tech consultant now) and I'm really glad I did. I know there aren't many FOSS alternatives to Cisco/Juniper equipment but if I spent all that time learning the ins and outs of Cisco proprietary equipment, I would have felt it was a big waste of time knowing that, after all my trying to secure things, there's a fucking backdoor (x5) in their stuff. Makes me sick.
It is pitch black. You are likely to be eaten by a grue.
There is no such thing as "cheap talent."
Not according to the guys with MBAs. Only managers have talent of course and each employee is a black box with fixed production output measurable by Excel and MS Project. Just ask any of them. If they don't add value, then go cheap and cash in.
If you are not sales, then you are overhead.
Let's not forget about these amazing thought leaders and CEOs? I mean Marissa at Yahoo put in an adjacent office as a daycare for her kid so she can sit back and day dream with meetings and have these amazing thoughts that turn into code and cash. She can't be bothered as thoughts and big offices create sales and deserve insane bonuses without having to produce anything.
The only exception I have seen is in oil companies where they had insane layoffs. All the managers kept their jobs and shafted the oil workers. Now we have hundreds of managers with 1 to 2 employees each and still wondering why they can't make money with all these idea creators around?
http://saveie6.com/
Company provided day care actually sounds like a good idea but I assume your point was that this was for the top CEO only. The less employees have to worry about family responsibilities, the more effective workers they should be.
Marissa got rid of work at home, if you remember, then created the daycare just for her.
Talk about a morale killer right there.
http://saveie6.com/