Slashdot Mirror


A Fifth Undocumented Cisco Backdoor Has Been Discovered (bleepingcomputer.com)

Cisco released 25 security updates Wednesday, including a critical patch removing an undocumented password for "root" accounts of Cisco Policy Suite (sold to ISPs and large corporate clients). "The vulnerability received a rare severity score of 9.8 out of a maximum of 10 on the CVSSv3 scale," reports Bleeping Computer.

An anonymous reader quotes Tom's Hardware: Over the past few months, not one, not two, but five different backdoors joined the list of security flaws in Cisco routers.... In March, a hardcoded account with the username "cisco" was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely. That same month, another hardcoded password was found for Cisco's Prime Collaboration Provisioning software, which is used for remote installation of Cisco's video and voice products. Later this May, Cisco found another undocumented backdoor account in Cisco's Digital Network Architecture Center, used by enterprises for the provisioning of devices across a network. In June, yet another backdoor account was found in Cisco's Wide Area Application Services, a software tool for Wide Area Network traffic optimization...

Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.

17 of 118 comments

  1. Re:Why buy? by 110010001000 · · Score: 2

    They had sales of $12.5 billion last quarter. Someone is buying a ton of the stuff.

  2. Re:Why buy? by weilawei · · Score: 2

    They will of course find a scapegoat--surely they use version control. Said scapegoat will be fired, and then it'll be on to the next set of backdoors.

  3. Re:How is this possible by mhkohne · · Score: 4, Insightful

    I can only assume that Cisco has moved on from selling to the engineering teams to selling to the c-suite. That's the only explanation I can come up with for a company with multiple back-doors found in their products still being able to make sales.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.

  4. Code review by jeffasselin · · Score: 2

    Most of these came from a massive code review Cisco has been doing through their entire software codebase, which across all their products is truly massive. They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.

    1. Re:Code review by Anonymous Coward · · Score: 3, Insightful

      Most of these came from a massive code review Cisco has been doing through their entire software codebase, which across all their products is truly massive. They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.

      No. Just fucking no.

      There is no reason. NO REASON to put a hard-coded default username/password into any software or hardware. None. Not even for "debugging" purposes. A retarded 12 year old who has never seen a computer could understand that this is a really stupid idea.

    2. Re:Code review by drinkypoo · · Score: 2

      They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.

      Any competent intelligence agency would request that the backdoors look like debugging features left in inadvertently.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  5. Re:Why buy? by postbigbang · · Score: 3, Insightful

    No one falls on their sword these days, or even admits anything because: lawyers. And no one gets fired.

    After all, one is a mistake, three is a bit more than oopsy-doo, and five? Well, five is: "We never did give a shit. Are my stock options ready yet? This junior coder gig has to pay me at least something."

    --
    ---- Teach Peace. It's Cheaper Than War.

  6. Re:In order of likelihood by darkain · · Score: 2

    When the user name is literally "cisco", who did they inherit that from?

  7. Re:In order of likelihood by Anonymous Coward · · Score: 2, Interesting

    0.5 NSA
    1.5 debug backdoors used during development were never removed

  8. Re: How is this possible by Billly+Gates · · Score: 2

    Easy. An accountant bean counter got a dinner from Infosys or Tata, and he nearly shit his pants at the promised cost savings.

    The Indian salesmen promised him a nice 6 fig bonus for being so smart ...

    Cisco doesn't hire Americans and always goes for cheap talent to drive the share price up.

  9. Not the 5th back door ... nooooo..... by Proudrooster · · Score: 4, Funny

    As a person that works in provisioning, VPN, and remote setup, this really complicates my life. This was the last backdoor I had to all the CISCO gear. If anyone knows of another backdoor, could you please message me. What a pain, now customers are going to have to give me their password.

  10. Is there any legitimate reason for this to happen? by schweini · · Score: 2

    How the hell can a company that acts all serious have flaws like this?
    I'm no conspiracy theorist, but IMHO the only way obvious things like these didn't get caught in code review or QA is that these backdoors are there on purpose.
    Or can anyone come up with a legitimate excuse for this?
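
    Comments 4 and 10 both turn on whether a leftover debug account should survive code review or QA. The following is an added example, not Cisco's code or anything from the thread: a hypothetical pre-merge gate that scans source, config and templates for string literals assigned to credential-looking names, ignores obvious placeholders, and requires a visible opt-out marker for test fixtures. The sample file tree, the marker text and the name patterns are all constructed for the example.

```python
"""Hypothetical pre-merge credential gate (added example, not Cisco's code).
Flags string literals assigned to credential-looking names in source,
config and templates; placeholders are ignored; test fixtures must carry
an explicit, reviewable opt-out marker."""
from __future__ import annotations
import re
from dataclasses import dataclass

CRED_NAME = r"(?:user(?:name)?|login|pass(?:word|wd)?|secret|token|api_key)"
# name = "literal"  |  name := 'literal'  |  name: "literal" (YAML/JSON-ish)
ASSIGN_RE = re.compile(
    rf"\b(?P<name>[A-Za-z_]*{CRED_NAME}[A-Za-z_]*)\s*(?:=|:=|:)\s*"
    r"(?P<q>[\"'])(?P<value>[^\"']+)(?P=q)", re.IGNORECASE)
# Values that are templates or obvious placeholders, not real secrets.
PLACEHOLDER_RE = re.compile(r"^(?:\$\{?\w+\}?|<[^>]+>|%s|\{\}|changeme)$", re.I)
ALLOW_MARK = "credential-scan: allow"   # opt-out comment, visible in review

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    name: str
    value: str

def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per hard-coded credential literal in `text`."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARK in line:          # reviewed fixture, skip
            continue
        m = ASSIGN_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group("value")):
            found.append(Finding(path, lineno, m.group("name"), m.group("value")))
    return found

def gate(files: dict[str, str]) -> list[Finding]:
    """CI entry point: a non-empty result means the merge should be blocked."""
    return [f for path, text in files.items() for f in scan_source(path, text)]

# Constructed sample tree: a leftover debug account, env/templated values
# that must pass, and a fixture with an explicit opt-out.
SAMPLE_FILES = {
    "auth/debug_login.c": '/* left over from board bring-up */\n'
                          'static const char *DEBUG_USER = "cisco";\n'
                          'static const char *DEBUG_PASS = "cisco123";\n',
    "config/settings.py": 'admin_user = os.environ["ADMIN_USER"]\n'
                          'db_password = "${DB_PASSWORD}"\n'
                          'api_token = "deadbeef"  # credential-scan: allow\n',
    "deploy/values.yaml": 'image: cps/controller:1.2\nroot_password: "Sup3rS3cret"\n',
}

if __name__ == "__main__":
    for f in gate(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: hard-coded credential in {f.name}")
```

    A pattern scan like this only catches literals the regex recognises; it complements, rather than replaces, the human review of authentication code paths.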

  11. Re: How is this possible by datavirtue · · Score: 2

    There is no such thing as "cheap talent."

    --
    I object to power without constructive purpose. --Spock
  12. Re: How is this possible by Billly+Gates · · Score: 2

    There is no such thing as "cheap talent."

    Not according to the guys with MBAs. Only managers have talent of course and each employee is a black box with fixed production output measurable by Excel and MS Project. Just ask any of them? If they don't add value then go cheap and cash in.

  13. Re:How is this possible by haruchai · · Score: 2

    I can only assume that Cisco has moved on from selling to the engineering teams to selling to the c-suite.

    That strategy served Microsoft very well back in the day.

    --
    Pain is merely failure leaving the body

  14. Cognitive dissonance... by beheaderaswp · · Score: 2

    I've never been a fan of Cisco, Microsoft, or "corporate tech giants".

    Most of the systems engineering people in my generation (the old guys) can build routers. Give them a PC or a chassis, Linux or BSD, and in an hour it will be a router with security features that can be used to keep data safe.

    But corporate America seems to like appliances. I can understand it for multiport bridges (that's a switch for you young people). But for routing and security an appliance seems a bad idea because of planned obsolescence and the closed nature of the architectures.

    Plus... when you buy a security or routing appliance... you only know what the manufacturer tells you about it, and "certified" people only know how to configure it while sometimes having an alarming lack of understanding of TCP/IP.

    In my view trading knowledge for cost savings is a big issue. Sure there's a balance sheet advantage to buying appliances and perhaps using certified contractors to run them. But the cost comes up when a failure comes up requiring real know-how.

    Heck, I know of one company that is on their third revision of warehouse WIFI because none of the people they brought in understand microwave radio in an environment with a great deal of RF reflective metal. They know to use LMR600 cabling because Cisco specs it. But they do not know why. And they do not analyze how the tech will actually be used. So every revision of the network design performs badly.

    That's just one example. But it's rife in the industry. So much so that I moved into industrial programming because so few people are doing it and there's a high demand in my area. And they still care about "knowledge"... especially when it comes to programming old industrial systems with new safety controls.

    So when I hear about back doors in commercial products, I ask the same question: does trading knowledge for appliances actually make a business work better?

    Shouldn't the people running the network actually know how it works and what's on the network?

    The MBAs say no.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."

  15. Re: Phew... by sycodon · · Score: 2, Funny

    I released an app to production last week and damned if some stupid back door spontaneously showed up.

    I swear I didn't put it in.

    Maybe it's the compiler, eh?

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.