Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing (zdnet.com)
An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has released today 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals.
Juniper suffered massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.
seven down so many more to go.
Leave your value judgement out of the headline.
It's a good thing the headline pointed out that it was a good thing. I'd never be able to have figured it out for myself if I hadn't been told. Now could someone please tell me what products to consume?
updates $100/mo per device
The fact they have to search for and find the backdoors after the fact means they have broken internal security coding review processes. These should never be getting to the stage where they can be found in this fashion.
A good thing that:
They removed this backdoor account?
They removed 7 this year?
There were only 7 this year?
They didn't find all the others?
So you're saying you're surprised a company named Crisco has a lot of backdoor accounts?
Cisco requires you to pay for a support contract (yearly) to have access to the updates for a switch when they already charged 3x what it's worth to begin with.
I don't know how that's even legal when you have big security holes like this. The product is not fit for use, yet you have to pay even more $ to make it "safe" again.
Cisco has been taking long-term processing dumps in the pool. Cisco has been floating high-fiber, non-flushing matter in the pool. Cisco has been using a scoop meant for cleaning up after dogs but used on humans and then dumping them in the pool. It's all a good thing because no matter how much you swallowed, the pool was heavily chlorinated through Cisco efforts and Cisco made sure people kept on coming in the water because they weren't scared about all the brown floating human byproduct.
Yes, the direction the code is moving in is an improvement, but that's not good, that's less awful. But the fact that there were seven backdoor accounts to remove is a huge problem.
This is my signature. There are many like it, but this one is mine.
Does cisco hardware not run on open source software? If not, this would be a great time for open source pundits to start jumping up and down and waving their hands around.
Intel seems to have the same critical mental disability when it comes to *not* putting gaping, obvious security holes in the closed source of its firmware, so from here it's pretty obvious that even the biggest, most reputable hardware companies cannot be trusted with this task.
If I was a Cisco customer I'd be calling up my "account manager" and asking them if they got any of them open source based routers and if not, we'll get our routers somewhere else.
Ohhhh /. What have you become
Or that's my take away from the summary
keys?
Domestic spying is now "Benign Information Gathering"
Your racist ascii-art skills are garbage. What, did you auto generate those from a gif you saved in 1995 or something?
Thank you dear author for framing my emotions before processing your work.
Thank you for empowering people who only read the title that what has happened is in fact... a good thing.
Would someone care to explain how these backdoors got in the code in the first place?
... that there were only seven found and fixed this year.
A search of the US-CERT vulnerability database turns up more than 300 hard-coded credential CVEs against Cisco since records were kept.
The relevant legal term is "warranty of merchantability". It's an implied warranty that manufacturers cannot (successfully) disclaim. The warranty of merchantability essentially guarantees that the item is fit to sell. It doesn't guarantee the quality is better than cheaper brands, but it does warrant that the product is fit for the marketplace - that it properly suits the needs of some purchasers.
I haven't done a deep dive on these particular Cisco accounts yet since I'm off work this week. At first blush, Cisco probably has a legal obligation to provide an update to fix this issue at no charge. Because it was never fit for sale, that needs to be fixed. If they choose to fix it with an update that also provides new features that's fine, but using the magic words "warranty of merchantability", preferably in a letter that sounds like it was written by a lawyer, should get you updates at no charge.
In addition, Cisco provides a LOT of documentation about which of its products are suited for which purposes, and how to configure them for different purposes. I've read literally thousands of pages from Cisco myself. By stating, in writing, that this particular product is suited for this particular purpose, Cisco may have also created a "warranty of fitness for a particular purpose". When they say in writing that a particular ASA is designed to function as a VPN gateway for enterprises with 1,000-5,000 employees, that may legally create a warranty that it is in fact somewhat suitable for the purpose claimed. If these security issues make it not suitable for the advertised purpose, Cisco needs to fix that at no charge.
Yes yes. Don't read the dribble.
These problems have been known long enough that none should exist in any of their "mature" products. We are past the point where newly-discovered backdoors should be considered evidence of criminal negligence.
About a couple months after I purchased a Cisco E2500 WiFi, six or seven years ago, I had a notice pop up on my screen asking me if I wanted to update the WiFi's firmware. It explained that in order to confirm the update I had to go to Cisco's cloud server and create an account. THEN, they would update the WiFi firmware. A search around the web at the time revealed that many folks who bought Cisco WiFi's received that notice and requirement. Some suggested that the NSA forced Cisco to update their firmware to include a backdoor. True or False? I don't know, but considering what Snowden blew the whistle on, it would be easy to believe it. That's when I decided to update my E2500 firmware with DD-WRT instead. In addition to being open source and more secure, it gave me access to features on the WiFi that Cisco's HTML interface would supply. My next and current WiFi also has DD-WRT firmware on it.
Running with Linux for over 20 years!
for putting your made up chips/devices to do some evil stuff one computer at a time..
Okay, so you posted totally hip ASCII art of Trump's stupid fucking face, so what's your point exactly?
Would be what they're adding when they claim they're removing ...
Exactly. And as per Snowden's revelations years ago. Cisco was pointed to as purposefully backdooring its products at the behest of the NSA years ago, and today they are suddenly on the side of the angels because they have graciously patched out a few of them?
Meanwhile, what has the NSA already installed on those systems through those backdoors? If they are getting patched out now, it's only because Cisco's keepers don't need it any more.
Otherwise they'd be in breach of their agreements they have with the government.
It's a complete abuse of trust, and it should be grounds for revoking the corporate charter.
Cisco removed seven backdoor accounts, huh? How many more are in there?
That's not rhetorical - I'd really like to know.
I am not a sig.
They probably add 2 more.
And shitty comments like this are why nobody tries to get better. Why bother if all you're going to get is abuse? It's very telling you chose a feminist way of thinking about it. They are the champions of being toxic people and granting no credit for positive developments. It's one of the reasons they lost their way some time ago.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
That explains all and no deeper investigations are required.
Encrypt everything, trust only an OpenBSD firewall. Never send anything in plaintext over a CISCO or Juniper product. And yeah, don't use OpenSSL. OpenSSL is a can of worms.
That is why the Russians have their own CPU, Elbrus.
The Chinese have Loongson.
They use their own hardened Linux version or OpenBSD on these self-made CPUs.
Never trust Intel out of Israel. That is where their digital design comes from.
Their QA is a bunch of social scientists who cannot comprehend a single line of C code. That is what we must expect.
Oh wait America is far more incompetent.
That's just how it is, and it's thanks to America First mentality and your government agencies and their private courts who can order any telecom company to do anything they want.
If you purchase U.S.-made communication equipment, then the U.S. government has a way into your systems. You should buy Ericsson, Huawei, or Nokia, they are among the ten largest manufacturers in the world, and their equipment has always stood up to scrutiny and inspection.
fine, they are closing backdoors, which they put there themselves and apparently have a hard time finding.
I just hope they are also educating their devs to never put in backdoors again, otherwise this will be a never ending story.
On a long enough timeline, the survival rate for everyone drops to zero.
Geez, fine, you're gay, we get it. Nobody cares.
I don't use OpenBSD anywhere else, but I agree it's particularly well suited to firewalls.
At one point I set up a machine that did nothing but store credit card numbers. It wasn't a web server or a database server or anything else, it had a single function so that it could be stripped of most software (since software has bugs). That too would have been a good place to use OpenBSD.
The one issue with that is because that's the only place I'd use OpenBSD, I'm not nearly as familiar with OpenBSD as I am with Linux. Using a system you don't know well to build a firewall on is also a bad idea, if you can instead use an operating system that you know inside and out.
Cisco makes infrastructure which is tied into the lowest levels of the network. It's how people implement their damned security.
Are you saying we should be praising Cisco for fixing security holes that anybody with any concept of network security should have never allowed to exist in the first place? There is no scenario in which engineers at Cisco couldn't be aware that hard-coded backdoor passwords were a security risk. Not if they are competent in any way.
That's stupid, and is not unlike praising a car company for no longer making cars which burst into flames in an accident ... yes, it's good you've fixed that, but you never should have allowed it to happen in the first place. We also don't praise people who stop shitting on the floor.
Cisco was grossly incompetent in allowing these back doors. They're fixing their own incompetence. But don't expect high praise for that.
This. I favor complete dissolution of companies that systematically abuse the public trust. That definitely includes all of the big ones whose incomes rival those of nation states.
Fuck Cisco
Fuck IBM
Fuck Oracle
If you EVER do business with these clowns, you will regret it.
I gave them credit. They've moved to "less awful," a major upgrade from "OHGODOHGODKILLITWITHFIRE." They don't get to the point of actual praise until they can make it through at least a year without having to remove an account that should have never been available on an end-user product.
That is the only reasonable conclusion from this extreme level of insecurity. They probably have some of these seven that are actual screw-ups (very, very bad) and certainly some that were placed intentionally (even worse). The only valid conclusion is to not buy from them, as they are even too stupid to hide intentional backdoors well...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Are you a male feminist? You won't get laid that way, you know. It doesn't work.