Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing (zdnet.com)
An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has released today 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals.
Juniper suffered massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting out these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.
Seven down, so many more to go.
It's a good thing the headline pointed out that it was a good thing. I'd never be able to have figured it out for myself if I hadn't been told. Now could someone please tell me what products to consume?
updates $100/mo per device
So you're saying you're surprised a company named Crisco has a lot of backdoor accounts?
Cisco requires you to pay for a support contract (yearly) to have access to the updates for a switch when they already charged 3x what it's worth to begin with.
I don't know how that's even legal when you have big security holes like this. The product is not fit for use, yet you have to pay even more $ to make it "safe" again.
Any hardware manufacturer that allows backdoors to even end up in a shipping device clearly has something wrong with the way they do software development. And when they do find things like this, they need to backtrack via version control and see who allowed this crap to happen (in terms of the developer and all the different levels of people who were supposed to review that developer's code before it got out there) and give the people who allowed it to happen or should have caught it a good talking to, so the people involved change the way they do things and it can't happen again.
Then again, given what Snowden has told us, all these backdoors in all these internet connected things may well be intentional and only closed or covered up when someone not sworn to secrecy finds one...
Yep. It means a smashed QA process.
But no one will fall on their swords. More will be found. No necks hung from a yardarm, even though the backdoors are probably known.
Were they inserted at the request of intelligence agencies? We'll never know. However, this is my suspicion. There is a great hunger for such things among the spooks.
---- Teach Peace. It's Cheaper Than War.
Yes, the direction the code is moving in is an improvement, but that's not good, that's less awful. But the fact that there were seven backdoor accounts to remove is a huge problem.
This is my signature. There are many like it, but this one is mine.
Would someone care to explain how these backdoors got in the code in the first place?
... that there were only seven found and fixed this year.
A search of the US-CERT vulnerability database turns up more than 300 hard-coded credential CVEs against Cisco since records were kept.
The relevant legal term is "warranty of merchantability". It's an implied warranty that manufacturers cannot (successfully) disclaim. The warranty of merchantability essentially guarantees that the item is fit to sell. It doesn't guarantee the quality is better than cheaper brands, but it does warrant that the product is fit for the marketplace - that it properly suits the needs of some purchasers.
I haven't done a deep dive on these particular Cisco accounts yet since I'm off work this week. At first blush, Cisco probably has a legal obligation to provide an update to fix this issue at no charge. Because it was never fit for sale, that needs to be fixed. If they choose to fix it with an update that also provides new features that's fine, but using the magic words "warranty of merchantability", preferably in a letter that sounds like it was written by a lawyer, should get you updates at no charge.
In addition, Cisco provides a LOT of documentation about which of its products are suited for which purposes, and how to configure them for different purposes. I've read literally thousands of pages from Cisco myself. By stating, in writing, that this particular product is suited for this particular purpose, Cisco may have also created a "warranty of fitness for a particular purpose". When they say in writing that a particular ASA is designed to function as a VPN gateway for enterprises with 1,000-5,000 employees, that may legally create a warranty that it is in fact somewhat suitable for the purpose claimed. If these security issues make it not suitable for the advertised purpose, Cisco needs to fix that at no charge.
Exactly. And as per Snowden's revelations years ago, Cisco was pointed to as purposefully backdooring its products at the behest of the NSA, and today they are suddenly on the side of the angels because they have graciously patched out a few of them?
Meanwhile, what has the NSA already installed on those systems through those backdoors? If they are getting patched out now, it's only because Cisco's keepers don't need it any more.
Cisco removed seven backdoor accounts, huh? How many more are in there?
That's not rhetorical; I'd really like to know.
I am not a sig.
I suspect this is not just a matter of adding admin accounts with a fixed password.
I manage a large production control system in a pharma plant. The software is from a well known vendor (in that industry) and comes with a lot of certifications. There are no hard coded user accounts, though there are privileged accounts that I know the password of because I set them up. But regardless of the fact that I know those passwords, this is an enormous pile of software comprised of services, user applications, scripting engines, background processes, etc., and different parts of the software are running distributed over 15 different servers. As a collection, some of that software is 30 years old and cobbled together from lots of pieces from lots of different sources.
I come from a software developer background, doing mostly kernel level work, interprocess communication, software infrastructure, etc. When I look at the pile of software I have been managing for over a decade now, I see many ways to abuse running services or schedulers, and make them do things they are not supposed to.
Not because I can 'log in' as a service account, but because I know, for example, that one of those privileged accounts is getting information from some place in order to determine what to do, and because of an oversight or bug, I can affect the information telling that account what to do. Due to less than perfect design (or possibly because of legacy software that cannot easily be changed) I could piggyback a script or executable on top of something else and have that executed in a privileged manner.
So I really think that this is not so much a Cisco developer adding in privileged accounts. After all, that would be trivial enough to find in code audits. But it is much more likely that there are ways to influence what a privileged process inside the Cisco system is doing. The term 'backdoor' implies a much bolder and intentional issue, which I really don't think is going on here.
And since Cisco has developers who are very much at home in their own software, it doesn't really surprise me that they can look at their own code, and figure out things that may have unexpected vulnerabilities.
Any hardware manufacturer that allows backdoors to even end up in a shipping device clearly has something wrong with the way they do software development.
Either that, or... enemies working inside the company.
No sig today...
I suspect this is not just a matter of adding admin accounts with a fixed password.
It won't be as simple as "cat /etc/passwd", no.
No sig today...