Forgot your password?
typodupeerror
Security Privacy Your Rights Online

Cisco Products Have Backdoors 555

Posted by CmdrTaco
from the two-scoops-of-creepy dept.
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This discussion has been archived. No new comments can be posted.

Cisco Products Have Backdoors

Comments Filter:
  • by Allen Zadr (767458) * <Allen@Zadr.gmail@com> on Thursday April 08, 2004 @04:10PM (#8807695) Journal

    There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.

    I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.

    On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...

    However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.

    • Cisco actually has a better track record than some other closed source vendors I could mention.
      • Great. So... that makes it Ok then?
      • Indeed, until now I haven't had any reason to dislike Cisco(although their equipment is expen$ive). Companies like Symantec and Roxio have always been higher on the list of people who will be the first against the wall when the revolution comes. But guess I'll be looking at Cisco more closely.

        On another note, I guess the guys at the school lab need to hear this one.
        • Well that and their use of "Cisco" math when it comes to what their switches will push for throughput.

          For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.

          Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...

          Don't get me wrong, Cisco stuff works, it's just really expensive and their are cheaper more capable equipment on the market...
          • by WhiteDragon (4556) *

            For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.

            Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...

            Or, you could buy a Big Iron [nwfusion.com] switch from Foundry [foundrynet.com] that will blow away most of the offerings from Cisco.

      • by InadequateCamel (515839) on Thursday April 08, 2004 @04:39PM (#8808162)
        Cisco actually has a better track record than some other closed source vendors I could mention.


        That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.

        The question we should be asking is what else have they done that their customers would object to if they knew about it?

        Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.
      • Cisco actually has a better track record than some other closed source vendors I could mention.

        I don't mean to be a grammar troll, but clearly you used the wrong tense:

        "Cisco actually had a better track record...."
      • by arivanov (12034) on Thursday April 08, 2004 @05:20PM (#8808767) Homepage
        Really?

        They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that ... BANG... Check BUGTRAQ for the SSH and NTP exploits as a fine example. I bet there are others as well.

        They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.

        They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
        http://lists.netsys.com/pipermail/full-d isclosure/ 2003-October/012809.html

        There are many others.

        So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
    • wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.

      Assuming the word has gotten out somehow, I'm not sure how they can change the password on all those systems that are currently out there, without raising the public awareness to the level that motivates them to apply the neccisary patches.
    • "However, if that's the case, wouldn't Cisco's fix simply change the password?"

      Doesn't sound like much of a fix to me... That barely comes into the category of workaround. Maybe issue-evasion.

      I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now. I wonder how long it'll be before we find out what the user/pass pairs are?

      • USER/PASS (Score:5, Funny)

        by Allen Zadr (767458) * <Allen@Zadr.gmail@com> on Thursday April 08, 2004 @04:19PM (#8807869) Journal
        Don't some of us have some serious hacking to do? I guess I know what you are planning on doing this weekend.

        What do you bet the id set is joshua/pencil?

      • by Zathrus (232140) on Thursday April 08, 2004 @04:29PM (#8808016) Homepage
        I see a great many people buying hardware from Cisco's competitors in the near-future.

        What makes you think that they don't have a backdoor username/pw as well? It may not be hard coded (they could both be strings that are determined by a hash function, based on the date/time or some other changing value), but I'd bet you they're there, at least on any high end equipment. Why? So that the damn thing is supportable remotely... even after some idiot admin screws up everything else. And, no, resetting the firmware on these things to restore the default admin password isn't acceptable -- simply because in doing so you'd lose all the other settings (bad for two reasons -- 1) they usually take hours or days to setup correctly, 2) if you're accessing the box for support, you probably want to see what the hell happened in case it was a bug).
        • by i_am_pi (570652) <`moc.liamtoh' `ta' `_ip_ma_i'> on Thursday April 08, 2004 @04:34PM (#8808095) Homepage Journal
          Well, resetting the firmware on Cisco's devices does NOT reset the rest of the settings.

          The process goes like this:
          Boot device with console cable
          Hit ctrl-c during boot
          use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
          Use the proper command to boot the device.

          You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.

          Enable yourself. copy start run (bring everything back up).
          config t (begin configuration)
          username blah password blabla priv 15 (if you have multiple usernames + priv levels)
          enable secret blabla (big-daddy enable password)
          line vty 0 4 (telnet access)
          login
          password bla
          exit
          config-reg 0x2102 (stop ignoring the configuration)
          exit
          copy run start (save that daddy)
        • First off, these devices can be reset in several different ways without losing the configuration.

          Second, once you have the device configured properly, you should back up your configuration with TFTP or over the console to make recovery easy. This way, even if the device itself is fried, you can just dump your config onto a replacement unit and get on with your day.

          • Second, once you have the device configured properly, you should back up your configuration with TFTP or over the console to make recovery easy. This way, even if the device itself is fried, you can just dump your config onto a replacement unit and get on with your day.

            Exactly. I'd tried "we don't have a backup of the router config" pretty much the same as "we don't have a backup of the webserver" when deciding how badly I'd have to lart the respective administrator. Even little home routers often have

      • by arivanov (12034) on Thursday April 08, 2004 @05:33PM (#8808913) Homepage
        I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now.

        I do not.

        IMO, you definitely do not understand how Cisco marketing functions. It took me 5+ years of dealing with it to start understanding it. Basically, every single IOS release they shipped is bug ridden beyond any reasonable limits. Any other company shipping such crap would have failed long ago. They did not. The reason is that they have created cottage industries of "certified specialists" all over the world which will make sure that their customers and employers will never buy anything but Cisco and never hire an unfettered one. Just have a look how many banks run "Cisco Only Networks". The reason for this is simple. They are employed because there is always something wrong and there is always something to fix. Cisco knows this and it will never ever kill what makes 90% of its enterprise sales.

        This is also the reason why even Cisco supplied GUI or centralised management solutions never manage some features. This is also the reason why there is no way in hell for you to get anywhere trying to manage Cisco gear using industry standard protocols. Ever tried to do some alteration of IP parameteres on Cisco via SNMP? I am not even talking about rocket science like the diff-serv MIB or the BGP MIB. Ever tried to hook it a proper element manager without few Ms of glue code that does direct CLI? Dream on...

    • by Anonymous Coward on Thursday April 08, 2004 @04:22PM (#8807932)

      Cisco has an evil backdoor that works (initially) at the ethernet level. You send several specially crafted frames to a MAC on the local segment or special packets to the outside interface and the unit will open up a back connection to Cisco. The PIX and ACLs in their router products will not log these or otherwise alert you to their existence. Once the connection is made, Cisco can mirror selected bits of your LAN traffic. Being that most of the internet's traffic flows over Cisco products...

      Some history:
      In 1928 an American inventor (Henry P. Acket) was working on a method to send extremely low voltage electrical impulses over wires as a covert means of communications. He succeeded in that he was able to use the telephone companies' wires to speak to friends without paying a telephone tax. Early on, his friend Charles Isco was able to put a backdoor in the vacuum tubes with nothing more than a few drops of solder, some tin and flux. Charles showed Acket this and provided some wax cylinders of Acket's supposedly private conversation.

      The FBI heard of this and took all their patent-pending information. Acket and Isco were paid the then huge sums of $1M and $500K respectively to shut up.

      Fast forward to the 60's.
      Early in 1963, J. Edgar Hoover was perusing the FBI archives when he spotted these plans from 35 years prior. He didn't believe it but one of his technical people played Hoover a tape recording made with a successor of the equipment. The tape was of Hoover making dinner reservations at Le Grande Fiste, a homosexual dinner club. Hoover went through the roof. He destroyed all the paperwork and equipment. After months of extreme drug therapy which rendered the technician nearly incoherent, Hoover had him framed for a crime we are all familiar with. The technician's name? Lee Harvey Oswald.

      Ahh.. the technology survived
      In the 1980s some people from Stanford University were going through recordings of Oswalds. Playing them backwards they could hear the terms "Black Helicopters", "Area 51" and "Backdoor Device". The truly learned already know about black helicopters and Area 51.. but what was this "Backdoor Device" Oswalds was rambling about? Those investigators, Len Bosack and Sandy Lerner, went on to form Cisco.

      If you look inside any Cisco product you'll find a small vacuum tube with hacked in piece of tin, some solder and flux.

      I present this information at grave risk to myself.

    • by DJStealth (103231) on Thursday April 08, 2004 @04:30PM (#8808030)
      If it is necessary to have a backdoor, it should only be enabled temporarily via a switch/hardware button (in the case that the admin password was forgotten).

      I.e. in order to get in through the backdoor, you need to hold down a button for 10 seconds, and the login will be enabled for the next 2 minutes (which should be enough time to change the admin pw if it is forgotten). This would require that the site be physically secure; however would prevent those from remotely accessing the backdoor (unless someone is actually there to hit this 'switch).
      • while that sounds good, there are ISPs out there that lease routers to customers... on site. So, the customer would have physical access to the router even though they don't own it. Without padlocking the router shut, this would be very insecure. I'm taking the stance that there shouldn't be a back door at all.... Sure, maybe a way to reset the admin password, along with the entire flash rom, from the physical box... but backdoor? No way.
    • by Anonymous Coward
      I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.

      Cisco doesn't make mistakes, they define new industry de-facto standards. Expect Juniper to issue a press-release shortly about some of their products having a backdoor as well. They're always followers.

  • I... (Score:2, Insightful)

    by Seoulstriker (748895)
    I simply can not believe this has happened. This is more boneheaded than what Microsoft has done for the past few years.
    • Re:I... (Score:3, Insightful)

      by rgmoore (133276) *

      What makes you think that this was a Cisco policy? It's far more likely that this is the work of some rogue coder within Cisco who added it without anyone else's knowledge. It's not as though adding a backdoor password is very tough for somebody who has access to the relevant code. If there aren't detailed code reviews, a backdoor could hide out for a very, very long time.

  • by momerath2003 (606823) * on Thursday April 08, 2004 @04:11PM (#8807714) Journal
    admin/password.
  • Trust No One (Score:5, Insightful)

    by aaron240 (618080) on Thursday April 08, 2004 @04:12PM (#8807719) Homepage
    Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
  • Radio cards? (Score:2, Interesting)

    by Kethinov (636034)
    I wonder of these insecurities are in my Cisco 350 series aironet radio card? My ISP should be informed of this if they are there.
  • by macshune (628296) on Thursday April 08, 2004 @04:14PM (#8807760) Journal
    No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software with it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.

    But what can anyone do? Are there any open-source makers of networking hardware?
    • yep (Score:5, Informative)

      by SHEENmaster (581283) <`travis' `at' `utk.edu'> on Thursday April 08, 2004 @04:20PM (#8807889) Homepage Journal
      look for openbsd's [openbsd.org] corporate usage page.
    • by Progman3K (515744) on Thursday April 08, 2004 @04:41PM (#8808176)
      >Just like we can't trust closed-source e-voting software [when] it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.

      Taliban leader speaking:

      OK troops, here's what we'll do; we will sub-contract from the Pakistanis that are sub-contracting from the Indians that are sub-contracting from the Americans that are outsourcing their I.T. operations, and when WE are the ones coding everything for the Americans, we slip in trojans, viruses and everything else we can think of to screw with their heads!

      Once they are all helpless because they've outsourced all the jobs that require an education, we show up and sell them all Edsel automobiles and when they've all killed themselves on the road, we simply take over the country.

      Simple.
  • by General Newcomb (743341) on Thursday April 08, 2004 @04:15PM (#8807781)
    "Mr. Potato Head! Back doors are not secrets!"
  • by Space cowboy (13680) * on Thursday April 08, 2004 @04:15PM (#8807786) Journal

    (According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)

    I can see why it's useful to have a master password, but really, it was bound to cause major embarassment in the end - the only way it would work is if everyone who knew it (presumably cisco employees) never ever divulged it. That's likely!

    Simon

    • Yeah, I remember working for a company that made network storage devices. We had to make sure that we not only didn't have a back door, but that we didn't even know the root password. Lest we be implicated in any information leaked from the company.

      Yet we wanted to be able to fix a device even if they forgot their root password. What we settled for was a root password reset that was entirely visible to them at the time so if someone malicious did try to get their information they would at least know as it
  • by BradySama (755082) on Thursday April 08, 2004 @04:15PM (#8807789)
    Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China [kuro5hin.org]. Thanks, Cisco. Another one bites the credibility dust.
  • No workarounds? (Score:5, Insightful)

    by Aardpig (622459) on Thursday April 08, 2004 @04:15PM (#8807790)

    The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.

    However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.

    • Re:No workarounds? (Score:5, Informative)

      by dbarclay10 (70443) on Thursday April 08, 2004 @04:23PM (#8807944)
      However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.

      It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

      Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

      So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

    • by Vellmont (569020) on Thursday April 08, 2004 @04:32PM (#8808061)
      A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.

      The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
    • Recovering passwords (Score:3, Interesting)

      by vasqzr (619165)

      I was called by a apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telneted in to the switches, and screwed a bunch of stuff up.

      Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I belive it was generated by a program they had. We had to verify proof of purchase and everything with the
  • Your answer (Score:4, Funny)

    by ls-lta (681694) <(moc.ibtta) (ta) (maps_dnes_tnod)> on Thursday April 08, 2004 @04:15PM (#8807796)
    " Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?"

    Yes. Lord, next you'll be asking about patents.
  • It needs to be there (Score:5, Interesting)

    by thpdg (519053) on Thursday April 08, 2004 @04:16PM (#8807813) Journal
    People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.
    • by ls-lta (681694) <(moc.ibtta) (ta) (maps_dnes_tnod)> on Thursday April 08, 2004 @04:20PM (#8807891)
      No, not really. The user id could be set by serial number (randomly) and you could keep track of who has what serial number, who is authorized to get the password, the password could also roll (think subscription revenue!).
      • by thpdg (519053)
        Been there, done that. If you create any kind of formula for calculating it, then that can get out just as easily. A sales rep that uses the information to help one customer, suddenly has it for every machine. We made the mistake of using that method for enabling a pay option on one of our machines.
    • That's what reset buttons are for. A safe way to clear access without a remote back door.
    • by adamofgreyskull (640712) on Thursday April 08, 2004 @04:31PM (#8808058)
      It depends on the value of the information within. If it's important enough to worry about whether a master password exists...then I'd suggest that it's important enough that people will remember their password and not need it.

      If I buy a 50 quid wall safe and lose my key, I could probably go into any locksmiths and get a replacement key for that model safe. If I spend 1,000,000 on a bank vault I'd like to think that no generic or master key existed...

      Backing away from the analogy quietly for a moment..I think it would be pretty simple(for Cisco) to enable the backdoor login only via a console connected to the serial port and not remotely..
    • No it doesn't (Score:5, Interesting)

      by Burdell (228580) on Thursday April 08, 2004 @04:42PM (#8808197)
      There is no reason to have a master password that gives someone with that knowlege instant full access to every such device in the field. There are many ways to work around it (without resorting to just resetting the device and clearing all settings).

      Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).

      Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a respose string and use it to log in, and then you change the password.

      The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).

  • 3COMengineers/Areweenies
  • Yes. If word got out they put in a backdoor so that some guy named Sisco at Cisco could root your box, their reputation would be ruined. They would essentially be the microsoft of routers, only they don't have 95% market share so they can't just flip everyone off. (Or maybe they do have 95% market share, I don't know)

    I'm sure they do extensive checking against this sort of thing.

  • by CrystalFalcon (233559) on Thursday April 08, 2004 @04:20PM (#8807882) Homepage
    Can we really trust closed-source venders, such as Cisco, to develop secure products that are free of backdoors?

    You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.

    How do you know that the open source you are looking at actually is the one running in your device? You don't.

    How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.

    How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.

    How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.

    What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.

    The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
    • by bgog (564818) * on Thursday April 08, 2004 @04:31PM (#8808042) Journal
      How do you know that the open source you are looking at actually is the one running in your device?
      You compile it yourself.

      How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler?
      True, but highly unlikley.

      How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device?
      Because I transfered it. Perhaps via serial cable or over a cable not on a public network.

      What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line.

      I draw the line at blatent backdoors. The difficulty of breaking into my router by giving me a bad compiler is FAR FAR FAR more difficult than a backdoor admin account. Once that gets out anyone can log in and do what they like.
    • Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.

      And do you even have this option with closed source? You don't.

      Believe me, if the end application is valuable enough, someone will take the time and effort to run down the entire audit trail you described, if given the source code to do so. Personally, I like having the option. Trust,

    • Search google for "Reflections on Trusting Trust" it's a great ACM award speach by Ken Thompson about this very topic. try here [acm.org]
    • A lot of this kind of discussion came up in one of the recent e-voting stories. The problem is, if I use an open source compiler (assuming the code is audited by a non-malicious party, in the worse case, me), then you would have to resort to a hardware based attack (i.e. the device essentially 'patches' in the exploit). Of course, this is a lot harder than people seem to think. What if I, for example, compiled it with a compiler that used stack and memory map randomization? The hardware would patch over the
  • by funny-jack (741994) on Thursday April 08, 2004 @04:20PM (#8807890) Homepage
    Greetings, Professor Falken.
    Shall we play a game?
  • by dan dan the dna man (461768) on Thursday April 08, 2004 @04:20PM (#8807893) Homepage Journal
    Hmm yes, like when SGI shipped their machines with much the same problem. Has nearly a decade of fighting computer intrusion taught them nothing. Thats pretty shoddy Cisco.
  • Register, or else (Score:5, Insightful)

    by skidde (670293) on Thursday April 08, 2004 @04:21PM (#8807904) Homepage
    The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-h ost-sol ( registered customers only) .

    I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
  • by myst564 (196476) on Thursday April 08, 2004 @04:21PM (#8807910)
    Let's see..

    "Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."

    This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?

    Why can software/hardware companies get way with "We tried our best, honest!" ?

  • by lotussuper7 (134496) on Thursday April 08, 2004 @04:34PM (#8808096) Homepage
    I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.

    It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.

    Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.

    On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.

    So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.

    So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
  • Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

    Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:

    Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.

    Second use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password") the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.

    Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.

    -Adam
  • No (Score:4, Insightful)

    by jc42 (318812) on Thursday April 08, 2004 @04:42PM (#8808205) Homepage Journal
    Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

    Simple question, with an even simpler answer: No.

    If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.

    Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting date from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.

    But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."

    If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.

    Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.

    But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.

  • This reminds me... (Score:3, Interesting)

    by fudgefactor7 (581449) on Thursday April 08, 2004 @04:48PM (#8808294)
    ...of the phrase that President Regan used to tell Gorbie all the time "Trust, but verify."

    Cisco has been a major player for a long time, so we have a de-facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either there are still more eyes. Quis custodiet ipsos custodes. The only problem is if the flaw doesn't exist in only flashable firmware (i.e.: in hardware someplace that can't be modified at all)--then that would be an issue. I think we can trust the Cisco hardware, it's the flashed system that needs to be checked.

    So, Cisco, how about opening that up? Come on, be a pal....
  • by allyourbasebelongtou (765748) on Thursday April 08, 2004 @04:49PM (#8808307) Homepage
    This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.

    I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.

    That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.

    This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.

    Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?

    The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
  • by egriebel (177065) * <edgriebel@gmai3.14159l.com minus pi> on Thursday April 08, 2004 @04:52PM (#8808357) Journal
    I'm going to go out on a limb and predict tons of posts of "dump cisco now!!" here. It'll never happen, Cisco will shrug this off. There's no way that the corporate infrastructure is going to be torn up, Cisco has too much penetration and momentum. Acutally, I bet it won't even hit mainstream media and be barely a footnote in NetworkWorld and related trade rags.

    There will be no wholesale move off of Cisco products. Why?

    1. Who else are you going to use?
    2. Who is going to pay for the new hardware?
    3. When are you going to do the upgrading?

    Let's roleplay the conversation between the CIO and CEO/COO:

    CTO: Hey boss, I need $x million to replace all our Cisco equipment NOW!
    CEO: Hmm, that's a lot of work and money, are they broken?
    CTO: Well, no, but there's an extremely serious vulnerability!
    CEO: <blinks>
    CTO: Every Cisco box has the same administrative password!
    CEO: <starts to watch the window washers and birds outside>
    CTO: Anyone can log in to our systems with this password
    CEO: Hmm, I see....Is that bad?
    CTO: Yes, which is why they need to be replaced.
    CEO: Well, it certainly sounds serious. Why don't you prepare a proposal, get buyin with the Regional VPs and Directors, run it by Frank in operations, and then talk to my assistant Tiffany and get some time on my schedule.
    CTO: Sir, I think it should be expedited.
    CEO: Yes, hmm. So have you heard how Tiger is doing at the Masters today?

    The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.

  • Negligence (Score:4, Interesting)

    by Animats (122034) on Thursday April 08, 2004 @05:03PM (#8808513) Homepage
    Why aren't we hearing words like "knowingly, willfully negligent", or "reckless endangerment", or "conspiracy to violate the Computer Fraud and Abuse Act"?

    A Cisco exec should do hard time for this.


  • From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

    This should be shortened to: "Can we trust closed-source vendors?"

    History has shown that we cannot.

    Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft [lugod.org]. I counted more than 200 in 2002, and things have gotten worse since then.

    (This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)

    Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.

    Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.

    Most managers seem to have received their training by mimicing the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!

    I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
  • by LostCluster (625375) * on Thursday April 08, 2004 @07:00PM (#8809848)
    Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

    Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.

    However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.

    Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
  • by smeenz (652345) on Thursday April 08, 2004 @07:18PM (#8810052) Homepage
    Honestly... you people can't resit jumping to conclusions can you ? If you READ the f'ing article, you would see that this vulnerability exists in a Cisco *application* that runs on a *linux* platform that is used to *manage* their wireless aironet devices in bulk, and has NOTHING to do with their switching/routing/wireless hardware products whatsoever.

    If you read further, you would note that Cisco has already released patches for the problem.

    If you had ANY experience with cisco security vulnerabilty disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.

    Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.

    And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"

If A = B and B = C, then A = C, except where void or prohibited by law. -- Roy Santoro

Working...