Cisco Products Have Backdoors 555
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
proof of concept (Score:0, Informative)
Well, definately not buying any of those... (Score:3, Informative)
No Refund - firmware fix (Score:4, Informative)
yep (Score:5, Informative)
Re:Linksys (Score:2, Informative)
No excuse for a master password. Mind you, I'm not saying there isn't one, just that there is no need for one.
Re:No workarounds? (Score:5, Informative)
It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).
Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).
So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.
Re:It needs to be there (Score:2, Informative)
You have to understand bug-fix parlance... (Score:5, Informative)
The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
Re:Cisco's Life Lesson - Maybe not. (Score:5, Informative)
The process goes like this:
Boot device with console cable
Hit ctrl-c during boot
use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
Use the proper command to boot the device.
You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.
Enable yourself. copy start run (bring everything back up).
config t (begin configuration)
username blah password blabla priv 15 (if you have multiple usernames + priv levels)
enable secret blabla (big-daddy enable password)
line vty 0 4 (telnet access)
login
password bla
exit
config-reg 0x2102 (stop ignoring the configuration)
exit
copy run start (save that daddy)
Cisco is not alone. It's industry wide practice. (Score:5, Informative)
It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.
Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.
On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.
So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
Re:It needs to be there (Score:3, Informative)
Cisco already provides a 'pasword retrieval' for all their routers. The trick is you have to be on site to perform the recovery.
Why there needs to be a master password that can be accessed from ANYWHERE, I don't know. At least make it only work on the current subnet.
not a conspiracy (Score:2, Informative)
so you can bootstrap the system. They should
have covered this better, but it is probably
not an evil conspiracy. It's probably just
developers and testers trying to do their
job without a lot of security shit that
makes everything take longer and be more
difficult.
Re:And the username/password pair is... (Score:2, Informative)
May be this extensive list [governmentsecurity.org] should help
Re:Well, that depends. (Score:3, Informative)
For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.
Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...
Don't get me wrong, Cisco stuff works, it's just really expensive and their are cheaper more capable equipment on the market...
Thats why you buy from Snapgear! (Score:1, Informative)
Open-source, uClinux based routers, VPN solutions and OEM products!
Re:No Refund - firmware fix (Score:2, Informative)
We do stuff like this all the time. Over 56k satellite circuits. Of course, we prefer to snail-mail a new flash card with the IOS, but for emergencies, tftp does work pretty well. Just slow.
Ah, Alaska. Nothing else like it.
Re:Cisco's Life Lesson - Maybe not. (Score:3, Informative)
Second, once you have the device configured properly, you should back up your configuration with TFTP or over the console to make recovery easy. This way, even if the device itself is fried, you can just dump your config onto a replacement unit and get on with your day.
Re:You can't trust ANYONE. (Score:3, Informative)
Re:Well, that depends. (Score:2, Informative)
Re:Well, that depends. (Score:2, Informative)
> really expensive and their are cheaper more
> capable equipment on the market...
True.
Just remember that none of the "more capable" equipment is made by 3com.
Re:Well, that depends. (Score:2, Informative)
Re:Well, that depends. (Score:3, Informative)
Re:Cisco's Life Lesson - Maybe not. (Score:2, Informative)
Can't you people READ THE F**KING ARTICLE ? (Score:3, Informative)
If you read further, you would note that Cisco has already released patches for the problem.
If you had ANY experience with cisco security vulnerabilty disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.
Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.
And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"
Re:Well, that depends. (Score:5, Informative)
Password recovery can be disabled. (Score:3, Informative)