Cisco Products Have Backdoors

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
  • proof of concept (Score:0, Informative)

    by Anonymous Coward on Thursday April 08, 2004 @04:11PM (#8807705)
    Proof of Concept [coattails.net]
  • by BradySama ( 755082 ) on Thursday April 08, 2004 @04:15PM (#8807789)
    Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China [kuro5hin.org]. Thanks, Cisco. Another one bites the credibility dust.
  • by Allen Zadr ( 767458 ) * <Allen.Zadr@nOspaM.gmail.com> on Thursday April 08, 2004 @04:16PM (#8807801) Journal
    The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post [slashdot.org] about what I think about the completeness of said fix.
  • yep (Score:5, Informative)

    by SHEENmaster ( 581283 ) <travis@utk. e d u> on Thursday April 08, 2004 @04:20PM (#8807889) Homepage Journal
    look for openbsd's [openbsd.org] corporate usage page.
  • Re:Linksys (Score:2, Informative)

    by fgb ( 62123 ) on Thursday April 08, 2004 @04:22PM (#8807935)
    I wouldn't think they would need it. There's a tiny little recessed button on the back of my linksys unit. Hold it in for 10 seconds and presto! The unit is back to the factory configuration. Passwords and all.

    No excuse for a master password. Mind you, I'm not saying there isn't one, just that there is no need for one.
  • Re:No workarounds? (Score:5, Informative)

    by dbarclay10 ( 70443 ) on Thursday April 08, 2004 @04:23PM (#8807944)
    However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my jaw drop.

    It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

    Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

    So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

  • by ceritus ( 719474 ) on Thursday April 08, 2004 @04:31PM (#8808055) Journal
    ... someone will lose the password within days ... I finally had to put a global password in every machine
    Most devices that I see come with a default username/password set that you can change and, if the admin is irresponsible enough to lose a password, the device has a mechanism (clear the NVRAM by hitting this physical button and rebooting, for example) to recover from their folly. It's a pain in the ass, but it's punishment for creating a password that you can't remember. Having a default password that cannot be removed or changed is just silly.
  • by Vellmont ( 569020 ) on Thursday April 08, 2004 @04:32PM (#8808061) Homepage
    A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.

    The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
  • by i_am_pi ( 570652 ) <i_am_pi_NO@SPAMhotmail.com> on Thursday April 08, 2004 @04:34PM (#8808095) Homepage Journal
    Well, resetting the firmware on Cisco's devices does NOT reset the rest of the settings.

    The process goes like this:
    Boot device with console cable
    Hit ctrl-c during boot
    use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
    Use the proper command to boot the device.

    You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.

    Enable yourself. copy start run (bring everything back up).
    config t (begin configuration)
    username blah password blabla priv 15 (if you have multiple usernames + priv levels)
    enable secret blabla (big-daddy enable password)
    line vty 0 4 (telnet access)
    login
    password bla
    exit
    config-reg 0x2102 (stop ignoring the configuration)
    exit
    copy run start (save that daddy)
  • by lotussuper7 ( 134496 ) on Thursday April 08, 2004 @04:34PM (#8808096) Homepage
    I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built-in backdoors.

    It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.

    Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases are capable of really messing up the device if used incorrectly by a tech who is not an expert.

    On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.

    So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.

    So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
  • by Havokmon ( 89874 ) <rick.havokmon@com> on Thursday April 08, 2004 @04:47PM (#8808271) Homepage Journal
    Reading your responses makes me realize I should add one thing. These devices that I work on are for a non-Slashdot crowd. It won't spread like wildfire. More like a smoke signal on a dry day. Cisco should have calculated the popularity of such an access key.

    Cisco already provides a 'password retrieval' for all their routers. The trick is you have to be on site to perform the recovery.

    Why there needs to be a master password that can be accessed from ANYWHERE, I don't know. At least make it only work on the current subnet.

  • not a conspiracy (Score:2, Informative)

    by oogoody ( 302342 ) on Thursday April 08, 2004 @04:52PM (#8808353)
    Backdoors are very common in embedded devices so you can bootstrap the system. They should have covered this better, but it is probably not an evil conspiracy. It's probably just developers and testers trying to do their job without a lot of security shit that makes everything take longer and be more difficult.
  • by EqualSlash ( 690076 ) on Thursday April 08, 2004 @05:01PM (#8808496)
    Maybe this extensive list [governmentsecurity.org] should help...
  • by Mysticalfruit ( 533341 ) on Thursday April 08, 2004 @05:05PM (#8808557) Homepage Journal
    Well that and their use of "Cisco" math when it comes to what their switches will push for throughput.

    For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.

    Or, if you're tripping over the bags of cash or they're just blocking the door, you could spring for a Juniper...

    Don't get me wrong, Cisco stuff works, it's just really expensive and there is cheaper, more capable equipment on the market...
  • by Anonymous Coward on Thursday April 08, 2004 @05:07PM (#8808587)
    Snapgear [snapgear.com]!

    Open-source, uClinux based routers, VPN solutions and OEM products!

  • by ak_hepcat ( 468765 ) <slashdot&akhepcat,com> on Thursday April 08, 2004 @05:09PM (#8808617) Homepage Journal
    600km?

    We do stuff like this all the time. Over 56k satellite circuits. Of course, we prefer to snail-mail a new flash card with the IOS, but for emergencies, tftp does work pretty well. Just slow.

    Ah, Alaska. Nothing else like it.
  • by nate1138 ( 325593 ) on Thursday April 08, 2004 @05:19PM (#8808746)
    First off, these devices can be reset in several different ways without losing the configuration.

    Second, once you have the device configured properly, you should back up your configuration with TFTP or over the console to make recovery easy. This way, even if the device itself is fried, you can just dump your config onto a replacement unit and get on with your day.

  • by StealthHunter ( 597677 ) on Thursday April 08, 2004 @05:43PM (#8809021)
    Search Google for "Reflections on Trusting Trust"; it's a great ACM award speech by Ken Thompson about this very topic. Try here [acm.org]
  • by Cramer ( 69040 ) on Thursday April 08, 2004 @05:53PM (#8809113) Homepage
    Unless you downloaded and compiled the binaries from the postgresql.org server(s), then you cannot say, for sure, Cisco has not added backdoors to the code.
  • by Mateito ( 746185 ) on Thursday April 08, 2004 @06:02PM (#8809190) Homepage
    > Don't get me wrong, Cisco stuff works, it's just
    > really expensive and there is cheaper, more
    > capable equipment on the market...

    True.

    Just remember that none of the "more capable" equipment is made by 3com.
  • by Cramer ( 69040 ) on Thursday April 08, 2004 @06:11PM (#8809328) Homepage
    ... oh, like the OpenSSL ident strings. 12.0 used OpenSSH, but they have since stopped using OpenSSH code in IOS -- they either rolled their own or snarfed someone else's. They've removed almost all of the ident strings except for those put there by the compiler: GCC: (GNU) 2.95.3 20010315 (cisco p10 release), etc.
  • by WhiteDragon ( 4556 ) * on Thursday April 08, 2004 @06:27PM (#8809507) Homepage Journal
    For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.

    Or, if you're tripping over the bags of cash or they're just blocking the door, you could spring for a Juniper...
    Or, you could buy a Big Iron [nwfusion.com] switch from Foundry [foundrynet.com] that will blow away most of the offerings from Cisco.
  • by cpthowdy ( 609034 ) on Thursday April 08, 2004 @06:48PM (#8809725)
    It doesn't matter a whole lot... if an intruder has physical access to your gear, you're fux0red either way. And it's not like someone with physical access couldn't connect to the management console port with their laptop, cycle the power, and do the ol' password recovery hack that Cisco gear has built into it. See here for more info: Cisco Password Recovery Procedures [cisco.com]
  • by smeenz ( 652345 ) on Thursday April 08, 2004 @07:18PM (#8810052) Homepage
    Honestly... you people can't resist jumping to conclusions, can you? If you READ the f'ing article, you would see that this vulnerability exists in a Cisco *application* that runs on a *linux* platform that is used to *manage* their wireless aironet devices in bulk, and has NOTHING to do with their switching/routing/wireless hardware products whatsoever.

    If you read further, you would note that Cisco has already released patches for the problem.

    If you had ANY experience with cisco security vulnerability disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.

    Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.

    And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"

  • by PurpleFloyd ( 149812 ) <`zeno20' `at' `attbi.com'> on Thursday April 08, 2004 @07:59PM (#8810460) Homepage
    While Cisco does have a decent security track record (exempting this colossally boneheaded maneuver), your tirade against "slashdot mind-droids" is simply false. Backdoor passwords tend to be one of the most obvious things to detect, excepting serious trickery like putting the password into the compiler [acm.org]. Code that looks like
    if (inputpasshash == storedhash)        /* the legitimate check against the configured credential */
    {
        return TRUE;
    }
    else if (inputpasshash == BACKDOOR)     /* the hard-coded second credential: the backdoor */
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
    tends to stand out pretty well during a code audit, and is visible even to a beginning C student. Backdoors are harder to sneak into open source software, simply because people will watch your every move and might not agree with all your changes.
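    As an added illustration (not code from the post or from Cisco), the backdoored check above next to a form where every accepted credential comes from a configured account table, each entry of which can be disabled, which is exactly the property the advisory's "cannot be disabled" username lacks. BACKDOOR, the account table and the plain-string "hashes" are constructed stand-ins so the control flow, not the hash function, is the point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BACKDOOR "deadbeef"   /* hypothetical compiled-in constant, constructed for this example */

/* Vulnerable form: a fixed second credential is accepted no matter what
 * the administrator configured, and nothing in the config can turn it off. */
bool check_password_backdoored(const char *inputpasshash, const char *storedhash)
{
    if (strcmp(inputpasshash, storedhash) == 0)
        return true;
    else if (strcmp(inputpasshash, BACKDOOR) == 0)   /* the backdoor */
        return true;
    return false;
}

/* Hardened form: credentials live only in the configured account table,
 * each account carries a disabled flag, and there is no fallback path. */
struct account {
    const char *user;
    const char *hash;
    bool disabled;
};

/* Length-then-XOR comparison: runs over the full common length so the
 * position of the first mismatch is not leaked through timing. */
static bool equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

bool check_password(const struct account *accts, size_t n,
                    const char *user, const char *inputpasshash)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(accts[i].user, user) != 0)
            continue;
        if (accts[i].disabled)          /* an operator can switch any account off */
            return false;
        return equal_ct(inputpasshash, accts[i].hash);
    }
    return false;                       /* unknown user: no built-in credential to fall back on */
}
```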
  • by Pii ( 1955 ) <jedi @ l i g h t s a b e r.org> on Thursday April 08, 2004 @09:09PM (#8810965) Journal
    Cisco's password recovery procedure can be disabled from Rommon, making the "configuration bypass" procedure non-functional.
