Cisco Products Have Backdoors 555
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
Cisco's Life Lesson - Maybe not. (Score:5, Insightful)
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.
I... (Score:2, Insightful)
Trust No One (Score:5, Insightful)
Can we really trust closed-source vendors? (Score:5, Insightful)
But what can anyone do? Are there any open-source makers of networking hardware?
How Stupid. (Score:1, Insightful)
How did anyone EVERY think this was a 'good thing'???
No workarounds? (Score:5, Insightful)
The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.
However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.
Re:Cisco's Life Lesson - Maybe not. (Score:2, Insightful)
Doesn't sound like much of a fix to me... That barely comes into the category of workaround. Maybe issue-evasion.
I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now. I wonder how long it'll be before we find out what the user/pass pairs are?
Re:I... (Score:3, Insightful)
What makes you think that this was a Cisco policy? It's far more likely that this is the work of some rogue coder within Cisco who added it without anyone else's knowledge. It's not as though adding a backdoor password is very tough for somebody who has access to the relevant code. If there aren't detailed code reviews, a backdoor could hide out for a very, very long time.
You can't trust ANYONE. (Score:5, Insightful)
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
Re:It needs to be there (Score:5, Insightful)
Register, or else (Score:5, Insightful)
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
Does Cisco know wha'ts going on? (Score:5, Insightful)
"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."
This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?
Why can software/hardware companies get way with "We tried our best, honest!" ?
Re:Open Source (Score:2, Insightful)
Auditing the compiler's code doesn't guaranteee anything either. It too had to be compiled, and the compiler's compiler may have been compromised.
Re:Firmware? (Score:5, Insightful)
Do they plan on releasing a firmware update?
RTFA [cisco.com].
If so, how do we know they aren't going to put another backdoor into that and simply change the information?
You don't.
Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
If you own the affected products and require open source firmware patches then you should have thought of that before you bought the product. If you require open source hardware then buy open source hardware.
Re:Firmware? (Score:2, Insightful)
It's software, it's been fixed, nothing to see here. Move along.
Re:Cisco's Life Lesson - Maybe not. (Score:2, Insightful)
Re:I... (Score:5, Insightful)
Like the parent said...boneheaded.
Re:Cisco's Life Lesson - Maybe not. (Score:5, Insightful)
What makes you think that they don't have a backdoor username/pw as well? It may not be hard coded (they could both be strings that are determined by a hash function, based on the date/time or some other changing value), but I'd bet you they're there, at least on any high end equipment. Why? So that the damn thing is supportable remotely... even after some idiot admin screws up everything else. And, no, resetting the firmware on these things to restore the default admin password isn't acceptable -- simply because in doing so you'd lose all the other settings (bad for two reasons -- 1) they usually take hours or days to setup correctly, 2) if you're accessing the box for support, you probably want to see what the hell happened in case it was a bug).
If it does 'need' to be there (Score:2, Insightful)
A backdoor as cisco has is unacceptable in every way.
Re:You can't trust ANYONE. (Score:5, Insightful)
True, but highly unlikley.
Because I transfered it. Perhaps via serial cable or over a cable not on a public network.
I draw the line at blatent backdoors. The difficulty of breaking into my router by giving me a bad compiler is FAR FAR FAR more difficult than a backdoor admin account. Once that gets out anyone can log in and do what they like.
Re:It needs to be there (Score:5, Insightful)
If I buy a 50 quid wall safe and lose my key, I could probably go into any locksmiths and get a replacement key for that model safe. If I spend 1,000,000 on a bank vault I'd like to think that no generic or master key existed...
Backing away from the analogy quietly for a moment..I think it would be pretty simple(for Cisco) to enable the backdoor login only via a console connected to the serial port and not remotely..
Re:Cisco's Life Lesson - Maybe not. (Score:3, Insightful)
Eventually every back door has to be used... (Score:5, Insightful)
Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:
Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.
Second use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password") the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.
Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.
-Adam
Yes, but - WIRELESS (Score:5, Insightful)
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Re:You can't trust ANYONE. (Score:2, Insightful)
Re:You can't trust ANYONE. (Score:3, Insightful)
And do you even have this option with closed source? You don't.
Believe me, if the end application is valuable enough, someone will take the time and effort to run down the entire audit trail you described, if given the source code to do so. Personally, I like having the option. Trust, but verify.
Ever dealt with Cisco? Personally? (Score:1, Insightful)
Second of all, when you read those two bug toolkit ID's, you will notice that there are patches directly available to fix the problem. Oh no, not a patch. Pfffft.
Re:Cisco's Life Lesson - Maybe not. (Score:2, Insightful)
Also of note on Efficient SDSL routers (and likely others) the decimal equivalent of the last octets of the MAC address is the serial number. Useful if you don't have physical access to the router.
No (Score:4, Insightful)
Simple question, with an even simpler answer: No.
If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.
Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting date from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.
But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."
If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.
Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.
But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.
Surprising, but not that surprising (Score:5, Insightful)
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
/.-ers just don't get it.... (Score:5, Insightful)
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
Re:Cisco is not alone. It's industry wide practice (Score:1, Insightful)
Re:Register, or else (Score:2, Insightful)
It clearly states that customers without support contracts or with uncooperative 3rd party vendors can go through the CISCO TAC (number listed on reference article) to get the proper patches.
Everyone affected, assuming they at least have the serial number still on the box, can get the patch, which is The Right Thing To Do(tm).
Re:Well, that depends. (Score:5, Insightful)
They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that
They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.
They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-
There are many others.
So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
Re:Well, that depends. (Score:2, Insightful)
I think the point is:
In an age of acces through networks, is it possible to trust any private organization enough to not oversee them with what they are doing ?
Or is it almost obligatory to know exactly what a particular device/computer etc. does, or at least have the possibility of own, or third party assessment.
Re:You can't trust ANYONE. (Score:3, Insightful)
Re:Cisco's Life Lesson - Maybe not. (Score:1, Insightful)
Maybe there is no backdoor... until you install the patch?
Re:Well, that depends. (Score:0, Insightful)
Really it isn't a mistake to consciously create a backdoor is it
Re:"Can we trust closed-source vendors?" NO! (Score:1, Insightful)
> are far more trustworthy.
With that you effectively demonize any person who works for a company that is not open source based. I work at a place that does 50% military work - closed source by definition I suppose. Everybody I know there tries hard to make a good product. We perform code reviews and quality control and do the best we can to provide a product that is what the customer wants and has paid for. Your black-and-white strokes aren't very fair to your fellow humans who don't happen to work in an environment of which you approve.
w
Re:Yes, but - WIRELESS (Score:3, Insightful)
Second, your proximity to a wireless device doesn't mean you have administrative access even to the device you are associated with.
As has been pointed out repeatedly in this thread, access to the administrative interface of Cisco devices can easily be restricted through the use of a simple Access Control List.
I could give you the vty (telnet) and enable passwords to 100s of devices I've set up that are connected to the Internet right now, and there's not a damn thing you'd be able to do to them.
This entire thread is much ado about nothing, and most of the comments I've seen are either from the agenda driven, or tragically misinformed.
Re:It needs to be there (Score:3, Insightful)
I took a short (20 minute) job today, which involved fixing a customer's Cisco Catalyst 2924. There was an enable password set, but no one knew what it was. They wanted to make some network changes, most of which involved changing a couple port configurations. Zzz...
So I, not responsible for the lost password, took the "punishment" for the old admin loosing the password. Aparently the guy doesn't work for them anymore or whatever. Hell, I got paid for an hour, what do I care.
I hope this changes their strategy of putting in secret passwords. They're into security enough to know that is very dangerous. Secrets are not well kept, and someone will always leak.