Cisco's Network Backdoor Extravaganza. 5 in 5 months

rcmaehl

Sources:
Tom's Hardware

Bleeping Computer

 

TL;DR:

Cisco has once again released patches for an undocumented remote backdoor in more than 8.5 million Cisco devices that power the backbone of the internet. This makes the 5th backdoor to receive a patch within 5 months.

 

Media:
Cisco

 

Quotes/Excerpts:

Quote

a critical patch for Cisco Policy Suite that removes an undocumented password for the "root" account... a huge impact due to the nature of the software it was found in... Cisco sells to ISPs and large corporate clients... designed with network-intrusive features that allow it to keep track of individual users, tier traffic, and enforce access policies... lets an attacker gain access to this very powerful software and enables him to run malicious operations with root-level access...  the vulnerability received a rare severity score of 9.8 out of a maximum of 10... the fifth undocumented password (aka backdoor) that Cisco has removed from its software in the past five months. 

Quote

back in 2004, Cisco wrote an IETF proposal for a “lawful intercept” backdoor for routers, which law enforcement could use to remotely log in to routers...Attackers could exploit these backdoors and not leave any audit trail...This year has brought five undocumented backdoors in Cisco’s routers so far, and it isn't over yet... The backdoor gives an attacker root access to the network and there are no mitigations against it...Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.

 

My Opinion:
 

Cisco is really putting its reputation for enterprise applications and as a backbone for a large portion of the internet at risk. These backdoors are giving full remote network access, with no logging of the actions whatsoever. It is clear that at least some of these were intentional based on their IETF proposal back in 2004. Let's hope Cisco changes their game before they become a tool of a Nation State.


What irritates me the most is that this stuff is supposed to be checked for with tools before the code is released and seeing these tells me they aren't being run for whatever reason or the business unit doesn't have something in place to check for this which is a big no-no in my book. I know there are some things you can't check for like maybe a specifically crafted packet that's not been attempted before in some random variation but there are supposed to be scripts that are run against all code before it's released to check for hardcoded passwords. I think senior leadership needs to crack down on this stuff a lot more, if someone is found to have left a hardcoded password or something that's easily detectable by standard security tools and scripts, that person or group of persons needs to be severely reprimanded to say the least because in this day and age it's just unacceptable.

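A minimal version of the pre-release check Lurick describes (scripts run against all code before release to catch hard-coded passwords), added here as an example and not Cisco's tooling or anything posted in the thread; the pattern list, the placeholder rules and the sample lines are all constructed:

```python
"""Pre-release check for hard-coded credentials (added example, not Cisco's
tooling): flags literal password assignments and baked-in password hashes for
system accounts, tolerating obvious placeholders so it can gate a CI release."""
import re
from pathlib import Path

# Literal credential assignment, e.g. ADMIN_PASSWORD = "hunter2" or pwd: 'x'
ASSIGN_RE = re.compile(
    r'(passw(?:or)?d|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
# passwd/shadow-style entry carrying a real hash: user:$algo$salt$hash:...
SHADOW_RE = re.compile(r'^([a-z_][a-z0-9_-]*):(\$[0-9a-z]+\$[^:]+):')
# Values that are clearly placeholders or runtime lookups, not secrets.
PLACEHOLDER_RE = re.compile(r'^(|x|\*|changeme|<[^>]*>|\$\{[^}]*\}|%[^%]*%)$',
                            re.IGNORECASE)


def scan_lines(lines, path="<input>"):
    """Return (path, lineno, kind, name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ASSIGN_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group(2).strip()):
            findings.append((path, lineno, "hardcoded-credential", m.group(1)))
            continue
        m = SHADOW_RE.match(line.strip())
        if m:
            findings.append((path, lineno, "baked-in-password-hash", m.group(1)))
    return findings


def scan_tree(root, suffixes=(".py", ".c", ".sh", ".conf", "")):
    """Scan every regular file under root whose suffix is listed ("" = none)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            text = p.read_text(errors="replace").splitlines()
            findings.extend(scan_lines(text, str(p)))
    return findings


# Constructed sample lines standing in for a release candidate's sources.
SAMPLE = [
    'ADMIN_PASSWORD = "s3cr3t-debug"',  # flag: literal secret
    'db_password = "${DB_PASSWORD}"',  # ok: injected at runtime
    "password = os.environ['APP_PW']",  # ok: no literal string
    'token: "<REDACTED>"',  # ok: placeholder
    "root:$6$abc123$hashhashhash:18000:0:99999:7:::",  # flag: shipped hash
    "daemon:*:18000:0:99999:7:::",  # ok: locked account
]
```

Wire scan_tree("path/to/release") into the build and fail it whenever the returned list is non-empty.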

I don't even understand why they would put these backdoors in. Does Cisco themselves want to be able to sneak into their own equipment once distributed? Some sort of easy access for Cisco employees to access equipment already configured with various levels of user/passwords?


3 minutes ago, Lurick said:

What irritates me the most is that this stuff is supposed to be checked for with tools before the code is released and seeing these tells me they aren't being run for whatever reason or the business unit doesn't have something in place to check for this which is a big no-no in my book.

If it's meant to be a backdoor, then in theory they wouldn't want those tools run. Or if they were run, that particular result was ignored.

3 minutes ago, Lurick said:

I think senior leadership needs to crack down on this stuff a lot more, if someone is found to have left a hardcoded password or something that's easily detectable by standard security tools and scripts, that person or group of persons needs to be severely reprimanded to say the least because in this day and age it's just unacceptable.

Senior leadership is almost always the one making dumb-as-fuck decisions about information security. They know nothing, they remain willfully ignorant, and ignore, silence, or completely eliminate the "foul!" cries of their InfoSec employees.

 

Most senior leaders of companies hold business degrees, not IT degrees. The people who would get punished aren't the ones who made the decision to ignore the security problems. It'll be a random developer who gets reprimanded or fired for not seeing the problem, even if there were very clear pieces of evidence showing they were following directions to leave the backdoor active.


The NSA is at it again huh.... I think every manufacturer that makes critical systems like this should be forced to release the source code of their software (and BIOS if applicable) along with the toolchain for compiling. There is no other way to make sure there is nothing nefarious hidden in there.


Cisco's devices have had backdoors built into them for years and years now; it's amazing that anyone even buys their stuff anymore. Alas, I suppose the old adage of "A sucker is born every minute" still holds true.


6 minutes ago, Windows7ge said:

I don't even understand why they would put these backdoors in. Does Cisco themselves want to be able to sneak into their own equipment once distributed? Some sort of easy access for Cisco employees to access equipment already configured with various levels of user/passwords?

Usually it has to do with accessing debugging tools and whatnot in the kernel itself when doing deep level troubleshooting with TAC but there are supposed to be other ways to access that stuff without needing hard coded passwords.

 

When these articles come out it's usually the result of someone leaving a debugging password coded into the system that wasn't removed and they didn't give a damn and thought they were better than that, or just rushed the code out the door and either didn't run the tools or checked the box claiming they did and had their friend say it was run as part of peer review. I would hazard a guess that a lot of this stems from fast software release schedules that focus on quantity over quality, sadly.


14 minutes ago, Lurick said:

Usually it has to do with accessing debugging tools and whatnot in the kernel itself when doing deep level troubleshooting with TAC but there are supposed to be other ways to access that stuff without needing hard coded passwords.

It would be too hard to put an isolated serial port on the inside for that purpose and hardcode the system to only allow low level stuff through that one.


1 minute ago, jagdtigger said:

It would be too hard to put an isolated serial port on the inside for that purpose and hardcode the system to only allow low level stuff through that one.

Yah, that would be the smart thing to do :P


1 minute ago, Lurick said:

Yah, that would be the smart thing to do :P

It's way better than something that could be used remotely without a trace. But for what I wrote you would have to open up the sucker, combine it with some intrusion detection and voila :D


25 minutes ago, Lurick said:

Yah, that would be the smart thing to do :P

It'd be the RIGHT thing to do too.

