Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Networking Businesses Security

A Fifth Undocumented Cisco Backdoor Has Been Discovered (bleepingcomputer.com) 118

Cisco released 25 security updates Wednesday, including a critical patch removing an undocumented password for "root" accounts of Cisco Policy Suite (sold to ISPs and large corporate clients). "The vulnerability received a rare severity score of 9.8 out of a maximum of 10 on the CVSSv3 scale," reports Bleeping Computer.

An anonymous reader quotes Tom's Hardware: Over the past few months, not one, not two, but five different backdoors joined the list of security flaws in Cisco routers.... In March, a hardcoded account with the username "cisco" was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely. That same month, another hardcoded password was found for Cisco's Prime Collaboration Provisioning software, which is used for remote installation of Cisco's video and voice products. Later this May, Cisco found another undocumented backdoor account in Cisco's Digital Network Architecture Center, used by enterprises for the provisioning of devices across a network. In June, yet another backdoor account was found in Cisco's Wide Area Application Services, a software tool for Wide Area Network traffic optimization...

Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.

This discussion has been archived. No new comments can be posted.

A Fifth Undocumented Cisco Backdoor Has Been Discovered

Comments Filter:
  • Why would Cicso have to put an end to it? Nobody in their right mind would touch Cisco products anymore. Let 'em swing by their own backdoors.
    • They had sales of $12.5 billion last quarter. Someone is buying a ton of the stuff.
    • They will of course find a scapegoat--surely they use version control. Said scapegoat will be fired, and then it'll be on to the next set of backdoors.

      • Re:Why buy? (Score:4, Insightful)

        by postbigbang ( 761081 ) on Saturday July 21, 2018 @05:31PM (#56987212)

        No one falls on their sword these days, or even admits anything because: lawyers. And no one gets fired.

        After all, one is a mistake, three is a bit more than oopsy-doo, and five? Well, five is: "We never did give a shit. Are my stock options ready yet? This junior coder gig has to pay me at least something."

    • There are still plenty of people that treat Cisco like they used to treat IBM back in the 80's and 90's where they believe Cisco is the safe bet. Hell I constantly argue with one of the networking guys at one of the places I contract into as he believes everything is shit except for Cisco.
  • ... back across the border.

    BUILD THAT (fire)Wall!!!

  • Cisco's Password Collaboration Provisioning software

  • We’re going to FIVE backdoors.

  • by jeffasselin ( 566598 ) <cormacolinde AT gmail DOT com> on Saturday July 21, 2018 @05:24PM (#56987186) Journal

    Most of these came from a massive code review Cisco has been doing through their entire software codebase, which across all their products is truly massive. They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Most of these came from a massive code review Cisco has been doing through their entire software codebase, which across all their products is truly massive. They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.

      No. Just fucking no.

      There is no reason. NO REASON to put a hard-coded default username/password into any software or hardware. None. Not even for "debugging" purposes. A retarded 12 year old who has never seen a computer could understand that this is a really stupid idea.

      • Someone just did that at where I worked. A cheap Indian intern and we caught her. Her response was I needed to get this done today and do not have time to setup an authentication system in hte code.

        She was eventually fired though but employers love cheap programmers more than good code.

    • So this is the code review that apparently led to releasing so many backdoors up to this point.

      The only code review that means anything is the one that comes from the computer's owner or someone the computer owner trusts, not a proprietor's claim to users or media. The only way to implement what computer owners need is to use free software for all of their computer's software without exceptions.

    • They found a good number of flaws, and honestly these backdoor accounts mostly look like debugging features left in inadvertently.

      Any competent intelligence agency would request that the backdoors look like debugging features left in inadvertently.

  • I wonder if any of these back doors were created at the Request of a TLA.
    I wonder if a 'too good' security patch will blind them.
    I just wonder about ALL those back doors.
    They can't be that sloppy, can they?

    • by AHuxley ( 892839 )
      A front door for Five Eyes. New Zealand and Canada are inside too.
    • by mbkennel ( 97636 )
      If it had been created by NSA itself it would have been much more subtle and deniable. This looks oafishly stupid or corrupt.
  • by Proudrooster ( 580120 ) on Saturday July 21, 2018 @05:49PM (#56987330) Homepage

    As a person that works a provisioning, VPN, and remote setup, this really complicates my life. This was the last backdoor I had to all the CISCO gear. If anyone knows of another backdoor, could you please message me. What a pain, not customers are going to have to give me their password.

  • $100 on these back-doors were govt mandated access

  • A Fifth Undocumented Cisco Backdoor...

    Cisco has been allowing undocumented immigrants into the country?! Oh my!

  • Cisco's stock isn't in the toilet for reasons which aren't immediately apparent.

  • by schweini ( 607711 ) on Saturday July 21, 2018 @07:43PM (#56987656)
    How the hell can a company that acts all serious have flaws like this?
    I'm no conspiracy theorist, but IMHO the only way obvious things like these didn't get caught in code review or QA is that these backdoors are there on purpose.
    Or can anyone come up with a legitimate excuse for this?
  • Then claim the janitor did the code.

  • How about we all stop kidding ourselves, the 'undocumented password' were put in therre at the behest of the NSA.
    • Yes, of course, why do so many "nerds" here not get it ?
      One of Snowden's most important revelations is that the NSA has an excellent "map" of virtually every device that connects to the internet.
      How could they do that if they could not get the tables from all of these routers ?

  • by beheaderaswp ( 549877 ) * on Sunday July 22, 2018 @03:20AM (#56988698)

    I've never been a fan of Cisco, Microsoft, or "corporate tech giants".

    Most of the systems engineering people in my generation (the old guys) can build routers. Give them a PC or a chassis, Linux or BSD, and in an hour it will be a router with security features that can be used to keep data safe.

    But corporate America seems to like appliances. I can understand it for multiport bridges (that's a switch for you young people). But for routing and security an appliance seems a bad idea because of planned obsolescence and closed nature of the architectures..

    Plus... when you buy a security or routing appliance... you only know what the manufacturer tells you about it- and "certified" people only know how to configure it while sometimes having an alarming lack of understanding TCP/IP.

    In my view trading knowledge for cost savings is a big issue. Sure there's a balance sheet advantage to buying appliances and perhaps using certified contractors to run them. But the cost comes up when a failure comes up requiring real know-how.

    Heck- I know of one company that is on their third revision of warehouse WIFI because none of the people they brought in understand microwave radio in an environment with a great deal of RF reflective metal. They know to use LMR600 cabling because Cisco specs it. But they do not know why. And they do not analyze how the tech will actually be used. So every revision of the network design performs badly.

    That's just one example. But it's rife in the industry. So much so that I moved into industrial programming because so few people are doing it and there's a high demand in my area. And they still care about "knowledge"... especially when it comes to programming old industrial systems with new safety controls.

    So when I hear about back doors in commercial products, I ask the same question: does trading knowledge for appliances actually make a business work better?

    Shouldn't the people running the network actually know how it works and what's on the network?

    The MBAs say no.

  • ... that the parents of the Southpark children wanted to get back so eagerly in https://en.wikipedia.org/wiki/... [wikipedia.org] (it is called "Backdoor Sluts 9").

    Just buy Huawai or ZTE, there, only the one backdoor from the chinese government is built-in.
  • I went to a tech college and after graduating my next steps were to get my A+, MCSE and CCNA. That's when I started getting into Linux and open source software in general. I swayed from getting my certs (I'm an independent tech consultant now) and I'm really glad I did. I know there aren't many FOSS alternatives to Cisco/Juniper equipment but if I spent all that time learning the ins and outs of Cisco proprietary equipment, I would have felt it was a big waste of time knowing that, after all my trying to se

Never test for an error condition you don't know how to handle. -- Steinbach

Working...