Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT

Cisco Can't Stop Using Hard-Coded Passwords (schneier.com) 30

There's a new Cisco vulnerability in its Emergency Responder product: "This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user." Bruce Schneier adds: "This is not the first time Cisco products have had hard-coded passwords made public. You'd think it would learn."
This discussion has been archived. No new comments can be posted.

Cisco Can't Stop Using Hard-Coded Passwords

Comments Filter:
  • by quetwo ( 1203948 ) on Friday October 13, 2023 @10:30AM (#63922799) Homepage

    The thing about Cisco is, they keep buying companies and products, they don't really know what they are inheriting. Cisco Emergency Responder is a product that came from somewhere else, developed by people who weren't apart of the Cisco work until recently, and really is a completely different product train that everything else they do.

    Yet, it should have been caught by a good security review before Cisco slapped their name on it. Clearly that process is broken.

    • "Yet, it should have been caught by a good security review before Cisco slapped their name on it. Clearly that process is broken."

      Always will be as long as marketing, accounting, etc. departments and types are the ones that control when stuff is released.

      • by DarkOx ( 621550 )

        This is a been Cisco model since around 2000, buy stuff and first priority seems to be change the branding and get new release out the door, if at all possible re-write the config file parsing and change the parameter names so it a vaguely "ios-like".

        What I never understood and still don't is why they are so quick to do this. They could be earning the sales revenue still immediately while running with the old product name for a little bit, to make sure it really integrates with the rest of the stack well a

    • by haruchai ( 17472 )

      "The thing about Cisco is, they keep buying companies and products, they don't really know what they are inheriting"
      True dat. Over 200 acquisitions & likely over $200 billion spent if adjusting for inflation. No way they have a full handle on all the vulnerabilities & silly decisions.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by Joe_Dragon ( 2206452 ) on Friday October 13, 2023 @10:44AM (#63922833)

      valid license $$ needed to be able to install fix

      • by HBI ( 10338492 )

        This is notable. Cisco and updating is a weird combo. Believing that free updates will be forthcoming for vulnerabilities probably makes people yawn at this kind of thing, but that's not the case. Assuming you can find the correct update in the tree of various options.

    • by wokka1 ( 913473 ) on Friday October 13, 2023 @10:44AM (#63922835)

      Only one very specific version is vulnerable. My guess is that they have the root password hardcoded during dev and they missed the step about changing it when it shipped. 12.5.1su4 is the version. Older and newer versions are fine. https://sec.cloudapps.cisco.co... [cisco.com]

      It's still an attack vector though, and yes, they missed it.

    • by runbuh ( 5530326 )

      The thing about Cisco is, they keep buying companies and products, they don't really know what they are inheriting. Cisco Emergency Responder is a product that came from somewhere else, developed by people who weren't apart of the Cisco work until recently, and really is a completely different product train that everything else they do.

      Yet, it should have been caught by a good security review before Cisco slapped their name on it. Clearly that process is broken.

      Cisco Emergency Reponder, including version 1.1, that was retired by in Cisco in 2007, is only "recently" a part of Cisco? Can you clue me in on that (honest question, not sarcasm)?

      • by quetwo ( 1203948 )

        The newer versions are essentially a 'new' product they bought from an Introdo spin-off. Old CER is not the same as 'new' CER.

    • Don't let Cisco off the hook so easily. Wasn't it Cisco-designed switches / routers that continued to use SSH version 1 long after that protocol was shown to be completely broken?

    • True, a lot of companies are like that. Security is difficult - it takes time, money, and expertise, whereas most companies want to be faster and with fewer expenses. The password approach also is outdated, most modern security doesn't have anything like a master password, instead you've got a certificate based system. Ie, here's your cert good for only 24 hours and 6 sessions. Although the newer security style requires more customer training and support, more back office server integrations, etc, which i

  • Blahblahbla (Score:2, Flamebait)

    It's only one specific release version. https://sec.cloudapps.cisco.co... [cisco.com]
  • My servers are super secure:

    User: root

    Password: password123

    & I leave all the permissions in dev default settings. Ain't nobody gonna crack my security!

    Do you think Cisco will offer me a job?
  • by nicolaiplum ( 169077 ) on Friday October 13, 2023 @11:09AM (#63922901)

    The usual sequence of events for Cisco hardcoded credentials is:

    • Some founders create Flangers, Inc. Their main product is SprocketFlanger, an innovative enterprise network product. It looks good but is hacked together very quickly with fixed admin credentials so the Flangers support desk can easily fix problems. Flangers has a really good reputation for responsive support.
    • Flangers, Inc has a growing market share in an area Cisco does not have a product.
    • Cisco buys Flangers, Inc for their innovative SprocketFlanger product. Market analysts report admiringly on Cisco's expansion into this new market area and the Cisco stock price goes up a bit.
    • Most of the original Flangers, Inc staff leave with huge stock payouts, having succeeded in the startup dream.
    • The replacement Cisco staff have no idea about the internals of the SprocketFlanger product.
    • Enterprising independent security specialists (black-hat hackers...) find the fixed admin credentials and hack the shit out of a load of companies.
    • Cisco announces vulnerability, removes the fixed admin credentials.

    There are several of these running concurrently, so Cisco can release a new fixed-password vulnerability every few months. Back when the dot-com acquisition rate was higher, they did it more often.

  • Were I Cisco's competitors, I'd immediately start printing ads saying "Buy from us. We don't do that."

  • by gweihir ( 88907 ) on Friday October 13, 2023 @12:27PM (#63923065)

    At this time anybody should really stay away from Cisco.

  • The vulnerability only applies to one version of Cisco Emergency Reponder (12.5.1 SU4). The current version (14) does not have the vulnerability, nor do older versions (11.5 and earlier). So the "can't stop" is a bit of hyperbole. Clearly, in this case, they stopped. Maybe.
  • Not a problem, Cisco is SOC-2 and ISO27001 certified so they don't have security issues. (at least if you listen to the people selling certification tools)

  • code review process. Besides the fact that Cisco equipment is becoming unusable with their continuous call home authorization and subscription crap.
    Buying Cisco equipment is starting to look a lot like an extortion racket.
    Do you own Cisco equipment or does Cisco own you.
  • How much harder would it be to keep the hard-coded password but replace it with one that's cryptographically generated based on a hash of the device serial or MAC address. At least then you'd have to know something about the hardware to remotely exploit it.

    • Logistically it's a solved problem. When you are flashing serial numbers, MAC, whatever into a device on the factory you also generate a default password. Put it on a sticker with QR code on the device. When an IT department brings new equipment into the inventory they scan the device and now they have MAC and default password and can easily begin automated deployment.

      Cisco has so many different products that are at wildly varying levels of quality and logistic sophistication that their brand name basically

  • by david.emery ( 127135 ) on Friday October 13, 2023 @04:42PM (#63923551)

    In just about any other industry, shipping a product with an obvious flaw would result in product liability lawsuits. And that would cost the vendor money for lawyers, trials and judgements/out of court settlements.

    But for Cisco and others in this industry, it's ... crickets ...... If there's no impact on Cisco, why should they change things?

    Once again I call for software product liability as a matter of law.

  • by Tony Isaac ( 1301187 ) on Friday October 13, 2023 @05:42PM (#63923663) Homepage

    Windows 7, 8, 10, and 11 has a "hidden" Administrator account, with no password. It can be enabled without knowing any login credentials, by using a UEFI boot disk. https://www.howtogeek.com/962/... [howtogeek.com]

    Windows Hello makes it less useful, because it's no longer possible to monkey with a Microsoft account from this hidden admin account. But it's still very possible to grab files from the hard drive, without knowing any password at all.

The nice thing about standards is that there are so many of them to choose from. -- Andrew S. Tanenbaum

Working...