Cisco, haven’t we learned anything? (technician reset)

in this recent cisco advisory, the company alerts us to a security problem with cisco mars (cisco security monitoring analysis and response system).

the security issue is basically a user account on the system that will give you root when accessed.

the account is:
1. hidden.
2. default.
3. with a pre-set password.
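An account of this shape leaves fingerprints in the appliance's own account database: a second UID 0 entry in passwd and a usable (not locked) hash for it in shadow. The audit below is an added example, not code from the post or from Cisco; the passwd and shadow lines are constructed sample data, and the account names in them are invented.

```python
# Added example: flag undocumented root-equivalent (UID 0) accounts and
# report whether each carries a usable password. Sample data is
# constructed; "svcuser" and "appadmin" are invented names.
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcuser:x:0:0:service account:/root:/bin/bash
appadmin:x:500:500:appliance admin:/home/appadmin:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$HASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svcuser:$1$abcdefgh$HASHPLACEHOLDER:19000:0:99999:7:::
appadmin:$6$saltsalt$OTHERHASHPLACEHOLDER:19000:0:99999:7:::
"""

@dataclass
class Finding:
    user: str
    reason: str

def parse_passwd(text):
    """Map user name -> (uid, shell) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), fields[6])
    return users

def parse_shadow(text):
    """Map user name -> password field from shadow-format text."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}

def audit_accounts(passwd_text, shadow_text, documented_root=("root",)):
    """Return a Finding for every UID 0 account that is not the documented
    root account, noting whether its password hash is usable or locked."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, (uid, _shell) in users.items():
        if uid == 0 and name not in documented_root:
            pw = hashes.get(name, "")
            # "!" or "*" (or empty shadow entry) means the password is locked
            usable = bool(pw) and not pw.startswith(("!", "*"))
            state = "usable password" if usable else "password locked"
            findings.append(Finding(name, f"undocumented UID 0 account, {state}"))
    return findings
```

Run the same audit against the appliance's real /etc/passwd and /etc/shadow after each upgrade; a clean result is an empty list.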

in other words, this is a journey back 10 years when technicians would commonly have special keys (actual keys, electronics or passwords) to access a device if they had to troubleshoot it for anything, or say… the user lost his password.

people used to trade these keys online and hidden accounts were a thing of common practice. today people still trade commonly used default passwords but it is not as popular as it used to be, at least in the online world.

on the other hand, the most common practice to hack routers today is still to try and access the devices with the notoriously famous default login/password for cisco devices: cisco/cisco.

cisco/cisco is the single most used default password of our time. it got more routers pwned than any exploit in history, and it still does. one would think that a company such as cisco, especially with this history, would stay away from such “default” accounts… but the fact that this account is hidden makes it something different.

it makes it a backdoor. one much like those used by the bad guys.

now… if cisco knowingly put it there, shame on them. if somebody put it there without their knowledge… well, shame on them.

this is indeed a vulnerability, as in a weakness. it is not however a software coding bug that may result in say… a buffer overflow. it is a part of the design of the system.
cisco disclosing this is very nice and commendable, but perhaps they should also let us know whether this was indeed a backdoor somebody put in their system or if it was part of the design?

i love eastereggs. i just don’t like surprises in system privileges or backdoors, especially not in a security monitoring and response product.

i very much doubt it was anything else but a part of the design but that should be admitted to.
as the advisory states:

no other cisco products are currently known to be affected by this vulnerability.

okay, but how about other vulnerabilities of this type? are there any more backdoors in other cisco products?
if not, why wouldn’t they just come out and say that?
“there are no other such backdoors in our products”.

i’d even be happy with:
“to our knowledge, there are no other vulnerabilities of this type in our products.”

this is not a bug. one can never be sure all bugs are eliminated — however hard one may try.
one can admit to having no such features in other products, though.

once again we fall upon re-naming of a feature as a bug or a bug as a feature to make the problem sound less severe.

in this case, the judgement is plain and simple:
if cisco were bad guys, this is a backdoor.
as cisco are good guys, this is a technician reset.

terminology? what’s the difference?

the difference is that cisco are not bad guys. if they disclose a problem they should do it fully, because as a client, i am now concerned.

this reminds me of ciscogate but not for obvious reasons. that was a bad event for everybody involved.
it reminds me of the very issue mike lynn discussed:
remote exploitation for cisco is possible, while so far cisco disclosed all these problems as dos vulnerabilities.
i am not saying cisco did that on purpose, but in this case they can set my mind at ease.

why don’t they?

update:

after writing this i’ve been made aware that this product was from a company cisco bought not so long ago. this very same issue happened before (and more than once)… in one recent example with another company cisco bought named riverhead.

it is true cisco’s psirt is one of the best to work with among vendors, even mike lynn said that cisco psirt are some of the more decent people he worked with – “i’ve never had a problem with psirt”.

it is also true that cisco can’t find out about these until after they buy the companies, still, cisco f*cked up, more than just once or twice, and we call it. this kind of a so-called “vulnerability” should not happen, or be disclosed, continually, in this particular fashion.

checking into new investments security-wise, especially with security products, and using external qa may help solve such issues in the future.

gadi evron,
ge@beyondsecurity.com.

  • http://www.BeyondSecurity.com aviram

    Don’t forget our ever-most-popular default passwords page.

  • Dave

    Look, this is not a “backdoor” or “easter egg” of any sort. This is the Linux box’s root account. Duh.

    So, why all of the conspiracy theory talk? Geez…

    A responsible Security Engineer will install this type of box (or vulnerability assessment appliance, or FW mgmt server, etc.) into a tightly-controlled position within their network.

    While the root account obviously has uberGod privileges, the attack surface is private, secured, and therefore minuscule.

    Does anyone outside Cisco actually *know* the root pw? I looked at the link provided on this very website for default passwords. I did not see the MARS root pw listed there.

    FWIW…

    - Dave

  • sunshine

    There is no conspiracy talk. Read again.
    BTW – ever heard of brute force? Even if you didn’t once it is known someone will find it.

    If it isn’t known someone will find it, although a little bit later – or worse will just not tell anyone about it.

    Who are you kidding?

  • Dave

    With the box physically secured, and SSH access limited to Security Admins, I’m not convinced that this is exploitable in any practical sense.

    I did, nonetheless, upgrade to 4.1.3 (a 170 MB upgrade package which fixes this issue), but mostly with the hope that when I mark an event as a false positive, that the box might actually do it. Word to John C.

    - Dave

  • sunshine

    Fixing a problem is always the right way to go. That is not mainly what I talked about though. :)

  • http://www.ciscohq.com Cisco Forum and News

    Layered security is always a great approach to practice. It helps mitigate certain circumstances that may arise. :)