Cisco, haven’t we learned anything? (technician reset)
in this recent cisco advisory, the company alerts us to a security problem with cisco mars (cisco security monitoring analysis and response system).
the security issue is basically a user account on the system that will give you root when accessed.
the account is:
with a pre-set password.
in other words, this is a journey back 10 years when technicians would commonly have special keys (actual keys, electronics or passwords) to access a device if they have to troubleshoot it for anything, or say… the user lost his password.
people used to trade these keys online and hidden accounts were a thing of common practice. today people still trade commonly used default passwords but it is not as popular as it used to be, at least in the online world.
on the other hand, the most common way routers get hacked today is still to try the notoriously famous default login/password for cisco devices: cisco/cisco.
cisco/cisco is the single most used default password of our time. it got more routers pwned than any exploit in history, and it still does. one would think that a company such as cisco, especially with this history, would stay away from such “default” accounts… but the fact that this account is hidden makes it something different.
it makes it a backdoor. one much like those used by the bad guys.
now… if cisco knowingly put it there, shame on them. if somebody put it there without their knowledge… well, shame on them.
this is indeed a vulnerability, as in a weakness. it is not however a software coding bug that may result in say… a buffer overflow. it is a part of the design of the system.
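a hidden root-equivalent account with a pre-set password is a design property, and design properties are best caught by a baseline audit rather than by waiting for an advisory. the script below is an added example for this post, not cisco code, and it does not know the real mars account name; it reads a constructed /etc/passwd-style listing and flags any second uid-0 account (which is what a "technician reset" login amounts to) and any interactive account that is not in an approved baseline. the account names, the baseline and the sample file are all made up for the example.

```python
"""Audit a passwd-style account database for hidden privileged accounts.

Constructed example; not Cisco code and not the real MARS account.
Flags (a) any UID-0 account other than root and (b) any account with a
login shell that the approved baseline never listed.
"""
from dataclasses import dataclass

# Constructed sample in /etc/passwd format. 'svc_maint' plays the role of
# a hypothetical hidden root-equivalent account (UID 0, login shell) that
# nobody put in the baseline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
appadmin:x:1000:1000:appliance admin:/home/appadmin:/bin/bash
svc_maint:x:0:0:maintenance:/root:/bin/sh
sshd:x:74:74:sshd:/var/empty:/sbin/nologin
"""

# Hypothetical baseline: the only accounts that should be able to log in.
APPROVED_INTERACTIVE = {"root", "appadmin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        accounts.append(Account(fields[0], int(fields[2]), int(fields[3]), fields[6]))
    return accounts


def find_extra_uid0(accounts: list[Account]) -> list[str]:
    """Any account besides root with UID 0 is root under another name."""
    return sorted(a.name for a in accounts if a.uid == 0 and a.name != "root")


def find_unapproved_interactive(accounts: list[Account], approved: set[str]) -> list[str]:
    """Accounts with a real login shell that the baseline does not list."""
    return sorted(
        a.name for a in accounts
        if a.shell not in NOLOGIN_SHELLS and a.name not in approved
    )


def audit(text: str, approved: set[str] = APPROVED_INTERACTIVE) -> dict[str, list[str]]:
    """Run both checks and return the flagged account names per check."""
    accounts = parse_passwd(text)
    return {
        "extra_uid0": find_extra_uid0(accounts),
        "unapproved_interactive": find_unapproved_interactive(accounts, approved),
    }


if __name__ == "__main__":
    for check, names in audit(SAMPLE_PASSWD).items():
        print(f"{check}: {names or 'none'}")
```

run against a real box, the same two checks are the first thing to compare between a vendor's stated account list and what actually ships on the appliance; an entry that shows up in `extra_uid0` with a shell and a usable password is exactly the kind of "feature" this advisory describes.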
cisco disclosing this is very nice and commendable, but perhaps they should also let us know whether this was indeed a backdoor somebody put in their system or if it was part of the design?
i very much doubt it was anything else but a part of the design but that should be admitted to.
as the advisory states:
no other cisco products are currently known to be affected by this vulnerability.
okay, but how about other vulnerabilities of this type? are there any more backdoors in other cisco products?
if not, why wouldn’t they just come out and say that?
“there are no other such backdoors in our products”.
i’d even be happy with:
“to our knowledge, there are no other vulnerabilities of this type in our products.”
this is not a bug. one can never be sure all bugs are eliminated — however hard one may try.
one can admit to having no such features in other products, though.
once again we fall upon re-naming of a feature as a bug or a bug as a feature to make the problem sound less severe.
in this case, the judgement is plain and simple:
if cisco were bad guys, this is a backdoor.
as cisco are good guys, this is a technician reset.
terminology? what’s the difference?
the difference is that cisco are not bad guys. if they disclose a problem they should do it fully, because as a client, i am now concerned.
this reminds me of ciscogate but not for obvious reasons. that was a bad event for everybody involved.
it reminds me of the very issue mike lynn discussed:
remote exploitation for cisco is possible, while so far cisco disclosed all these problems as dos vulnerabilities.
i am not saying cisco did that on purpose, but in this case they can set my mind at ease.
why don’t they?
after writing this i’ve been made aware that this product was from a company cisco bought not so long ago. this very same issue happened before (and more than once)… in one recent example with another company cisco bought named riverhead.
it is true cisco’s psirt is one of the best to work with among vendors, even mike lynn said that cisco psirt are some of the more decent people he worked with – “i’ve never had a problem with psirt”.
it is also true that cisco can’t find out about these until after they buy the companies; still, cisco f*cked up, more than just once or twice, and we call it out. this kind of a so-called “vulnerability” should not keep happening, or keep being disclosed, in this particular fashion.
checking into new investments security-wise, especially with security products and external qa may help solve such issues in the future.