Cisco Fixes Three-Year-Old Telnet Flaw In Security Appliances

Trailrunner7 writes "There is a severe remote code execution vulnerability in a number of Cisco's security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years. The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco's security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products." At long last, though, as the article points out, "Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers."

Security + Telnet

[MightyYar]

Security + Telnet = My Brain Hurts

Re:Security + Telnet

[3.5 stripes]

Yeah, any sort of security guidelines should have at the top, in the largest boldest letters possible, DO NOT USE TELNET.

Re:Security + Telnet

[silas_moeckel]

I use telnet plenty great for connecting to a tcp port and debugging. It's a horrid thing to run as a service and allow people to login etc.

Re:

[basketcase]

Use netcat (aka nc) for that. It works just as well and you can just ^C to get out of it.

Re:

[camperdave]

Oh? I was unaware that Cisco equipment came with netcat.

Re:

[basketcase]

This is about talking to Cisco not from Cisco.

Re:

[jandrese]

Often times you have to do both, thanks to security policies that prevent user machines from connecting directly with routers/switches. The admin jumps on the box with a serial cable and uses telnet from there to talk to the other equipment.

Re:

[AchilleTalon]

The point is: Do not run telnetd on a security device.

Running a telnet client to check a port/connection has not the same implications as using a telnet session to manage a security device.

Re:

[jandrese]

Connecting to a device and forwarding packets through it are two different things. It's sensible to have a policy that disallows most users from attempting to ssh to the router's management interface. Often they're on completely different VLANs. It can cause a problem however when the managed connection between the VLANs has an issue and people need to get in there to modify the router settings.

Re:Security + Telnet

[CaptnZilog]

I use telnet plenty great for connecting to a tcp port and debugging. It's a horrid thing to run as a service and allow people to login etc.

Yeah, the client comes in handy at times to connect to port 80 and 'handcraft' a http request to see a response, etc... but running a telnet server/service on the machine? Especially on a "security" device?!?!? C'mon... that's just ludicrous in all kinds of ways.

Re:

[TWX]

Depends on how the network is VLANned. I agree, it's not optimal for certain, but in cases where the management team for the devices have one VLAN for just themselves trunked to them, and where they use a common set of credentials to manage (ie, no TACACS/Radius) then it's not really any less secure.

Admittedly if someone makes a mistake and puts the wrong user on that VLAN, or if they need to get to the devices from elsewhere then they may have to traverse the network before getting to that VLAN, so the

Re:

[phantomfive]

Telnet is literally worse than requiring no password for log in.

Re:

[silas_moeckel]

Not really less secure??? How many vulnerability's have there been to inject frames into vlans, Turn access ports into trunks often with the default trunk everything.

Re:

[sunderland56]

I use telnet plenty great for connecting to a tcp port and debugging.

SSH be plenty greater for connecting to TCP ports and not security problem.

Re:

[wonkey_monkey]

SSH is for securely connecting to SSH servers. It's not useful, and certainly not "secure", for low level debugging of TCP connections.

Re:

[sunderland56]

SSH is for securely connecting to SSH servers. It's not useful, and certainly not "secure", for low level debugging of TCP connections.

Were you listening to your iPod? Because you missed the loud whooshing sound.

Re:

[wonkey_monkey]

If you wanted to people to know you were kidding, you'd have to make it at least 300% more dumberer than that!

Re:

[Anonymous Coward]

fwiw (I work at cisco) there has been a long-standing bug in sshv2 on most cisco boxes since the heartbleed bug. took me quite a while to find what the problem was in turning on ssh2. ssh1 was easy, but I needed v2 (netconf requires v2, for example).

turns out, openssl was fixed on linux but not quite fixed (right) on cisco. short answer: you have to run ssh -v2 with a command line 'mess' (or edit a .ssh/config file) to reorder the key exchange listing. if you move some of the kex stuff ahead of others,

Re:

[alex67500]

Hang on... SSL and SSH are not the same! Heartbleed affected OpenSSL!

fwiw (I work at cisco)

In HR? Comms?

Re:

[bobbied]

Security + Telnet = My Brain Hurts

It should hurt..

However, if memory serves, I think that Cisco provides SSH access and allows you to disable telnet. Even then, suggested practice was to put all your network hardware consoles on a private VLAN and firewall it from general access... So it's understandable that it took some time to fix this given there are multiple work arounds.

Re:

[Mister Liberty]

You sig enthralls me.
To en tomaten tomaten tomaten to vrat
To en tom aten tomaten tom at en to vrat.
(To and Tom ate tomatoes, Tom ate and To devoured).
(Google Translate: 'To and ate tomatoes tom tom ate and ate to' which is just pathetic).

Re:

[MightyYar]

I lifted it from "The ABC Book" by Dr. Seuss [wikipedia.org].

Thank Goodness!

[linuxrunner]

I've been waiting for this fix so I can finally drop SSH

Telnet

[ledow]

Is it just me that wasn't even aware that telnet had an encrypted mode (let alone a horribly-broken one)?

Not been an issue as I always switch it off unless the device is entirely in-house (and, there, someone sniffing the packets is much more of a problem than the fact they might end up with a device password by doing so).

Honestly, we just need to kill this "protocol".

Re:

[oodaloop]

Is it just me that wasn't even aware that telnet had an encrypted mode

I just called it SSH.

Telnet

[AchilleTalon]

There is even a kerberized telnet for a long time, however still no advantage over ssh which is also kerberized. Telnet should really die once and for all.

The funny about Cisco...

[__aaclcg7560]

When I worked at Cisco for nine months as a contractor last year, everyone used telnet to access network devices under development. My boss explained to me that 1) these were default passwords that everyone on the team knew, and 2) the development VLAN is secured from outsiders. That makes sense on one level, but using telnet is a bad habit one shouldn't get into.

Re:

[bobbied]

TELNET is just the default way to access the equipment. It comes out of the box that way (OK, not really but it's the default way to set up). Think of it as a legacy thing.

There is nothing wrong with using TELNET on a private network but today we understand that security is better served using SSH for this functionality. However, in some environments, legacy dies hard because TELNET is not really that much of a security risk if you have good control over who accesses your network.

Sharing passwords and

Re:

[DarkOx]

here is nothing wrong with using TELNET on a private network but today we understand that security is better served using SSH for this functionality. However, in some environments, legacy dies hard because TELNET is not really that much of a security risk if you have good control over who accesses your network.

There is nothing right with it! SSH is not an overhead concern for any contemporary device. Even if the only people with access to the networks the management services accept connections from all have access you still have a problem. If there have been credentials running around in the clear we don't really know / can't prove who has been using them. Also it leaves the door open for MITM possiblities where content is injected. TACS logs show Bob issued the "write erase" but we can't really say it wasn'

Re:

[bobbied]

Don't misunderstand me, I'm not advocating TELNET. I'm just not ready to condemn someone for using it for legacy reasons in situations where security is not a huge concern.

Security is really "risk management". This means that you must weigh the implementation costs and consider the risks. Remember that the ONLY secure system is one that's powered off and not plugged in. And then, it's only as secure as the physical security makes it.

In a closed network, like in a development lab, I can imagine that t

I'd worry anyway.

[khasim]

That makes sense on one level, but using telnet is a bad habit one shouldn't get into.

I agree. A better habit is setting up and using SSH.

Not only that but "defense in depth". Do NOT rely upon your perimeter defenses to stop all attacks. It only takes one person with a compromised laptop and you're cracked.

1) these were default passwords that everyone on the team knew

SSH can be set up the same.

2) the development VLAN is secured from outsiders

Until it is compromised.

Remember, in defense you have to be right on everything all the time. An attacker can just stumble into something you missed. Like someone's laptop that was brought in when it should not have been.

Re:

[bobbied]

Then too, it may be that Cisco's development lab is really just there to run test software loads. I imagine that they are using TFTP and TELNET for this purpose. Oh the horror! (sarcasm off)

Where I don't disagree with you, I'm not ready to dump on somebody who chooses to use TELNET for what ever reason. IF they understand the risks and knowingly choose to do it anyway, it's their equipment and their call. You and I might never choose to do it this way, but neither of us are involved so it's not our ch

Re:

[__aaclcg7560]

Then too, it may be that Cisco's development lab is really just there to run test software loads. I imagine that they are using TFTP and TELNET for this purpose. Oh the horror! (sarcasm off)

The entire building was set up that way and kept separate from the actual labs inside the building, being one router hop away from the production network. That router didn't have the same safeguards as the perimeter routers for the outside world. Telnet was disabled on the router.

Three years????

[gstoddart]

How does a major vendor like Cisco take 3+ years to fix a known security hole?

Did they just sit on it? Or were they hoping nobody would notice?

That makes no sense to me at all.

Re:

[__aaclcg7560]

From what I can tell in recent times, Cisco lays off 10% of their workforce in America and hires 10% of their workforce from India. The development teams are squeezed in the middle as experienced people are let go and new people are still learning the ropes. It's a rotten business model but apporved by Wall Street.

Re:

[bobbied]

How does a major vendor like Cisco take 3+ years to fix a known security hole?

Work around existed, nobody ever fielded in a configuration that was subject to the problem, so this was LOW risk. If you are working more important issues, LOW risk stuff gets to wait.

That's how.

Telnet has its place

[davidwr]

However, being accessible by even a single machine you don't trust is not one of those places.

A place where it is helpful: Isolated networks such as in a test lab that you control. The fact that it is NOT encrypted can be a great asset in debugging if you are looking at packet-capture logs. Sure, there are other solutions but if telnet/telnetd are readily available and they get the job done without causing any bad side-effects in a particular use case why not use them?

Re:Telnet has its place

[DarkOx]

Because its not what your customers are really going to use! Better to exercise a real world configuration in the lab. Add 'null' cipher to ssh if you need this and make the command to enable it something obviously out of place for normal operations like:

DangerDoNotUse_EnableSSH_NULL_CIPHER
DangerDoNotUse_EnableSSH_NULL_MAC

Re:

[__aaclcg7560]

3) No ever got fired for buying Cisco.

Re:

[Anonymous Coward]

You've obviously never seen somebody go over budget.

Better late than never?

[xanthines-R-yummy]

Yes, sooner would have been better but at least they got around to fixing it, right?

A vulnerability IN Telnet ?

[alexhs]

There are vulnerabilities IN Telnet ?
And I thought Telnet WAS a vulnerability...
It's vulnerabilities all the way down, I guess.

Re:

[LessThanObvious]

It's vulnerable from a packet sniffer standpoint, but a remote vulnerability makes it worse. Many companies have old Cisco code that doesn't have the feature set to support SSH. Why Cisco thought you should have to buy "firewall feature set" on a router in order to get SSH, even long ago still baffles me. Using SSH to get to a management host and allowing telnet across your data center management LAN only from said management host isn't ideal, but it isn't the greatest security sin.

The vulnerability *IS* telnet.

[EmagGeek]

FTFY...

Telnet client = great, telnet server = bad idea

[Viol8]

Don't get the server confused with the client. Telnet servers should have been put out to pasture years ago except perhaps on small isolated networks. The telnet CLIENT however is an extremely useful debugging tool for connecting to all sorts of text based servers (FTP, usenet, HTTP etc) and I get really pissed off with some distributions that assume because the server is no longer used neither is the client and so remove it.

Also FWIW , telnet is still the default way to access MUDs and some BBSs.