Hardcoded Password Found in Cisco Enterprise Software, Again (bleepingcomputer.com) 70
Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.
Re: (Score:2)
Who the Fuck is Writing the Shit? (Score:3, Funny)
Are they using overseas programmers?
Is this another success of outsourcing?
Re:Who the Fuck is Writing the Shit? (Score:5, Interesting)
But don't worry, they were only going to use it responsibly , and as you have nothing to hide its all good....
These are not the exploits you are looking for.......
Re: (Score:1)
Not in this case. There's little advantage in leaving backdoors if one is making them so obvious that other agencies could easily use them. Actual backdoors are more sophisticated.
Re: (Score:2)
Re: (Score:2)
Well, is the TLA scum is _this_ stupid in placing their backdoors, then the world is really in fast decline. Not saying they are not this stupid, but if they are that would be very bad.
Re: (Score:1)
Re: (Score:3)
Re: (Score:2)
Again (Score:2, Informative)
There are automated tools to find this stuff. So why?
Re: (Score:2)
Re: (Score:2)
There are security scanners. They will flag this.
Irrefutable facts. (Score:4, Insightful)
These passwords were either left there purposefully or accidentally. If they were left there purposefully it may have been done either with or without Cisco's knowledge.
There is no combination of available possibilities that can be justified by acceptable behavior from a network security hardware vendor of this stature. Either they are effectively completely incompetent or they're effectively completely malicious.
Re: (Score:2)
Re:Irrefutable facts. (Score:5, Funny)
We're talking about Cisco here. What makes you think it's an either/or choice?
Re: (Score:1)
Well, you're right that in this type of situation there's no such thing as "benign incompetence" and so these are effectively the same result. People who themselves are incompetent may not realize this but may still be redeemable over a long enough time frame. By leaving this part open to interpretation, it still gives those people a seat at the table to continue the conversation.
This is why we continue to have these problems (Score:4, Interesting)
The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts.
WTF WTF WTF WTF.
Unfair criticism? You've got to be shitting me.
The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits
And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!
Re: (Score:1)
And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!
This is why E.W. Dijkstra advocated talking about "defects" instead of "bugs". They don't just crawl in, someone put them there. Security problems, same thing. Backdoors, even more obviously so, wilfully even.
If we cared about this sort of thing, we consistently did exactly that. If we did that, it would also make it that much harder for marketeering and other spin doctors to go give their booboos a cute spin.
On a slightly tangential note, many manufacturers put such things in and cisco might be a big name,
Re: (Score:2)
Re: (Score:2)
WTF WTF WTF WTF.
Unfair criticism? You've got to be shitting me.
The companies we really should be criticizing are the ones who have many undiscovered backdoors and hardcoded accounts because they've been able to avoid doing internal audits.
Re: (Score:2)
The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits
And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!
Or the NSA put them there. Or Cisco has been hacked nine ways from sunday and hackers put them there. I actually think that last one is the most reasonable explanation. Cisco is one of the most visible targets in the networking world. Getting an exploit into their software means getting it into some of the most important networks on the planet.
Where was QA? (Score:2)
oh, "Were Agile we don't need no stinking' QA"
Re: (Score:2)
Do you work for Microsoft?
Re: (Score:2)
Yep. It's not just Cisco too. :(
Done on purpose (Score:2)
I imagine this was done on purpose. And from where I'm sitting, I'm thinking, it did not have malicious intent. It was probably a choice made so Cisco can bail out IT departments that lost passwords to their gear and need a way in. Just my 2 dollars. Inflation sucks, doesn't it?
Re: (Score:2)
what data do you have to completely rule out malicious intent?
No more Cisco (Score:2)
FTFY (Score:3)
From: Cisco CEO
Recently we discovered three vulnerabilities that have meant the unfortunate discovery of one of the many NSA hidden administrative accounts and two of the security bypass accounts for hidden use by the FBI and CIA.
We here at Cisco want to assure our most important customers that we take the discovery of your backdoors very seriously. We are now sending out a patch to the enterprise muppets that includes a new backdoor on port 6969 with the username/password pair admin:nimda
Cisco values our AmericanTLA customers greatly and want to assure you that this unfortunate defect in our backdoor enabling program was only a minor exposure. There were still many hundreds of your usable backdoors undiscovered and at no time was your ability access to private data reduced or compromised.
God Bless America.
Chuck
CEO Cisco
Crappy Software alert (Score:2)
Have been a programmer and QA, I have little confidence in developer. This is a sign of:
1) sloppy programming.
2) no code reviews.
3) Crappy test coverage. The application should make provision for changing passwords. *No one* tried changing the pass word?
4) Bad QA. Or non-existent
5) Finally it springs from bad management.
Re: (Score:2)
Matches my experience.
enterprise software (Score:2)
when i was still in school, me and my friends always had a good laugh about how bad some commercial software was written and how they got away with charging people $20-$100 for their crapfest.
then i got a job in IT and had to work with 'enterprise' software and discovered a whole new level of fails and couldn't understand why or how they got so many companies to pay, in some cases, millions for it.
and the worst part? it isn't getting any better!
Fine (Score:2)
Hardcoded password found in Cisco software (Score:2)