Security

Hardcoded Password Found in Cisco Enterprise Software, Again (bleepingcomputer.com) 70

Catalin Cimpanu, writing for BleepingComputer: Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" and which received a maximum of 10 out of 10 on the CVSSv3 severity score. The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center. The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network. This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.

  • by sycodon ( 149926 ) on Thursday May 17, 2018 @05:38PM (#56629276)

    Are they using overseas programmers?

    Is this another success of outsourcing?

    • by sit1963nz ( 934837 ) on Thursday May 17, 2018 @05:50PM (#56629332)
      No, this is the NSA, CIA, FBI, DHS, etc. etc. etc. doing their part in making the world less safe.

      But don't worry, they were only going to use it responsibly, and as you have nothing to hide it's all good....

      These are not the exploits you are looking for.......
      • by Anonymous Coward

        Not in this case. There's little advantage in leaving backdoors if one is making them so obvious that other agencies could easily use them. Actual backdoors are more sophisticated.

        • Hang on a minute, your post doesn't demonize the intelligence agencies... So I must ask: why do you hate freedom of speech, the internet, and civil liberties?
      • by gweihir ( 88907 )

        Well, if the TLA scum is _this_ stupid in placing their backdoors, then the world is really in fast decline. Not saying they are not this stupid, but if they are that would be very bad.

    • by AHuxley ( 892839 )
      Welcome to PRISM.
    • Cisco needs to get a lot more serious about security. Best practices would be to make sure that next time it is much more difficult to find what the hardcoded password is.
  • Again (Score:2, Informative)

    by Anonymous Coward

    There are automated tools to find this stuff. So why?

    • A tool that automates will by definition find a repeat of a previous (similar, if smart enough) action. A new programmer, placing in the root password in a new chunk of code, can still do it in so many ways as to be undetectable.
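As an added illustration of this exchange (not code from the article or from any commenter), a minimal pattern-based credential scanner run over constructed source lines: it catches the two obvious literals but misses the same secret assembled at runtime, which is the parent's point about new ways of embedding a password.

```python
import re

# Constructed sample "source lines" (not from Cisco or the article): three ways
# a credential can end up in code. Only the first two match a naive scanner.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
admin_password = "hunter2"              # obvious: literal assigned to a password variable
conn = connect("svc", passwd="s3cret")  # obvious: literal passed as a keyword argument
parts = ["hun", "ter", "2"]
fallback = "".join(parts)               # hidden: same secret, assembled at runtime
"""

# Naive pattern: a password-like identifier assigned or passed a string literal.
HARDCODED_RE = re.compile(
    r'\b(?P<name>\w*(pass(word|wd)?|secret|token)\w*)\s*=\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str):
    """Return (line_no, identifier, value) for every line the naive pattern flags."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for m in HARDCODED_RE.finditer(code):
            hits.append((line_no, m.group("name"), m.group("value")))
    return hits


def unflagged_lines_with_fragments(source: str, secret: str):
    """Lines the scanner did NOT flag whose string literals are pieces of `secret`.

    This is the detection gap the thread argues about: the secret is present,
    but only as fragments the pattern scanner has no way to recognise.
    """
    flagged = {ln for ln, _, _ in find_hardcoded_credentials(source)}
    gaps = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line_no in flagged:
            continue
        fragments = re.findall(r'["\']([^"\']*)["\']', line.split("#", 1)[0])
        if fragments and "".join(fragments) == secret:
            gaps.append(line_no)
    return gaps


if __name__ == "__main__":
    for hit in find_hardcoded_credentials(SAMPLE_SOURCE):
        print("flagged:", hit)
    print("missed (fragments):", unflagged_lines_with_fragments(SAMPLE_SOURCE, "hunter2"))
```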

  • Irrefutable facts. (Score:4, Insightful)

    by Narcocide ( 102829 ) on Thursday May 17, 2018 @05:43PM (#56629296) Homepage

    These passwords were either left there purposefully or accidentally. If they were left there purposefully it may have been done either with or without Cisco's knowledge.

    There is no combination of available possibilities that can be justified by acceptable behavior from a network security hardware vendor of this stature. Either they are effectively completely incompetent or they're effectively completely malicious.

    • The only "default password" should be to log into an unboxed device or application, and be REQUIRED to change it before proceeding further. DONE! Solves that problem. Move on.

    • by scdeimos ( 632778 ) on Thursday May 17, 2018 @06:07PM (#56629392)

      Either they are effectively completely incompetent or they're effectively completely malicious.

      We're talking about Cisco here. What makes you think it's an either/or choice?

      • Well, you're right that in this type of situation there's no such thing as "benign incompetence" and so these are effectively the same result. People who themselves are incompetent may not realize this but may still be redeemable over a long enough time frame. By leaving this part open to interpretation, it still gives those people a seat at the table to continue the conversation.

  • by Anonymous Coward on Thursday May 17, 2018 @05:53PM (#56629342)

    The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts.

    WTF WTF WTF WTF.

    Unfair criticism? You've got to be shitting me.

    The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

    And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

    • by Anonymous Coward

      And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

      This is why E.W. Dijkstra advocated talking about "defects" instead of "bugs". They don't just crawl in, someone put them there. Security problems, same thing. Backdoors, even more obviously so, wilfully even.

      If we cared about this sort of thing, we would consistently do exactly that. If we did that, it would also make it that much harder for marketeering and other spin doctors to go give their booboos a cute spin.

      On a slightly tangential note, many manufacturers put such things in and cisco might be a big name,

    • by AHuxley ( 892839 )
      FBI? NSA? CIA? Other agency staff keep on doing their job and try to avoid such audits while undercover.
    • by Nonesuch ( 90847 )

      WTF WTF WTF WTF.

      Unfair criticism? You've got to be shitting me.

      The companies we really should be criticizing are the ones who have many undiscovered backdoors and hardcoded accounts because they've been able to avoid doing internal audits.

    • The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits

      And where did these backdoors come from? Aliens? NO, YOU PUT THEM THERE!

      Or the NSA put them there. Or Cisco has been hacked nine ways from Sunday and hackers put them there. I actually think that last one is the most reasonable explanation. Cisco is one of the most visible targets in the networking world. Getting an exploit into their software means getting it into some of the most important networks on the planet.

  • oh, "We're Agile, we don't need no stinkin' QA"

  • I imagine this was done on purpose. And from where I'm sitting, I'm thinking, it did not have malicious intent. It was probably a choice made so Cisco can bail out IT departments that lost passwords to their gear and need a way in. Just my 2 dollars. Inflation sucks, doesn't it?

    • by beckett ( 27524 )

      And from where I'm sitting, I'm thinking, it did not have malicious intent.

      what data do you have to completely rule out malicious intent?

  • Anybody who buys Cisco products now is an idiot not to be trusted.
  • by glowworm ( 880177 ) on Thursday May 17, 2018 @07:44PM (#56629822) Journal
    To: All AmericanTLA
    From: Cisco CEO

    Recently we discovered three vulnerabilities that have meant the unfortunate discovery of one of the many NSA hidden administrative accounts and two of the security bypass accounts for hidden use by the FBI and CIA.

    We here at Cisco want to assure our most important customers that we take the discovery of your backdoors very seriously. We are now sending out a patch to the enterprise muppets that includes a new backdoor on port 6969 with the username/password pair admin:nimda

    Cisco values our AmericanTLA customers greatly and wants to assure you that this unfortunate defect in our backdoor enabling program was only a minor exposure. There were still many hundreds of your usable backdoors undiscovered and at no time was your ability to access private data reduced or compromised.

    God Bless America.
    Chuck
    CEO Cisco
  • Having been a programmer and QA, I have little confidence in developers. This is a sign of:
    1) sloppy programming.
    2) no code reviews.
    3) Crappy test coverage. The application should make provision for changing passwords. *No one* tried changing the password?
    4) Bad QA, or non-existent.
    5) Finally, it springs from bad management.

  • When I was still in school, my friends and I always had a good laugh about how badly some commercial software was written and how they got away with charging people $20-$100 for their crapfest.
    Then I got a job in IT and had to work with 'enterprise' software and discovered a whole new level of fails and couldn't understand why or how they got so many companies to pay, in some cases, millions for it.

    And the worst part? It isn't getting any better!

  • This sort of thing is so incredibly negligent, that companies who do this, should be fined or something. If only the politicians knew something about cybersecurity, maybe we could get some laws that make sense about it.
  • I suspect the Cisco NSA liaison does this routinely until found out by some third party security researcher. How else are they to perform their data collection duties? ref [wikipedia.org]
