Cisco Removed Its Seventh Backdoor Account This Year, and That's a Good Thing (zdnet.com)
An anonymous reader quotes a report from ZDNet: Cisco, the world's leading provider of top networking equipment and enterprise software, has released today 15 security updates, including a fix for an issue that can be described as a backdoor account. This latest patch marks the seventh time this year when Cisco has removed a backdoor account from one of its products. Five of the seven backdoor accounts were discovered by Cisco's internal testers, with only CVE-2018-0329 and this month's CVE-2018-15439 being found by external security researchers. The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit. Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco's rivals.
Juniper suffered a massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term "backdoor account" all year for the seven "backdoor account" issues. Instead, Cisco opted for more complex wordings such as "undocumented, static user credentials for the default administrative account," or "the affected software enables a privileged user account without notifying administrators of the system." It is true that using such phrasings might make Cisco look disingenuous, but let's not forget that Cisco has been ferreting these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.
the number of backdoor accounts. (Score:2)
seven down so many more to go.
Re: (Score:2, Interesting)
Backdoors don't just magically appear on their own. Someone at Cisco had to put them there. Someone at Cisco had to be told to put them there. It is impossible that Cisco didn't know these backdoors were there.
Re: (Score:1)
Well, unlikely but not completely impossible. Of course, if they really didn't already know, that actually says something far worse about them.
Re: (Score:1)
Your racist ascii-art skills are garbage. What, did you auto generate those from a gif you saved in 1995 or something?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Insightful)
Well, unlikely but not completely impossible.
So . . . you're saying that code can just magically appear somewhere, on its own. Sorry, it just doesn't work that way. It doesn't happen accidentally, it doesn't happen magically all by itself.
*SOMEONE* (most likely more than one person) had to make a deliberate decision
*SOMEONE* had to create that backdoor and put it in there.
*SOMEONE* (most likely more than one person) has known about it from day one.
The *REAL* question is "How is it possible that Cisco doesn't know exactly who did it, when they did
Re: (Score:3)
The *REAL* question is "How is it possible that Cisco doesn't know exactly who did it, when they did it, who authorized it, etc." This is trivial even on the shittiest version control system.
*THAT* is incompetence at a truly epic level.
Not if somebody's messing with the version control, impersonating other users, etc.
Or maybe it's somebody at management level.
Re: (Score:2)
Re: (Score:2)
With one, yes. With two, maybe. With 7, definitely foul play, no other explanation.
Cisco isn't flying with the angels. (Score:4, Interesting)
Exactly. And as per Snowden's revelations [infoworld.com] years ago, Cisco was pointed to as purposefully backdooring its products at the behest of the NSA years ago, and today they are suddenly on the side of the angels because they have graciously patched out a few of them?
Meanwhile, what has the NSA already installed on those systems through those backdoors? If they are getting patched out now, it's only because Cisco's keepers don't need it any more.
Re: (Score:2)
It is impossible that Cisco didn't know these backdoors were there.
You don't know that.
Maybe the NSA is sending a continuous stream of people to apply for jobs at CISCO and put back doors into the code.
Re: (Score:1)
They send a continuous stream of court orders to a small number of people in the company. The details of how these things get done were present in the NSA leaks a couple of years ago.
Re: (Score:1)
Well, no, programmers under pressure, trying to connect with an authentication service that is either not present yet, or needs so much fucking around with to set up, that it's easy for an 'oh just get it so it responds instantly with a superuser token if they use testing123456 as a password, otherwise call the real service, and we'll just remember to change it back before we ship...' attitude to develop.
Re: the number of backdoor accounts. (Score:1)
As someone who has first hand knowledge, many of these are put there during development, by developers, on their own, and either leave them in by accident or on purpose for ease of future development and support. Debugging sucks, and having a hard-coded account at least makes it suck a little less.
Re: (Score:1)
If you let that slip out into the real world, you suck a whole lot and have no business being in the industry.
If your management/security team is allowing this, they also have no business in the industry.
Cisco makes core infrastructure for people's networks that directly impacts security. If they're putting products out into the wild with hard-coded accounts, they're not to be trusted -- they're certainly not to be praised.
Re: (Score:2)
Seven. Incredible. Other systems with really bad security have one.
Fuck Off (Score:1, Offtopic)
A good thing (Score:5, Funny)
Re: (Score:2)
I suppose it's good in the same sense that a serial killer pledging to murder fewer people this year is good news...
Re: (Score:2)
updates $100/mo per device (Score:3)
updates $100/mo per device
Re: (Score:2)
It's this, [dilbert.com] except at the org-level?
good thing? pigs arse it is (Score:2)
Re:good thing? pigs arse it is (Score:5, Interesting)
Any hardware manufacturer that allows backdoors to even end up in a shipping device clearly has something wrong with the way they do software development. And when they do find things like this, they need to backtrack via version control and see who allowed this crap to happen (in terms of the developer and all the different levels of people who were supposed to review that developer's code before it got out there) and give the people who allowed it to happen or should have caught it a good talking to so the people involved change the way they do things so it can't happen again.
Then again, given what Snowden has told us, all these backdoors in all these internet connected things may well be intentional and only closed or covered up when someone not sworn to secrecy finds one...
Re: (Score:2, Offtopic)
Now guess what the back doors were used for, hmm, corporate environment, the home of insatiably greedy psychopaths, perhaps more than just a little insider trading. The SEC rightfully should investigate with the FBI, to see who did the back dooring and how those back doors were used, insider trading by far the most profitable way to use them, especially widely distributed back doors, billions to be made. Talk about failing to disclose stuff that would have a significant impact on share value, two reasons to
Re: (Score:3)
Any hardware manufacturer that allows backdoors to even end up in a shipping device clearly has something wrong with the way they do software development.
Either that, or... enemies working inside the company.
Re: (Score:3)
Yep. It means a smashed QA process.
But no one will fall on their swords. More will be found. No necks hung from a yard arm, even though the backdoors are probably known.
Were they inserted at the request of intelligence agencies? We'll never know. However, this is my suspicion. There is a great hunger for such things among the spooks.
Re: (Score:2)
They don't like cooperating either, so you get one backdoor per agency.
Re: (Score:2)
Were they inserted at the request of intelligence agencies? We'll never know. However, this is my suspicion. There is a great hunger for such things among the spooks.
Further, the only safe assumption is that they were intentionally placed there to be used, because if you don't follow that assumption you may miss something. Everyone who has any Cisco gear anywhere in their network should be especially diligent about assuming that the communications equipment can be compromised.
Re: (Score:3)
I suspect this is not just a matter of adding admin accounts with a fixed password.
I manage a large production control system in a pharma plant. The software is from a well known vendor (in that industry) and comes with a lot of certifications. There are no hard coded user accounts, though there are privileged accounts that I know the password of because I set them up. But regardless of the fact that I know those passwords, this is an enormous pile of software comprised of services, user applications, scrip
Re: (Score:3)
I suspect this is not just a matter of adding admin accounts with a fixed password.
It won't be as simple as "cat /etc/passwd", no.
Re: (Score:2)
I suspect this is not just a matter of adding admin accounts with a fixed password.
It won't be as simple as "cat /etc/passwd", no.
You bet it won't be. It'll take /etc/passwd stopthisnonsense
%% cat >>
%% usr:galacticoverlord
%% passwd: root
%% stopthisnonsense
And we're surprised, uh, why? (Score:4, Funny)
support contracts required to get updates (Score:3)
I don't know how that's even legal when you have big security holes like this. The product is not fit for use, yet you have to pay even more $ to make it "safe" again.
Warranty of merchantability, fitness for purpose (Score:4, Interesting)
The relevant legal term is "warranty of merchantability". It's an implied warranty that manufacturers cannot (successfully) disclaim. The warranty of merchantability essentially guarantees that the item is fit to sell. It doesn't guarantee the quality is better than cheaper brands, but it does warrant that the product is fit for the marketplace - that it properly suits the needs of some purchasers.
I haven't done a deep dive on these particular Cisco accounts yet since I'm off work this week. At first blush, Cisco probably has a legal obligation to provide an update to fix this issue at no charge. Because it was never fit for sale, that needs to be fixed. If they choose to fix it with an update that also provides new features that's fine, but using the magic words "warranty of merchantability", preferably in a letter that sounds like it was written by a lawyer, should get you updates at no charge.
In addition, Cisco provides a LOT of documentation about which of its products are suited for which purposes, and how to configure them for different purposes. I've read literally thousands of pages from Cisco myself. By stating, in writing, that this particular product is suited for this particular purpose, Cisco may have also created a "warranty of fitness for a particular purpose". When they say in writing that a particular ASA is designed to function as a VPN gateway for enterprises with 1,000-5,000 employees, that may legally create a warranty that it is in fact somewhat suitable for the purpose claimed. If these security issues make it not suitable for the advertised purpose, Cisco needs to fix that at no charge.
OpenBSD *is* well suited to firewalls (Score:2)
I don't use OpenBSD anywhere else, but I agree it's particularly well suited to firewalls.
At one point I set up a machine that did nothing but store credit card numbers. It wasn't a web server or a database server or anything else, it had a single function so that it could be stripped of most software (since software has bugs). That too would have been a good place to use OpenBSD.
The one issue with that is because that's the only place I'd use OpenBSD, I'm not nearly as familiar with OpenBSD as I am with L
Re: (Score:3)
https://tools.cisco.com/securi... [cisco.com]
As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Critical and High severity Cisco Security Advisories.
Sample security advisory:
https://tools.cisco.com/securi... [cisco.com]
Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
They do a reasonable thing on support side by the look of it.
Re: (Score:1)
There was a time when I tried getting those "free" updates. Cisco support didn't know how to provide them and couldn't even read the policy on the Cisco website.
That was the day I stopped buying anything from Cisco.
Re: support contracts required to get updates (Score:1)
The fact that Cisco can con c-level executives into buying their crap at highly inflated prices does not mean the engineers that are then forced to set it up believe for one second that it possesses such value.
I beat my wife 65% less , and that's a good thing. (Score:5, Insightful)
Re: (Score:1)
It's a complete abuse of trust, and it should be grounds for revoking the corporate charter.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
How ridiculous (Score:1)
Does cisco hardware not run on open source software? If not, this would be a great time for open source pundits to start jumping up and down and waving their hands around.
Intel seems to have the same critical mental disability when it comes to *not* putting gaping, obvious security holes in the closed source of its firmware, so from here it's pretty obvious that even the biggest, most reputable hardware companies cannot be trusted with this task.
If I was a Cisco customer I'd be calling up my "account manage
Re: (Score:1)
Until 5 or so years ago, Cisco products primarily ran on VxWorks. After some acquisitions and other alignments, they began using Linux. In general, IOS runs on VxWorks while IOS XE runs on Linux. I don't know when the transition for firewalls took place. I'm fairly certain FTD runs on Linux while PIX and possibly ASA run on VxWorks. A lot of telecom equipment was deployed running VxWorks.
Re: Cisco good, Juniper bad (Score:1)
Ya, and ScreenOS isn't even a Juniper OS, it's a legacy OS they acquired when they bought NetScreen years ago. That entire product line was end of life long ago, SRX is Juniper's current firewall and runs JunOS.
But when the ScreenOS vulnerability was found, Juniper dusted off the code, fixed it, and issued an update despite it having been end of support for quite some time.
Re: Cisco bad, Ubiquiti good (Score:1)
How many other governments had the (Score:2)
Why? (Score:4, Insightful)
Would someone care to explain how these backdoors got in the code in the first place?
Re: (Score:1)
I am sure it was done from the highest levels and passed QA just fine. You behave surprised when found out.
Re:Why? (Score:4, Interesting)
Most seem to be simple support backdoors. Customers losing passwords and guys arriving on-site without the right info is a big problem for support, so they like backdoors.
For support security is the enemy, it's something that makes their job harder. The customers don't really care about it, they just want stuff to work.
Re: (Score:3)
It seems that programmers put hardcoded accounts for testing purposes and did not remove them from production code.
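Two comments in this thread describe the same mechanism: a developer wires a fixed "testing" password straight into the production authentication path as a shortcut and forgets to take it out. The example below is added here to illustrate that pattern and one way to engineer against it; it is not Cisco's code and not anything from the ZDNet report. The user records, the fake authentication service, the build-type switch, and the sample source snippets are all constructed for the example. It shows the shortcut as the comments describe it, a hardened shape where the test double is a separate object selected at build time so the release path never carries a secret branch, and a small AST-based release gate that flags any comparison of a password-like variable against a string literal.

```python
"""Added example: the 'temporary dev bypass' pattern described in the thread,
shown beside a safer way to stub an authentication service.

Illustrative code written for this page, not Cisco's code and not from the
ZDNet report. All users, passwords and the auth service are constructed."""
import ast
import hmac
from typing import Callable, List, Optional

# Constructed sample backend: maps user -> (password, role).
_SAMPLE_USERS = {"alice": ("correct horse battery staple", "operator")}

AuthFn = Callable[[str, str], Optional[str]]


def real_auth_service(user: str, password: str) -> Optional[str]:
    """Stand-in for the production authentication service (constructed)."""
    rec = _SAMPLE_USERS.get(user)
    if rec is not None and hmac.compare_digest(rec[0], password):
        return rec[1]
    return None


# --- The pattern the comments describe: deliberately vulnerable ---
DEV_BYPASS_PASSWORD = "testing123456"  # "we'll change it back before we ship"


def authenticate_vulnerable(user: str, password: str) -> Optional[str]:
    """Dev shortcut wired directly into the production code path.

    Any user presenting the fixed password gets a superuser role; the real
    service is only consulted otherwise. If this ships, it is a backdoor."""
    if password == DEV_BYPASS_PASSWORD:
        return "superuser"
    return real_auth_service(user, password)


# --- Hardened shape: the stub is a separate object, chosen by build type ---
def _fake_auth_service(user: str, password: str) -> Optional[str]:
    """Test double for local development. It knows one constructed fixture
    account with an ordinary role and has no superuser branch at all."""
    if user == "testuser" and hmac.compare_digest(password, "testpass"):
        return "operator"
    return None


def build_authenticator(build_type: str, service: AuthFn = real_auth_service) -> AuthFn:
    """Select the authenticator at build/deploy time (hypothetical switch).

    A release build returns the real service unchanged: there is no secret
    branch in the production path to forget about. Unknown build types fail
    closed rather than silently picking the dev stub."""
    if build_type == "release":
        return service
    if build_type == "dev":
        return _fake_auth_service
    raise ValueError(f"unknown build type: {build_type!r}")


# --- Release gate: refuse to ship code that compares a password to a literal ---
_PASSWORD_NAMES = {"password", "passwd", "pwd", "secret"}


def find_literal_password_checks(source: str) -> List[int]:
    """Return line numbers where a password-like variable is compared against
    a string literal (e.g. `if password == "testing123456":`). A simple AST
    check meant as a CI gate, not a complete credential scanner."""
    hits: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        sides = [node.left, *node.comparators]
        names = {s.id for s in sides if isinstance(s, ast.Name)}
        has_str_literal = any(
            isinstance(s, ast.Constant) and isinstance(s.value, str) for s in sides
        )
        if names & _PASSWORD_NAMES and has_str_literal:
            hits.append(node.lineno)
    return sorted(hits)


# Constructed snippets the gate can be run against.
SAMPLE_VULNERABLE_SOURCE = '''def login(user, password):
    if password == "testing123456":
        return "superuser"
    return real_auth_service(user, password)
'''

SAMPLE_CLEAN_SOURCE = '''def login(user, password):
    return real_auth_service(user, password)
'''

if __name__ == "__main__":
    print(authenticate_vulnerable("nobody", DEV_BYPASS_PASSWORD))   # superuser
    release = build_authenticator("release")
    print(release("nobody", DEV_BYPASS_PASSWORD))                   # None
    print(find_literal_password_checks(SAMPLE_VULNERABLE_SOURCE))   # [2]
```

The gate is intentionally narrow: it catches the exact shape the comments describe (a password variable compared with a literal) and nothing more, so it can run on every commit without noise. The structural fix matters more than the scanner: once the test double is a separate object chosen by build type, there is no "remember to change it back" step for a release to depend on.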
I'm surprised... (Score:2, Informative)
... that there were only seven found and fixed this year.
A search of the US-CERT vulnerability database turns up more than 300 hard-coded credential CVEs against Cisco since records were kept.
Cisco E2500 debacle (Score:2)
How many new backdoors did they create though? (Score:2)
Seven Accounts? (Score:3)
That's not rhetorical- I'd really like to know.
Re: (Score:2)
They have thousands of products, running many different systems/codes. This is not seven backdoors in one product or one OS.
Cisco also acquires a lot of companies - some of the past backdoors were discovered after internal Cisco checks revealed them post acquisition.
Re: (Score:2)
How many more are in there?
I think that's all of them [wikipedia.org].
good thing? (Score:2)
fine, they are closing backdoors, which they put there themselves and apparently have a hard time finding.
i just hope they are also educating their devs to never put in backdoors again, otherwise this will be a never ending story.
Fuck Cisco (Score:2)
Fuck Cisco
Fuck IBM
Fuck Oracle
If you EVER do business with these clowns, you will regret it.
There is nothing good about Cisco (Score:2)
That is the only reasonable conclusion from this extreme level of insecurity. They probably have some of these seven that are actual screw-ups (very, very bad) and certainly some that were placed intentionally (even worse). The only valid conclusion is to not buy from them, as they are even too stupid to hide intentional backdoors well...