Cisco Can't Stop Using Hard-Coded Passwords (schneier.com)
There's a new Cisco vulnerability in its Emergency Responder product: "This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user." Bruce Schneier adds: "This is not the first time Cisco products have had hard-coded passwords made public. You'd think it would learn."
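The advisory describes a root account with a static password left over from development. A practitioner auditing a shipped image wants a check for exactly that: which accounts in the filesystem can actually log in, and whether the same hash turns up across images (which is what "static credentials" means in practice). The script below is an added example, not Cisco's code and not from the advisory; the /etc/passwd and /etc/shadow contents are constructed inline, and the hash strings are placeholders, not real hashes from any product.

```python
"""Audit shipped filesystem images for static login credentials.

Added example (not from the advisory or the product).  Parses
/etc/passwd and /etc/shadow text, flags every account that could log
in, and reports hashes shared between images.  Sample data below is
constructed; the hash values are placeholders, not real hashes.
"""

# Constructed sample: what a development image might ship with.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/sh
dev:x:1001:1001:dev:/home/dev:/bin/bash
svc:x:1002:1002:svc:/var/svc:/usr/sbin/nologin
"""
ROOT_HASH = "$6$saltsalt$PLACEHOLDERHASHVALUE0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE_SHADOW = f"""\
root:{ROOT_HASH}:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
admin:!:19600:0:99999:7:::
dev::19600:0:99999:7:::
svc:$6$other$ANOTHERPLACEHOLDERHASH:19600:0:99999:7:::
"""
# A second constructed image that ships the same root hash.
SAMPLE_SHADOW_B = f"""\
root:{ROOT_HASH}:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
"""


def parse_colon_file(text):
    """Map the first field (user name) to the list of fields on that line."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def usable_hash(h):
    """True when the shadow password field permits a login attempt.
    '*' and anything starting with '!' are locked; '' means no password."""
    return not h.startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Return one finding per account whose shadow entry permits login.
    A nologin shell is reported, not used to suppress the finding, since
    the account may still be reachable via su, sshd forced commands, etc."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in shadow.items():
        h = fields[1] if len(fields) > 1 else ""
        if not usable_hash(h):
            continue
        reason = "empty password field" if h == "" else "static password hash"
        uid = passwd[user][2] if user in passwd else "?"
        shell = passwd[user][6] if user in passwd else "?"
        findings.append({"user": user, "uid": uid, "shell": shell, "reason": reason})
    return findings


def shared_hashes(images):
    """images: {image_name: shadow_text}.  Return {hash: [(image, user), ...]}
    for every usable, non-empty hash that appears in more than one image,
    i.e. a credential that is the same on every unit."""
    seen = {}
    for name, text in images.items():
        for user, fields in parse_colon_file(text).items():
            h = fields[1] if len(fields) > 1 else ""
            if h == "" or not usable_hash(h):
                continue
            seen.setdefault(h, []).append((name, user))
    return {h: hits for h, hits in seen.items()
            if len({img for img, _ in hits}) > 1}


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f['user']:8} uid={f['uid']:5} shell={f['shell']:18} {f['reason']}")
    for h, hits in shared_hashes({"image-a": SAMPLE_SHADOW,
                                  "image-b": SAMPLE_SHADOW_B}).items():
        print("shared hash", h[:20] + "...", "in", hits)
```

Run it against files pulled from an unpacked image (or a running appliance's /etc) in place of the constructed strings; anything with uid 0 and a usable hash that you did not set yourself is the finding the advisory is about.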
You think they would learn... (Score:5, Insightful)
The thing about Cisco is, they keep buying companies and products, they don't really know what they are inheriting. Cisco Emergency Responder is a product that came from somewhere else, developed by people who weren't a part of the Cisco work until recently, and really is a completely different product train than everything else they do.
Yet, it should have been caught by a good security review before Cisco slapped their name on it. Clearly that process is broken.
Re: (Score:3)
"Yet, it should have been caught by a good security review before Cisco slapped their name on it. Clearly that process is broken."
Always will be as long as marketing, accounting, etc. departments and types are the ones that control when stuff is released.
Re: (Score:3)
This has been the Cisco model since around 2000: buy stuff, and the first priority seems to be to change the branding and get a new release out the door, and if at all possible re-write the config file parsing and change the parameter names so it's vaguely "ios-like".
What I never understood and still don't is why they are so quick to do this. They could be earning the sales revenue still immediately while running with the old product name for a little bit, to make sure it really integrates with the rest of the stack well a
Re: (Score:2)
"The thing about Cisco is, they keep buying companies and products, they don't really know what they are inheriting"
True dat. Over 200 acquisitions & likely over $200 billion spent if adjusting for inflation. No way they have a full handle on all the vulnerabilities & silly decisions.
https://en.wikipedia.org/wiki/... [wikipedia.org]
valid license $$ needed to be able to install fix (Score:4, Insightful)
valid license $$ needed to be able to install fix
Re: (Score:2)
This is notable. Cisco and updating is a weird combo. Believing that free updates will be forthcoming for vulnerabilities probably makes people yawn at this kind of thing, but that's not the case. Assuming you can find the correct update in the tree of various options.
Re:You think they would learn... (Score:4, Informative)
Only one very specific version is vulnerable. My guess is that they have the root password hardcoded during dev and they missed the step about changing it when it shipped. 12.5.1su4 is the version. Older and newer versions are fine. https://sec.cloudapps.cisco.co... [cisco.com]
It's still an attack vector though, and yes, they missed it.
Re: (Score:2)
Re: (Score:1)
The thing about Cisco is, they keep buying companies and products, they don't really know what they are inheriting. Cisco Emergency Responder is a product that came from somewhere else, developed by people who weren't a part of the Cisco work until recently, and really is a completely different product train than everything else they do.
Yet, it should have been caught by a good security review before Cisco slapped their name on it. Clearly that process is broken.
Cisco Emergency Responder, including version 1.1, which was retired by Cisco in 2007, is only "recently" a part of Cisco? Can you clue me in on that (honest question, not sarcasm)?
Re: (Score:2)
The newer versions are essentially a 'new' product they bought from an Introdo spin-off. Old CER is not the same as 'new' CER.
Re: (Score:3)
Don't let Cisco off the hook so easily. Wasn't it Cisco-designed switches / routers that continued to use SSH version 1 long after that protocol was shown to be completely broken?
Re: (Score:2)
True, a lot of companies are like that. Security is difficult - it takes time, money, and expertise, whereas most companies want to be faster and with fewer expenses. The password approach also is outdated; most modern security doesn't have anything like a master password, instead you've got a certificate-based system. I.e., here's your cert, good for only 24 hours and 6 sessions. Although the newer security style requires more customer training and support, more back office server integrations, etc., which i
Blahblahbla (Score:2, Flamebait)
Meh... (Score:2, Funny)
User: root
Password: password123
& I leave all the permissions in dev default settings. Ain't nobody gonna crack my security!
Do you think Cisco will offer me a job?
Re: (Score:2)
Damn, you already changed your password from "changeme".
You're overqualified.
Re: (Score:2)
I don't bother with passwords on the luggage. Instead I label it with "Beware: Live virus samples, may cause explosive diarrhea!"
Re: (Score:2)
The Cisco security cycle (Score:3)
The usual sequence of events for Cisco hardcoded credentials is:
There are several of these running concurrently, so Cisco can release a new fixed-password vulnerability every few months. Back when the dot-com acquisition rate was higher, they did it more often.
What, seriously? (Score:2)
Were I Cisco's competitors, I'd immediately start printing ads saying "Buy from us. We don't do that."
Buy crappy devices, get crappy security (Score:3)
At this time anybody should really stay away from Cisco.
It seems no one bothers to read these days... (Score:1)
But they are SOC-2 compliant, etc. (Score:2)
Not a problem, Cisco is SOC-2 and ISO27001 certified so they don't have security issues. (at least if you listen to the people selling certification tools)
Makes one really wonder about their (Score:1)
Buying Cisco equipment is starting to look a lot like an extortion racket.
Do you own Cisco equipment or does Cisco own you.
Just one layer? (Score:2)
How much harder would it be to keep the hard-coded password but replace it with one that's cryptographically generated based on a hash of the device serial or MAC address. At least then you'd have to know something about the hardware to remotely exploit it.
Re: (Score:2)
Logistically it's a solved problem. When you are flashing serial numbers, MAC, whatever into a device at the factory you also generate a default password. Put it on a sticker with a QR code on the device. When an IT department brings new equipment into the inventory they scan the device and now they have the MAC and default password and can easily begin automated deployment.
Cisco has so many different products that are at wildly varying levels of quality and logistic sophistication that their brand name basically
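The two comments above describe two different per-device schemes: a password derived from the serial or MAC alone, and one generated at the factory and printed on a sticker. The difference matters, so here is an added example (not Cisco's code and not either commenter's design) that implements both and shows what an attacker who knows the public identifiers can do against each. The factory key, serial and MAC are constructed placeholders; the "sticker" is just the string a QR code would carry.

```python
"""Per-device default credentials: unkeyed hash vs factory HMAC.

Added example, not Cisco's code.  unkeyed_default() derives the password
from the serial and MAC only; anyone who reads the box or sniffs the LAN
can recompute it, so it is a hard-coded password with extra steps.
factory_default() keys the derivation with a secret that stays at the
factory, which is what would be printed on the chassis sticker.
FACTORY_KEY, the serial and the MAC are constructed placeholders.
"""
import base64
import hashlib
import hmac

# Assumption: generated and stored only in the factory provisioning system.
FACTORY_KEY = b"constructed-factory-secret-do-not-ship"


def _encode(raw: bytes) -> str:
    """80 bits of digest as 16 base32 characters: typeable, no padding."""
    return base64.b32encode(raw[:10]).decode().rstrip("=")


def unkeyed_default(serial: str, mac: str) -> str:
    """Password from public identifiers only.  Once the algorithm is
    known (it will be), every unit's password is public."""
    digest = hashlib.sha256(f"{serial}|{mac.lower()}".encode()).digest()
    return _encode(digest)


def factory_default(serial: str, key: bytes = FACTORY_KEY) -> str:
    """Password unique per unit and not recomputable without the key."""
    return _encode(hmac.new(key, serial.encode(), hashlib.sha256).digest())


def sticker_payload(serial: str, mac: str) -> str:
    """What the QR code on the chassis would encode for the inventory scanner."""
    return f"SN={serial};MAC={mac.lower()};PW={factory_default(serial)}"


def attacker_attempt(serial: str, mac: str, target_pw: str, key_guesses):
    """Attacker knows serial, MAC and both derivation algorithms, but not
    the factory key.  Returns how the password was recovered, or None."""
    if hmac.compare_digest(unkeyed_default(serial, mac), target_pw):
        return "unkeyed: recovered from public identifiers alone"
    for k in key_guesses:  # offline guessing of the factory secret
        if hmac.compare_digest(factory_default(serial, k), target_pw):
            return "keyed: factory secret guessed"
    return None


if __name__ == "__main__":
    serial, mac = "SN0000CONSTRUCTED", "00:11:22:33:44:55"
    print("sticker:", sticker_payload(serial, mac))
    weak = unkeyed_default(serial, mac)
    print("unkeyed scheme:", attacker_attempt(serial, mac, weak, []))
    strong = factory_default(serial)
    print("keyed scheme, wordlist:", attacker_attempt(serial, mac, strong,
                                                      [b"password", b"cisco"]))
```

The keyed scheme is only as good as the handling of FACTORY_KEY: if it is a single key baked into a provisioning tool that ships to integrators, it leaks, and every unit's sticker password is derivable again. Per-batch keys, or a true random password stored against the serial in the factory database, avoid that single point of failure.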
and the consequences to Cisco are... ??? (Score:3)
In just about any other industry, shipping a product with an obvious flaw would result in product liability lawsuits. And that would cost the vendor money for lawyers, trials and judgements/out of court settlements.
But for Cisco and others in this industry, it's ... crickets ...... If there's no impact on Cisco, why should they change things?
Once again I call for software product liability as a matter of law.
They all do it...Windows has it too (Score:3)
Windows 7, 8, 10, and 11 have a "hidden" Administrator account, with no password. It can be enabled without knowing any login credentials, by using a UEFI boot disk. https://www.howtogeek.com/962/... [howtogeek.com]
Windows Hello makes it less useful, because it's no longer possible to monkey with a Microsoft account from this hidden admin account. But it's still very possible to grab files from the hard drive, without knowing any password at all.