Running Cisco's VoIP manager? Four words you don't want to hear: 'Backdoor SSH root key'

Cisco has warned Unified Communications installations can be remotely hijacked by miscreants, thanks to a hardwired SSH private key. In an advisory, the networking giant said unauthenticated attackers can log into its Unified Communications Domain Manager (Unified CDM) software as a root-level user by exploiting a default SSH …

  1. badger31

    Wow.

    I thought all that secret backdoor stuff was just in the movies.

    1. Kevin McMurtrie Silver badge

      Re: Wow.

      Most appliances have a tech support backdoor of some kind. Cisco gets the special award here for leaving the key in the lock and not requiring customer confirmation to use it.

    2. Destroy All Monsters Silver badge
      Holmes

      Re: Wow.

      I thought all that secret backdoor stuff was just in the movies.

      So how has that ten-year survival training in the Amazonian been? You must have an amazing tan.

  2. Awil Onmearse

    "by exploiting a default SSH key meant for..."

    .Cisco support reps Spooks.

    Oh my aching sides.

  3. Pypes

    I'm guessing this belongs to that broad category of exploits known as "exploits that were considered features until someone else found out about them"

  4. Anonymous Coward
    Facepalm

    Hang on a minute…

    SSH keys are asymmetric… there's a public and a private key.

    The public key, as the name implies, is quite safe to leave lying around on foreign computers' authorized_keys files. It's the private key you must guard closely.

    Surely Cisco didn't do the dimwitted thing of embedding both keys?!

    1. Tom Maddox Silver badge
      FAIL

      Re: Hang on a minute…

      "Surely Cisco didn't do the dimwitted thing of embedding both keys?!"

      Signs point to yes. At a guess, the private key is embedded in the management software and can be activated to log into the various other components of the Unified Communications kit, presumably without prompting for a password just for extra fail.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Hang on a minute…

      As per the Cisco advisory:

      "The vulnerability is due to the presence of a default SSH private key, which is stored in an insecure way on the system"

      :-(

      C.

      1. Tom 13

        Re: As per the Cisco advisory:

        So this wasn't simply a case of shooting oneself in the foot. They loaded up the pump shotgun to maximum capacity, administered a local anesthetic to their legs, and repeatedly fired at their feet.

        Got it.

    3. Mad Chaz

      Re: Hang on a minute…

      Article basically says that yea, that's exactly what they did.

    4. PyLETS

      Re: Hang on a minute…

      SSH can be set up either to use a shared secret password, or to use public/private keypairs, where only the public key would have needed embedding, and clearly the latter approach is safer if slightly harder to set up. I've installed it using both approaches. If Cisco had wanted to leave a way in for themselves and/or their spook friends without it becoming so easily exploitable, and had thought a bit more carefully about this, they wouldn't have used the shared secret password approach.

      1. Destroy All Monsters Silver badge
        Devil

        Re: Hang on a minute…

        The public key, as the name implies, is quite safe to leave lying around on foreign computers' authorized_keys files.

        Frankly, how well would you feel having a public key in ~/.ssh/authorized_keys files that has the friendly comment "support access - do not remove!" next to it?
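The asymmetric-key point made above (only the public half belongs in authorized_keys) and the "support access - do not remove!" comment both come down to one defensive task: knowing what is actually in your authorized_keys files. The script below is an added example, not code from the article, any of its commenters, or Cisco. It parses the OpenSSH authorized_keys line format (optional options field, key type, base64 blob, optional comment), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and flags entries that match a fingerprint deny-list or carry a vendor/support-style comment. The sample file, the keys in it (random bytes packed in OpenSSH wire format) and the deny-list entry are all constructed for the example; in practice the deny-list would be populated from vendor advisories.

```python
"""Audit OpenSSH authorized_keys entries for keys that should not be there.

Added example (not from The Register, its commenters, or Cisco). All keys
below are constructed: they are not real keys from any product.
"""
import base64
import hashlib
import re
import struct

# Key types this auditor recognises as the start of the key field.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss"}

# Comments that suggest a shared, vendor-installed key rather than a named person.
SUSPECT_COMMENT = re.compile(r"support|vendor|backdoor|do not remove|partner", re.I)


def _wire_string(b: bytes) -> bytes:
    """OpenSSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pub32: bytes) -> str:
    """Build a constructed ssh-ed25519 public-key blob (for samples only)."""
    return base64.b64encode(_wire_string(b"ssh-ed25519") + _wire_string(pub32)).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in ssh-keygen's notation: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(b64_blob: str) -> str:
    """Read the key type string that every OpenSSH public-key blob starts with."""
    data = base64.b64decode(b64_blob)
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("ascii", "replace")


def _split_fields(line: str):
    """Split on whitespace but keep quoted options such as command="a b" intact."""
    fields, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_authorized_keys_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment lines.

    Raises ValueError when no recognised key type is present on the line.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = _split_fields(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            options = " ".join(tokens[:i])
            comment = " ".join(tokens[i + 2:])
            return options, tok, tokens[i + 1], comment
    raise ValueError("no recognised key field: " + line)


# Constructed deny-list entry; a real one would hold fingerprints from advisories.
KNOWN_BAD_FINGERPRINTS = {fingerprint(make_ed25519_blob(b"\x04" * 32))}

# Constructed sample authorized_keys file.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not from any real system",
    "ssh-ed25519 " + make_ed25519_blob(b"\x01" * 32) + " alice@laptop",
    'command="/usr/local/bin/backup",no-pty ssh-ed25519 ' + make_ed25519_blob(b"\x02" * 32) + " backup job",
    "ssh-ed25519 " + make_ed25519_blob(b"\x03" * 32) + " support access - do not remove!",
    "ssh-ed25519 " + make_ed25519_blob(b"\x04" * 32) + " carol",
])


def audit(text: str, deny=KNOWN_BAD_FINGERPRINTS):
    """Return a list of findings, one per entry that deserves a human look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        reasons, fp, comment = [], None, ""
        try:
            entry = parse_authorized_keys_line(raw)
            if entry is None:
                continue
            _options, key_type, blob, comment = entry
            fp = fingerprint(blob)
            if blob_key_type(blob) != key_type:
                reasons.append("key blob does not match declared type")
        except (ValueError, struct.error):
            reasons.append("unparseable entry or undecodable key blob")
        if fp in deny:
            reasons.append("fingerprint on deny-list")
        if SUSPECT_COMMENT.search(comment):
            reasons.append("vendor/support-style comment")
        if reasons:
            findings.append({"line": lineno, "fingerprint": fp, "comment": comment, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {f['line']}: {f['fingerprint']} ({f['comment']!r}) -> {', '.join(f['reasons'])}")
```

Running it over a real file is a matter of passing `open("/root/.ssh/authorized_keys").read()` to `audit()`; the fingerprints it prints can be compared directly against the output of `ssh-keygen -lf` on the same file, which is the quickest way to confirm the parser is reading the blobs correctly on your system.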

  5. Mikel

    There is a lot more of this going on than you think

    Many other vendors are doing the same thing. This is not to excuse Cisco. It is just to point out that these multibillion dollar corporations take the same shortcuts as the greasy neckbeard at your local mom & pop IT shop. Paying the "big vendor converged infrastructure" premium is not going to protect you from this.

  6. lansalot

    ...

    ...meant for Cisco support reps *and our trusted partners*

    ... wink wink...

  7. theloon

    and the SP also promise that running your home will be secure

    On and on it goes. This is just the tip of things to come. Smartmeter hacks en masse taking down entire communities is just such an obvious thing to target.

    Then it's on to the connected home...

    Enjoy the darkness.

    1. Daniel Palmer

      Re: and the SP also promise that running your home will be secure

      >Smartmeter hacks en masse

      What would you gain from hacking a smart meter? It doesn't have any control over the mains AFAIK.

      1. Anonymous Coward
        Anonymous Coward

        Re: and the SP also promise that running your home will be secure

        Of course it does: remote disconnection.

        "In September 2011 Ofgem introduced new licence conditions for suppliers as part of its “Smart Metering - Consumer Protections Package” which ensure that rules around pre-payment and disconnection apply to remote switching and remote disconnection"

        -- www.parliament.uk/briefing-papers/sn06179.pdf p.14

        Ofgem's original guidance open letter: https://www.ofgem.gov.uk/ofgem-publications/57395/remote-disconnection-and-ppm-guidance-open-letter-160810.pdf

        1. Destroy All Monsters Silver badge

          Re: and the SP also promise that running your home will be secure

          What good is having the finest automation of humanity if you cannot put it to some good use?

  8. jbuk1

    "been tugged away"

    We're quoting from someone who's illiterate.

    Surely they meant "tucked."

    1. Destroy All Monsters Silver badge

      Dumps of your conversation are being tugged away as we speak!

  9. Paul Hayes 1

    This really is a colossal f**k up. Expect CUCM phone system users to receive huge phone bills any time soon once the hackers and dodgy international calling-card folks get their hands on that private key.

    Cisco looking at your call records is the least of your worries :)

  10. Anonymous Coward
    Anonymous Coward

    ex-Cisco support here. Anon for obvious reasons.

    The key _was_ used for remote access (I was not specifically touching VoIP stuff, however I was somewhat familiar with the process to get access to the public key). As far as I'm aware, the press release is accurate and this was only used for support (However the key here is "as far as I'm aware").

    Saying that, I am not familiar with backdoors in other products for support, specifically IOS and its derivatives. This is, after all, why Cisco bought Webex; secure remote access.

    Additionally, if you're allowing unfiltered access to your management network, you honestly have much bigger issues on your plate than this.


Biting the hand that feeds IT © 1998–2019