back to article Cisco in single SSH key security stuff-up

A red-faced Cisco has pushed out a patch for a bunch of virtual security appliances that had hard-coded SSH keys. Since the keys are associated with the virty appliances' remote management interface, a successful login would let an attacker waltz through the devices. The Borg has announced that its Web Security Virtual …

  1. This post has been deleted by its author

    1. asdf Silver badge

      Re: Suggestion

      or just OpenBSD properly configured. Hell even OpenWRT (on consumer side).

    2. Lee D Silver badge

      Re: Suggestion

      I don't get the fascination with Cisco routers outside of the datacentre.

      I have to say, on the shelf next to me are several Cisco routers that I have refused to install after the various faffing with firmware, closed-off configuration tools that you can't download without support contracts, lots of updates pending on them, hideous configuration methods, etc..

      My network, there are Cisco switches and wireless points throughout. They are much nicer to configure because they're aimed at doing so but they're entirely different beasts.

      The incoming leased lines etc. all have ISP-managed Cisco stuff that they claim they need on our end for failover, remote configuration, etc. They do nothing more than an Ethernet switch or fibre-convertor would, from what I can see.

      But on the boundary, between the two - at our interface between "lots of third-party junk and untrusted Internet" and "trusted internal network that we need to secure", we actually use Linux-based stuff (Smoothwall).

      I'm sure if you're an ISP they're great, but I never see anything but people struggling to configure them and keep them up to date and patch against ridiculous things. The failover protocols they use aren't complex or unique in any way.

      And no amount of fancy ISP kit disguises the fact that their supplied devices take a fibre or Ethernet at one end and push it to an Ethernet at the other end and do NOTHING to it in the meantime. Some of the configurations that you can pull from such kit (if the kit even ALLOWS you to pull configs back) are so basic as to be worthless. They have to forward all traffic, the incoming fibre/Ethernet only has a limited IP range anyway, it doesn't stop any kind of DDoS or unsolicited traffic coming in (I wouldn't want it to, they'd just break things), it doesn't do any kind of firewalling (my internal router still sees gratuitous attempts to ping, malformed packets, SYN-floods, etc.) and the only "fancy" thing is some HSRP or whatever it's called to let one router ping it's partner and failover if something is amiss. I've literally got ISP-supplied routers here with an IOS config that I could fit in a small screen on notepad. At one point I assumed it was for protecting their network from bad traffic from us, but that doesn't even seem to be true either (and, surely, a Cisco on their other end is their protection against that - I could swap out the in-and-out cables on their routers here in a trice).

      I always wonder why they bother for the majority of business lines compared to just "And this is your incoming, unfiltered Internet cable" and leaving it at that.

      Last time one of them had to configure a Cisco router, it came pre-configured from the ISP, then needed five engineer visits before it would pass a bit of traffic, then was sent back twice, then had to be manually configured in person on-site (at our insistence) by the head of the technical support, and then they would not configure it for our site needs (e.g. port-forwards, etc.) or license us for the tools to configure it via the GUI (only via telnet in IOS syntax), so they just left it at the point we'd need to put another router on the end of it anyway, That one's still on the shelf beside me, and I just plugged the unfiltered connection into our Linux-based router instead.

      I worked for some years on Freesco - a project designed to make a single-bootable-floppy Linux router that run on any PC with network cards (or modems or whatever). It was back in the dial-up, 10Base2 days, but even back then I used to use it as it was more powerful - coupled with some junk of a PC from the rubbish heap - than anything the fancy expensive Cisco routers could manage. pfSense etc. are it's logical successors nowadays but I still battle to find out quite what people expect to get from a Cisco router with only an "in" and an "out" Ethernet port that they couldn't manage with required downstream devices themselves anyway.

      1. John Sanders
        Holmes

        Re: Suggestion

        Cisco does nothing special.

        However it does a few things well, the hardware is stable, (and so is IOS for the most part), they have good documentation, and has lots and lots of features that are/may come in handy, also there is plenty of documentation online, and the method of configuration is pretty much a de-facto standard in the industry. Their switches are bread and butter and an expectation on any large environment.

        ISP's do not love Cisco, people who only know Cisco do.

        1. -v(o.o)v-

          Re: Suggestion

          One obvious benefit (coming from ISP/IXP world here) for Cisco is that it is easy to hire people who can manage it. And when the tech team grows that is very important.

      2. Anonymous Coward
        Anonymous Coward

        @Lee D - Re: Suggestion

        There is still an advantage of command line over the GUI when configuring Cisco equipments. You can calmly prepare and verify the configuration in a text file (usually starting from an existing one) then simply paste or upload it into the device. This gives you the choice of merging the settings with the existing configuration or overwriting it entirely.

        Now try doing this in GUI and come back to us and share the experience.

  2. Anonymous Coward
    Anonymous Coward

    Simply appalling!

    We are in 2015 and we still get this kind of childish mistakes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simply appalling!

      What makes you so sure it was a mistake?

      1. Anonymous Coward
        Anonymous Coward

        Re: Simply appalling!

        Yes. Perhaps "red-faced" should be changed to "red-white-and-blue-with-stars-and-stripes-faced"?

      2. Anonymous Coward
        Anonymous Coward

        @AC - Re: Simply appalling!

        The fact that they did it at the request of some three letters agency still qualifies as a mistake.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC - Simply appalling!

          "Request," AC?

  3. pompurin

    I'll be the Devils Advocate here:

    Without the associated private key of the private/public keypair an attacker would not be able to login?

    1. Anonymous Coward
      Anonymous Coward

      OK, so no random miscreant should be able to get in. That still leaves the hard-coded login credentials available to somebody who is not the owner of the appliance. A backdoor if ever there was one.

    2. Jim 43

      Agree. Now, any idea who has said private key?

      Right, time to patch.

  4. Anonymous Coward
    Anonymous Coward

    Same *old* shit

    I wonder if Cisco call it the "_NSAKEY" like they do at Redmond.

    Obviously anyone who hasn't switched to Huawei yet should make sure their antivirus software is up to date. Just to feel safe. ;)

  5. Anonymous Coward
    Anonymous Coward

    They were caught with a backdoor, and are trying to spin it as a general vulnerability

    From their description on the "advisory page":

    A vulnerability in the remote support functionality of Cisco WSAv, Cisco ESAv, and Cisco SMAv Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.

    This is not an accidental vulnerability. They pre-installed SSH keys to allow [someone unknown] to access all of these systems. That's called a back door.

    1. Anonymous Coward
      Anonymous Coward

      Re: They were caught with a backdoor, and are trying to spin it as a general vulnerability

      No kidding! Like all but two of us didn't see this coming years ago.

      --AC

  6. Trooper_ID

    TLA

    well, this is embarrassing. Not that they accidentally left a hard coded entrance door in place, no, embarrassing that anyone other than the intended user found out about it. Oops.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019