
Cisco Nexus 9000 Switches Allow SSH As Root - sky_nox
https://nvd.nist.gov/vuln/detail/CVE-2019-1804
======
sky_nox
If you have the Cisco 9000 Series, patch them now! This SSH backdoor allows an
unauthenticated, remote attacker to login as root.

~~~
keanebean86
This is exactly why I only buy belkin routers. I can't even connect to it.

~~~
phs318u
Ha! Thanks for making me laugh out loud.

------
m-p-3
If a company as big as Cisco can screw this kind of thing up so badly, the future
of IoT looks bleak.

~~~
kornish
You know what they say: the S in IoT stands for security.

~~~
zingmars
Can't wait for marketing people to catch up to this and call devices "SIoT"
without changing anything about the product.

~~~
SmellyGeekBoy
Perhaps "Security Hardened Internet Things" would be more appropriate?

~~~
wolfgke
Relevant:
[https://twitter.com/internetofshit](https://twitter.com/internetofshit)

------
crispyambulance
> Cisco Nexus 9000 Switches Allow SSH As Root

Cisco Nexus 9000 Switches [have a vulnerability that Allows an attacker to]
SSH As Root [over IPV6 using a default key-pair]

------
pmc
An increased use of SSH keys for credential guessing is also found in our SSH
honeypot: [https://pmcao.github.io/caudit/](https://pmcao.github.io/caudit/)

~~~
e12e
Heh - people are harvesting compromised secret keys then? Because "guessing"
secret keys shouldn't be viable?

------
fulafel
What product segment is this, and what kind of organizations are likely to have them?

Also, link to Cisco's own advisory:
[https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-nexus9k-sshkey](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-nexus9k-sshkey)

~~~
wmf
It's a switch used in enterprise data centers. It's pretty critical because
servers plug directly into it.

------
tptacek
This is a pretty egregiously editorialized title; what we know is that there's
apparently an SSH keypair authorized on these devices, for which the private
key is available on the device. That's a terrible, ugly vulnerability, but
it's as likely due to stupidity as to malice.

The right title is something like: CVE-2019-1804: Cisco Nexus 9000 Switches
Allow SSH As Root.

~~~
RL_Quine
You’re joking right?

It’s “allow ssh as root with a publicly available ssh key”. Your version is
making it sound mundane.

~~~
fungi
If it was a genuine "backdoor", why would you want to use a publicly available
key?

~~~
MaulingMonkey
Being the only keyholder reduces plausible deniability, so maybe.

~~~
RL_Quine
The private key is on the shipped devices, from my reading.

~~~
MaulingMonkey
Agreed.

I'm hypothesizing that you might do this, even with keys intended to be used
as a back door: by shipping it on devices, you vastly increase the number of
potential suspects for any backdoor abuse.

Continuing this train of thought: a hardcoded password is a classic example of
a backdoor, and just as "public" as including a private key.

------
mkj
Is there an explanation of why it's IPv6 only?

~~~
wmf
ACI control traffic is probably IPv6-only. They may be taking advantage of
link-local addressing.

------
userbinator
I don't own nor have I read the manual of one of these, and there's not much
in the way of details on that page, but isn't this more like "use the factory-
supplied default key to get in for the first time, then change it to your
own"?

~~~
wmf
People are calling it a backdoor because presumably it was _not_ documented
anywhere.

------
thickice
Can someone help me understand this better. Did Cisco leave a user public key
in the switch and the private key has leaked? To exploit this vulnerability,
does the attacker have to get hold of that private key?

~~~
rando444
The keypair is essentially some default known value.

You shouldn't be able to use this to connect at all, but apparently it works over
IPv6.

So you'd have to have the private key, as well as knowing the IPv6 address of
the device you're connecting to, and that device would have to have a route to
the internet or a location you could connect to it from.

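The thread above describes the mechanics (a key pair with a known, shared value that is authorized on the device). From a defender's side, the concrete check that follows from it is auditing every `authorized_keys`-style file you can reach for keys whose fingerprint matches a denylist. The following is an added example, not code from the original post or from Cisco; the key blobs and the denylist entry in it are constructed on the spot for the demonstration and are not the key from CVE-2019-1804. The parsing follows the OpenSSH `authorized_keys` format (optional options field, key type, base64 blob, comment), and the fingerprint is the OpenSSH `SHA256:` form.

```python
import base64
import binascii
import hashlib
import shlex
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key blobs (assumption: not real keys from any vendor image).
# An ed25519 public-key blob is the wire string "ssh-ed25519" followed by a 32-byte point.
KNOWN_BAD_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
LEGIT_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def first_wire_string(blob: bytes) -> Optional[bytes]:
    """Return the first SSH wire string in a key blob (its key type), or None if malformed."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if 4 + n > len(blob):
        return None
    return blob[4:4 + n]


def parse_authorized_keys_line(line: str) -> Optional[dict]:
    """Parse one authorized_keys line into {options, type, blob, comment}.

    Blank lines and '#' comments return None. A leading options field such as
    from="10.0.0.0/8",no-pty is tolerated: tokens are scanned until one is
    followed by a base64 blob whose embedded key type equals that token.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)  # respects the quotes inside the options field
    except ValueError:
        return None
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        if first_wire_string(blob) == tokens[i].encode():
            return {
                "options": " ".join(tokens[:i]),
                "type": tokens[i],
                "blob": blob,
                "comment": " ".join(tokens[i + 2:]),
            }
    return None


def audit_authorized_keys(text: str, denylist: set) -> list:
    """Return every parsed key whose SHA256 fingerprint is in the denylist, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_authorized_keys_line(line)
        if entry is None:
            continue
        entry["fingerprint"] = fingerprint_sha256(entry["blob"])
        entry["line"] = lineno
        if entry["fingerprint"] in denylist:
            findings.append(entry)
    return findings


# Constructed sample file: one legitimate admin key, one denylisted key with an options
# field, and one junk line that must not be mistaken for a key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + base64.b64encode(LEGIT_BLOB).decode() + " admin@mgmt",
    'from="10.0.0.0/8",no-pty ssh-ed25519 ' + base64.b64encode(KNOWN_BAD_BLOB).decode()
    + " vendor-default",
    "garbage line that is not a key",
])

# The denylist would normally be loaded from a maintained list of fingerprints;
# here it holds only the constructed bad key.
DENYLIST = {fingerprint_sha256(KNOWN_BAD_BLOB)}

if __name__ == "__main__":
    for hit in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, DENYLIST):
        print(f"line {hit['line']}: {hit['type']} {hit['fingerprint']} ({hit['comment']})")
```

Run against real files, the same function can be pointed at each account's `authorized_keys` (and, on a device that exposes its filesystem, any key store the vendor uses); a fingerprint match is a finding regardless of which address family the daemon happens to listen on.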
~~~
thickice
Any idea why it works for v6 but not v4? SSH authentication itself is
agnostic to the IP version, no?

------
mckenna
This is a nasty one! Sloppy in hindsight.

There is one bright side to otherwise disgraceful incidents: All the customers
running older versions are now forced to upgrade to the latest versions. The
burden of supporting really old versions suddenly vanishes.

Box vendors should really stop selling unmanaged boxes/solutions. In reality,
customers end up buying service contracts anyway along with boxes. Instead,
sell usage/service/connectivity and manage the hardware. A critical patch like
this one could then be applied before a PSIRT is released. Frequent
upgrades(security patches or feature/bug fix patches) are now commonplace. The
user experience would be so much better if the solution were managed by the
vendor (cloud managed).

~~~
legooolas
Most places (especially where they have enough money to be buying Cisco Nexus
9k kit) will want some sort of change management, not the vendor to be making
arbitrary changes to their critical infrastructure.

Also, given the number and severity of these sort of vulnerabilities in recent
times, do you want to give the same companies remote access to your
infrastructure as well? :)

------
kuon
I worked with Cisco a lot in the past. I am so happy we have more and more
open source alternatives to replace all those network solution vendors.

------
madez
I surely can't be the only one who sees replacements that are open all the way down to the hardware
as the only solution to this type of problem.

~~~
bmalehorn
As a former Cisco employee, I can tell you why companies never want to open
source their security-sensitive products:

Pros of open sourcing a product:

- fewer total number of vulnerabilities

Cons of open sourcing a product:

- more publicly-known vulnerabilities

- less effort required to find new vulnerabilities

The product might be more _objectively_ secure, with more bug reports and more
fixes.

But it will be less _practically_ secure. There will be more known
vulnerabilities, and many customers can't upgrade, leaving more total
vulnerable customers. And worse, now anyone on the internet can try and find
new vulnerabilities for $0, while before they'd need to buy a $1,000+ piece of
hardware to even get a shot at the compiled code.

The real defense against this problem is security auditing. Security engineers
try to hack the device while asking a bunch of questions about SSH connections
and private keys. This is the technique most companies employ, often combined
with bug bounties.

~~~
neilv
Auditor: "Question 1. Did you manage to add backdoor keys to your production
build?"

Auditor: "Big surprise. We once again recommend that you use a build system.
Question 2. ..."

------
jeffrallen
Dude, Cisco, you had one job.

~~~
bildung
And they completed it successfully. They literally had a new backdoor _every
month_ for years now. No company is _that_ incompetent unless ordered to be
so.

------
samat
Are these devices normally left with port 22 accessible in the wild?

~~~
voidmain0001
A Nexus 9K is an expensive piece of kit, and is not a trivial switch to deploy,
what with vPC and other configurations being commonplace, so just powering it
on will not deliver a workable product. I suspect most if not all deployments
follow best practice and have a management VLAN with access lists
limiting the source address of the connecting client, and blocking access to
port 22 from other networks.

*Edit* Plus, the backdoor is only relevant if the switch is
using ACI, and not standalone NX-OS mode. ACI training is a 5 day course for
advanced engineers. [https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-services/courses/configuring-cisco-nexus-9000-series-switches-in-aci-mode-dcac9k.html](https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-services/courses/configuring-cisco-nexus-9000-series-switches-in-aci-mode-dcac9k.html)

------
alfiedotwtf
Western governments: Huawei needs to be banned from our collective
infrastructure because backdoors

Also western governments: Cisco will remedy their errors

~~~
King-Aaron
HackerNews: Huueerrggg Huawei can't even write secure code

Cisco: Hold my beer

~~~
ShorsHammer
The Huawei stuff is pretty bad, but the comments read like they've been copy-
pasted each time here. It's the exact same talking points.

~~~
bildung
Because the anti-Huawei talk is obviously not in people's interest. Just look
how zero politicians worldwide lament that Cisco should be banned from
anything related to internet infrastructure despite showing _again and again_
that they are unwilling to stop implementing backdoors. Cisco makes it obvious
that backdoors are A OK as long as it's our backdoors. No one acting against
Huawei actually cares about people's security.

~~~
alfiedotwtf
Is it xenophobia masquerading as national security, or national security
masquerading as xenophobia?

Neither... it's nothing but hegemony with the pretext of both.

------
GalacticDomin8r
Huawei you all feel about that now?

This is a true backdoor, not some silly telnet left on.
