
Hardcoded Password Found in Cisco Software - wglb
https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/
======
reimertz
I would love to know which cloud companies, such as Amazon AWS, Azure, Google
Cloud Platform, etc. use Cisco at any critical part of their architecture.

Because Cisco has proven over and over again that they can't be trusted. Or
has something changed these last couple of years that I do not know about
regarding how they handle security?

Edit: I forgot that Google uses their own hardware, but the article doesn't
mention if they use it for their cloud platform.
[https://www.wired.com/2015/06/google-reveals-secret-gear-con...](https://www.wired.com/2015/06/google-reveals-secret-gear-connects-online-empire)

~~~
Cyph0n
From my understanding, Cisco has been taking security very seriously ever
since the Snowden leaks.

They essentially have an entire team dedicated to designing and implementing
security measures for their devices. However, the focus seems to be on
hardware and low-level security. I don't know if they have an active
high-level software security team.

~~~
txcwpalpha
As a security consultant, it makes me sad that the criteria for "taking
security seriously" is as low as just "having an entire team dedicated to ...
security".

_Every_ company should have a team (or depending on size, at least a person)
dedicated to the security of software and infrastructure. Even the most
traditionally slow-moving companies these days have security teams. If you do
not have this, _you are behind_ and are laughably unprepared for the modern
age. I wish the public would start recognizing this and publicly shaming
companies that don't take security seriously.

~~~
brianwawok
> Every company should have a team (or depending on size, at least a person)
> dedicated to the security of software and infrastructure.

Two competitors in a space. One has 3 developers and 1 security guy, the other
has 4 developers.

In 99/100 outcomes, all else being equal, the 4 developer guy will add more
features and outpace the other team and win the market.

Security is an overhead and a drag on company resources.. until it's not.

But how many startups fail due to lack of a security team? I cannot think of
any from my RL network. I am sure some exist... but otherwise, this is the
same as most "safety" measures... unimportant until it is really important.

~~~
derefr
> But how many startups fail due to lack of a security team?

Crypto exchange startups, for a big, glaring example. They’re an exception in
a lot of ways, though.

~~~
nevir
They're also a category where security is inherently a user-visible feature of
their products (and as such, it _should_ be easier to justify security
engineers)

------
bringtheaction
> The flaw can be exploited only by local attackers, and it also grants access
> to a low-privileged user account. In spite of this, Cisco has classified the
> issue as "critical."

I find this reassuring. It is the opposite of downplaying security issues.

~~~
Rotdhizon
Cisco in the past few years has been good about handling security incidents,
although it makes you wonder why they keep adding hard-coded passwords to
their gear. Unless it's individual devs adding them in without documenting
them or telling anyone else on the team about them.

~~~
collinf
I'm sure the executives take issues like this incredibly seriously. None of
this stuff is insidious in nature, it's just what happens when people bypass
processes.

Engineer doesn't take the time for proper password management -> Password gets
left in source -> Other engineer who does code review misses password -> this
continues for several iterations -> product gets released.

Unfortunately this definitely happens more often than you would want to think.
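Added example, not code from the thread or from Cisco: a small secret-scanning check of the kind that catches the "password left in source, reviewer misses it" path described above, run over constructed sample source. The sample lines, the keyword list and the entropy threshold are assumptions made for the demo.

```python
import math
import re

# Constructed sample source for the demo (not Cisco code): a hard-coded login
# check, a literal token, a random-looking seed, plus benign lines that should
# not fire (a secret read from the environment, a low-entropy banner, a number).
SAMPLE_SOURCE = """\
def login(user, password):
    if user == "admin" and password == "s3cr3t-Passw0rd":   # hard-coded check
        return True
    return False

DEFAULT_API_TOKEN = "9fG2kQ8xLz0vT4wRb7nMpY1cHd3eJ6sA"
hmac_seed = "Qx7vL2pZ9mK4bN8rT1wG5yJ3cF6hD0sA"
db_password = os.environ["DB_PASSWORD"]
banner = "******************************"
MAX_RETRIES = 5
"""

# Identifier fragments that, when assigned or compared to a string literal,
# suggest a credential is embedded in source instead of loaded at runtime.
CRED_KEYWORDS = ("password", "passwd", "pwd", "secret", "token", "api_key")

# identifier, then "=" or "==", then a quoted string literal
ASSIGN_OR_COMPARE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*(==|=)\s*(?P<q>[\"'])(?P<val>.+?)(?P=q)"
)

def shannon_entropy(s):
    """Bits of entropy per character; random keys and tokens score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text, entropy_threshold=4.0):
    """Return (line_no, identifier, reason) for each suspicious literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_OR_COMPARE.finditer(line):
            name, val = m.group("name"), m.group("val")
            if any(k in name.lower() for k in CRED_KEYWORDS):
                findings.append((line_no, name, "credential-named literal"))
            elif len(val) >= 20 and shannon_entropy(val) >= entropy_threshold:
                findings.append((line_no, name, "high-entropy literal"))
    return findings

if __name__ == "__main__":
    for line_no, name, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} ({reason})")
```

Wired into a pre-commit hook or CI step, a check like this turns the "other engineer misses the password" step into an automated gate; the environment-variable line is left alone because nothing literal is in the source.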

~~~
paulie_a
> I'm sure the executives take issues like this incredibly seriously

Considering Cisco's history of security issues they clearly don't take it
seriously and it is unlikely that will change.

~~~
Jach
Couldn't the same have been said about Microsoft say pre-Vista?

Of course taking security seriously doesn't magically make you have competent
staff and eliminate embarrassing vulns, Windows has still had its share
post-Vista. A lot of "taking security seriously" can just turn into security
theater cheerleading and focusing too much on certain processes (especially
response over prevention[0]) without ever doing effective threat modeling.

[0] You fixed a reported admin-attacking-admin XSS bug within the SLA, good
job! You're also letting admins upload binary blobs you then parse, has anyone
run a fuzzer on this to help uncover any potential code execution bugs? Does
anyone even know what a fuzzer is? No? Carry on... Until something gets
reported.

~~~
user5994461
I don't think that's a fair comparison. The internet didn't exist when Windows
2000 and XP were done.

~~~
paulie_a
Sarcasm, drunk or high?

~~~
user5994461
None of these.

In the decade around the 2000's, we went from almost zero computers in the
developed world, to virtually every household having one and they're all
permanently connected through a high speed network.

That's a new universe of unplanned threats and attack vectors. None of this
was anticipated when operating systems were designed, a few years before
release.

------
DarronWyke
"Cisco" and "security issue" go together like peanut butter and chocolate.
Knowing this, and with the knowledge that IOS is some form of arcane torture,
leads me to wonder: why hasn't Cisco been completely obsoleted by Juniper or
other providers?

~~~
helper
Nobody gets fired for buying Cisco.

~~~
braderhart
Actually they do, but those sales people will make sure payoffs are part of
the purchase, and even if you get fired for calling out the conflict of
interests, it is usually harder for an honest employee to fight a
multi-billion dollar company that has professional propaganda departments.

------
ransom1538
When I was learning Oracle (the db) an engineer told me: "The password is
scott / tiger". I was like: "That seems easy to guess." Him: "No it's
hard-coded into Oracle - it works everywhere!"

[http://www.dba-oracle.com/t_scott_tiger.htm](http://www.dba-oracle.com/t_scott_tiger.htm)

~~~
emmelaich
It's not hard-coded into Oracle, it's just a part of the demo database. You can
change it.

~~~
ransom1538
Don't forget!!!

------
joshmarlow
Anybody got a Huawei router to try this password on? ;)

------
GordonS
They found this during internal testing. Although this is bad, it's
commendable that they released this info - many companies would have buried
it.

------
visibletrousers
From cisco-sa-20180307-cpcp: "...an unauthenticated, local attacker ... could
exploit this vulnerability by connecting to the affected system via Secure
Shell"

This is a remote root hole.

------
sh-run
This article incorrectly refers to ACS as a firewall system. ACS is used
primarily to control management access to network devices via TACACS+ or
RADIUS. It offers no firewall functionality whatsoever.

This is arguably worse than it just being a firewall. I imagine that it
wouldn't be a huge leap for someone to use this exploit to create a local
account and policies to give themselves access to every router, switch,
firewall and appliance in an enterprise.

------
athenot
Here's the original link of the disclosure:

[https://tools.cisco.com/security/center/content/CiscoSecurit...](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-cpcp)

Also, while there are no workarounds to that software version, Cisco has
released free software updates that address the vulnerability described in
this advisory.

------
gigatexal
The guys over at packetpushers network (check out their podcast) have been
railing on Cisco for their software quality for years _. This isn't surprising
to me.

_ and yet Cisco remains a big sponsor for them. The balls on those guys:
Literally laughing at the hand that feeds them.

------
bluesign
"This vulnerability affects Cisco Prime Collaboration Provisioning (PCP)
Software Release 11.6 only. No prior builds are affected by this
vulnerability."

This part smells fishy. Probably we will never learn how it was introduced for
this build.

------
fishmeat
What was the password that they found?

------
Froyoh
What was the password?

~~~
Smaug123
This is not something you can expect ever to find out, burning with curiosity
though we may all be. Since there's never a guarantee that every vulnerable
system has been patched, it's very unlikely that Cisco will reveal the
password. (It could, of course, be leaked somehow, but you will never find out
officially.)

------
mtgx
Could it be related?

[https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6...](https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/lawful/intercept/book/65LIch1.html)

