
Hardcoded Password Found in Cisco Enterprise Software Again - willvarfar
https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-enterprise-software-again/
======
Animats
_"Let's not criticize Cisco"_

No, let's criticize Cisco. Those backdoors didn't get there by themselves.
They had help. Do they have source control adequate to tell them where those
came from? Who put them in? Was the FBI informed? Were people arrested? Who
was fired? If not, why not?

------
kuon
I started learning networking with Cisco IOS nearly 25 years ago, but I hate
Cisco on many levels (licensing, hardware price, support experience). They
pushed the technology forward, there is no denying that, but they need to
be disturbed a lot more than what is happening now.

I have been using PCEngines for small routers running OpenBSD. But I am still
waiting for larger hardware (ethernet switches, telco routers...) to be able to
run open source software. I know Facebook/Google started building their own
"open" hardware, but it is not generally available.

~~~
ausjke
RouterOS on Mikrotik, pfSense on x86, VyOS (Debian) on x86 are all good
options. It's just hard to find off-the-shelf parts to build your 1U/2U
routers/switches running open source, though. The software is there, but no such
hardware; the best you get is some random formats (e.g. mini-ITX) and you
cannot really put them on the rack.

~~~
closeparen
Are they really? My understanding is that the ASICs in real routers and
switches deliver performance way beyond what’s possible in a reasonable
general-purpose computer.

~~~
dboreham
Mikrotik supports those ASICs, when you run RouterOS on their native hardware.

~~~
opello
And if Linux or *BSD had a framework to represent the switch configuration I
think more switch IC device drivers would be forthcoming. Last time I worked
with a Marvell switch in Linux the configuration ended up being manual MDIO
accesses. Not difficult, but not a nice interface either.

------
adrianN
Why do people still buy Cisco products? Leaving hardcoded passwords in their
software shows such massive incompetence that I don't understand how they can
still sell anything.

~~~
exelius
The entire telecom industry has been asking this question for the last 20
years. They have finally broken Cisco’s hold over the last 5 years by just
building their own hardware a la Facebook and Google. Turns out it’s cheaper
that way anyway, and they were already having to hold Cisco’s hand through
meeting spec lists, so it’s not much extra work for them to own the IP.

~~~
ra1n85
It’s only cheaper if you’re operating at large scale. For the vast majority of
organizations, Cisco/Juniper/Palo Alto/Arista are the only cost effective
options.

~~~
exelius
Right, but at the low end, there are better options than Cisco (all 3 you
mentioned really). At the high end (carrier grade), there weren’t necessarily.

They’re not going it alone; ONOS [1] is basically the open source carrier-grade
networking platform. Think of it as Kubernetes for SDN packet routing
that they’re building custom network integration solutions (think routers,
bulk fiber termination, RF, satellite, laser, WiFi mesh) on top of. Then get
Chinese manufacturers to build the hardware (which doesn’t have anything
proprietary in it — all white box with Intel or ARM CPUs).

Incredibly powerful and flexible, and they have all the heavy hitters involved
(Google, Intel, Samsung, AT&T, Comcast, etc.). It will be a game-changer for
telecom in another 5 or 6 years once the management tools mature and
commercial solutions based on it are developed.

[1] [https://www.onosproject.org/](https://www.onosproject.org/)

~~~
user5994461
Cisco never sold low end hardware.

Tell us what the great alternatives are in the middle end.

~~~
ra1n85
Didn't they buy Linksys? Don't they make their own line of home routers and
modems/set top boxes?

------
sschueller
At least this time they themselves found the security vulnerabilities and not
someone else.

I hope these internal audits are now a normal part of their business.

~~~
willvarfar
Are there any recent ones found by others?

From the article:

> Let's not criticize Cisco

> The company discovered these flaws as part of its massive series of internal
> audits it started back in December 2015.

> At the time, security researchers found a backdoor account in Juniper
> software that could decrypt VPN traffic, and Cisco decided to hunt and root
> out any similar backdoors before attackers found them first.

> The company discovered many backdoors and hardcoded accounts in the past two
> years as part of internal audits and has received some pretty unfair
> criticism for its efforts.

> The most recent backdoors Cisco discovered were in March, when the company's
> engineers discovered two — one in Cisco's Prime Collaboration Provisioning
> (PCP) platform, and one in the IOS XE operating system.

~~~
userbinator
The question is who put them there... and more interestingly, do the updates
replace the backdoors with different, more hidden ones?

To put it bluntly, even backdoor accounts need their credentials changed once
in a while.

~~~
ptero
Most backdoors in commercial software are due to stupidity, not ill intent:
software engineers putting a debug access point "I will remove it later before
it goes into production" or business side having weird ideas "it would be so
much simpler if we could log in and fix/reconfigure it for consumers".

Finding those only to replace them with a more elaborate bug seems to be ill
intent and unlikely to me. The bigger problem IMO is that the mentality above
is still prevalent: for every two backdoors found a new one may be put in by
another do-gooder.

~~~
_jal
Cisco is the Oracle of the networking world.

I'm sure it is mostly incompetence, with only the occasional state-actor
poisoning the well. But I see little evidence Cisco gives a damn or has any
intention of actually attempting to regain some of the squandered trust.

Which is fine, from my perspective; for the most part I like other vendors'
kit quite a bit more anyway.

I do think product liability law needs to kick in somewhere. If you have some
Tourette's-like inability to stop writing back doors in security products,
there should be some outside pressure to maybe get some help.

~~~
giancarlostoro
Is Cisco as evil as Oracle? Because ouch. Oracle is just plain evil. I have no
reason to compare Cisco to Oracle yet. I usually prefer TP-Link since they're
usually effective and affordable to boot.

------
ausjke
Time to bring back mid-to-high-end open source routers.

Something like VyOS: [https://vyos.io/](https://vyos.io/)

For low-end you always have LEDE or OpenWrt:
[http://openwrt.org](http://openwrt.org)

~~~
Kenji
OpenWrt is fantastic. Critical security patches come within days of the
vulnerability being disclosed, the thing compiles with little hassle on Ubuntu
Linux, and it runs stably and is very lean and fast.

------
DannyB2
Cisco seriously needs to fix this and make sure that next time it is much
harder to find their hardcoded passwords. /s

------
Rotdhizon
Can anyone elaborate on how these situations occur? What happened during the
construction of this software? Did someone put in the credentials as a test
account and forget to remove it? Did someone sneak it in? Is it a standard
practice? I assume quite a few people worked on that software, I can't imagine
a whole department just up and forgot they coded in a backdoor.

~~~
smacktoward
"Just hard-code the credentials in for now, we'll go back and put in a more
sophisticated system for managing them later."

RON HOWARD VOICE: _They didn't._

------
noslenac
As a business owner, this kind of thing is exactly why we as a company are
completely vendor/brand/technology agnostic. Too many companies get in a rut
and will be loyalists no matter what happens even when there are better
products out there.

I understand that switching is not always easy or even the right answer, but
if Cisco were worried about people/companies leaving to go to a competitor,
they may correct the problems that allow this kind of thing to keep occurring.
Fear of losing good customers may cause them to invest more in a better QA
process.

Just my two cents. I'm not anti-Cisco or pro-Cisco but do like our customers
to have the best possible solution for their environments and needs.

------
gabcoh
Sort of funny that right under the section titled:

>Let's not criticize Cisco

I get a nice Cisco ad.

I know that the author doesn’t choose the ads but it’s still pretty funny.

------
paulie_a
Wtf Cisco. Get your shitty software in order. This is getting absurd how
frequently this happens. I will never trust Cisco gear for anything.

------
Clubber
It's difficult to believe a company like Cisco would release something like
this by accident. Maybe I'm just being naive.

~~~
tboyd47
Like many companies its size, it does not operate like a single company but
like many companies. I don't know what you are implying is the true cause, but
developers make these kinds of bad decisions all the time in companies of all
sizes. The most likely explanation to me is a calculated risk on the part of some
middle manager.

------
NelsonMinar
I don't understand how this continues to happen. Is it because it's so hard to
sue a company like Cisco for negligence?

------
phyzome
Ah, what an evergreen headline.