
Cisco coughs up baker’s dozen of vulnerabilities and other security nasties
https://www.theregister.co.uk/2018/09/27/cisco_vulns_h2_18/
======
TheCapn
> "It was not immediately clear whether or not the company has released any
> patches for this, with the page on its website merely referring readers to a
> login-protected page."

Or as I learned in the last week with Cisco, it doesn't even matter if you
have an account! You can't download software updates to the hardware they sold
you unless you pay extra for a Service Contract!

Leaving security holes in the software? Well gosh, we're real sorry about
that. How 'bout you cough up a nominal fee for each of those "Security
Appliances" you bought so we can give you the privilege of fixing our
mistakes. Thanks!

~~~
RKearney
That is completely untrue. You can open a case and get access to downloads
outside your support contract if you reference a vulnerability that’s
affecting your current hardware.

~~~
antsar
> open a case and get access [...] if you reference a vulnerability that’s
> affecting your current hardware.

Ok, but that's bullshit, isn't it? Not all customers are going to be
proactive/attentive enough to know their hardware is vulnerable. Cisco knows
there is vulnerable gear in the wild, knows there is a fix, but withholds the
fix until people come begging? Almost feels like the sort of thing that should
be illegal (or at least on the losing end of a civil suit).

~~~
Buge
Didn't Microsoft do something similar by stopping support for Windows XP, but
providing support longer for people who pay special support contracts?

Of course Microsoft also released some free security updates beyond the date
too.

------
stuff4ben
> boils down to there being a "hidden command in the affected software",
> according to Cisco itself.

It always amazes me that we continually release software with these backdoors
in them. What is the thought process that's going on? Do they think security
by obscurity really works? They must or else they wouldn't keep doing this.
Cisco isn't a small company, they have the people-power, processes, and money
to not do this. It literally saves no time or money when you figure in the
cost to fixing the issue. US government conspiracy theories aside, I'm
guessing it's just lazy developers, incompetent managers, or potentially
intentional maliciousness from foreign governments or competitors.

~~~
davemp
I feel like software reverse engineering should be done in more curriculums so
developers can see just how easy it is to find backdoors as a relatively
unskilled attacker.

~~~
pure-awesome
Whilst I think it would be useful, you're not teaching the more general
lessons (such as not relying solely on security by obscurity).

I suspect the kind of person who left in that backdoor would, after going
through the course, simply make a slightly harder-to-find backdoor. (If
anything, they might be _more_ likely because they think they've taken into
account THE vulnerability, when it is only a vulnerability).

------
wgx
A colleague said: "The three-letter agencies are done with these, so they can
go public now" - I wonder how true that is?

~~~
setquk
Likely. Considering the three letter agencies get early access to these things
from other vendors:
[https://arstechnica.com/information-technology/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/](https://arstechnica.com/information-technology/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/)

~~~
giancarlostoro
This makes me wonder if this is how Stuxnet was birthed, very interesting.

~~~
krylon
A former coworker of mine who works in industrial automation told me that
Siemens had to give US authorities access to their source code; I would not be
surprised if that source code had "leaked" to the intelligence services.

------
lunchladydoris
I've long heard the term but never really looked into where it comes from.

If you're like me, check this out:
[https://www.todayifoundout.com/index.php/2010/09/why-a-bakers-dozen-is-13-instead-of-12/](https://www.todayifoundout.com/index.php/2010/09/why-a-bakers-dozen-is-13-instead-of-12/)

------
radicalgold
This all sounds very dramatic, but I'm pretty sure that taking over the system
is not that easy. Most vulnerabilities, if they are mediocre, have zero
probability, and most scenarios are pretty unlikely.