Hacker News new | past | comments | ask | show | jobs | submit login
A Cisco Router Bug Has Global Implications (wired.com)
50 points by Dajsvaro on May 13, 2019 | hide | past | favorite | 6 comments

This article makes it sound like the sky is falling but it's not. In order to actually exploit CVE-2019-1862, you need to be an authenticated user with access to the Web UI. Typically management of a router isn't exposed to the whole Internet.

As a Network Engineer at an org with decent staffing and a great cyber sec program and as someone who recently started working through the OSCP material. I'd like to agree with you and I will say I'm not overly worried about this (we'll still patch the second we can).

Cisco isn't exactly making things hard on attackers. Here's a couple of other vulnerabilities that could be used in conjunction with this one: Hardcoded credential vulnerability in IOS-XE (CVE-2018-0150). IOS-XE hasn't been without privledge escalation vulnerabilities either(eg CVE-2019-1754, among others)

Many orgs are unwilling to take a network outage for patching, especially in places like their DCs, internet or WAN edges where many of these devices would be deployed. I'm also aware of companies that are understaffed, where employees don't have the extra cycles to patch or apply workarounds. These are the same places that don't have active cyber security departments (no red-team, no vulnerability scanning, no dot1x and no written cyber security requirements) and don't budget for redundancy (making it even harder to patch). It only takes one forgotten NAT and firewall rule or a misplaced/unapplied ACL to end up with something exposed to the internet that shouldn't be. With how sophisticated some attackers have become and the slow rollout of network patches, this will probably be actively exploited even if it hasn't been already.

The article makes it sound like just one router is affected (ASR 1001-X), but that's just one model in one line of Cisco routers, and they all appear to be vulnerable: https://tools.cisco.com/security/center/content/CiscoSecurit...

It is always nice to read "This advisory will be updated as additional information becomes available." /s

Do you think these security defects are really bugs or are back-doors left in for the state security apparatus? Who or what department is tasked with testing Cisco devices for security vulnerabilities. I mean didn't anyone test the devices for potential remote root access and the ability to bypass the Trust Anchor? Lastly I don't know how an internet router can be not connected to the Internet and still function?

Doubt it. It's the consequence of bad security practices, incompetence at many levels, rushing to market, and in general how these platforms are designed (which is a consequence of previous statements).

While there are a lot of CVE's for pretty much all equipment like this from all vendors they require access to the mgmt interface to be exploited. These devices to the heavy lifting in ASIC/NPU's, so control plane and forwarding plane are separated (some things requiring cpu processing such as routing protocols needs to be forwarded from forwarding plane to control plane), but requires some configuration to be fully secure, easily done however.

The control plane is typically a linux distro these days (some run freebsd, QNX, or some in-house developed OS) with some open source applications on top (Apache or others as web servers are common for mgmt), some proprietary apps, ASIC drivers etc. A linux distro you seldom are allowed to makes changes to or update software fearing that it will cause problems for customers, same with the apps running on it. Even if you do upgrade it you have to get your customers to do it as well, most upgrades require scheduled downtime and typically comes with new fun bugs. Most of the CVE's come from the open source software running on these devices, some from them messing up configuration on them. Very few come from the proprietary apps as they mainly deal with network control protocols and not mgmt.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact