
Do you think these security defects are really bugs, or are they back-doors left in for the state security apparatus? Who or what department is tasked with testing Cisco devices for security vulnerabilities? I mean, didn't anyone test the devices for potential remote root access and the ability to bypass the Trust Anchor? Lastly, I don't know how an internet router can not be connected to the Internet and still function?



Doubt it. It's the consequence of bad security practices, incompetence at many levels, rushing to market, and in general how these platforms are designed (which is a consequence of previous statements).

While there are a lot of CVEs for pretty much all equipment like this from all vendors, they require access to the mgmt interface to be exploited. These devices do the heavy lifting in ASICs/NPUs, so control plane and forwarding plane are separated (some things requiring CPU processing, such as routing protocols, need to be forwarded from the forwarding plane to the control plane), but it requires some configuration to be fully secure; easily done, however.

The control plane is typically a Linux distro these days (some run FreeBSD, QNX, or some in-house developed OS) with some open source applications on top (Apache or others as web servers are common for mgmt), some proprietary apps, ASIC drivers, etc. A Linux distro you are seldom allowed to make changes to or update software on, fearing that it will cause problems for customers; same with the apps running on it. Even if you do upgrade it, you have to get your customers to do it as well; most upgrades require scheduled downtime and typically come with new fun bugs. Most of the CVEs come from the open source software running on these devices, some from them messing up configuration on them. Very few come from the proprietary apps, as they mainly deal with network control protocols and not mgmt.
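The "some configuration" the comment above refers to is restricting who can reach the management interface and rate-limiting what the forwarding plane punts to the CPU. Below is an added illustration in Cisco IOS syntax (not from the commenter or from any Cisco document); the management subnet 10.0.0.0/24, the ACL, class-map and policy-map names, and the police rate are assumptions chosen for the example.

```cisco
! --- Management-plane access control (assumed mgmt subnet 10.0.0.0/24) ---
ip access-list extended MGMT-ACCESS
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny   ip any any log
!
! Only SSH on the vty lines, and only from the management subnet.
line vty 0 4
 transport input ssh
 access-class MGMT-ACCESS in
!
! --- Control-plane policing: bound the traffic the forwarding plane ---
! --- punts to the CPU, so unsolicited mgmt probes cannot starve it  ---
class-map match-all COPP-MGMT
 match access-group name MGMT-ACCESS
!
policy-map COPP
 class COPP-MGMT
  police 512000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

With this in place, a CVE in the web or SSH management daemon is only reachable from the assumed management subnet, and the denied-and-logged entries give a detection signal for probes from anywhere else.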



