
This is a pretty egregiously editorialized title; what we know is that there's apparently an SSH keypair authorized on these devices, for which the private key is available on the device. That's a terrible, ugly vulnerability, but it's as likely due to stupidity as to malice.

The right title is something like: CVE-2019-1804: Cisco Nexus 9000 Switches Allow SSH As Root.
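As an added example, not from the thread and not from Cisco's advisory: a pure-Python check for the pattern this comment describes, an authorized_keys entry whose corresponding private key sits on the same host. The openssh-key-v1 container stores the public-key blobs outside its encrypted section, so the check works even for passphrase-protected private keys and needs no ssh-keygen on the box. The key material below is constructed filler bytes (not a real key) and the paths are hypothetical.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"   # header of the OpenSSH private-key container


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; return (bytes, next_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def public_blobs_from_private(key_text: str) -> list:
    """Return the public-key blobs stored in cleartext in an OpenSSH private-key file.

    The openssh-key-v1 container keeps the public keys before the (possibly
    encrypted) private section, so no passphrase is needed to read them."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH private key (PEM/PKCS#8 keys need a different parser)")
    body = base64.b64decode("".join(lines[1:-1]))
    if not body.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    _cipher, off = _read_string(body, off)
    _kdf, off = _read_string(body, off)
    _kdfopts, off = _read_string(body, off)
    (nkeys,) = struct.unpack(">I", body[off:off + 4])
    off += 4
    blobs = []
    for _ in range(nkeys):
        blob, off = _read_string(body, off)
        blobs.append(blob)
    return blobs


def authorized_blobs(authorized_keys_text: str) -> dict:
    """Map public-key blob -> original authorized_keys line (a leading options field is tolerated)."""
    out = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            # the key-type token may be preceded by options such as command="..."
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                out[base64.b64decode(parts[i + 1])] = line
                break
    return out


def find_self_authorized(authorized_keys_text: str, private_keys: dict) -> list:
    """Report (private_key_path, fingerprint, authorized_keys_line) for every
    private key found on the host whose public half is also in authorized_keys."""
    auth = authorized_blobs(authorized_keys_text)
    hits = []
    for path, text in private_keys.items():
        for blob in public_blobs_from_private(text):
            if blob in auth:
                hits.append((path, fingerprint(blob), auth[blob]))
    return hits


def build_unencrypted_openssh_key(pub32: bytes, seed32: bytes, comment: bytes) -> str:
    """Assemble an unencrypted openssh-key-v1 file in Ed25519 layout.
    Used here only to construct sample input; the bytes are filler, not a real key."""
    pub_blob = _string(b"ssh-ed25519") + _string(pub32)
    priv = struct.pack(">II", 0x1234ABCD, 0x1234ABCD)          # checkint, repeated
    priv += _string(b"ssh-ed25519") + _string(pub32) + _string(seed32 + pub32) + _string(comment)
    pad = (-len(priv)) % 8                                     # cipher "none" pads to 8 bytes
    priv += bytes(range(1, pad + 1))
    body = (MAGIC + _string(b"none") + _string(b"none") + _string(b"")
            + struct.pack(">I", 1) + _string(pub_blob) + _string(priv))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample data (filler bytes, hypothetical paths), not taken from any device.
SAMPLE_PUB = bytes(range(32))
SAMPLE_PRIVATE_KEY = build_unencrypted_openssh_key(SAMPLE_PUB, bytes(range(32, 64)), b"factory-test")
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys\n"
    "ssh-ed25519 " + base64.b64encode(_string(b"ssh-ed25519") + _string(SAMPLE_PUB)).decode() + " factory-test\n"
    "ssh-ed25519 " + base64.b64encode(_string(b"ssh-ed25519") + _string(bytes(32))).decode() + " operator\n"
)
SAMPLE_PRIVATE_KEYS = {"/root/.ssh/id_ed25519": SAMPLE_PRIVATE_KEY}  # hypothetical path

if __name__ == "__main__":
    for path, fp, line in find_self_authorized(SAMPLE_AUTHORIZED_KEYS, SAMPLE_PRIVATE_KEYS):
        print(f"private key {path} ({fp}) is authorized on this host: {line}")
```

On a real host you would feed it the contents of every authorized_keys file (root's included) and every private-key file found under the usual directories; a hit means anyone who can read that file, or who has a copy of it from another unit of the same product, can log in as that account.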




It allows anyone who knows the default SSH key pair to login as root. How is that not a backdoor?

Backdoor definition: "A backdoor is a method, often secret, of bypassing normal authentication in a computer system."


People sometimes read "backdoor" as something intentionally left by an insider for later use by themselves or others.


Well, Cisco wrote the code, so it has to be in some way intentional, but it doesn't necessarily mean it was done maliciously. It could be that a private developer key used for testing accidentally got pushed out in production code, or some poorly thought out management "feature". Regardless, it is an epically dumb mistake for a company like Cisco to make on an enterprise product.


> Well, Cisco wrote the code, so it has to be in some way intentional, but it doesn't necessarily mean it was done maliciously. It could be that a private developer key used for testing accidentally got pushed out in production code, or some poorly thought out management "feature". Regardless, it is an epically dumb mistake for a company like Cisco to make on an enterprise product.

That someone might not be the company, it might be a developer.

It's entirely possible that the company says it's not a backdoor, the developer says it's a mistake, but he/she was approached by an external organization.

Unless you can provide proof either way, it's impossible to classify it as a backdoor or not.


> People sometimes read "backdoor" as something intentionally left by an insider for later use by themselves or others.

And considering you can never know if someone else knows about it, that means you can never know if it was a backdoor.


And what do you think this was? Virtually all router/networking devices have some kind of "hardcoded account" (read:backdoor) and this is only slowly changing. I believe the EU is going to ban the practice soon.


You’re joking right?

It’s “allow ssh as root with a publicly available ssh key”. Your version is making it sound mundane.


Sad state of affairs when terrible, ugly vulnerabilities are mundane.


If it was a genuine "backdoor", why would you want to use a publicly available key?


Being the only keyholder reduces plausible deniability, so maybe.


The private key is on the shipped devices, from my reading.


Agreed.

I'm hypothesizing that you might do this, even with keys intended to be used as a back door, by shipping it on devices, you vastly increase the number of potential suspects for any backdoor abuse.

Continuing this train of thought: a hardcoded password is a classic example of a backdoor, and just as "public" as including a private key.


This isn't a backdoor but it is a major vulnerability.


If mundanity is your concern, add an exclamation point to it.


Accuracy helps.


It is impossible to know the motivation of the person who put this here but these constructs have no place in firmware for critical devices and Cisco should have known that for a long time already. Either they truly are idiots or this is malicious.


More likely they are just imperfect humans.


That's a bit vague; imperfect humans are both malicious and incompetent, often at the same time.


And often neither.


Then from whence came their imperfection?


Just stop. Is it really hard to understand that normal people can make mistakes without being malicious or incompetent? Imperfect and incompetent are not synonyms.

And my response to the OP was to push back on the idea that only "idiots" could make mistakes. To me that is an absurdly reductionist view of human nature.


You tell me stop and then proceed to ask a question? How incredibly rude. I suggest you rethink your philosophy of discourse, and words (hint: most qualities such as incompetence and maliciousness exist on a continuum).


Huh? You were labeling people as incompetent and supporting the OP's idea they were idiots. I was asking for empathy and understanding that people can make mistakes. And when I tell you to stop, I'm the rude one?


Yeah, telling somebody to cease communication and then asking them a question is absolutely rude. I think we're all incompetent to varying degrees in different domains, I don't think it's rude to express that. From my perspective I don't feel I was rude at all in this exchange until my last message with the snarky "hint" part, but I was okay with that since you had essentially just told me to shut up.


You are misinterpreting my very terse "Just stop". If I were to expand it: "Just stop trying to convince me that people who make 'mistakes' can only be incompetent, malicious, or idiots"

That is not the same thing as "Just stop communicating" or "shut up". I shouldn't have been so terse. Without the verbal cues you made a different assumption about what I was trying to say.


In this context I don't really see a difference between "stop making your point about the subject we've been communicating about" and "stop communicating in general." Am I supposed to talk about the weather, or engage in a lengthy meta-discussion about talking about the subject we've been talking about?

I never used the term idiots, that's you putting someone else's words in my mouth.

It's hard for me to imagine how a person can make a mistake in a given domain without being at least bit incompetent in it, hence my point about competence/incompetence existing on a continuum.

Edit: ...and if the person were malicious, it wouldn't be a mistake to begin with.


So people extremely knowledgeable in a domain don't make mistakes in that domain? Or are they just "one notch too low" on the continuum- enough so that they make a mistake? I just don't think that holds.

Mistakes aren't always made due to incompetency and extremely competent people still can make mistakes.

I think most of the "seven factors that lead to stupidity" could still affect someone very competent: https://fs.blog/2019/01/how-not-to-be-stupid/


Well, I do apologize for my sloppy writing that made you think I was telling you to shut up. That wasn't my intent. I was just trying to say that your argument wasn't persuasive to me.

We'll just have to agree to disagree regarding human nature.


Ok, we changed to that. Thanks!

Submitted title was "Backdoor Found in Cisco Routers CVE-2019-1804".


I agree, this is not a backdoor in the more commonly understood sense of the term, post-Snowden.

At the same time, your suggested "right title" doesn't seem too accurate either (imo).

When I see the term backdoor, I think of something done intentionally.

Maybe something like: Embedded unsecured credentials allow attacker remote root SSH access

(it's actually much harder than I initially thought to phrase)


The mods asked me to email comments like this to the hn@yc.c address in the footer (Contact link), and have been responsive (not necessarily agreed, but they do reply!) when I've done so. I emailed them a link to your comment as the edit request with an attempt of my own:

> CVE-2019-1804: Cisco Nexus 9000 remote root exploit via SSH-over-IPv6

(Yes, it's a backdoor, I ran out of time sorry)


Clarification - Anyone can email, not just me


CVE-2019-1804: Cisco Nexus 9000 Switches Allow SSH As Root via IPv6 only.

Which makes it even more likely to be explained by stupidity than by malice.


It's still a bit editorialized since this only affects ACI mode, not the default (and far more common) NX-OS mode.


And plausible deniability is the #1 rule when being malicious. If you know enough to use an asymmetric key instead of a password, but not enough to think it's a good idea to leave the private key there, you're in a weird cross-section of expertise.


A broken script that turns a development build into a production/customer build could also be at fault, forgetting to delete the default key pair.


Equally as plausible which is exactly where you want to be if you're malicious.

I'll spin this around though: What would a high-quality plausibly deniable backdoor look like to you?


> Allow SSH As Root

That sounds like they just erroneously left AllowRootLogins yes in the sshd_config, which would not be a critical vulnerability.
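An added example, not from the thread: a checker for the setting this comment has in mind, the effective PermitRootLogin on a host running OpenSSH. It is written for an ordinary sshd_config file and says nothing about the switch's own SSH daemon or configuration, which the thread does not show. It models two sshd rules that audits often get wrong: when a keyword appears more than once, sshd keeps the first value it reads, and a Match block's value overrides the global one for connections that satisfy its criteria (first satisfied block wins). Only the User and Address criteria are implemented here (an assumption on my part; sshd supports others, and this checker raises on them rather than silently skipping the block). The configuration text is constructed.

```python
import fnmatch
import ipaddress

# sshd's built-in default for PermitRootLogin (OpenSSH 7.0 and later)
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def parse_sshd_config(text: str):
    """Split sshd_config into ordered global directives and Match blocks.
    Keywords are case-insensitive; comments and blank lines are dropped."""
    global_directives, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {"criteria": argument.split(), "directives": []}
            blocks.append(current)
        elif current is None:
            global_directives.append((keyword, argument))
        else:
            current["directives"].append((keyword, argument))
    return global_directives, blocks


def match_applies(criteria: list, conn: dict) -> bool:
    """Evaluate a Match line's criteria (all must hold) against a connection
    described as {"user": ..., "address": ...}. Only User and Address are
    implemented (assumption); anything else raises instead of being ignored."""
    if len(criteria) % 2:
        raise ValueError(f"malformed Match criteria: {criteria}")
    for crit, pattern in zip(criteria[0::2], criteria[1::2]):
        crit = crit.lower()
        if crit == "user":
            if not any(fnmatch.fnmatchcase(conn["user"], p) for p in pattern.split(",")):
                return False
        elif crit == "address":
            # CIDR or plain addresses only; an IPv4/IPv6 version mismatch is simply "not in"
            addr = ipaddress.ip_address(conn["address"])
            nets = (ipaddress.ip_network(p, strict=False) for p in pattern.split(","))
            if not any(addr in n for n in nets):
                return False
        else:
            raise ValueError(f"Match criterion not supported by this checker: {crit}")
    return True


def effective_value(text: str, keyword: str, conn: dict):
    """Value sshd would use for `keyword` on `conn`, or None if the file leaves it unset.
    Matching Match blocks override global settings; in both cases the first
    occurrence of a keyword wins and later duplicates are ignored."""
    keyword = keyword.lower()
    global_directives, blocks = parse_sshd_config(text)
    for block in blocks:
        if match_applies(block["criteria"], conn):
            for kw, arg in block["directives"]:
                if kw == keyword:
                    return arg
    for kw, arg in global_directives:
        if kw == keyword:
            return arg
    return None


def permit_root_login(text: str, conn: dict) -> str:
    """Effective PermitRootLogin for a connection, applying sshd's default when unset."""
    return effective_value(text, "PermitRootLogin", conn) or DEFAULT_PERMIT_ROOT_LOGIN


# Constructed sample sshd_config, not from any real host and not the switch's configuration.
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
PermitRootLogin yes          # ignored: sshd keeps the first value it reads
PasswordAuthentication yes
Match Address 10.0.0.0/8,2001:db8::/32
    PermitRootLogin yes      # overrides the global "no" for these source networks
Match User root
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for conn in ({"user": "root", "address": "192.0.2.5"},
                 {"user": "root", "address": "2001:db8::10"}):
        print(conn, "PermitRootLogin =", permit_root_login(SAMPLE_SSHD_CONFIG, conn))
```

Note that a grep for "PermitRootLogin yes" on the sample would flag line two, which sshd ignores, and would miss the Match block, which is what actually opens root login for the listed networks, IPv6 included; evaluating per connection is the only reliable way to audit this.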


What is a backdoor if not this?


A backdoor to me suggests an intentional loophole through a level of security. A bug that does the same is severe, but isn't intentional.

At least that's my reading.


But any competently inserted intentional backdoor is going to be indistinguishable from a mistake.

If Cisco had some SecretFBIChinaBackdoor() function somewhere the backlash would be way way worse (or at least an unknown). Whereas at this point it's abundantly clear that serious "non intentional" security vulnerabilities in networking hardware basically go ignored by the market.


>But any competently inserted intentional backdoor is going to be indistinguishable from a mistake.

Maybe, but without proof it's still just speculation. Real bugs do occur often, and sometimes in sensitive areas.

I understand wanting to be vigilant. In both assuming malice and assuming human error though, you're still forced to make an assumption.


You're not forced to make an assumption, you can just be honest and say you don't know. There's too many comments in this thread effectively saying "it looks unintentional, so it's unintentional".


>You're not forced to make an assumption, you can just be honest and say you don't know.

Indeed. That's what I was trying to say.


Yes, that is the term most commonly used to describe an "undocumented" access credential, regardless of why. It has been used for credentials that were added and forgotten, credentials that were added to permit unauthorized access later, and credentials that were added to permit authorized repairs more readily. These credentials were included in an "undocumented" (or "unpublished" might be more precise) manner and can be used to bypass security, so "backdoor" is correct.

This of course says nothing about whether its inclusion was due to intent, incompetence, and/or malice. (If the private key includes “Comment: hack the planet” then yeah it’s malice :)


Seems like a not very secure front door to me.



