The right title is something like: CVS-2019-1804: Cisco Nexus 9000 Switches Allow SSH As Root.
Backdoor definition: "A backdoor is a method, often secret, of bypassing normal authentication in a computer system."
That someone might not be the company, it might be a developer.
It's entirely true that the company says it's not a backdoor, the developer says it's a mistake, but he/she was approached from an external organization.
Unless you can provide either way it's impossible to classify it as a backdoor or not.
And considering you can never know if someone else knows about it, that means you can never know if it was a backdoor.
It’s “allow ssh as root with a publicly available ssh key”. Your version is making it sound mundane.
I'm hypothesizing that you might do this, even with keys intended to be used as a back door, by shipping it on devices, you vastly increase the number of potential suspects for any backdoor abuse.
Continuing this train of thought - a hardcoded password is classic example of a backdoor, and just as "public" as including a private key.
And my response to the OP was to push back on the idea that only "idiots" could make mistakes. To me that is an absurdly reductionist view of human nature.
That is not the same thing as "Just stop communicating" or "shut up". I shouldn't have been so terse. Without the verbal cues you made a different assumption about what I was trying to say.
I never used the term idiots, that's you putting someone else's words in my mouth.
It's hard for me to imagine how a person can make a mistake in a given domain without being at least bit incompetent in it, hence my point about competence/incompetence existing on a continuum.
Edit: ...and if the person were malicious, it wouldn't be a mistake to begin with.
Mistakes aren't always made due to incompetency and extremely competent people still can make mistakes.
I think most of the "seven factors that lead to stupidity" could still affect someone very competent:
We'll just have to agree to disagree regarding human nature.
Submitted title was "Backdoor Found in Cisco Routers CVE-2019-1804".
At the same time, your suggested "right title" doesn't seem too accurate either (imo).
When I see the term backdoor, I think of something done intentionally.
Maybe something like:
Embeded unsecured credentials , allow attacker remote root ssh access
( it's actually much harder than I initially thought , to phrase)
> CVS-2019-1804: Cisco Nexus 9000 remote root exploit via SSH-over-IPv6
(Yes, it's a backdoor, I ran out of time sorry)
Which makes it even more likely to be explained by stupidity as to malice.
I'll spin this around though: What would a high-quality plausibly deniable backdoor look like to you?
That sounds like they just erroneously left AllowRootLogins yes in the ssd_config, which would not be a critical vulnerability.
At least that's my reading.
If Cisco had some SecretFBIChinaBackdoor() function somewhere the backlash would be way way worse (or at least an unknown). Whereas at this point it's abundantly clear that serious "non intentional" security vulnerabilities in networking hardware basically go ignored by the market.
Maybe, but without proof it's still just speculation. Real bugs do occur often, and sometimes in sensitive areas.
I understand wanting to be vigilant. In both assuming malice and assuming human error though, you're still forced to make an assumption.
Indeed. That's what I was trying to say.
This of course says nothing about whether its inclusion was due to intent, incompetence, and/or malice. (If the private key includes “Comment: hack the planet” then yeah it’s malice :)