Home-pwners: Cisco's Prime Home lets hackers hijack people's routers, no questions asked

Cisco is advising ISPs and other service providers using its Prime Home system to install a security update immediately – to squash a serious remote execution bug. Switchzilla says the flaw, which was given a 10.0 CVSS score, could allow an attacker to log into the software as an administrator and remotely take control of …

  1. Anonymous Coward

    Cisco

    These guys build firewalls too?

    Suggests they are either grossly incompetent, or paid by the Spooks to backdoor them

    1. a_yank_lurker Silver badge

      Re: Cisco

      Or both, wrote a backdoor that was too easy to discover and use.

    2. Tikiman

      Re: Cisco

      This is the era of "just barely good enough" quality. High quality left the building with massive layoffs of senior coders replaced by cheap 3d world hacks. Quite a few of those 3d world hacks cheated their way to a degree with purchased test answers. Software's on the same level as making cheap kids' toys now.

  2. redpawn Silver badge

    My home is your home

    takes on a whole new meaning. It's like having a key lock where all you have to do is turn the handle to the left instead of the right when the door is locked. Prime chump system is more like it as you pay extra to be robbed.

  3. Anonymous Coward

    Locked and loaded!

    You're not locked.

    But the robbers are loaded...

  4. John Smith 19 Gold badge
    FAIL

    So another company that can't write secure software.

    "authenticate credentials" sounds like a task for a boilerplate code snippet or a macro.

    That of course implies the software is designed before someone starts coding it.

  5. Anonymous Coward
    Facepalm

    Yet another hole in the web interface

    "An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication"

    Yet another hole in the web interface. Why didn't Cisco pick this up at the code review and vulnerability stage? They did test it for such vulnerabilities at the design stage .. agile, devOps waterfall etc ..

    1. Anonymous Coward

      Re: Yet another hole in the web interface

      "agile, devOps waterfall etc .."

      Also known as quick & dirty and cheap. This is why security holes and software bugs get missed.

      If software development were done properly, and time was put into coding standards, code reviews, bounds checking, vulnerability assessments & testing then these holes would not be included.

      But since that takes time and costs money, then they are not done, putting the risk onto the customer with no obligation on the vendor to be responsible for their bugs and holes.

  6. Anonymous Coward

    Yet another Cisco back door?

    A more suspicious person than me might wonder if the seemingly endless back doors and 'flaws' being found in all of Cisco's products were actually intentionally placed there.

  7. Robert Helpmann?? Silver badge
    Childcatcher

    Alternate method of verification

    "Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the 'Version:' line in the login window."

    Or you could just try the exploit...

Biting the hand that feeds IT © 1998–2020