Do people really leave Telnet enabled?
Cisco has patched a critical security flaw in its switches that can be potentially exploited by miscreants to hijack networks – a flaw disclosed in the Vault 7 leak of CIA files. Switchzilla says the vulnerability, CVE-2017-3881, can be exploited remotely by simply establishing a Telnet connection and sending a cluster …
Tuesday 9th May 2017 19:47 GMT Brad Ackerman
There are idiots still using Windows XP; unencrypted HTTP for login (hence the Firefox changes); ridiculously out-of-date web browsers; Silverlight; and for all I know SSHv1 and LM authentication. Cisco used to charge extra for SSH support.
Think of this as the Rule 34 of infosec: if it's possible to configure a system that way, no matter how dumb, some asshole will do it.
Wednesday 10th May 2017 00:31 GMT gerdesj
All switches that cost more than say £200 that I know of all have telnet enabled by default. It's bloody crap. It's not as though sshd is expensive - it's free!
Mind you, given the calibre of some of the "top end" switch fiddlers that I have come across, I am not surprised. Security Not My Problem seems to be a mantra rather than a character flaw for some.
Tuesday 9th May 2017 19:39 GMT Anonymous Coward
In any medium or largish (100+ network devices) I would expect a few telnet enabled devices.
Combine misconfiguration, firmware that doesn't support encryption, non-standard switches to support a requirement that is deemed "non-IT" when it's purchased but IT end up supporting it, old devices that don't have firmware that only support telnet in a remote office - good security is hard at scale and on a budget...
Tuesday 9th May 2017 19:46 GMT tom dial
From 2009 or so within the US DoD networks, telnet (and ftp) services were generally not allowed. There were exceptions, nearly all ftp from non-DoD data providers, and these were addressed by establishing hardened proxy servers or DMZs where traffic could be examined and transferred securely for internal use. In later years, the screws were tightened several times a year in a continuing effort to weed out remaining exceptions, along with ftp.
It exceeds my ability to understand use of telnet for administration, or enabling the telnet service on a network exposed to or reachable from the public Internet.
Tuesday 9th May 2017 21:57 GMT A Non e-mouse
Wednesday 10th May 2017 09:41 GMT EnviableOne
Cisco Security Advice
It's been the recommendation that Telnet and HTTP be turned off, in favour of SSH and HTTPS, and an ACL applied to VTY lines for years (at least 6 (2 iterations of the CCNA)).
But along with leaving remote provisioning on, and CDP etc, Switchzilla expect you to get a certified engineer to install it and do the work, rather than legislating for the guy that buys Cisco because no one got fired for buying it, and plugs it in expecting it to work.
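The recommendation in the post above (Telnet and HTTP off, SSH only, ACL on the VTY lines) can be checked mechanically across a fleet. The following audit script is an added example, not code from the thread or from Cisco; the IOS command syntax is real, but the two running-config fragments are constructed, one showing the weak state and one the corrected state.

```python
import re

# Constructed sample running-config fragments (not from any real device).
WEAK_CONFIG = """\
hostname edge-sw1
ip http server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class 10 in
 login local
"""

HARDENED_CONFIG = """\
hostname edge-sw1
no ip http server
ip http secure-server
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 15
 transport input ssh
 access-class 10 in
 login local
"""

def parse_vty_lines(config):
    """Map each 'line vty ...' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any non-indented line closes the stanza
    return stanzas

def audit_config(config):
    """Return (severity, message) findings for cleartext or unrestricted management access."""
    findings = []
    if re.search(r"^ip http server$", config, re.M):
        findings.append(("high", "plain HTTP management enabled (ip http server)"))
    for name, cmds in parse_vty_lines(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(("medium", f"{name}: no explicit 'transport input' (platform default applies)"))
        elif {"telnet", "all"} & set(transport.split()):
            findings.append(("high", f"{name}: Telnet accepted ({transport})"))
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(("medium", f"{name}: no access-class ACL on the VTY"))
    return findings
```

Feed `audit_config` the text of `show running-config` from each device; an empty list means the management plane matches the recommendation.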