back to article Four words from Cisco to strike fear into the most hardened techies: Guest account as root

Cisco has doled out yet more security updates for its IOS and IOS XE network operating systems, which, we are obliged to remind you, is its scheduled six-monthly patch run and not the usual "oh bugger" state of affairs. In the latest run we have a dozen patches for 13 vulnerabilities rated "high", including ones that cause a …

  1. Anonymous Coward
    Anonymous Coward

    faulty "role-based access control evaluation"

    This is proves the difference between (real) software engineers and run-off-the-mill monkey coders.

    1. Danny 2

      Re: faulty "role-based access control evaluation"

      I did Systems Integration and Test for a Cisco kid once and would like to think I would have caught this or anything else development threw our way. SI&T is always a seriously underrated and underfunded department, the goalkeeper who stops own goals due to an eye for detail and an understanding even real software engineers have bad moments.

      For example, you probably meant 'run of the mill' rather than 'run off the mill'.

      1. Anonymous Coward
        Anonymous Coward

        Re: faulty "role-based access control evaluation"

        My reading of this is that on IISR800's/CGR1000's you have the option of installing an add-on server module. The RBAC issue is around a user with access to the router potentially having access to the guest OS without the correct privilege level (from the linked vulnerability notice: "Exploitation of this vulnerability could allow the attacker to successfully log in to the Guest OS using a low-privileged IOS user credentials."). The intended design is to only allow access with level 15 privileges.

        While I'm not disputing it is a bug, guest access to the router is likely to mean a user with restricted access rather than an unauthenticated user - knowing how Cisco's AAA system works and the ability to assign roles to privilege levels, the "only priv 15 should be allowed access" looks like an exception.

        I would have thought restricting command sets would have been a suitable workaround, but Cisco doesn't list this as an option and I don't have access to any of these devices to test further.

      2. This post has been deleted by its author

  2. Blockchain commentard
    Thumb Up

    On the plus side, who hasn't forgotten the admin password and had to change something urgently. Well done Cisco :-)

    1. phuzz Silver badge
      Facepalm

      Or more likely, the person who set up the equipment has left, and no one knows what the passwords are.

  3. Christian Berger

    What really scares me

    Cisco has abysmally bad security for decades now... on different product lines... with completely new implementations. I mean just by chance they should have found some competent programmers starting a new project.

    I mean even Microsoft managed to clean up their mess for a while after XP.

    1. Anonymous Coward
      Anonymous Coward

      Re: What really scares me

      "Cisco has abysmally bad security for decades now... on different product lines... with completely new implementations."

      Compared to Cisco, Microsoft have significantly less variety across their product lines. Cisco list >820,000 line items in their current pricing spreadsheet. While a significant portion of that is hardware, the associated software may run across multiple product lines with very different intended uses.

      Add in regular acquisitions of third party products (particularly management tools) and you have a lot of security issues that have minimal impact to large portions of the customer base.

      For this particular vulnerability, I would suggest that the Cisco solution was developed in association with customers (it's basically a small router integrated with 3G/4G connectivity, wifi and an optional server for remote data collection/monitoring purposes) and the method used to provide connectivity between the router and the server didn't consider potential customer requirements to separate management roles.

    2. Anonymous Coward
      Anonymous Coward

      Re: What really scares me

      I've never interviewed at Cisco, but if its anything like the company I interviewed at recently for a C++ system and network dev the problem is with the interviewers. Instead of being asked things like "whats the first thing you do after mapping a structure to network data assuming you received enough data to fill it" *** or "whats a good way to receive signals in a multithreaded process*** they asked crap like "tell us what design patterns you know" and "what features do you like in C++17".

      I mean FFS, get a grip on the problem space and ask the correct questions then you'll get people who know what they're doing.

      *** (questions I've asked candidates myself when I've been the interviewer)

      - Change numeric fields to host byte order

      - Use sigwait() in a dedicated thread.

  4. Pascal Monett Silver badge
    Trollface

    Man it must be hard for Cisco

    Patching all these holes to keep China out while ensuring the NSA still has access.

    1. TXITMAN

      Re: Man it must be hard for Cisco

      Cisco has a couple of buildings on their campus full of federal workers. Nothing will change soon. If you want security look elsewhere.

    2. Anonymous Coward
      Anonymous Coward

      Re: Man it must be hard for Cisco

      There are so many holes in Cisco software through due to their incompetence, that the idea that they build in backdoors for the NSA seems kind of silly. That would be like Microsoft building a backdoor into Windows XP.

    3. eamonn_gaffey

      Re: Man it must be hard for Cisco

      This latest example from Cisco may expain why UK Govt. persiists with Huawei. They would rather the risk of the PRC Communist Party spying on us, than the shambles from the likes of Cisco. A novel risk based approach I guess :-)

  5. Andy The Hat Silver badge

    At least there are no significant access issues that would result in the prevention of sale of their equipment on the grounds of lack of basic security ... unlike all the holes listed by the US for that pesky chinese What way? stuff ...

  6. katrinab Silver badge
    Flame

    Double standards

    When security holes are found in Huawei kit, it is a threat to national security etc, but when similar or worse holes are found in Cisco kit, ¯\_(ツ)_/¯.

  7. aaaa
    FAIL

    No updates for in-contract non-EOL cisco devices

    So I switched from HP gear to Cisco a few years ago, but recently discovered that our in-contract hardware, with an EOL of 2022 is no longer receiving security updates, even though that's exactly what the service contract promises.

    https://community.cisco.com/t5/small-business-security/asa5505-software-update-to-9-4-to-resolve-security-advisory/m-p/3918845/highlight/true#M7158.

    For now I'm willing to suspend disbelief and assume left hand hasn't quite understood what right hand has done. Waiting to hear back from their legal dept. If they don't start issuing security updates for in-contract hardware, then there is no way I'll ever get permission to buy any cisco kit ever again - and I'm quite sure I'm not the only one.

    1. Notas Badoff

      Re: No updates for in-contract non-EOL cisco devices

      "After the first year and for Operating System SW -where available- we will provide bug fixes, maintenance releases, workarounds or patches for a period of 4 years for operating system software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem."

      So you buy a hardware platform, and after a bit Cisco says newer software won't be supported on that hardware, and then later still says there are vulnerabilities that are only fixed by newer software. That combination makes your hardware obsolete years before EOL?

      Why do people buy Cisco, when their attitude is "fuck you!"?

    2. Rockets

      Re: No updates for in-contract non-EOL cisco devices

      The ASA 5505 is really odd device support wise. For example the ASA 5510 & 5505 run the exact same ASA OS image file for 9.1.7.32 release but the 5510 was EOL 12 months ago. The 5505 does have 9.2.4 as the latest version available. Wonder if the 9.2.4 will run on a ASA 5510.

    3. Anonymous Coward
      Anonymous Coward

      Re: No updates for in-contract non-EOL cisco devices

      The one question I would have is when did you buy the 5505?

      While the 5505 was a shipping product until the end of 2017 (it first shipped in 2006), it had been replaced in early 2015 by a newer product that supported later software releases and had hardware that supported modern encryption AND the sales channel was recommending either waiting for the 5506X or purchasing 5512X's in 2014 as the 5505's didn't run newer ASA code. The ASA software for the platform reached end-of-support in September 2018 with the final maintenance release of 9.1(7).

      I would suggest that if you purchased the firewalls after ~2014 and your re-seller didn't mention it was a dead platform walking,you have been very unlucky. The 5505 looked dead in 2012 when the first ASA X models were released due to increases in memory/CPU/encryption hardware and Cisco initially didn't plan to replace the 5505, but it proved too popular and they had to rush out the 5506X and the subsequent 5508X.

      1. aaaa

        Re: No updates for in-contract non-EOL cisco devices

        AC: The one question I would have is when did you buy the 5505?

        If you check my link to community.cisco.com in the OP you'll see the answer to your question. You may have made a different decision based on the same criteria, but we purchased way before the end of sale date was even announced.

        If I'd known that Cisco wouldn't honour it's contract, and retire the software early (in breach of contract) then the ROI wouldn't have stood up and I'd have proposed an alternative, but we have to go into contracts assuming good faith.

  8. Anonymous Coward
    Anonymous Coward

    Proprietary vs Open Source? That is the question. Proprietary, you don't have visibility into what vulnerabilities/backdoors exist until it's "discovered" and may never get patched. Open Source, everyone can view the source code, including miscreants, but once "discovered" hopefully gets patched quickly.

    1. Anonymous Coward
      Anonymous Coward

      The majority of companies don't buy Cisco due to propriety versus open source, they buy it for support when something goes wrong.

  9. herman Silver badge

    I prefer China spying on me than the USA spying on me, so Huawei it is then...

    1. jelabarre59

      I prefer China spying on me than the USA spying on me, so Huawei it is then...

      I'm sure China would find less of interest to them by spying on me than the US Govt would, Not that I know what would even be of interest to the US, other than I voted for Gary Johnson both times...

      1. Anonymous Coward
        Anonymous Coward

        I believe that china spies would mostly be interested in trying to sell me something... and probably less intrusive than the extensive ad tracking networks that are everywhere these days, which of course the US govt has no problems with

  10. Wild Elk

    What are you even talking about?

  11. Claptrap314 Silver badge

    9.9

    That's Olympic Gold material right there. You don't see that very often.

  12. Mike Tubby
    WTF?

    Which order is the right order?

    So, to keep the spies out and the bugs in which order to I cascade my firewalls?

    Outside <--> Linux <--> Cisco <--> Huawei <--> CheckPoint <--> Inside

    Outside <--> Linux <--> Huawei <--> Cisco <--> CheckPoint <--> Inside

    Outside <--> Linux <--> Cisco <--> Huawei <--> CheckPoint <--> Inside

    Outside <--> Cisco <--> Huawei <--> Linux <--> CheckPoint <--> Inside

    Outside <--> Huawei <--> Cisco <--> Linux <--> CheckPoint <--> Inside

    Outside <--> CheckPoint <--> Huawei <--> Cisco <--> Linux <--> Inside

    ... ... ... ...

    dam... there are just so many combinations! ;-)

    Mike

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like