Cisco warns 'unintentional debugging credential' left in some network switches can be abused to hijack equipment

Cisco this week revealed a pair of critical flaws, rated ten out of ten in severity, in its family of Catalyst PON Series Switches Optical Network Terminals. One of these vulnerabilities, CVE-2021-34795, is "an unintentional debugging credential," as Cisco put it, baked into the devices. What on Earth is an "unintentional …

  1. HildyJ Silver badge
    WTF?

    So I guess

    The NSA was finished using them?

    Seriously, how hard is it to track and remove debugging credentials (and accounts, and configurations, etc.)?

  2. mikus

    Oh yeah, so this one China order...

    They said just cut and paste this here for big order.

  3. sanmigueelbeer Silver badge
    Coat

    Guys, they found this one. Go and hide the others!

    It kinda smells like a backdoor left in by engineers for testing.

    TFTFY

  4. Paul Crawford Silver badge

    One of the reasons I prefer open source stuff like OpenWRT and pfSense is the lower probability of crap like this happening. Oh, and much cheaper as well...

    To be fair to others, they probably have cool features that I don't know about and/or have no idea how to use, not being adequately versed in the dark arts of VLAN management, etc.

    1. Version 1.0 Silver badge

      I've been using pfSense at home and at work for years now. pfSense was excellent until NetGate took it over; the last two "updates" have resulted in having to reboot every device connected to it.

      1. SleepGuy

        Same experience here with pfSense, bad updates & questionable decisions by them. Transitioned all our routers (~30) to OPNSense this year. Additionally, the NetGate ARM hardware is horrible and can't handle a power loss. Trashed that this year as well.

    2. Dave Null

      If you're genuinely advocating for OpenWRT for large scale enterprise I just don't know what to tell you.

      1. Paul Crawford Silver badge

        No, but Cisco push stuff for small companies as well.

        If you only have a dozen or two machines in one location then OpenWRT is quite adequate as a router and basic firewall. The ease of saving and restoring configuration allows you to have another cheap system on cold standby if you don't have the budget for fancy HA systems.

  5. Pascal Monett Silver badge

    Thank goodness it's shoddy Cisco programming

    and not Huawei. If it had been Huawei, it would be a National Security incident, whereas here, it's just a deplorable mistake.

    1. stiine Silver badge

      Re: Thank goodness it's shoddy Cisco programming

      So, when can we expect Huawei to issue a *very* similar set of patches?

    2. Aitor 1 Silver badge

      Re: Thank goodness it's shoddy Cisco programming

      Well, those backdoors for the 5 eyes need to be installed, so remove the non 5 eyes compliant Huawei kit.

  6. John Sturdy
    WTF?

    As an aside, I'm puzzled by the terminology

    If these are "passive optical network switches", how does the concept of root access apply? That doesn't sound like a passive device to me.

    1. Our Lord and Savior Rahl

      Re: As an aside, I'm puzzled by the terminology

      It's Passive Optical Network Switch as in a switch for a Passive Optical Network, not a Passive Switch for an Optical Network.

      Basically the fiber and the splitters are unpowered.

  7. Dave Null

    Can CVE-2021-40113 turn on telnet?

    that would make this a lot more interesting

  8. Anonymous Coward

    Yo!!......

    ......ah!......a "mistake"!!!

    *

    ....and then there's the NSA backdoors which we haven't been told about!!!

    *

    Yes.....I know.....the NSA isn't in bed with Cisco...........

    *

    ....or in bed with NSO....or Google...............

    *

    Please........just stop reporting misinformation that some of us simply do not believe!!!!!

  9. EarthDog

    No discipline...

    I've worked as a sys admin, DBA, and QA. Talking with friends who have had similar careers we came to the conclusion that programmers have the self-discipline of incontinent baboons.

  10. scrubber
    Coat

    Apologies in advance, but...

    Catalyst PWN Series Switches Optical Network

    FTFY


Biting the hand that feeds IT © 1998–2022