Broken password check algorithm lets anyone log into Cisco's Wi-Fi admin software

Cisco on Tuesday issued a critical security advisory for its Wireless LAN Controller (WLC), used in various Cisco products to manage wireless networks. A vulnerability in the software's authentication code (bug type CWE-303) could allow an unauthenticated remote attacker to bypass authentication controls and log in to the …

  1. Wellyboot Silver badge
    Facepalm

    Bug or Backdoor?

    The login creds aren't cisco + c1sc0 by any chance?

    1. Yet Another Anonymous coward Silver badge

      Re: Bug or Backdoor?

      Only after you install the security update, the default factory passwd is "password"

  2. HildyJ Silver badge
    Big Brother

    I'd guess

    Some bad actor discovered an NSA backdoor.

    Not to worry, I'm sure they have another one in place.

    1. TonyR
      Black Helicopters

      Re: I'd guess

      Not the NSA backdoor. That still works after the patch.

      1. rcxb1 Bronze badge

        Re: I'd guess

        Yeah, my toaster is still laughing at my jokes...

      2. Yet Another Anonymous coward Silver badge

        Re: I'd guess

        You have to picture some engineer deep in the MMB thinking Oh FFS.

        He spent years secretly hiding the subtlest of backdoors in CISCO updates and then they do this.

      3. Anonymous Coward

        Re: I'd guess

        it's a teeny tiny special chip... shh

        1. Yet Another Anonymous coward Silver badge

          Re: I'd guess

          Is that like the tiny secret invisible (except to Bloomberg's CEO) Chinese spy chips on Supermicro and Lenovo motherboards?

  3. Pascal Monett Silver badge
    Facepalm

    "improper implementation of the password validation algorithm"

    Is there anyone left who tests a product before shoving it out the door ?

    Anyone ?

    1. TimMaher Silver badge
      Coat

      Re: Anyone ?

      A ball of tumbleweed blows across the prairie, to the faint sound of a gust of wind. A wolf howls in the distance.

      1. X5-332960073452
        Happy

        Re: Anyone ?

        Go north

        1. Phil O'Sophical Silver badge

          Re: Anyone ?

          It is dark. You are likely to be eaten by a grue.

    2. Danny 2 Silver badge

      Re: "improper implementation of the password validation algorithm"

      I used to systems test Cisco kit on a Sun SPARC named Sisko in the '90s, and I didn't even know who Sisko was. This never happened on my watch; it couldn't have, as I was so clever and competent.

      I forget now, was Dunning the smart one and Kruger the idiot, or vice versa?

    3. fredesmite2

      Re: "improper implementation of the password validation algorithm"

      It worked in the lab .. why pay for testing ???

      1. bpfh Silver badge

        Re: "improper implementation of the password validation algorithm"

        It works on my pc...

        1. Nick Ryan Silver badge

          Re: "improper implementation of the password validation algorithm"

          It compiled...

    4. Dan 55 Silver badge
      Black Helicopters

      Re: "improper implementation of the password validation algorithm"

      Is there anyone left who tests a product before shoving it out the door ?

      Works as designed.

      1. Anonymous Coward

        Re: Works as designed.

        At a previous place of employment, one of the ex-employees closed a software problem report as "Works as coded".

        Yes, ex-employee. There were other problems, but that didn't help them out.

        1. bpfh Silver badge

          Re: Works as designed.

          I have to admit, I've seen a lot of this. It's generally closed out as "works as designed", although there is usually a comment somewhere in the ticket that says "works as designed even if that design is absolutely brain dead".

          1. Ralph Online

            Re: Works as designed.

            Pronounced as "Designed in a tent".

    5. Antron Argaiv Silver badge
      Facepalm

      Re: "improper implementation of the password validation algorithm"

      Password validation algorithm?

      Something no one in the history of programming has ever implemented? Something that should have been implemented once and put into a library and used everywhere?

      Has Cisco lost all its competent software people and are the PFYs now running the show?

  4. Teejay

    Cisco is just one huge NSA bugdoor. The only way I could understand why their equipment is still being installed is either because those making the buying decisions are in on the con... or because Cisco marketing targets the bean counters, who know nothing.

    1. Paul Crawford Silver badge

      I think you need to apply Hanlon's razor here.

      After all, the NSA are able to insert more subtle bugs, allegedly...

    2. VoiceOfTruth

      The real reason for banning Huawei

      It's two birds with one stone: 1, Huawei kit is not embuggered with NSA backdoors. That makes it a 'threat' to the USA's national security. 2, Banning Huawei effectively removes competition from the market (in this case Cisco).

      If you look at the history of what the USA has stolen using nefarious means like this you will see it is a pattern.

  5. JimmyPage
    Flame

    OH FFS

    Why does everyone feel the need to roll their own, and then get surprised it's shit ?

    See also: phone number, postcode, name validation routines.

    And for an industry that chokes on standards and TLAs WTF isn't there an RFC or IEEE or ISO standard on password generation (i.e. complexity rules), storage (i.e. as a hash) and recovery procedures (only via an already verified channel).

    Like what I wanted 20 years ago.

    1. Kieran

      Re: OH FFS

      Not entirely sure a 20 year old standard on password complexity would be much use today to be honest. ;)

      Everything you described though does have pretty solid standards that every developer should at least know - and that get repeated on every StackOverflow post where amateurs are likely to be ripping their code from.

      The problem is that there's still no accounting for human error:

      try {
          // SuperSecureStandardPasswordVerifier.verify(password);
          // TODO commented this out for testing, remember to put back!!!
      }
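      Kieran's commented-out verify() and JimmyPage's point about storing passwords only as a hash, illustrated with an added Python example that is not from the article or from any commenter. It builds a small verifier on the standard library (salted PBKDF2, constant-time comparison) and then runs the same negative checks against a correct login function and against a deliberately disabled one, so the "remember to put back" mistake fails a build instead of shipping. The user name, sample password and iteration count are constructed for the example.

```python
# Added example, not from the article or any commenter: a password check built
# on the Python standard library (salted PBKDF2, constant-time comparison) and
# the negative tests that fail loudly when the verifier is accidentally disabled.
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# PBKDF2 work factor. Constructed for illustration; real deployments tune it.
ITERATIONS = 200_000

UserDB = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, derived key)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a storable (salt, key) pair; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derivation and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def login(username: str, password: str, user_db: UserDB) -> bool:
    """Correct login: unknown users and wrong passwords are both rejected."""
    record = user_db.get(username)
    if record is None:
        # Do the same work as a real check so a missing user is not
        # distinguishable by response time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_key = record
    return verify_password(password, salt, stored_key)


def login_verifier_disabled(username: str, password: str, user_db: UserDB) -> bool:
    """The failure mode from the comment above: verify() commented out 'for
    testing', so any known user logs in with any password. Present only so
    the regression checks below have something to catch."""
    return username in user_db


def build_sample_db() -> UserDB:
    """Constructed sample record for one user (hypothetical credentials)."""
    return {"admin": hash_password("correct horse battery staple")}


def authentication_regression_checks(
    login_fn: Callable[[str, str, UserDB], bool], user_db: UserDB
) -> Dict[str, bool]:
    """Negative tests belong next to the positive one; they are what turn a
    disabled verifier into a red build instead of a security advisory."""
    good = "correct horse battery staple"
    return {
        "correct_password_accepted": login_fn("admin", good, user_db),
        "wrong_password_rejected": not login_fn("admin", "wrong", user_db),
        "empty_password_rejected": not login_fn("admin", "", user_db),
        "unknown_user_rejected": not login_fn("nobody", good, user_db),
    }


if __name__ == "__main__":
    db = build_sample_db()
    for name, fn in (("login", login), ("login_verifier_disabled", login_verifier_disabled)):
        results = authentication_regression_checks(fn, db)
        status = "PASS" if all(results.values()) else "FAIL"
        print(f"{name}: {status} {results}")
```

      Run stand-alone it prints PASS for the real login and FAIL for the disabled one; the point is that the "wrong password accepted" case is only caught because somebody wrote the test for it, which is the accounting for human error the comment says is missing.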

      1. Kevin McMurtrie Silver badge

        Re: OH FFS

        Also Stack Overflow:

        Question: Complex security thingy doesn't work

        Top rated answers: Simplest ways to disable complex security thingy

  6. Jellied Eel Silver badge

    Damnit

    Now how am I going to get free WiFi? Oh well, I'm sure there'll be more bugs.

  7. Anonymous Coward

    I hate to think what unknown 'bugs' are riddling my Zyxel switch and access point firmwares :/

    1. Nick Ryan Silver badge

      From memory, Zyxel firmwares were just an exploit that hadn't happened yet. I'm pretty convinced this was not intentional, given the quality of every part of their implementation.

  8. sanmigueelbeer Silver badge
    Happy

    April 2022 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication


Biting the hand that feeds IT © 1998–2022