Cisco's critical zero-day bug gets even worse – 'thousands' of IOS XE devices pwned

Remember that critical zero-day bug Cisco disclosed yesterday? Well, it gets worse. It now appears "thousands" of the networking giant's switches and routers have already been compromised by criminals that exploited the authentication bypass flaw and installed implants. This, according to security shop VulnCheck chief …

  1. ecofeco Silver badge

    Gee what a surprise

    Not.

    I never get tired of saying it, so how's that cloud thing working for ya?

    1. Throatwarbler Mangrove Silver badge
      Thumb Down

      Re: Gee what a surprise

      In fairness to "the cloud," this appears to be a straight-up security error in Cisco's software running on their physical hardware (routers, switches, etc.). In principle, one would be safer in the cloud, assuming that the cloud vendor is not also running affected Cisco equipment.

      What's more surprising to me is that anyone is running the Web interface facing the Internet or untrusted networks. Every network admin worth his/her salt ought to have access from the outside world locked down nine ways from Sunday, which to me means disabling remote Web management.

      1. ecofeco Silver badge

        Re: Gee what a surprise

        Did we read the same article? Or do you (and those other down-votes) work for Cisco?

        Thousands of failure points. Breaches already happened. Not even Cisco's first few dozen times this has happened. I'm pretty sure I did not imagine those words. Oh wait, there they are right there in black and white.

        Oh ho ha, you almost had me going there for about an... attosecond. Yep, right there in black and white.

        Take the piss somewhere else. An admin worth their salt would not accept junk hardware not fit for purpose to begin with. Yet here we are.

      2. jeffty

        Re: Gee what a surprise

        Exactly this.

        Starting point for the base config on any Cisco device - disable telnet, enable ssh, set local authentication (preferably radius/tacacs), configure an access class on the management interface so only trusted management network IP addresses can log in via ssh/snmp, configure audit logging, make sure you're running a recent IOS that isn't riddled with bugs or holes. This is the way it's been for the last two decades if not longer.

        The web server (ip http server / ip http secure-server) has been disabled by default on every Cisco device I've ever deployed; you've got to go out of your way to enable it (either by command or during initial setup). It doesn't give you anywhere near the full control you get via the command line, so it's pretty much impossible to properly secure a Cisco device using the GUI. The only people I've ever seen use it are those who aren't experienced/comfortable with Cisco devices or their CLI.

        1. Reaps

          Re: Gee what a surprise

          this is cisco we are talking about,

          I've had "cisco experts" tell me cisco gear cannot do easy stuff (think basic networking) because their web helper tool couldn't do it.

          I then had to demonstrate how to do it via cli.

          trained clowns would know more.

        2. tip pc Silver badge

          Re: Gee what a surprise

          20+ years supporting Cisco gear and I’ve never used a web interface on a switch.

          Does it actually do anything useful?

          ASDM is always painful and marginally useful for some tasks but the cli is always better.

          I guess an http interface is useful for APIs but…

      3. Anonymous Coward
        Mushroom

        Every network admin's salt ought to have access from the outside world locked down ..

        > Every network admin worth his/her salt ought to have access from the outside world locked down nine ways from Sunday ..

        That would be nobody /s

        1. ecofeco Silver badge

          Re: Every network admin's salt ought to have access from the outside world locked down ..

          Look at those down-votes you and I got. Lots of Cisco stans here apparently.

  2. Anonymous Coward

    How many of the infected Cisco thingies are property of institutions that terminated their technical staff due to economic conditions? In other words, is there anyone at the wheel?

    1. tip pc Silver badge

      Likely outsourced to someone who did a 2 day course

  3. Anonymous Coward

    I'm always bewildered when people get pwned by this stuff.

    With network kit the management should only be configured on specific interfaces with a very specific ACL. The first thing about protecting against authentication bypass vulns is don't let anybody have access to your management interface.

    For preference you want OOB management only and that on a private MPLS.

    Obviously that's not absolutely fool proof but every little helps. If you just stick management on SSH on the WAN interface of your router then your only protection is the authentication on your router.

    1. Mikerahl

      One problem I did find with Cisco lately is they've paired their IOS XE switch with a wireless controller that has a web interface, and clients want to be able to use said web interface. I think it's the 9500 series switch. Mind you, there is no justification for a wireless controller to be internet facing in the first place; if you're going to buy a $20k+ switch and add that controller, you should be securing it behind a proper firewall. And lock down the management access via ACLs.

      1. Rockets

        For the Office Extend feature that has remote WAPs connecting to the WLC over the Internet, it's going to be internet facing. The web interface isn't required to be accessible for OEAP, but the CAPWAP port certainly is. Ideally you'd lock that port down to known IPs, but the way that feature is designed it's probably not always possible. IOS-XE underpins the dedicated 9800 WLCs too now.
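jeffty's base-config checklist above (no telnet, ssh only, AAA, an access-class on the management lines, audit logging, web server off) and the Anonymous Coward's point about restricting the management interface with an ACL boil down to a handful of running-config checks. The script below is an added example, not code from the article or from any commenter; it audits constructed IOS-style config fragments (not taken from a real device) and reports which of those items are missing. The weak and hardened samples are shown side by side.

```python
# Constructed sample IOS running-config fragments (not from a real device).
WEAK_CONFIG = """\
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
aaa new-model
logging host 10.0.0.5
no ip http server
no ip http secure-server
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""


def audit_config(text):
    """Return findings for the hardening gaps the thread lists (web server
    on, telnet on vty, no access-class, no AAA, no syslog); [] means clean."""
    findings = []
    lines = text.splitlines()
    # Top-level commands start in column 0; sub-commands are indented.
    top = [ln for ln in lines if ln and not ln.startswith(" ")]
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:  # 'no ip http server' does not match exactly
            findings.append(f"web management enabled: {svc}")
    if "aaa new-model" not in top:
        findings.append("AAA not enabled (aaa new-model missing)")
    if not any(ln.startswith("logging host") for ln in top):
        findings.append("no remote syslog host configured")
    i = 0
    while i < len(lines):
        if not lines[i].startswith("line vty"):
            i += 1
            continue
        name, block, i = lines[i], [], i + 1
        while i < len(lines) and lines[i].startswith(" "):
            block.append(lines[i].strip())
            i += 1
        # Last 'transport input' wins, as on the device; must be ssh only.
        transport = [b for b in block if b.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{name}: transport input is not ssh-only")
        if not any(b.startswith("access-class") and b.endswith(" in") for b in block):
            findings.append(f"{name}: no inbound access-class")
    return findings
```

Running it on the output of `show running-config` saved to a file gives a quick list of what still needs fixing before a device goes into service.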

  4. CowHorseFrog Silver badge

    It's a close race between Atlassian and Cisco, but I think Cisco is in the lead again.

  5. Mikerahl

    Disabling the http server on IOS devices has been about the first thing we've done on any Cisco device we stage, for the last several decades. The feature has never been particularly useful; it is really easy to build a simple config template and install it via CLI.
