Reply to post: Re: Pay peanuts

Ubiquiti network gear can be 'hijacked by an evil URL' – thanks to its 20-year-old PHP build

Down not across

Re: Pay peanuts

You say that as if Cisco etc have never had a stupid vulnerability or "feature" like being able to rewrite the firmware remotely without authentication...

OK, I'll bite.

I take it you're referring to Smart Install (yes, I agree in principle that most things named Smart something rarely are). Whilst I agree that the feature (I don't agree with it being called a vulnerability, since the behaviour and risk are well documented in Cisco's documentation) could no doubt benefit from additional security features, we are in the end talking about an enterprise feature which presumably is being used by qualified personnel.

Here is an excerpt from the doc linked to above:

The absence of an authorization or authentication mechanism in the Smart Install protocol between the client and the director can allow a client to process crafted Smart Install messages as if these messages were from the Smart Install Director. These include the following:

* Change the TFTP server address on Smart Install clients.

* Copy the startup configuration of client switches to the previously-changed and attacker-controlled TFTP server.

* Substitute the startup configuration of clients with a configuration created by the attacker, and forcing a reload of the clients after a configured time interval.

* Upgrade the IOS image on client switches to an image supplied by the attacker.

* Execute arbitrary commands on client switches (applicable to Cisco IOS Release 15.2(2)E and later releases and Cisco IOS XE Release 3.6.0E and later releases.)

While designing a Smart Install architecture, care should be taken such that the infrastructure IP address space is not accessible to untrusted parties. Design considerations are listed in the Security Best Practices section of this document.

Let's face it, if you're using this feature to provision kit into your network, why would you NOT add the no vstack into the config you push to a new device?
