In late 2015 Juniper announced that it had found two backdoors in the router and firewall appliances that it sells. A backdoor is an unauthorized way into a system that bypasses its security controls, kind of like going around to the back of the house and finding the kitchen door unlocked when no one is home. Researchers said there were telltale signs that this was the work of the NSA, although they would never say so, of course. If these backdoors were the work of the intelligence community, let's at least hope it was OUR intelligence community and not the CHINESE. Whether these backdoors were intentionally installed in the software with the approval of Juniper management at the request (and possibly payment) of the NSA is something we will never know (see the article in Wired here).
At the time, Cisco, Juniper’s biggest competitor, said that they were going to look through their code for backdoors too. They claimed that they did and that they didn’t find any.
Fast forward two years and now the shoe is on the other foot.
In May, Cisco announced its FOURTH SERIES of backdoors in the last FOUR months. Possibly their code audit from 2015 is still going on, but if so, it would have been running for more than 30 months, which seems like a long time.
The most recent SET of bugs includes three bugs which are rated 10 out of 10 on the government’s CVSS3 severity ranking.
The first of the three is a hardcoded userid and password with administrative permissions. What could a hacker possibly do with that?
The second provides a way to bypass authentication (AKA “we don’t need no stinkin passwords”) in a component of some Cisco software (DNA Center).
The third is another way to bypass authentication in some of the Cisco APIs that programmers use.
In fairness to Cisco, they do have a lot of software.
But to beat Cisco up – WHAT THE HELL WERE THEY THINKING TO ALLOW HARD CODED PASSWORDS IN THE SOFTWARE IN THE FIRST PLACE?
Source: Bleeping Computer
Okay, now that I am done beating up Cisco (actually, not quite, I have one more), what lessons should you learn from this?
First (the last time today that I am going to beat Cisco up): in order for a Cisco customer, who already paid a lot of money for the equipment, to get these security patches – patches that plug holes that should never have been there in the first place – that customer has to PAY for software maintenance. If you let the maintenance lapse, you can re-up, but Cisco charges you a penalty for letting it lapse. For this policy alone, I refuse to recommend Cisco to anyone.
Second, if you are a Cisco user, because of this very user-unfriendly policy, you must buy software maintenance and not let it expire. If you do, you will not be able to get any Cisco security patches. Remember that, as one of the biggest players in the network equipment space, Cisco is constantly under attack, so the odds of bugs turning up are like 100%.
Third, no matter whose network equipment you use, you must stay current on patches. These flaws were being exploited within days, and since hackers know that many Cisco customers do not pay for maintenance, those holes, which are now publicly known, will stay open forever.
Only half in jest, my next recommendation would be to replace the Cisco equipment. There are many alternatives, some even free if you have the hardware to run them on.
Okay, that handles the end user.
But there is an even bigger lesson for software developers here.
How did these FOUR sets of backdoors get into the software in the first place?
Only one possible answer exists.
A poor or non-existent secure software development lifecycle program (known as an SSDL) inside the company.
AS AN END USER CUSTOMER, WHEN IT COMES TO SECURITY SOFTWARE ESPECIALLY, YOU SHOULD BE ASKING ABOUT THE VENDOR’S SECURE SOFTWARE DEVELOPMENT LIFECYCLE PROGRAM.
IF YOU GET AN EVASIVE ANSWER, FIND A DIFFERENT VENDOR. VOTE WITH YOUR CREDIT CARD.
As a developer or developer manager, it is your responsibility to make sure that customers don’t vote with their credit cards.
IMPLEMENT a secure software development lifecycle program.
CREATE and MONITOR security standards.
TEST for conformance with those standards.
EDUCATE the entire development team – from analysts to testers – about the CRITICALITY of the SSDL process.
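To make the CREATE / TEST steps concrete, here is an added example (written for this post, not Cisco's code or any vendor's tooling) of one SSDL control end to end: the standard is "no credentials in shipped source or config", the automated test is a scanner that fails the build when it finds one, and the hardened pattern shows how the same admin login should be written so that it passes the gate. The sample files, the environment variable names DEVICE_ADMIN_USER and DEVICE_ADMIN_PW_RECORD, and the password values are all constructed for the illustration.

```python
"""One SSDL control, end to end: a standard ("no credentials in source"),
the automated conformance test that enforces it, and the hardened pattern
that passes the test. All file contents below are constructed examples."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# --- Constructed sample files standing in for a code base under review ------
SAMPLE_FILES = {
    # Violates the standard: an administrative credential baked into code.
    "device_admin_vuln.py": (
        'ADMIN_USER = "admin"\n'
        'ADMIN_PASSWORD = "Sup3rSecret!"   # constructed example value\n'
        'def login(user, password):\n'
        '    return user == ADMIN_USER and password == ADMIN_PASSWORD\n'
    ),
    # Same defect in a shipped configuration file.
    "appliance.conf": "listen_port = 443\nadmin_password = changeme\n",
    # Conforms: secret material is provisioned outside the code base.
    "device_admin_fixed.py": (
        'import os\n'
        'def login(user, password):\n'
        '    return verify_login(user, password, os.environ)\n'
    ),
}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Credential-looking identifier assigned a literal value (quoted or bare).
# The (?!=) lookahead keeps "password == X" comparisons from matching.
CRED_ASSIGN = re.compile(
    r"""(?ix)
    \w*(pass(word|wd)?|secret|token|api[_-]?key)\w*   # credential-like name
    \s*[:=](?!=)\s*                                   # assignment, not ==
    (["']?)(?P<value>[^\s"'#=]{4,})\3                 # literal value
    """
)


def scan_source(path: str, text: str) -> list:
    """Return one Finding per line that assigns a literal to a credential name."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if CRED_ASSIGN.search(line):
            findings.append(Finding(path, number, "hardcoded-credential", line.strip()))
    return findings


def scan_tree(files: dict) -> list:
    """Scan every file in a {path: contents} mapping."""
    return [f for path, text in files.items() for f in scan_source(path, text)]


def gate(files: dict) -> bool:
    """Conformance gate for CI: True only when the code base has no findings."""
    return not scan_tree(files)


# --- The hardened pattern: credential provisioned at deploy time, stored hashed
def make_password_record(password: str, salt: bytes = b"") -> str:
    """Provisioning-time helper: salted PBKDF2 hash to store outside the code."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_login(user: str, password: str, env) -> bool:
    """Run-time check against provisioned values; fails closed when nothing is provisioned."""
    expected_user = env.get("DEVICE_ADMIN_USER")
    record = env.get("DEVICE_ADMIN_PW_RECORD")
    if not expected_user or not record or "$" not in record:
        return False
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 200_000)
    # Constant-time comparisons for both fields.
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pw_ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return user_ok and pw_ok


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.text}")
    print("conformance gate:", "PASS" if gate(SAMPLE_FILES) else "FAIL")
```

Run as a pre-merge check, `gate()` turns the standard into something a build either passes or fails, which is the difference between a policy document and an SSDL. The regex is deliberately simple; a real program would add rules for default user/password pairs and API tokens, and would also scan the artifacts that ship in the firmware image, not just the source tree.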
Advertisement: we can help you with this.
While Cisco is big enough to weather a storm like this, smaller companies will not be so lucky. The brand damage could be fatal to the company and all of its employees.