Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials (csoonline.com) 36
itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).
So pretty much everyone, now. (Score:3, Interesting)
Is there anyone out there that DOESN'T have a backdoor into their gear? Should I just burn it all and buy cheap old x86 gear and slap OpenBSD on it and manually configure everything myself to ensure that nobody is trying to pull a fast one on me?
Re:So pretty much everyone, now. (Score:5, Insightful)
Privilege escalation, unauthenticated remote commands to system daemons running with admin privileges... this is everyday life with the biggest IT shops out there.
What's even worse? They don't care! Countless times have I sent these big companies detailed bug/security reports only to find the exact same fucking "feature" in their systems a year later. The only way to make a difference is to stop giving them money, if even for a while. Then they usually come back to you and *might* listen.
Re: So pretty much everyone, now. (Score:2)
Re: (Score:2)
Yes! You've come up with a good solution.
Re: (Score:2)
Re: (Score:2)
Power use is going to be huge, speed slow, heat will need new engineering solutions but the domestic hardware and software will be more secure.
An imported turn key product with keys floating around, coded back doors, other nations security services... some tech just no worth importing any more.
Re: (Score:3)
Re: nobody cares (Score:1)
Because when the company that more or less runs the internet as we know it, goes amateur hour, it's of interest to the scores of people on here who manage part of the internet.
Re: And, they want us to buy SMARTnet... (Score:1)
Our ASA routers have a serious vulnerability with no workarounds, but my boss won't let us buy a service contract so we can upgrade them. I will never willingly buy cisco again.
Re: (Score:1)
Depending on how old it is, they DID rebuilt 8.2.5 to fix the latest round of stupid. One email or phone call will get you the necessary image. (or, ya'know, use the internet like everyone else. It's faster.)
That is simply... (Score:3)
Step 1: Create a static account on all devices because reasons.
Step 2: What could possibly go wrong?
Give Cisco a break (Score:5, Funny)
This brash new start-up is still learning the ropes when it comes to networking and security and stuff. I'm sure it wasn't intentional.
Because the FBI (Score:5, Funny)
Re: (Score:2)
well as long as it was for security reasons then its ok.
Cisco can blame someone else... (Score:5, Informative)
Nuova Systems developed the Nexus switches (for cisco) and then Cisco bought the company. The Nexus 3000 is also listed as using more off-the-shelf merchant silicon. So maybe the just used the reference code that came with the cheaper chips? In the end it's still Cisco's responsibility to secure the systems they sell no matter where the stuff came from. This is not the first time cisco took over another company's work...
Nuova: http://www.networkworld.com/ar... [networkworld.com]
Nexus 3000: https://en.wikipedia.org/wiki/... [wikipedia.org]
Acquisitions: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
They all use standard Broadcom trash. (everybody does) The "reference code" (aka: SDK) isn't an OS. It's a library, and if you build it, a diagnostic shell. Any OS, UI, configuration language, etc. are up to the vendor.
Re: (Score:1)
(note: for all the "white box" switches on the market, Broadcom goes out of their way to not give you the actual SDK. Instead their "open" bullshit is an already compiled library.)
The hardcoded password for the Nexus 6 (Score:2)
...is "deckard".
when will someone sue and win? (Score:3)
i'm just wondering at what point will someone sue a company for undermining the security of the device they were sold and actually win. i mean, if you advertise it as secure and you know you put a hardcoded password in the firmware, it's really just false advertising.
Re: (Score:2)
Easy answer.
When that one person has the financial capability to go up against, and overcome, the entire TEAM of lawyers that the company will deploy against them.
Lawsuits are all about the money. Typically, he who has more of it, wins.
Re: (Score:2)
Easy answer.
then you weren't paying attention.
When that one person has the financial capability to go up against, and overcome, the entire TEAM of lawyers that the company will deploy against them.
confirmed! i purposely used pronouns to allow for the real possibility of one company suing another. you would be pissed too if you were the lead in an ISP and you found out the routers you have been using have shit for security.