Cisco warns: Some products might have WannaCrypt vuln

Here's why infosec needs to quit yelling “if you didn't patch it's your fault” about WannaCrypt: Cisco has announced it's investigating which of its products can't be patched against the ransomware. The Register congratulates Cisco for going public, because it's certain that innumerable third-party systems embed …

  1. Anonymous Coward

    We of the United ATM Vendors Association have this to say...

    Keep your money in little plastic baggies underneath your bed. That's the safest place for your money, we can think of no better alternative, say burying it in your backyard. Still, I'd go with the bed, or closet and a big bag with a dollar or pound sign on it, for comedic effect. But then, don't take our word, we still think providing an out-of-production OS as the core of our product offering is sane, and that we think no one will notice.

  2. Anonymous Coward

    XPe SP2 here.

    Win XP Embedded SP2 in a product here, Microsoft Patch is unusable (needs SP3).

    Advising customers to evaluate their network and disconnect the product if it's not secure and WannaCry-free. Product doesn't depend on the network, so not a big deal.

    I have a kill-switch app ready that just messes up the registry and kills SMB completely, but we're not deploying that, we think that there are still some customers that want to use SMB to get files in/out of the product.
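An added example, not the commenter's kill-switch app and not from the article: a cmd batch script for a Windows XP Embedded SP2 build that disables the inbound SMB server (the Server service, srv.sys, which is what the WannaCry SMBv1 exploit targets), blocks inbound connections at the firewall, and then verifies the result. It assumes the image includes sc.exe, reg.exe, netstat.exe, netsh.exe and findstr.exe, which depends on which components were selected when the XPe image was built. As the commenter notes, this also stops the file in/out over SMB that some customers rely on; that trade-off is deliberate.

```batch
@echo off
rem kill_smb_server.cmd -- added example for an XP Embedded SP2 image.
rem Not the commenter's kill-switch app. Disables the Server service
rem (srv.sys, the SMBv1 listener on TCP 445/139 that the WannaCry
rem exploit hits), blocks inbound traffic, and verifies the result.
rem Assumes sc.exe, reg.exe, netstat.exe, netsh.exe and findstr.exe
rem were included when the XPe image was built. Run as Administrator.

setlocal

rem 1. Disable the Server service at boot and stop it now.
rem    The reg add is the same change sc config makes (Start=4,
rem    SERVICE_DISABLED), shown explicitly because the commenter's
rem    kill switch works through the registry.
sc config lanmanserver start= disabled
sc stop lanmanserver
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer /v Start /t REG_DWORD /d 4 /f

rem 2. Belt and braces: turn on the XP SP2 firewall with all exceptions
rem    ignored, so TCP 445/139 stay closed even if something re-enables
rem    the service. Skip this step if the product needs other inbound
rem    connections.
netsh firewall set opmode mode = ENABLE exceptions = DISABLE

rem 3. Give the service a few seconds to actually stop (sc stop returns
rem    immediately; XP has no timeout.exe, so ping is the usual sleep).
ping -n 4 127.0.0.1 >nul

rem 4. Verify: service STOPPED and no listener on 445 or 139.
sc query lanmanserver | findstr /i "STATE"
netstat -an | findstr /r /c:":445 .*LISTENING" /c:":139 .*LISTENING"
if %ERRORLEVEL% EQU 0 (
    echo [!] Something is still listening on TCP 445/139
    endlocal
    exit /b 1
)
echo [+] SMB server disabled; nothing listening on TCP 445/139
endlocal
exit /b 0
```

findstr returns 0 when it finds a match, so a zero exit from the netstat pipeline means a listener survived and the script fails loudly rather than reporting success. Reverting is `sc config lanmanserver start= auto` followed by `sc start lanmanserver` and, if step 2 was used, `netsh firewall set opmode mode = ENABLE exceptions = ENABLE`.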

  3. highdiver_2000

    Cisco uses Linux in their products. I can't think of a Cisco product that uses embedded Windows.

    1. Anonymous Coward

      Cisco uses Cisco IOS (not to be confused with Apple iOS) in their products, but a few use Linux or QNX. Don't know if some of the rebadged NAS from Cisco ever used Windows Storage Server.

      Anyway, as Cisco feels compelled to investigate its Windows-based products, feel free to contact them and advise them about their use of Linux...

      1. Blotto

        @LDS

        IOS is derived from Unix / Linux, also they have this thing called IOU, which is IOS On Unix. Cisco are effectively moving their IOS to UNIX where they can, I guess to have a common platform like Juniper does. It's effectively a Unix OS that runs IOS, so the original comment wasn't totally wrong, just not all Cisco systems run Unix, but it does look like their intention is that all will.

        https://learningnetwork.cisco.com/blogs/vip-perspectives/2011/04/12/cisco-ios-on-unix-labs-are-available-now

        1. Anonymous Coward

          IOS predates Linux, it was developed in the 1980s. Linux itself is a copycat of Unix, made only in the 1990s.

          How much of IOS is based on the Unixes of the time, I don't know. It chooses its own CLI, anyway, and it's designed to handle specifically networking functions.

          The link you post is six years old, and looks more like a learning aid. Junos is based on BSD, probably because staying away from the GPL is often seen as a benefit <G>.

          With SDN pressing, Cisco too will be forced to adopt some of the software it is based upon.

          1. Anonymous Coward

            Most Cisco routers, switches and other devices pretty unashamedly run Linux now. While booting a Nexus 9000 series switch the other day, it admitted quite clearly to be running CentOS 7. There is an (unsupported) CLI command on the ASR series routers to launch a bash shell from the IOS CLI, and you get to poke around at the hardware as the Linux kernel sees it.

            The best I saw was a Service Control Engine 8000, that when shut down properly drew an ASCII art penguin via the console, albeit very slowly as it just sat idle waiting for power off.

    2. Anonymous Coward

      Some of their Telepresence stuff, inherited from Tandberg, still runs on Windows. One of the Content Server platforms, if I recall correctly, has a Windows VM tucked away inside for transcoding to WMV or some other dead format, but it must be there even if using only MPEG4 for delivery. These platforms do receive regular updates though.

      The only other Cisco device I saw embedded Windows (NT) on was a NAM-1 for the Catalyst 6000, this was quickly superseded by a Linux running one that could be used in the 6500 w/ Sup2 and fabric modules.

  4. redpawn

    Security through insecurity

    Sometimes you just have to destroy a network to save a network. Thank you NSA and all the other TLAs for keeping us safe when you aren't destroying us.

  5. Anonymous Coward

    MS Product Lifecycle FAQ (including Embedded)...

    "To any other vendors who shipped Windows as the underlying OS for management or client software, or as the embedded operating system, we ask: where are your responses?"

    Er, just wondering whether you've had an answer from (or even asked) MS's spinners whether the relevant fixes have been made available to those licenced to use the still-supported variants of XP Embedded (which isn't quite called that but that's what it is). Without those fixes the other options are a bit limited.

    Extract from https://support.microsoft.com/en-us/help/18581/lifecycle-faq-windows-products

    How does the end of support for Windows XP impact Windows Embedded products?

    Windows Embedded products have their own distinct lifecycles, based on when the product was released and made generally available. It is important for businesses to understand the support implications for these products in order to ensure that systems remain up-to-date and secure. The following Windows Embedded products are based on Windows XP:

    ...

    Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.

    ...

    ++++

    Which rather implies that if builders using a Windows OS in an embedded way had used a Windows OS sold for embedded purposes, rather than using a limited-lifetime desktop Windows, they wouldn't currently be without support. Not that it would have changed the bigger picture, because loads of allegedly supported desktop and server Windows OSes were and are still vulnerable and play an important role in this picture.

  6. John Smith 19

    " products that don't support either manual or automated updates"

    That raises 3 questions.

    1) Why would you design such a product?

    2) Why would you ship it?

    3) Did the customers understand that it contained software they could not update in any way?

    1. Christian Berger

      Well you can design firmware which works

      For example I still have my first colour TV. It has a microprocessor inside which manages it. It never received a firmware update, simply because it was simple enough to never need one in over 25 years of duty.

      I also recently got a VCR from 1984-ish. It contains 2 microcomputers and it never got any updates, despite having an external interface.

      The point is to make your firmware as simple as possible, then you have a chance of making it bug-free, or at least without any security-critical bugs. However, if you choose to support obscure IP features (like source routing) or artificially increase the complexity of a standard (like in HTTP/2), you take a risk. There may be reasons to do so, but you have to weigh the advantages against the risk first. Blindly believing that the future lies in more complexity, not less, is what brought us here.

  7. Zippy's Sausage Factory

    Last time I saw one of the tills in my local supermarket rebooting it was still Windows 2000.

    Haven't shopped there in a while.

    You can decide for yourself whether those two things are related, I couldn't possibly comment...

  8. Anonymous Coward

    Other vendors to blame for WannaCrypt

    "Cisco warns: Some products might have WannaCrypt vuln"

    The title erroneously implies that a Cisco software product is vulnerable to WannaCrypt. It's interesting watching the media deflect blame from Microsoft for the WannaCrypt disaster.
