Cisco automation code needs manual patch

In Cisco's weekly security update list, there are three critical bugs affecting its Elastic Services Controller and Ultra Services Framework. Switchzilla warns its Elastic Services Controller (a network function virtualisation management environment) has static default credentials that would let a remote attacker log into the …

  1. CheesyTheClown

    This is very common in Cisco products

    Cisco is great at making products on top of Linux and Apache tools, but they are utterly useless at securing Linux and Apache tools. Currently dozens (maybe more) of Linux kernel exploits work against ISE since Cisco doesn't enable configuration of RHEL updates on those boxes. As a result, they are very often very vulnerable. They also are wide open to Tomcat attack vectors because the version of Tomcat running on ISE is ancient and unpatched.

    As for root passwords... install ISE on KVM twice (or more) and mount the qcow images on a Linux box afterwards. You'll find that the password for root is the same on all those images. While ssh access as root appears to be disabled, there are a few other accounts with the same issue.

    I don't even want to talk about Prime. It's a disaster in this regard.

    Surprisingly enough APIC-EM for now seems ok, but that's because about 90% of the APIC-EM platform is a Linux container host called grapevine. I think the people who worked on that were somewhat more competent (I believe they're mostly European, not the normal 50 programmers/indentured servants for the price of 1 that Cisco typically uses).

    I haven't started hacking on IOS-XE... I actually don't look for these bugs. I just write a lot of code against Cisco systems and it seems like every 5 minutes there's another security disaster waiting to happen. They have asked me to help them resolve them but it would require hundreds of hours of my time to file bug reports and I can't waste work hours on solving their problems for them.

    Oh... if you're thinking "oh my god, I have to dump Cisco", don't bother. The only boxes I would currently trust for security are white-box ones, and unless you know how to assemble a team of system-level software and hardware engineers (no... that really smart guy you know from college doesn't count) you should steer clear of those. The companies who use those successfully are the same ones who designed them.

    Cisco, you need a bug bounty program. Even if I could make $100 for each bug I stumble on, I would invest the half-hour to hour it takes to write a meaningful bug report. Then you can fix this stuff before it ends up a headline.
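The check the commenter describes above (mount two separately installed images and see whether root's password is the same on both) can be made precise by comparing the full crypt(3) hash strings in each image's /etc/shadow. A salted hash such as $6$salt$digest should differ between two independent installs even when the password is identical, so a byte-identical string means the hash was baked into the image rather than generated at install time. The script below is an added example, not code from the comment or from Cisco; it assumes /etc/shadow has already been copied out of each image (for instance with libguestfs: `guestfish --ro -a image.qcow2 -i download /etc/shadow shadow1`, an assumption about your tooling that the script does not perform), and the shadow lines it ships with are constructed sample data, not real hashes.

```sh
#!/bin/sh
# Added example: report accounts whose password hash is identical across two
# extracted /etc/shadow files. Assumes the files were pulled from two
# independently installed appliance images (extraction step not performed here).

# Print "user hash" for every account that has a usable password hash.
# Locked or empty password fields (!, *, !!, empty) are skipped.
shadow_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1, $2 }' "$1"
}

# Print the names of accounts whose complete hash string (algorithm id, salt
# and digest) is byte-identical in both files. Because the salt is part of the
# string, an exact match across two installs means the hash was shipped in the
# image, i.e. the same password on every deployment.
shared_hashes() {
    awk -F: '
        function usable(h) { return h != "" && h !~ /^[!*]/ }
        FNR == NR { if (usable($2)) first[$1] = $2; next }
        ($1 in first) && usable($2) && first[$1] == $2 { print $1 }
    ' "$1" "$2"
}

# Constructed sample data standing in for two extracted shadow files:
# root and svcuser carry the same baked-in hash in both images, admin was
# given a per-install salt, and bin is locked. Hashes are placeholders.
write_samples() {
    cat > "$1" <<'EOF'
root:$6$aaaaaaaa$fakedigestone:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
admin:$6$bbbbbbbb$fakedigesttwo:17000:0:99999:7:::
svcuser:$6$cccccccc$fakedigestthree:17000:0:99999:7:::
EOF
    cat > "$2" <<'EOF'
root:$6$aaaaaaaa$fakedigestone:17100:0:99999:7:::
bin:*:17100:0:99999:7:::
admin:$6$dddddddd$fakedigestfour:17100:0:99999:7:::
svcuser:$6$cccccccc$fakedigestthree:17100:0:99999:7:::
EOF
}

# Usage: ./shadowcmp.sh shadow1 shadow2
# With no arguments, run against the constructed sample files.
if [ "$#" -eq 2 ]; then
    shared_hashes "$1" "$2"
else
    d=$(mktemp -d)
    write_samples "$d/shadow1" "$d/shadow2"
    echo "accounts whose hash is identical in both images:"
    shared_hashes "$d/shadow1" "$d/shadow2"
    rm -rf "$d"
fi
```

Run it on real extracted files and any account it lists has a password that is the same on every box built from that image; that is the finding to chase, whether or not the account can log in over ssh, since a local shell or a service running as that user is enough to make use of it.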

    1. elip

      Re: This is very common in Cisco products

      ^^^ "...securing Linux and Apache...".

      I understand vendors that use underlying tools in their own products are clueless on securing the configuration, but at some point, somebody in the Linux camp is going to have to start taking security seriously (PaX guys don't count - they've long been ostracized and are no longer in the camp).

      Your claim that you have to assemble a team of software and hardware engineers to run network infrastructure on white-box hardware is... misleading, at least. I guess it depends on what your definition of white-box is, but plenty of people (more and more, it seems) are running small, medium, and large enterprises leveraging nothing *but* open source (whether Linux or BSD) for their network and other infrastructure workloads. Some are even presenting at conferences showing others how they too can "dump Cisco". Even as a Cisco stock-holder, I fully agree with these folks: if you want to know what's happening on your network devices, and be able to patch your OS in a timely manner, dump Cisco.
