
Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials (csoonline.com)

itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).
  • by Anonymous Coward on Thursday March 03, 2016 @06:13PM (#51632619)

    Is there anyone out there that DOESN'T have a backdoor into their gear? Should I just burn it all and buy cheap old x86 gear and slap OpenBSD on it and manually configure everything myself to ensure that nobody is trying to pull a fast one on me?

    • by Sax Russell 5449D29A ( 4449961 ) <sax.russell@protonmail.com> on Thursday March 03, 2016 @06:41PM (#51632839)

      Privilege escalation, unauthenticated remote commands to system daemons running with admin privileges... this is everyday life with the biggest IT shops out there.

      What's even worse? They don't care! Countless times have I sent these big companies detailed bug/security reports only to find the exact same fucking "feature" in their systems a year later. The only way to make a difference is to stop giving them money, if even for a while. Then they usually come back to you and *might* listen.

    • This kind of back door is so obvious, so stupid, and so NOT NEW, that Cisco CEO Chuck Robbins must be fired over this. There is no excuse to let some govt plant be able to get these back doors in in this day and age. What an embarrassment that CEO is. And anyone who says he is not responsible for this is avoiding the point that this is... SO NOT NEW.
    • by mspohr ( 589790 )

      Yes! You've come up with a good solution.

    • Sure if you think you are a better maker than they are breakers and you have a genuine need to lock down your network that hard by all means build hand crafted secure gatekeepers and monitoring devices so you can control the data flows on your networks and see what is going on without your logs being manipulated. You could also have your infrastructure more layered and virtualise more vulnerable processes so that you can throw them away and load a fresh one if you have suspicions that they are compromised.
    • by AHuxley ( 892839 )
      That's what some nations are doing. Starting again with their own fabs. Lots of secure local jobs, their own hardware and code.
      Power use is going to be huge, speed slow, heat will need new engineering solutions, but the domestic hardware and software will be more secure.
      An imported turn-key product with keys floating around, coded back doors, other nations' security services... some tech is just not worth importing any more.
    • by EEPROMS ( 889169 )
      I know a few guys who make home brew managed switches running a BSD flavour, and lately they have been very busy building open source/hardware switches. You would think the switches are expensive and run slow, but in fact they are way faster than the big name switches, often with built-in solid state storage, and still cost less. No one in their right mind trusts any big brand switch maker any more because legally they "have to" install a back door and then they "legally" have to lie about it. Also if you go che
  • by OpenSourced ( 323149 ) on Thursday March 03, 2016 @06:18PM (#51632673) Journal

    Step 1: Create a static account on all devices because reasons.
    Step 2: What could possibly go wrong?

  • by flacco ( 324089 ) on Thursday March 03, 2016 @06:19PM (#51632683)

    This brash new start-up is still learning the ropes when it comes to networking and security and stuff. I'm sure it wasn't intentional.

  • by minijedimaster ( 1434893 ) on Thursday March 03, 2016 @06:37PM (#51632817)
    The FBI must have needed access to a single dead terrorist's switch.
  • by Andrew Lindh ( 137790 ) on Thursday March 03, 2016 @06:50PM (#51632913)

    Nuova Systems developed the Nexus switches (for Cisco) and then Cisco bought the company. The Nexus 3000 is also listed as using more off-the-shelf merchant silicon. So maybe they just used the reference code that came with the cheaper chips? In the end it's still Cisco's responsibility to secure the systems they sell no matter where the stuff came from. This is not the first time Cisco took over another company's work...

    Nuova: http://www.networkworld.com/ar... [networkworld.com]
    Nexus 3000: https://en.wikipedia.org/wiki/... [wikipedia.org]
    Acquisitions: https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by Cramer ( 69040 )

      They all use standard Broadcom trash. (everybody does) The "reference code" (aka: SDK) isn't an OS. It's a library, and if you build it, a diagnostic shell. Any OS, UI, configuration language, etc. are up to the vendor.

      • by Cramer ( 69040 )

        (note: for all the "white box" switches on the market, Broadcom goes out of their way to not give you the actual SDK. Instead their "open" bullshit is an already compiled library.)

  • by Gravis Zero ( 934156 ) on Thursday March 03, 2016 @07:04PM (#51633009)

    I'm just wondering at what point will someone sue a company for undermining the security of the device they were sold and actually win. I mean, if you advertise it as secure and you know you put a hardcoded password in the firmware, it's really just false advertising.

    • Easy answer.

      When that one person has the financial capability to go up against, and overcome, the entire TEAM of lawyers that the company will deploy against them.

      Lawsuits are all about the money. Typically, he who has more of it, wins.

      • Easy answer.

        Then you weren't paying attention.

        When that one person has the financial capability to go up against, and overcome, the entire TEAM of lawyers that the company will deploy against them.

        Confirmed! I purposely used pronouns to allow for the real possibility of one company suing another. You would be pissed too if you were the lead in an ISP and you found out the routers you have been using have shit for security.
