nanog mailing list archives

Re: Cisco, haven't we learned anything? (technician reset)


From: Hank Nussbacher <hank () efes iucc ac il>
Date: Thu, 12 Jan 2006 16:16:21 +0200 (IST)


On Thu, 12 Jan 2006, Gadi Evron wrote:

In this
(http://blogs.securiteam.com/wp-admin/post.php?action=edit&post=207) recent
Cisco advisory, the company alerts us to a security problem
with Cisco MARS (Cisco Security Monitoring Analysis and Response System).

The security issue is basically a user account on the system that will
give you root when accessed.
...
Now... if Cisco knowingly put it there, shame on them. If somebody put it
there without their knowledge... well, shame on them.

Cisco acquired Protego in Dec 2004 and thereby acquired MARS:
http://www.infoworld.com/article/04/12/20/HNciscoprotego_1.html

Cisco didn't put it in there - they bought the bug for $65M. :-)


Okay, but how about other vulnerabilities of this type? Are there any more
backdoors to other Cisco products?
If not, why wouldn't they just come out and say that?
"There are NO other such backdoors in our products".

I am sure there are more.  The previous one I remember was with their
Riverhead purchase:
http://www.cisco.com/en/US/products/products_security_advisory09186a008037d0c5.shtml

and before that was:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml
but I don't know which company was purchased to introduce that one.

I think Cisco just doesn't check the product closely enough and trusts the
R&D coders and doesn't introduce an external security QA to the product
being purchased.

-Hank

