nanog mailing list archives

Re: NSA able to compromise Cisco, Juniper, Huawei switches


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Mon, 30 Dec 2013 14:34:52 +0000


On Dec 30, 2013, at 8:07 PM, Ray Soucy <rps () maine edu> wrote:

> I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.

During my time at Cisco, I was involved deeply enough with various platform teams as well as PSIRT, etc., to assert 
with a pretty high degree of confidence that there were no deliberate secret backdoors inserted into any major Cisco 
router/switch code prior to 2009, when I left Cisco.  And Cisco is such a large company, with so many people involved 
in coding, compilation, auditing, security issue remediation, et al., that I doubt very seriously that something like 
that could be accomplished without leaking pretty promptly.

In terms of exploits, the Cisco PSIRT team works with security researchers all the time; while I wasn't a member of 
PSIRT, I worked very closely with them, and if they'd run across something like that prior to 2009, I'm pretty sure I'd 
know about it.  Every so often, they'd find a non-router/-switch product with default admin credentials, and would work 
with the product team in question to fix it (this is all public knowledge; you can look through PSIRT advisories on 
cisco.com and find advisories for default admin credentials for various products, along with links to fixed software 
versions).  

And I was also pretty well-acquainted with most of the major software/platform architects, some of whom are still 
there; none of them would be a party to something like a hidden backdoor, because they all know that it would only be a 
matter of time until it was found and exploited.  The lawful intercept stuff is a partial exception to this, but Fred 
Baker, Chip Sharp, and Bill Foster went out of their way to proof it as much as possible against unauthorized 
exploitation, as long as it's implemented correctly, and they put it out there in the public domain via RFC3924.  

In point of fact, RFC3924 was intended to pre-empt pressure for secret backdoors from LEAs; the idea was to get 
something that was reasonably secure if implemented correctly out there in the public domain, and adopted as a 
standard, so that network infrastructure vendors could point to an RFC in order to fend off demands for all this 
secret-squirrel nonsense.

Lawful intercept systems have been exploited in the wild by malicious insiders, but none of the incidents I know about 
involved Cisco gear.  CVE-2008-0960 indirectly impacted lawful intercept due to its SNMP management plane, but 
responsible network operators should've patched this by now, and should've implemented all the generic BCPs surrounding 
management-plane traffic, as well.  I can't speak for the various third-party lawful-intercept mediation systems, as 
I've no firsthand knowledge of those.

My assumption is that this allegation about Cisco and Juniper is the result of non-specialists reading about lawful 
intercept for the first time, and failing to do their homework.

I don't work for Cisco, and I can't speak for them, but I simply don't find the allegation that there are backdoors 
hidden in Cisco router/switch code to be credible.  Maybe I'm wrong; but since folks are constantly fuzzing Cisco code 
and looking for ways to exploit it, my guess is that any backdoors would've been found and exploits would be in use in 
the wild to such a degree that it would've become apparent a long time ago.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton


