Cisco: There is no fixed software for this issue.

Fri Feb 4 01:55:02 EST 2005

Jericho

I think it is time to give up on Cisco.

Most of us in the security industry have long since given up on vendors such as Microsoft and resigned ourselves to the fact that they don't understand security, and that for all the marketing and PR these companies never will. Year after year, we see stupid and trivial security bugs pop up in their software. Oftentimes these are the same vulnerabilities reborn in a new product, or the same class of vulnerabilities creeping back into the code due to poor programming practices. In other cases, vulnerabilities are found and supposedly patched by vendors. Days or weeks later, it is discovered that the patch does not fully mitigate the original problem and can be bypassed, and the software is still vulnerable.

Yesterday, Cisco Systems, Inc. posted a new security advisory announcing a vulnerability in one of their product lines. This is not new for Cisco by any means, as they have released 155 security advisories dating back to June 1, 1995. Why is this one different? The proverbial straw that broke the camel's back, perhaps. The issue is not that just another vulnerability affects their products, nor is it the number of issues Cisco has posted over the years. While depressing to anyone responsible for the security of one of their devices, it is mostly manageable. Cisco has been fairly good about addressing problems in the past, providing patches and solid workarounds and eventually selling new versions of their software that aren't affected. Until now.

There are two issues with the latest advisory covering a vulnerability in Cisco IP/VC Products. Either issue on its own should have Cisco customers up in arms demanding better products and better service. As long as companies continue to buy from and support irresponsible and unethical vendors, those vendors will continue to deliver overpriced, insecure software.

Issue #1: Security 101

Quoting from the advisory:

Hard-coded Simple Network Management Protocol (SNMP) community strings are present in Cisco IP/VC Videoconferencing System models 3510, 3520, 3525 and 3530. Any user who has access to the vulnerable devices and knows the community strings, can obtain total control of the device.

The fact that any product is still shipped with a default SNMP community string enabled is ridiculous. Every security organization and company has long since warned about the dangers associated with this. It is reprehensible that Cisco would sell a product with such poor security practices. More disturbing is that this is not the first time Cisco has done this.

http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml
For Public Release 2001 February 28 11:00 US/Eastern (UTC-0500)
Cisco Security Advisory: Cisco IOS Software Multiple SNMP Community String Vulnerabilities

http://www.cisco.com/warp/public/707/ons-multiple-vuln-pub.shtml
For Public Release 2002 October 31 at 1600 UTC
Cisco Security Advisory: Cisco ONS15454 and Cisco ONS15327 Vulnerabilities

After two prior advisories over the same vulnerability, after four years, they continue to do it. Why can't they learn? But wait...

Issue #2: The Fix

Summary
=======
Hard-coded Simple Network Management Protocol (SNMP) community strings
are present in Cisco IP/VC Videoconferencing System models 3510, 3520,
3525 and 3530. Any user who has access to the vulnerable devices and
knows the community strings, can obtain total control of the device.

Impact
======
A user with knowledge of the community strings can gain full control of
the device. Such user can, among other things, create new services,
terminate or affect existing sessions, and redirect traffic to a
different destination.

Not only does Cisco ship this product with a default SNMP community string, they hard-code it into the operating system so that administrators can't change it. This potentially offers a remote attacker complete control over the device. Thanks, Cisco! But wait...

Software Versions and Fixes
===========================
Cisco will not provide fixed software for this vulnerability. Customers
are strongly advised to deploy the mitigation measures described in the
Workaround section.

Obtaining Fixed Software
========================
There is no fixed software for this issue. All customers are strongly advised to deploy the mitigation measures.

What?! Cisco refuses to provide fixed software for this vulnerability? Instead, they want their customers to rely on the mitigation recommendation they provide.

Workarounds
===========
The only mitigation for this vulnerability is to disable SNMP traffic at
the switch port that is connected to the affected device. If that cannot
be done, the SNMP traffic to the IP/VC device should be blocked at the
nearest possible point. In order for the mitigation to be successful all
possible paths to the device must be protected.

In short, to effectively secure this device while it is running SNMP, Cisco recommends that you use other devices to make it secure. Imagine if every vendor had a product so insecure that it required additional devices to protect it. It would be nearly impossible and cost prohibitive to manage network security. If you can't block SNMP traffic as they recommend, then you are left to run a vulnerable device or disable its functionality. If you are on a shared network, you may be left to suffer as your neighbor runs this vulnerable hardware and cannot, or does not want to, fix it.
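One way to implement the advisory's workaround on a Cisco IOS Layer 3 switch that acts as the device's gateway, as an added example that is not from the advisory or this article; the address 192.0.2.10, VLAN 10 and the ACL name are assumed for illustration:

```text
! Assumed addressing (constructed for this example): the IP/VC unit is
! 192.0.2.10 in VLAN 10, and interface Vlan10 on this switch is its gateway.
ip access-list extended BLOCK-SNMP-TO-IPVC
 remark Drop SNMP get/set (UDP 161) and trap (UDP 162) traffic aimed at the IP/VC unit
 deny udp any host 192.0.2.10 eq snmp
 deny udp any host 192.0.2.10 eq snmptrap
 remark Everything else is unaffected; only SNMP toward the device is filtered
 permit ip any any
!
! Apply outbound on the routed interface leading to the device, so every
! path that crosses this gateway is covered.
interface Vlan10
 ip access-group BLOCK-SNMP-TO-IPVC out
!
! Verification: the two deny entries should show increasing hit counters
! whenever SNMP toward the device is attempted.
! show ip access-lists BLOCK-SNMP-TO-IPVC
```

Traffic from hosts in the same VLAN never crosses the gateway, so this ACL alone does not satisfy the advisory's requirement that all possible paths be protected; put the device on its own VLAN or add a port-level ACL where the platform supports one.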

Oh wait, there is one other solution available.

Additionally, customers who are considering replacing the affected models can contact their Cisco sales representative.

Instead of offering a fix for the devices already deployed, Cisco would like you to contact a sales representative to purchase a new device/version. Why? Because the new models have a different default community string (or if you are lucky, no default) as well as more administrative control over what services can be easily disabled (including SNMP).

http://www.cisco.com/en/US/products/hw/video/ps1870/prod_bulletin09186a00801778bf.html

Improved Security

Configurable security levels for IT management allowing or preventing Telnet, SNMP, PING and FTP

To summarize: Cisco sold a product line with a critical vulnerability. Instead of offering a free fix like a responsible and ethical vendor, they tell customers to use third-party devices to handle security for their own. If this is not an option, Cisco will sell you a newer version that fixes the problem. For organizations that rely on security and use Cisco products, this is an ugly choice that is reminiscent of Microsoft.

Thankfully, Cisco Systems, Inc. only sells routers, not automobiles.
Copyright 2005 by Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given. I'd like to specifically thank Chris Wysopal and Raven Alder for comments that contributed to this article.
Republished at: http://www.theage.com.au/articles/2005/02/16/1108500132772.html.

Republished at: http://www.smh.com.au/articles/2005/02/16/1108500132772.html.