Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Warning: Cisco RW community backdoor.

  • From: John Fraizer
  • Date: Tue Feb 27 00:20:00 2001

On Mon, 26 Feb 2001, Omachonu Ogali wrote:

> Please, stop the damn FUD, how do you know it wasn't accidentally left
> in by a programmer doing debugging? I bet you assume all buffer overflows
> are purposely put in also, eh? Sure. I expect it to cut back on your
> confidence in Cisco IOS, but also, what's this noise about code? Do you 
> happen to have a hold on IOS source code or something that you personally
> audit?
> -- 
> Omachonu Ogali

I expect an organization as large as Cisco, with a QA section as large as
Ciscos to NOT leave things accidentally in code.

Buffer overflows, while APIMA, are accidental in nature, sometimes brought
on by incompetence, more often brought on my inexperience.

As for having IOS source, no, I don't.  I won't even say that if I did
have access to the source I would have found it.  I do know that if the
source was open, it would have been found much earlier and I will say that
every decent programmer that has put things in code for degugging COMMENTS
such code in a manner that it is easy to grep and remove.

In Ciscos defence, it appears that the ILMI community is there for ATM
functionality.  It would have been nice for them to have noticed this
"feature" in the SNMP implementation and caused the code to add it to the
config where it was PLAINLY visible.

Basically, someone, perhaps many people, knew about this issue and did not
act on it.  This is not IMHO the proper way to treat a security issue.

It has already been stated that the damage caused by this "feature" is
limited.  _ANY_ unauthorized changes to router configs is a VERY BAD thing
though and as such, this is a VERY BAD thing.

I appreciate your direct approach.  In the future, I would also appreciate
your not cursing me.  I don't know you.  You don't know me.  Lets be
professional, OK?

If you choose to reply, please do so off-list.

John Fraizer
EnterZone, Inc

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.