Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco, haven't we learned anything? (technician reset)

  • From: Hank Nussbacher
  • Date: Thu Jan 12 09:19:15 2006

On Thu, 12 Jan 2006, Gadi Evron wrote:

> In this
> (http://blogs.securiteam.com/wp-admin/post.php?action=edit&post=207) recent
> Cisco advisory, the company alerts us to a security problem
> with Cisco MARS (Cisco Security Monitoring Analysis and Response System).
>
> The security issue is basically a user account on the system that will
> give you root when accessed.
...
> Now? if Cisco knowingly put it there, shame on them. If somebody put it
> there without their knowledge? well, shame on them.

Cisco acquired Protego in Dec 2004 and thereby acquired MARS:
http://www.infoworld.com/article/04/12/20/HNciscoprotego_1.html

Cisco didn't put it in there - they bought the bug for $65M. :-)

>
> Okay, but how about other vulnerabilities of this type? Are there any more
> backdoors to other Cisco products?
> If not, why wouldn?t they just come out and say that?
> ?There are NO other such backdoors in our products?.

I am sure there are more.  The previous one I remember was with their
Riverhead purchase:
http://www.cisco.com/en/US/products/products_security_advisory09186a008037d0c5.shtml

and before that was:
http://www.cisco.com/en/US/products/products_security_advisory09186a00802119c8.shtml
but I don't know which company was purchased to introduce that one.

I think Cisco just doesn't check the product closely enough and trusts the
R&D coders and doesn't introduce an external security QA to the product
being purchased.

-Hank




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.