Cisco SSH vulnerability sparks debate over backdoors
Cisco released a patch for a critical vulnerability in Nexus 9000 switches that could allow a remote attacker to gain root access because of the use of a default SSH key pair.
Cisco released a patch for another critical root access vulnerability in its products, but both experts and the vendor itself asserted the flaw was not a backdoor.
The patch, released May 1, remediated a vulnerability in the Cisco Nexus 9000 Series Switch software caused by the presence of a default SSH key pair in the devices. According to the vendor's security advisory, the Cisco SSH key vulnerability "could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user."
The advisory also stated that attackers could use the default key pair to open an SSH connection via IPv6 to vulnerable devices. A Cisco spokesperson said that the vulnerability is not exploitable over IPv4 and only "affects Nexus 9000 Series Fabric Switches in Application Centric Infrastructure mode; it does not affect Nexus 9000 switches in stand-alone mode."
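The defining trait of the flaw described above is a single key pair shipped on many devices. An added example, not from the article or from Cisco, of the check a defender would run against a fleet: fingerprint every key that authorises root on each device and report any key that appears on more than one device. Device names and keys are constructed test data, and the authorized_keys inventory is assumed to have already been collected out of band.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(public_key_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys line."""
    fields = public_key_line.split()
    if len(fields) < 2:
        raise ValueError(f"not an SSH public key line: {public_key_line!r}")
    key_blob = base64.b64decode(fields[1])  # comment field is ignored, as OpenSSH does
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def synthetic_ed25519_line(seed: str, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from a seed (constructed test data, not a real key)."""
    raw = hashlib.sha256(seed.encode()).digest()  # 32 bytes standing in for the public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def find_shared_keys(inventory: dict) -> dict:
    """Map each fingerprint found on more than one device to the sorted list of those devices."""
    seen = defaultdict(set)
    for device, lines in inventory.items():
        for line in lines:
            if line.strip() and not line.startswith("#"):
                seen[fingerprint(line)].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


# Constructed inventory: root's authorized_keys as collected from four hypothetical switches.
# "factory-image-key" stands in for a key baked into the shipped image.
INVENTORY = {
    "leaf-01": [synthetic_ed25519_line("ops-team-key", "ops@example.net"),
                synthetic_ed25519_line("factory-image-key", "image-build")],
    "leaf-02": [synthetic_ed25519_line("factory-image-key", "image-build")],
    "leaf-03": [synthetic_ed25519_line("leaf-03-only", "ops@example.net")],
    "spine-01": [synthetic_ed25519_line("factory-image-key", "image-build")],
}

if __name__ == "__main__":
    for fp, devices in find_shared_keys(INVENTORY).items():
        print(f"{fp} authorises root on {len(devices)} devices: {', '.join(devices)}")
```

Keys an operations team deliberately deploys everywhere will also be listed, so the output needs an allowlist of known administrator keys before anything left over is treated as a vendor-shipped default.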
Ron Gula, co-founder of Tenable Inc. and current president and co-founder of Gula Tech Adventures, a cybersecurity venture capital firm, said the Cisco SSH flaw sounded like a failure in security processes.
"Requiring SSH or forms of default encryption increases the complexities of exporting the devices. Telnet is an acceptable form of control on private management networks," Gula said. "Cisco has many controls in place to prevent vulnerabilities like this from shipping, and clearly something went wrong with these processes."
Dan Cornell, CTO of Denim Group, an application security consultancy, noted that shipping devices with default SSH key pairs "might be a major issue, but it isn't surprising. Stuff like this happens all the time."
However, several media reports described the vulnerability as a possible backdoor. Cisco has disclosed and patched a number of vulnerabilities involving hardcoded and default credentials over the last two years.
Rival networking vendor Huawei, which has come under fire for its own security issues, as well as ties to the Chinese government, slammed Cisco via Twitter over the SSH key pair flaw. "Backdoors in Cisco's network switches prove that U.S. homegrown tech equipment is just as flawed as any other," the company said via its "Huawei Facts" Twitter account.
Cisco asserted it was not a backdoor because its company policy prohibits backdoors.
"Per the Cisco Security Vulnerability Policy, Cisco's product development practices specifically prohibit any intentional behaviors or product features that are designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. This includes undisclosed device access methods or 'backdoors,'" a Cisco spokesperson said. "Unfortunately, despite the best efforts of technology vendors, security vulnerabilities do still occur. When we identify these serious vulnerabilities, we address them with the highest priority."
Cornell said that for the Cisco SSH key pair to be considered a backdoor, it would have to have been left in place intentionally, but "nothing that has been reported so far provides any insight into the reasoning for the devices shipping with the default key pair."
"That said, a scary thing about security vulnerabilities is that any security vulnerability could be a backdoor -- if it was inserted into the product intentionally. That is actually the easiest way to insert backdoors into many systems because it provides the developer or vendor with deniability. 'I'm sorry -- I made a coding mistake' is very difficult to refute, especially given the continuing high incidence and prevalence of vulnerabilities in software systems."
Gula said it wouldn't be "fair to call this a backdoor."
"Although this type of vulnerability can be used as a backdoor to access a very small percentage of devices built by Cisco, it would not be used for maintenance or remote support of Cisco customers. It may be used by any of the intelligence agencies doing cyber surveillance, but this is no different from any other vulnerability on any other networking device," Gula said. "Vulnerabilities can be added by design, but given the wide availability of vulnerabilities in all devices, it is unlikely these were deliberate backdoors. A typical customer of router and network vendors does not have the ability to detect real backdoors for espionage purposes, which are much different than vulnerabilities disclosed from software complexity, coding and distribution issues."