Cisco, the world’s leading provider of networking devices and enterprise software, released fifteen security updates today, including a fix for an issue that can be described as a backdoor account.
This latest patch marks the seventh time this year that Cisco has removed a backdoor account from one of its products, with the previous six fixes listed below:
- March – CVE-2018-0141 – Cisco Prime Collaboration Provisioning
- March – CVE-2018-0150 – Cisco IOS XE operating system
- May – CVE-2018-0222 – Cisco Digital Network Architecture
- June – CVE-2018-0329 – Cisco Wide Area Application Services
- July – CVE-2018-0375 – Cisco Policy Suite Cluster Manager
- September – CVE-2018-15427 – Cisco Video Surveillance Manager
- November – CVE-2018-15439 – Cisco Small Business Switches
In most of the cases listed above, the backdoor accounts were nothing more than debugging profiles that had been left inside Cisco software/firmware after factory testing or debugging operations.
Five of the seven backdoor accounts were discovered by Cisco’s internal testers, with only CVE-2018-0329 and this month’s CVE-2018-15439 being found by external security researchers.
The company has been intentionally and regularly combing the source code of all of its software since December 2015, when it started a massive internal audit.
Cisco started that process after security researchers found what looked to be an intentional backdoor in the source code of ScreenOS, the operating system of Juniper, one of Cisco’s rivals. The Juniper ScreenOS backdoor allowed remote attackers to decrypt VPN traffic passing through Juniper devices running certain versions of ScreenOS.
Juniper suffered massive reputational damage following the 2015 revelation, and this may secretly be the reason why Cisco has avoided using the term “backdoor account” all year for the seven “backdoor account” issues. Instead, Cisco opted for more complex wordings such as “undocumented, static user credentials for the default administrative account,” or “the affected software enables a privileged user account without notifying administrators of the system.”
It is true that using such phrasings may make Cisco look disingenuous, but let’s not forget that Cisco has been ferreting out these backdoor accounts mainly on its own, and has been trying to fix them without scaring customers or impacting its own stock price along the way.
Side note: Today’s latest batch of Cisco security fixes also included patches for two other issues, both of which received a 9.8 severity rating on a scale from one to ten. The first was a now-classic Java serialization issue that leads to root-level remote code execution in Cisco Unity Express products, while the second was an authentication bypass due to an insecure configuration of Cisco Stealthwatch Management Console systems.