[167794] in North American Network Operators' Group
Re: NSA able to compromise Cisco, Juniper, Huawei switches
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Dec 30 09:35:15 2013
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Mon, 30 Dec 2013 14:34:52 +0000
In-Reply-To: <CALFTrnNzUUzPf_Lmu8+fLcddpK9-Pknx89AfXcX--VN6d3u0sQ@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 30, 2013, at 8:07 PM, Ray Soucy <rps@maine.edu> wrote:
> I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.
During my time at Cisco, I was involved deeply enough with various platform teams as well as PSIRT, etc., to assert with a pretty high degree of confidence that there were no deliberate secret backdoors inserted into any major Cisco router/switch code prior to 2009, when I left Cisco. And Cisco is such a large company, with so many people involved in coding, compilation, auditing, security issue remediation, et al., that I doubt very seriously that something like that could be accomplished without leaking pretty promptly.
In terms of exploits, the Cisco PSIRT team works with security researchers all the time; while I wasn't a member of PSIRT, I worked very closely with them, and if they'd run across something like that prior to 2009, I'm pretty sure I'd know about it. Every so often, they'd find a non-router/-switch product with default admin credentials, and would work with the product team in question to fix it (this is all public knowledge; you can look through PSIRT advisories on cisco.com and find advisories for default admin credentials for various products, along with links to fixed software versions).
And I was also pretty well-acquainted with most of the major software/platform architects, some of whom are still there; none of them would be a party to something like a hidden backdoor, because they all know that it would only be a matter of time until it was found and exploited. The lawful intercept stuff is a partial exception to this, but Fred Baker, Chip Sharp, and Bill Foster went out of their way to proof it as much as possible against unauthorized exploitation, as long as it's implemented correctly, and they put it out there in the public domain via RFC3924.
In point of fact, RFC3924 was intended to pre-empt pressure for secret backdoors from LEAs; the idea was to get something that was reasonably secure if implemented correctly out there in the public domain, and adopted as a standard, so that network infrastructure vendors could point to an RFC in order to fend off demands for all this secret-squirrel nonsense.
Lawful intercept systems have been exploited in the wild by malicious insiders, but none of the incidents I know about involved Cisco gear. CVE-2008-0960 indirectly impacted lawful intercept due to its SNMP management plane, but responsible network operators should've patched this by now, and should've implemented all the generic BCPs surrounding management-plane traffic, as well. I can't speak for the various third-party lawful-intercept mediation systems, as I've no firsthand knowledge of those.
My assumption is that this allegation about Cisco and Juniper is the result of non-specialists reading about lawful intercept for the first time, and failing to do their homework.
I don't work for Cisco, and I can't speak for them, but I simply don't find the allegation that there are backdoors hidden in Cisco router/switch code to be credible. Maybe I'm wrong; but since folks are constantly fuzzing Cisco code and looking for ways to exploit it, my guess is that any backdoors would've been found and exploits would be in use in the wild to such a degree that it would've become apparent a long time ago.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton