Cisco Nexus 9000 Switches Allow SSH As Root (opens in new tab)

It allows anyone who knows the default SSH key pair to login as root. How is that not a backdoor?

Backdoor definition: "A backdoor is a method, often secret, of bypassing normal authentication in a computer system."

You’re joking right?

It’s “allow ssh as root with a publicly available ssh key”. Your version is making it sound mundane.

It is impossible to know the motivation of the person who put this here but these constructs have no place in firmware for critical devices and Cisco should have known that for a long time already. Either they truly are idiots or this is malicious.

Ok, we changed to that. Thanks!

Submitted title was "Backdoor Found in Cisco Routers CVE-2019-1804".

I agree , this is not a backdoor in the more commonly understood sense of the term , post-Snowden.

At the same time, your suggested "right title" doesn't seem too accurate either (imo).

When I see the term backdoor, I think of something done intentionally.

Maybe something like: Embeded unsecured credentials , allow attacker remote root ssh access

( it's actually much harder than I initially thought , to phrase)

The mods asked me to email comments like this to the hn@yc.c address in the footer (Contact link), and have been responsive (not necessarily agreed, but they do reply!) when I've done so. I emailed them a link to your comment as the edit request with an attempt of my own:

> CVS-2019-1804: Cisco Nexus 9000 remote root exploit via SSH-over-IPv6

(Yes, it's a backdoor, I ran out of time sorry)

CVS-2019-1804: Cisco Nexus 9000 Switches Allow SSH As Root via IPv6 only.

Which makes it even more likely to be explained by stupidity as to malice.

It's still a bit editorialized since this only affects ACI mode, not the default (and far more common) NX-OS mode.

And plausible deniability is the #1 rule when being malicious. If you know enough to use an asymmetric key instead of a password, but not enough to think it's a good idea to leave the private key there, you're in a weird cross-section of expertise.

> Allow SSH As Root

That sounds like they just erroneously left AllowRootLogins yes in the ssd_config, which would not be a critical vulnerability.

What is a backdoor if not this?

This is exactly why I only buy belkin routers. I can't even connect to it.

Without wanting to start a political flame war it would be great if there was consistency to how we in the tech community and the media treat these types of vulnerabilities. When Huawei have these sorts of bugs they are reported as backdoors. Bugs happen in software be nice if put the nationalism aside and reported it consistently as bugs or vulnerabilities

Nexus 9000, running ACI, not normal NX-OS, as opposed to the ASR 9000 series which are common internet routers.

Cisco model numbers are fun.

Also you should have ACLs in place and VLAN segmentation (assuming their use as pure layer 2 devices) so that only certain authorized sections of the network are even able to reach things like the management ssh and SNMP daemons.

'unauthenticated' should have been in the title of this post

Given that it is a $30k+ piece of kit I suspect not too many people here have them.

As a former Cisco employee, I can tell you why companies never want to open source their security-sensitive products:

Pros of open sourcing a product:

- fewer total number of vulnerabilities

Cons of open sourcing a product:

- more publicly-known vulnerabilities

- less effort required to find new vulnerabilities

The product might be more objectively secure, with more bug reports and more fixes.

But it will be less practically secure. There will be more known vulnerabilities, and many customers can't upgrade, leaving more total vulnerable customers. And worse, now anyone on the internet can try and find new vulnerabilities for $0, while before they'd need to buy a $1,000+ piece of hardware to even get a shot at the compiled code.

The real defense against this problem is security auditing. Security engineers try to hack the device while asking a bunch of questions about SSH connections and private keys. This is the technique most companies employ, often combined with bug bounties.

For most enterprise IT products there is no "open down to the hardware" replacement and there never will be because there isn't a business model to create it.

You know what they say: the S in IoT stands for security.

Cisco hasn't had a good reputation for awhile IMO.

Most places (especially where they have enough money to be buying Cisco Nexus 9k kit) will want some sort of change management, not the vendor to be making arbitrary changes to their critical infrastructure.

Also, given the number and severity of these sort of vulnerabilities in recent times, do you want to give the same companies remote access to your infrastructure as well? :)

> Box vendors should really stop selling unmanaged boxes/solutions

Users should no longer be allowed to own their own hardware? That'll be popular with both the hacker crowd and the high-security people.

What of devices that are never intended to be connected to the wider internet?

Cisco bought meraki that provides a cloud managed solution, but it's only office equipment.

The keypair is essentially some default known value.

You shouldn't be able to use this to connect at all, but apparently works over IPv6.

So you'd have to have the private key, as well as knowing the IPv6 address of the device you're connecting to, and that device would have to have a route to the internet or a location you could connect to it from.

HackerNews: Huueerrggg Huawei can't even write secure code

Cisco: Hold my beer

Heh - people are harvesting compromised secret keys then? Because "guessing" secret keys shouldn't be viable?

It's a switch used in enterprise data centers. It's pretty critical because servers plug directly into it.

ACI control traffic is probably IPv6-only. They may be taking advantage of link-local addressing.

People are calling it a backdoor because presumably it was not documented anywhere.

And they completed it successfully. They literally had a new backdoor every month for years now. No company is that incompetent unless ordered to be so.

A Nexus 9K is an expensive piece of kit, and is not a trivial switch to deploy what with VPC and other configurations being commonplace, so just powering it on will not deliver a workable product. I suspect most if not all deployments follow best practice and have a management VLAN with access lists control limiting the source address of the connecting client, and blocking access to port 22 from other networks.

* Edit * Plus the Nexus the backdoor is only relevant if the switch in using ACI, and not standalone NX-OS mode. ACI training is a 5 day course for advanced engineers. https://www.cisco.com/c/en/us/training-events/training-certi...