COMPLETE FAILURE by a security vendor to engineer a secure product.
See http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
-
Join the MyBroadband community
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
-
Question of the Day: What is your employer's plan for the 30 June protests?
BEWARE!! Complete root access to some Cisco products
- Thread starter nkawit
- Start date
COMPLETE FAILURE by a security vendor to engineer a secure product.
See http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
Sonic2k
Executive Member
- Joined
- Feb 7, 2011
- Messages
- 7,636
- Reaction score
- 4
People make mistakes.. and this is certainly not a "first" for Cisco
It is clear that there was no proper security audit done on the product before release.
They clearly do not have a proper business process in place (security audits) before releasing software products and this behaviour and neglect/incompetence should not be tolerated. They need to get a clue.
And yes, it certainly is NOT the first time either!
Your comment is neither useful, nor does it add value to this thread.
If you or anyone else wants to accept this as "de facto" nowadays and just bend, go right ahead. Or, you could do the right thing and expect a higher level of care and competence from a security vendor.
And yes, I am a Cisco client. I can also say there are vendors out there that do extensive audits on their products before release.
You need to learn not to take security vulnerabilities personally. I suggest you step back for a bit as this was in no way directed to you.
My choice of OS has nothing to do with this thread.
Sonic2k
Executive Member
- Joined
- Feb 7, 2011
- Messages
- 7,636
- Reaction score
- 4
I am not taking anything personally, but I get upset when you attack other users for their comments.
I am in this business from time to time, let me tell you something:
People who can actually do proper security audits are thin on the ground. You have to hire people of dubious integrity i.e. black hat hackers for this kind of activity. Cisco don't do much of that...
I have hacked a Cisco 1700 series router before... easy as taking candy from a baby, but as the owner/user I took steps to mitigate the risk, I didn't get all hot and bothered about it. You also don't see me getting all hot and bothered about the fact that I can ssh into my NAS and nowhere in the manual is this explained, nor the fact that I was able to hack the firmware to add a secondary drive via USB in such a way it has the same full performance as the internal drive.
Necuno
Court Jester
- Joined
- Sep 27, 2005
- Messages
- 58,566
- Reaction score
- 3,437
Please point this out so I may edit my post. At no time did I intend to "attack" anyone, merely point out that Cisco released a product without proper security audits being conducted and people be well aware of this behavior from a security vendor. Furthermore that this behavior should in no way be treated as "defacto".
There is no excuse for proper security audits, especially when you are a security vendor. If they cannot competently conduct or afford the relevant audits on their products they are not release ready.
Did you disclose what you managed to exploit to Cisco and do you have the relevant security release? I am interested in the vector.
I do not know what you construe as me being "hot and bothered". I have written and submitted my complaint and requested information as to why the relevant security audit was not performed and the result of such an audit if one was.
Personally I would not take an undocumented feature as a security vulnerability, unless it can be exploited. In that case I would follow the vendors responsible disclosure procedure to report it.
Last edited:
Sonic2k
Executive Member
- Joined
- Feb 7, 2011
- Messages
- 7,636
- Reaction score
- 4
Mr nkawit, please dream on...
This forum is not Hellopeter.com so your complaint is not going to be acted upon.
First of all, you have this idea that Cisco are a security vendor. Sorry to break it to you but they are not a security vendor, they make networking products.
This forum is not Hellopeter.com so your complaint is not going to be acted upon.
First of all, you have this idea that Cisco are a security vendor. Sorry to break it to you but they are not a security vendor, they make networking products.
No I didn't because I learnt about it by reading hacking books and anecdotes. If you were any good at your job, you'd be active in the infosec space. There is no magic as to how I keep hackers out of the systems I build, most of the time.
I sent my complaint to our account manager. Your reference to hellopeter.com is not relevant, nor would I expect Cisco to reply to this thread.
I posted this thread to warn users of products for which a serious security vulnerability exists.
Cisco sell security products, in this case Email and Web filtering solutions.
My job has no relevance to this thread. I merely requested you provide further information if you reported your exploit to Cisco and if you can provide further information on it as I was interested. If you are unable to do so, thats fine, I was merely curious.
Cisco buy other vendors then rebrand them
As for vendors with security problems, it is a continous thing. Fortinet, Checkpoint, Symantec etc etc have all had security issues at one point or another. I agree though, there should be much more extensive testing done before releases..
