| ▲ | jeroenhd 5 days ago | |||||||||||||||||||||||||||||||||||||||||||
Surely they don't need backdoors when they can just exploit the awful network security that American networking equipment vendors already come with out of the box? The US needed to smuggle Stuxnet in, but with networking equipment there's a treasure trove of shitty practices. Cisco and Juniper have been caught hiding hard-coded password how many times now? | ||||||||||||||||||||||||||||||||||||||||||||
| ▲ | mr_mitm 5 days ago | parent | next [-] | |||||||||||||||||||||||||||||||||||||||||||
Sometimes it's hard to tell if it's a real bug or a backdoor masquerading as a vulnerability. | ||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||
| ▲ | tcp_handshaker 4 days ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||||||||
>> Surely they don't need backdoors when they can just exploit the awful network security that American networking equipment vendors already come with out of the box? For Cisco they literally keep doing it year after year. They are like the Boeing of the IT world. Its unbelievable how they are still in business and growing...and then people worry about Mythos… :-)) Even Bruce Schneier said that Cisco products have had hard-coded passwords made public repeatedly, and "you'd think it would learn.": https://www.schneier.com/blog/archives/2023/10/cisco-cant-st... Cisco your core vendor...this is way the CEO earns the big bucks... 2010 (CVE-2010-1574): Cisco IE3000 switches shipped with hard-coded SNMP community names public and private. 2017 (CVE-2017-3834): Cisco Aironet 1830/1850 Mobility Express had default credentials that could let an unauthenticated remote attacker take control of the device. 2017 (CVE-2017-6689): Cisco Elastic Services Controller had a default weak hard-coded password for the admin user in the ConfD CLI. 2017 (CVE-2017-12317): Cisco AMP for Endpoints used a static key to protect the connector password 2018 (CVE-2018-0141): Cisco Prime Collaboration Provisioning 11.6 had a hard-coded SSH account password that could allow local access to the underlying Linux OS. 2018 (CVE-2018-0150): Cisco IOS XE had an undocumented privilege-15 account with a default username and password, allowing unauthenticated remote administrative access. 2018 (CVE-2018-15389): Cisco Prime Collaboration Provisioning’s install flow could leave a default hard-coded web admin username/password in place. 2019 (Cisco advisory; credential issue documented in the advisory): Cisco Small Business RV160/RV260/RV340 firmware images were found to contain undocumented accounts and hardcoded password hashes 2021 (CVE-2021-34795): Cisco Catalyst PON ONT devices had a default Telnet credential vulnerability when Telnet was enabled. 2021 (CVE-2021-34757 / CVE-2021-34744): Cisco Business 220 Smart Switches had a static-password issue and a static-key issue 2023 (CVE-2023-20101): Cisco Emergency Responder shipped with static root credentials that could not be changed or deleted, enabling unauthenticated remote login. 2024 (CVE-2024-20412): Cisco Firepower Threat Defense for Firepower 1000/2100/3100/4200 had static accounts with hard-coded passwords And Juniper? And Fortinet ? Yeap...Our CEOs earn big bucks too... - Juniper 2015 (CVE-2015-7755 / CVE-2015-7756): Juniper disclosed unauthorized code in ScreenOS that enabled unauthorized remote administrative access and, separately, VPN traffic decryption on affected versions. 2017 (CVE-2017-2343): Juniper SRX Integrated UserFW had hardcoded credentials in its authentication API. 2019 (CVE-2019-0020): Juniper ATP shipped with hard-coded credentials in the Web Collector instance. 2019 (CVE-2019-0030): Juniper ATP used DES with a hardcoded salt for password hashing - Fortinet 2016 (CVE-2016-1909): FortiOS, FortiAnalyzer, FortiSwitch, and FortiCache had an undocumented Fortimanager_Access account with a hardcoded SSH passphrase. 2019 (CVE-2019-6698): FortiRecorder set a hardcoded admin password on managed FortiCameras. 2019 (CVE-2019-6693): FortiOS / FortiManager / FortiAnalyzer used a hard-coded cryptographic key for sensitive config data 2020 (CVE-2019-16153): FortiSIEM had hard-coded PostgreSQL credentials in its database component. | ||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||
| ▲ | kakacik 5 days ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||||||||
At this point, any US company's products on software and hardware side can be safely considered an espionage asset. Even ignoring well known things like intercepting international packages during transit and putting malware into them. Same goes obviously for ie Chinese stuff, but I don't think you guys realize how for outsider the border between China and US in terms of morality is practically non-existent now. I don't mean it in any snarky way, just looking at facts. Also, China doesn't invade countries half around the world and bring them to utter destruction and misery for generations to come, killing thousands to millions of civilians and creating breeding grounds for things like ISIS. They do their own thing, quietly and patiently, with laser focus and for outsiders its at most 'not great not terrible' category. | ||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||
| ▲ | traderj0e 4 days ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||||||||
It must be easier to do en masse if there are backdoors. Not saying I trust the allegations, but wouldn't be surprised. | ||||||||||||||||||||||||||||||||||||||||||||
| ▲ | expedition32 4 days ago | parent | prev [-] | |||||||||||||||||||||||||||||||||||||||||||
Wait there is network equipment made in the US? I thought everything was basically made in Asia nowadays! Oh and Nokia of course but Europe is just as bad as China in the conservative mind... | ||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||