How Cisco Fixed An Undocumented SSH Support Tunnel In Umbrella (umbrella.com) 24
"Vulnerability due to always-on SSH Tunnel -- RESOLVED" reads a Cisco service update. An anonymous reader writes:
Described by a recent security blog post, Cisco hid an SSH backdoor in its Cisco Umbrella product, which they were using for support. Affected organizations can install version 2.1.0 of their virtual appliance, which has the backdoor removed.
Cisco has described Umbrella as "the first Secure Internet Gateway in the cloud," though the now-closed tunnel "auto-initiated from the customer's appliance to Cisco's SSH Hubs in the Umbrella datacenters." Cisco adds that it "did not require explicit customer approval before establishment." Access to the terminating server required valid keys and was provided only to privileged support personnel within the Cisco Umbrella network space. Customers could prevent this tunnel from getting established by blocking the relevant firewall ports. However, in the case of customers who allowed establishment of the tunnel, an attacker who obtained access to the internal Cisco terminating server could use the SSH tunnel as a backdoor to obtain full control of the VA device at the customer's premises...
It is our policy that any undocumented methods of entry into your network devices be considered a vulnerability due to the potential risk of an attacker leveraging this tunnel to gain access to your network. While Cisco has NO indications that our remote support SSH hubs have ever been compromised, Cisco has made significant changes to the behavior of the remote support tunnel capability to further secure the feature...
To address this vulnerability, the Umbrella Virtual Appliance version 2.1.0 now requires explicit customer approval before an SSH tunnel from the VA to the Cisco terminating server can be established... For additional security, customer is required to provide tunnel configuration parameters out-of-band to the Cisco support personnel before tunnel establishment.
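The summary's point is that the tunnel was auto-initiated outbound from the customer's appliance, so the customer-side control is egress visibility and an explicit approval record, which is what version 2.1.0 adds. As an added illustration that is not from the Slashdot summary or from Cisco, the following Python flags outbound SSH (assumed TCP/22; the page names no port) from appliance subnets to non-internal destinations that are not on an explicit approval list. The log format, addresses and subnets are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample egress-firewall log lines (not real Cisco/Umbrella output).
SAMPLE_LOG = """\
2017-06-01T00:00:01Z ACCEPT src=10.0.5.20 dst=203.0.113.7 proto=tcp dport=22 bytes=1480
2017-06-01T00:00:02Z ACCEPT src=10.0.5.20 dst=10.0.1.3 proto=udp dport=53 bytes=120
2017-06-01T00:05:01Z ACCEPT src=10.0.5.21 dst=203.0.113.7 proto=tcp dport=22 bytes=1520
2017-06-01T00:10:01Z ACCEPT src=10.0.9.9 dst=198.51.100.4 proto=tcp dport=443 bytes=9000
2017-06-01T01:00:01Z ACCEPT src=10.0.5.20 dst=203.0.113.7 proto=tcp dport=22 bytes=1490
2017-06-01T02:00:01Z ACCEPT src=10.0.5.22 dst=198.51.100.9 proto=tcp dport=22 bytes=1600
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# RFC 1918 ranges treated as "inside the customer network"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log):
    """Yield one dict per well-formed log line; skip lines that do not match."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def find_unapproved_ssh_egress(log, appliance_nets, approved):
    """Return {(src, dst): count} of accepted outbound SSH flows from the
    appliance subnets to external hosts, excluding explicitly approved pairs
    (the approval list plays the role of the 'explicit customer approval'
    that the fixed appliance requires before a support tunnel comes up)."""
    nets = [ipaddress.ip_network(n) for n in appliance_nets]
    hits = defaultdict(int)
    for r in parse(log):
        if r["action"] != "ACCEPT" or r["proto"] != "tcp" or r["dport"] != 22:
            continue
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if not any(src in n for n in nets) or any(dst in n for n in INTERNAL_NETS):
            continue  # not an appliance, or destination is inside the network
        if (str(src), str(dst)) in approved:
            continue  # tunnel the customer explicitly approved out-of-band
        hits[(str(src), str(dst))] += 1
    return dict(hits)
```

Every unapproved pair returned is a candidate always-on tunnel to review and, if unwanted, to block at the egress firewall as the summary describes.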
How did they do it?! (Score:3)
Re:How did they do it?! (Score:4)
The "fix" is not what you think. The backdoor is still there, it's just hidden better so some random punk can't exploit it.
If you claim there's really no backdoor, go ahead, prove it! As for Cisco's words, we had them the last time too.
Re: (Score:1)
Aside from the issue of not being able to prove a negative, no integrated vendor is going to offer their source code for peer review. Either you use OSS router & switch software or you trust the manufacturer. Cisco, Juniper, Fortinet, etc. have all had widely-reported breaches (in Cisco's case, several).
Re: (Score:1)
I have a CISCO router from my ISP and I've really really really wanted to be rid of it for sooooo long. I didn't get the choice, and repeated complaints have not replaced it. When you see the duplicate packets with Wireshark you know there's a problem, but you're never really sure if it's intentional or not. Only that this company has a history of appearing in Snowden documents.
All these other companies made themselves into a stasi in waiting by putting in these backdoors. A FISA warrant from agent orange, or
Re: (Score:2)
The proper question is "why would anyone buy a Cisco "secure" appliance after this?"
For the same reason that they continued to use Cisco products after the last time a backdoor was found in them?
Proprietary insecurity remains as-is. (Score:2)
How did they do it? They took advantage of someone's desire for convenience over software freedom (and the practical security benefits one gains from software freedom) to sell them products and services with at least one backdoor.
Naturally, nobody should trust anything from Cisco regardless of how much they paid for it unless that program is free software (free to run, inspect, share, and modify) because that means one's software freedom is respected. But Cisco isn't the only problem organization here, all
Life Imitates Art (Score:1)
In the 'Resident Evil' movies, the big evil corporation that was responsible for destroying the world was called The Umbrella Corp.
Coincidence?
I think not.
Am I reading this right? Seems nigh impossible (Score:2)