Network World recently published an article entitled “Cisco says FTP feature in IOS is a hacker backdoor.” The opening paragraph reads as follows:
Cisco says a flaw in the FTP server utility in its IOS router/switch software could be used as a backdoor by attackers.
Do you see the discrepancy? The opening statement is inconsistent with the title of the article. Are they saying that the flaw could be used as a backdoor, or that the flaw itself is a backdoor?
Any vulnerability that is remote, pre-authentication, and trivial to exploit could be used as a backdoor of sorts, once details emerge and somebody publishes an exploit script that the kiddies can use. This would clearly be a big story, considering the sheer number of Cisco routers that will require patching. However, if the flaw itself is a backdoor, that implies that the vulnerability was introduced maliciously, either by an insider or by someone who broke into Cisco’s network and modified the IOS codebase. This would be a HUGE story, because now you have to wonder about the extent to which the IOS codebase has been compromised.
First let’s break down the Cisco advisory. Like most vendor advisories, you don’t get many technical details. However, here is what we do know:
- A remote attacker can bypass the IOS FTP server authentication mechanism
- Having bypassed authentication, the attacker can read or write any file on the router’s filesystem, including the startup-config file
- The vulnerability gets the maximum possible CVSS rating of 10.0 because it is remote, pre-authentication, and trivially exploitable, with full confidentiality, integrity, and availability impact
But wait, what’s this? There’s also a Denial of Service vulnerability? Apparently, you can make IOS reload through the FTP interface, and repeatedly triggering this reload (think reboot) could effectively create an outage. The important part is that there’s a way to force a reload.
The advisory also says that a remote attacker could “cause the affected device to reload, or execute arbitrary code”, but I’m not so sure about the arbitrary code part. Maybe they just mean arbitrary IOS commands.
Basically, an attacker could take control of the router in a couple of different ways. Network security guys, correct me if I am off base here or omitting any good attack vectors:
- Fast but clumsy: Retrieve the startup-config, alter the commands used to set the line password and enable password, upload the modified startup-config, force a reload, and log in using the new passwords
- Slower but less obvious: Retrieve the startup-config, crack the passwords (difficulty dependent on whether they are configured as “passwords” or “secrets”), and log in using the cracked passwords
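Both paths depend on the FTP server being enabled and on how credentials are stored in the startup-config, so a defender can check each device for exactly those two things. The following is an added example, not code from the original post or from Cisco: a small auditor that flags `ftp-server enable` (the IOS command name is my addition, the post does not quote it) and any credential stored as plaintext or reversible type 7 rather than as a hashed secret. The sample config and every value in it are constructed.

```python
import re

# Constructed sample startup-config; hostnames and credential values are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$CONS$tructedHashValue0000000
enable password 7 00CONSTRUCTED00
username admin password 0 constructed-plaintext
username ops secret 5 $1$CONS$tructedHashValue1111111
ftp-server enable
line vty 0 4
 password constructed-line-pw
 login
"""

CRED = re.compile(r"^(?:enable |username (?P<user>\S+) (?:privilege \d+ )?)?"
                  r"(?P<kind>password|secret)(?: (?P<enc>\d+))? \S+$")

def storage(kind, enc):
    """Map an IOS credential keyword and encoding type to how it is stored."""
    if enc == "7":
        return "reversible"          # type 7 is obfuscation, not a hash
    if enc in (None, "0"):
        return "plaintext" if kind == "password" else "unspecified"
    return "hashed"                  # e.g. type 5 (MD5-based) secrets

def audit(config):
    """Return (line_no, finding) tuples for FTP exposure and weak credential storage."""
    findings, context = [], "global"
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if raw and not raw[0].isspace():   # unindented line: new config context
            context = line if line.startswith("line ") else "global"
        if line == "ftp-server enable":
            findings.append((no, "IOS FTP server enabled"))
        m = CRED.match(line)
        if m:
            how = storage(m["kind"], m["enc"])
            if how in ("plaintext", "reversible"):
                who = m["user"] or ("enable" if line.startswith("enable") else context)
                findings.append((no, f"{how} credential for {who}"))
    return findings

if __name__ == "__main__":
    for no, finding in audit(SAMPLE_CONFIG):
        print(f"line {no}: {finding}")
```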
Again, the vulnerability is undoubtedly a big deal, in and of itself. But what I really want to know is whether this was an intentional backdoor planted in the codebase or just a horribly dumb implementation error. The ability to not only bypass authentication but also force a reload seems a little suspicious, but we won’t know for sure unless Cisco discloses more information. More importantly, if it does turn out to be a bona fide backdoor, what does this say about Cisco’s SDLC?