NSA able to compromise Cisco, Juniper, Huawei switches

Dobbins, Roland rdobbins at arbor.net
Mon Dec 30 14:34:52 UTC 2013

On Dec 30, 2013, at 8:07 PM, Ray Soucy <rps at maine.edu> wrote:

> I hope Cisco, Juniper, and others respond quickly with updated images for all platforms affected before the details leak.

During my time at Cisco, I was involved deeply enough with various platform teams as well as PSIRT, etc., to assert with a pretty high degree of confidence that there were no deliberate secret backdoors inserted into any major Cisco router/switch code prior to 2009, when I left Cisco.  And Cisco is such a large company, with so many people involved in coding, compilation, auditing, security issue remediation, et. al. that I doubt very seriously that something like that could be accomplished without leaking pretty promptly.

In terms of exploits, the Cisco PSIRT team work with security researchers all the time; while I wasn't a member of PSIRT, I worked very closely with them, and if they'd run across something like that prior to 2009, I'm pretty sure I'd know about it.  Every so often, they'd find a non-router/-switch product with default admin credentials, and would work with the product team in question to fix it (this is all public knowledge; you can look through PSIRT advisories on cisco.com and find advisories for default admin credentials for various products, along with links to fixed software versions).  

And I was also pretty well-acquainted with most of the major software/platform architects, some of whom are still there; none of them would be a party to something like a hidden backdoor, because they all know that it would only be a matter of time until it was found and exploited.  The lawful intercept stuff is a partial exception to this, but Fred Baker, Chip Sharp, and Bill Foster went out of their way to proof it as much as possible against unauthorized exploitation, as long as it's implemented correctly, and they put it out there in the public domain via RFC3924.  

In point of fact, RFC3924 was intended to pre-empt pressure for secret backdoors from LEAs; the idea was to get something that was reasonably secure if implemented correctly out there in the public domain, and adopted as a standard, so that network infrastructure vendors could point to an RFC in order to fend off demands for all this secret-squirrel nonsense.

Lawful intercept systems have been exploited in the wild by malicious insiders, but none of the incidents I know about involved Cisco gear.  CVE-2008-0960 indirectly impacted lawful intercept due to its SNMP management plane, but responsible network operators should've patched this by now, and should've implemented all the generic BCPs surrounding management-plane traffic, as well.  I can't speak for the various third-party lawful-intercept mediation systems, as I've no firsthand knowledge of those.

My assumption is that this allegation about Cisco and Juniper is the result of non-specialists reading about lawful intercept for the first time, and failing to do their homework.

I don't work for Cisco, and I can't speak for them, but I simply don't find the allegation that there are backdoors hidden in Cisco router/switch code to be credible.  Maybe I'm wrong; but since folks are constantly fuzzing Cisco code and looking for ways to exploit it, my guess is that any backdoors would've been found and exploits would be in use in the wild to such a degree that it would've become apparently a long time ago.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the NANOG mailing list