Again, they did NOT access the server directly - I had to login first w/
the pnadmin account. Still, the "expert" account has a pw known only to
Cisco and I'm not thrilled with that either.
Brent Stackhouse, GSEC/GCIH
VP of Security
Solis Security, Inc.
Austin, Texas
512-417-9772
www.solissecurity.com
Jason wrote:
fortunately I do not have MARS to play with but if you did not have to
"set" a password for them to use with the expert account I find it very
suspect.
When they accessed the box was it through a shared terminal where you
were watching the session or did they access it over the network remotely?
That you had to log into the system as pnadmin suggests that it was a
shared session and then they performed a sudo or su to expert. This
would then suggest that the expert account has a fixed password. If it
required a local account first that indicates remote access is denied
for expert. While this is preferable it is not fool proof. Any
vulnerability presenting local shell access could then allow expert
access if the password was known.
I ask because it would not be the first time a Cisco product had an
undocumented account with a default/predictable/easy to guess password.
Perhaps someone from Cisco can clarify these points.
Brent Stackhouse wrote:
It did cross my mind that there might be a backdoor/default account that
is remotely accessible but TAC said that "expert" access cannot be used
without having an existing, valid account on the system. To reiterate,
per TAC, you cannot simply login to a MARS appliance via SSH or SSL with
the "expert" account. I have not attempted to verify the veracity of
that statement but during the specific support issue I worked with TAC
on, I was instructed to login with the pnadmin account (and a password
known only to me) before TAC could use the expert mode.
If you have a MARS, go to the CLI and type "expert" - I believe it'll
prompt for a password.
Part of the point is that a similar issue will happen again which will
require TAC access to the MARS OS and I'm wondering what Cisco's plan is
to deal with that in the future. The MARS manager I spoke with during
this support issue provided this rationale: there is a lot of
easily-accessible intellectual property, due to their use of shell
scripts, Java, etc., that they'd prefer stay obscured. I mentioned that
someone could probably rip out the hard drive and access it anyway but
he said it would still be protected. Um, okay, maybe so and I'm not
really a forensics guy. I just know that this is not a typical Cisco
approach and it caused a major support headache for me and a major client.
Brent Stackhouse, GSEC/GCIH
VP of Security
Solis Security, Inc.
Austin, Texas
512-417-9772
www.solissecurity.com
Jason wrote:
3. The MARS OS is a Linux distro but users can't get to the actual
OS. This wouldn't normally be a problem but there was a bad MARS
build that was published recently, yanked within a day or so, and
then required a TAC engineer to remotely login to the MARS box to fix
it. This is contrary to every other Cisco device, including
Linux-based 42xx IDS/IPS, that I've worked with.
Can I read into that statement that there is a some form of capability
that does allow access to the OS but only to Cisco TAC? Did you need to
enable an account and password for that access or simply access to the
system?
smime.p7s
Description: S/MIME Cryptographic Signature
