Cisco says it's launched a deep-dive review of its own code base for signs of tampering. The networking giant's move comes after rival Juniper Networks revealed that it discovered "unauthorized code" in its ScreenOS firmware that introduced serious security flaws that would allow attackers to remotely access devices without authentication as well as decrypt encrypted VPN communications (see Who Backdoored Juniper's Code?).
Security experts say that all vendors that develop networking products should be taking the same steps as Cisco. "The real issue here is that it's very likely that other vendors fell for the same problem [as Juniper]," Johannes Ullrich, dean of research for the SANS Institute, tells me. And it's not the only potential case of massive code fiddling that's come over the past couple of years, he adds, noting that the jury is still out on whether the Heartbleed bug was purposefully added to OpenSSL.
"All networking vendors need to be taking a good, hard look at their code base and publicly reporting what they discover."
To Cisco's credit, the company says it launched the new source code review of its own accord, noting that it hasn't been contacted by any law enforcement agencies or security researchers warning that they have found signs of Juniper-like backdoors.
Responding to that discovery, Cisco notes that its developer guidelines prohibit any such functionality being added to its code. "We have a 'no backdoor' policy," says Anthony Grieco, senior director of Cisco's Orwellian-sounding "Security and Trust Organization," in a blog post. "Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information or a bypass of security features or restrictions."
But Juniper Networks could just as easily have proclaimed that it has a "no backdoor" policy. Yet someone still made attacker-friendly changes to ScreenOS in 2012, and again in 2013, and Juniper Networks CIO Bob Worrall says the company only recently spotted them.
Looking For Unauthorized Changes
Cisco says it has directed its Product Security Incident Response Team - PSIRT - to conduct the new code review, including looking for signs of broken or weak crypto. "Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk," Grieco says. "Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience."
The review is being tracked as a stand-alone case - PSIRT-0551621891 in Cisco parlance - and the company promises to describe any vulnerabilities that it finds in accordance with its security policy.
For the government agencies and corporate organizations - and their customers - that rely on networking equipment to safely route and secure their data, this is a great first step.
Juniper may not have been the only technology vendor that had backdoors added to its source code, warns Johannes Ullrich of the SANS Institute.
Others Must Follow
But are Cisco and Juniper going it alone? I've reached out to the following Juniper rivals in the firewall and networking space to ask them if they plan to follow Cisco's lead by conducting a deep-dive code review, and then publicly describe what, if anything, they find.
Here's who I've heard back from so far:
- Fortinet: All of the company's FortiGate integrated security platforms run FortiOS, a spokeswoman tells me. "In addition to ISO industry-leading best practices, we have implemented and comply with an in-depth, rigorous review process that includes multiple tiers of inspection, internal and third-party audits and automated triggers and tools across the entire development of our source code," she says. "We regularly evaluate our review processes and are confident that we have taken proper measures to ensure the integrity and protection of our operating code and platform."
- Palo Alto Networks: "We do rigorous continuous testing on our products, including code reviews and penetration testing performed by third parties," a spokesman says. "A full code review is performed as a standard component of every software release and was last completed this summer as part of our PAN-OS/Panorama 7.0 release. Additionally, we are very diligent in ensuring the highest integrity in the software and hardware, including ongoing reviews of our supply chain system and partners, rigorous internal security measures, and ensuring best practices in development."
- Alcatel-Lucent: A spokesman says the company "was made aware of Juniper's security vulnerabilities through an internal Product Security Incident Response team process." But he says that because the company's Alcatel-Lucent's SR OS firmware does not employ the Dual_EC algorithm, "the IP routing product lines - specifically 7450, 7710, 7750, 7950, 7210 and 7705 - are not vulnerable to this issue."
- Brocade: A spokeswoman says, "Brocade has seen none of the indicators discussed in Juniper's disclosure; however, as the security of our customers is of paramount importance, we have initiated a review based on the incident."
- Polycom: "This is not something we will comment on," a spokeswoman says.
And here's who I'm still waiting to hear back from:
- Blue Coat Systems
- Check Point Software Technologies
All networking vendors need to be taking a good, hard look at their code base and publicly reporting what they discover. I'll update this post as I hear back.
Update: Alcatel-Lucent response added (13-jan-2016); Brocade response added (18-jan-2016). Polycom respond added (19-jan-2016).