The number of security vulnerabilities is rising. 2018 is another record year. There is a couple of theories why that is: Some say it is only more vulnerabilities being reported. Others are saying more money is being spent on finding vulnerabilities. What ever it is, it is a positive thing. Every vulnerability that is found can be fixed and not be used as a zero-day vulnerability.

Regardless of that, 2018 has been an especially bad year for Cisco. It feels like there has not been a day without a major security vulnerability in one of their products. There is a total of 16 CVE reports on Cisco's flagship firewall appliance in 2018.

My Personal Hitlist

There is plenty of Denial-of-Service attacks like CVE-2018-15454 that can be used to remotely shut down your company's network. There are vulnerabilities where an attacker can change system configuration without authentication (CVE-2018-15386, CVE-2018-0448) and hijack traffic. Most severe is the hard-coded backdoor - also known as a pre-configured user with a password only known to Cisco - until somebody else found out.

There is a full list about of all vulnerabilities available on Cisco's Website. Not how many there are in the last couple of days and how many of them are of "high" severity or "critical".

Cisco's Security Report

Unfortunately Cisco is not very transparent about these issues - a common thing with larger vendors. They list them, but usually without further detail. There is a Security Report that is published once a year but can only downloaded after giving your full name, email address, country and company you are working for. Signing up to marketing emails or even phone calls is the goal of this form.

I guess we can all imagine what the intent of the "sales representative" is after you have downloaded the report: Downplaying those security issues. The vast majority of sales people I have ever met never understood basic things about their technology.

They are selling phrases and those phrases are supposed to create a feeling about that there will be someone in the large company who knows what is right and buyers should just trust them.

This is not transparency what Cisco is trying to achieve here. They are collecting addresses of potential customers. This is creating deception about systemic issues with their products. It works very well on many decision makers.

The Quality of Their Security Vulnerabilities

This all is only exceptionally bad because the number of reported vulnerabilities, but also the quality of them. Loads of them were very easily exploitable and the consequences especially severe.

Most surprising is, that loads of them are so simple that they must have been found. I cannot imagine that any code that has been audited still has those remote code execution issues in them because they should be obvious - at least to a trained eye.

One could come to the conclusion that they are not performing any internal audits at all.

Of course an external party cannot audit their code because they do not Open Source it.

Entirely unacceptable is that there are hardcoded credentials in some products. A reason to fail any audit.

There is absolutely no excuse for this.

They are called backdoors and why would somebody put those in there without ever intending to use them? Development never needs any experimental access without authentication; penetration testing never needs them. There is no legitimate reason for a backdoor except unauthorised access to systems deployed in production.

Imagine that those logins are in the wrong hands - which they probably will be. Are you comfortable with anybody else "administering" your routers? Seeing all traffic? Keeping a copy of it? Redirecting parts or all of it? I certainly wouldn't.

A firewall is very sensitive system in a network because there are not that many packets that are not going through it. A jackpot for an intruder.

Luckily, those products are certified

How these products ever pass those certifications that they have is a miracle to me. IPFire does not have any certifications because they are usually more non-sense as these cases here clearly show. Some also require you to not change the code again or you will lose the certification. IPFire is changed every day. We develop, the improve and we fix problems. All that won't be possible then.

IPFire is of course not free from any security vulnerabilities. Those that we have had were of a totally different quality though. They allowed executing of shell commands as an unprivileged user after authentication to the web user interface. This is quite a hurdle for an attacker and makes it very hard to exploit. At no time, there was any chance to take over the whole system or to gain root access to the whole system over the network.

Although IPFire might not have all the enterprise features, you might not even need them. It at least does those things that it can do very well and what it can't do you will be added because we have an active development team whose focus is on security. It is not on marketing. It is not about adding feature after feature at any price. We double-check every change that goes into the code. We share it with you because we do everything in the open. There is nothing to hide.

In my humble opinion...

According to general security guidelines of this project, Cisco has entirely disqualified itself as a vendor of critical infrastructure. There seem to be too many problems in the release process of their software and decisions have been made for which I can see no excuse. They are not advantaging their users.

They charge a lot of money for their products that are clearly lacking basic quality assurance and miss most basic expectations from the customers.

Ask yourself the question if it is worth it paying thousands of dollars to a company that is risking the security of your company?