Asking The Cisco Systems IPICS Expert: Questions 11-15
August 2nd, 2008 by shawnmer

“I don’t want no wait in vain for your love…” – Bob Marley
So here we are with the third installment of security questions for Cisco Systems’ IPICS Expert, questions 11-15. Astute readers (and pesky English majors) will notice that the title is not possessive concerning Cisco Systems’ — tsk, tsk, I had to do this so links in email readers would work and so the title would display correctly in various Web browsers. I suppose I could have gone the Dan York route and added Tiny-URL stuff…perhaps for another post. But, IMHO, Tiny-URLs are spooky — you never know where they’re going to take you.
So, it’s been a couple of weeks now and I’ve still not heard any answers from the IPICS Expert on either of the two previous posts: Asking The Cisco Systems IPICS Expert: Questions 1-5 and Asking The Cisco Systems IPICS Expert: Questions 6-10.
Further, the IPICS Expert email address (ipicsasktheexpert@cisco.com) still bounces…sigh. A little more promising, however, is that some nice people from the Naval Postgraduate School I’ve been chatting with forwarded my questions to three or four people in Cisco’s Tactical Operations group last week, so we’ll see what happens. I’m hoping that these new players can move this process forward. If not, at the very least these questions will be out there drifting through the series of tubes on the Interwebs, for whatever that’s worth.
Question 11:
With IPICS Server V1.X, the documentation states that the INFORMIX user password cannot be changed: “… do not change the informix password unless you are prompted to do so by the Cisco IPICS installation or upgrade procedure.” This seems to be a limitation, especially in organizations with password change policies (30/60/90 days, etc.). Has this issue been addressed in IPICS Server V2.0, or does changing the INFORMIX user password still render the database unusable?
Cisco Answer
Question 12:
Concerning the IPICS ability to limit the re-use of all IPICS Server users’ previous passwords (default is the previous 5), documentation on IPICS Server V2.X indicates that this password limitation does not apply to either the IPICSADMIN or IPICS user accounts. Not enforcing this policy across all user accounts on the IPICS Server, especially those which are arguably “superuser” accounts, seems quite odd. Please state the justification for this selective application of the password re-use limitation that excludes the superuser accounts.
Cisco Answer
Question 13:
Cisco Systems has a history of leaving undocumented hardcoded, “backdoor” and debugging accounts (username/passwords) in several products over the years. Can you please state here, without any question or uncertainty, that all versions of the IPICS Server do not contain any hardcoded, backdoor or debugging accounts that are undocumented?
Cisco Answer
Question 14:
IPICS Server V2.X documentation indicates that for the IPICSADMIN and IPICS accounts there is neither a threshold on the maximum number of invalid login attempts, nor a definable lockout period (e.g. 4 hours) after a specified number of invalid login attempts. Considering that these two accounts are “superuser” level and likely targets of remote brute-force login attempts by attackers, is there any active notification such as a pop-up alert, email/page alert, etc. to inform the IPICS Server administrator of such brute-force login attempts? It seems that the only way an IPICS Server administrator would know she is under a brute-force attack is to manually review attempted logins in the IPICS Server logs; is this correct?
Cisco Answer
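The manual log review described in Question 14 can be partly automated. As an added example that is not part of this post or of any Cisco product, the Python script below counts failed logins per account and source address over a sliding time window and raises an alert when the count reaches a threshold; the log line format, the sample lines, and the lowercase ipicsadmin/ipics account names as they appear in those lines are all assumptions, since the IPICS Server's real log format is not shown here.

```python
# Added example (not from the post): flag repeated failed logins against
# privileged accounts.  The log format below is ASSUMED and the sample
# lines are CONSTRUCTED; the real IPICS Server log format is not shown.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (format is an assumption, not IPICS's own).
SAMPLE_LOG = """\
2008-08-02 10:00:01 LOGIN FAIL user=ipicsadmin src=192.0.2.10
2008-08-02 10:00:03 LOGIN FAIL user=ipicsadmin src=192.0.2.10
2008-08-02 10:00:04 LOGIN OK   user=alice src=192.0.2.20
2008-08-02 10:00:05 LOGIN FAIL user=ipicsadmin src=192.0.2.10
2008-08-02 10:00:07 LOGIN FAIL user=ipicsadmin src=192.0.2.10
2008-08-02 10:30:00 LOGIN FAIL user=ipics src=192.0.2.30
2008-08-02 10:45:00 LOGIN FAIL user=ipics src=192.0.2.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def find_bruteforce(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {(user, src): time_of_first_alert} for every account/source
    pair that accumulates `threshold` failed logins inside `window`.
    A sliding window is used so that two failures hours apart (as with
    the 'ipics' lines above) do not count as an attack."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["src"])
        if m["result"] == "OK":
            recent[key].clear()   # a successful login resets the counter
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # discard failures older than the window
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts      # record when the threshold was crossed
    return alerts

if __name__ == "__main__":
    for (user, src), when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {when}: {user} from {src} reached the failure threshold")
```

In practice the alert would be fed to email, paging or a SIEM rather than printed, which is the active notification the question asks about.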
Question 15:
During security audits and testing, customers will often use the Nessus Security Scanner to determine the vulnerabilities, if any, of their system. A common issue with Nessus scans is “false positives” during checks. What false positives, if any, can a Cisco customer expect from a Nessus scan of the IPICS Server 2.X? Please include the various scan options (default, polite, sneaky, paranoid, etc.), plugin sets (default, registered, professional, etc.), and especially host-based scans. I suggest providing the nessus.rc files and NBE-format results as well to prove verification.
Cisco Answer
As with my previous ten (as yet unanswered) questions, I thank you and look forward to your answers.
Shawn Merdinger
Security Researcher
