Hardcoded Password Found in Cisco Software (bleepingcomputer.com)
Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.
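A defender-side illustration of the chain the summary describes (an SSH password login to a low-privileged service account, followed by escalation to root), added here as an example and not taken from the report or from Cisco: it correlates constructed sshd and sudo entries from a Linux auth log. The service-account name `pcpsvc`, the host name, the year and the 10-minute window are assumptions; the page does not name the real account.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not from any real system. "pcpsvc" is a placeholder
# service-account name; the page does not state the real one.
SAMPLE_AUTH_LOG = """\
Mar  8 10:01:02 pcp sshd[2210]: Accepted password for pcpsvc from 127.0.0.1 port 51234 ssh2
Mar  8 10:03:40 pcp sudo:   pcpsvc : TTY=pts/1 ; PWD=/home/pcpsvc ; USER=root ; COMMAND=/bin/bash
Mar  8 11:15:00 pcp sshd[3300]: Accepted publickey for admin from 10.0.0.5 port 40000 ssh2
Mar  8 11:16:10 pcp sudo:    admin : TTY=pts/2 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl
"""

SERVICE_ACCOUNTS = {"pcpsvc"}            # accounts that should never log in interactively (assumed)
ESCALATION_WINDOW = timedelta(minutes=10)  # login-to-root window worth alerting on (assumed)

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[\w-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
SSH_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=root ;.*COMMAND=(?P<cmd>\S+)")

def parse(line):
    """Split a syslog-style auth line into (timestamp, process, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; 2018 is assumed so that deltas can be computed
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2018)
    return ts, m["proc"], m["msg"]

def analyse(log_text):
    """Return (severity, description) findings: password SSH logins to service
    accounts, and a root escalation by such an account shortly after its login."""
    findings, recent_logins = [], {}      # user -> (login time, source address)
    for raw in log_text.splitlines():
        parsed = parse(raw)
        if not parsed:
            continue
        ts, proc, msg = parsed
        if proc == "sshd" and (m := SSH_RE.search(msg)):
            user, method, src = m["user"], m["method"], m["src"]
            recent_logins[user] = (ts, src)
            if user in SERVICE_ACCOUNTS and method == "password":
                findings.append(("high", f"{ts:%H:%M:%S} password SSH login to service account {user} from {src}"))
        elif proc == "sudo" and (m := SUDO_RE.match(msg)):
            user, login = m["user"], recent_logins.get(m["user"])
            if user in SERVICE_ACCOUNTS and login and ts - login[0] <= ESCALATION_WINDOW:
                delay = int((ts - login[0]).total_seconds())
                findings.append(("critical", f"{ts:%H:%M:%S} {user} escalated to root ({m['cmd']}) {delay}s after SSH login from {login[1]}"))
    return findings

if __name__ == "__main__":
    for severity, text in analyse(SAMPLE_AUTH_LOG):
        print(f"[{severity}] {text}")
```

On a host where the service account is only ever used by the application itself, the first rule alone is a strong signal; the second rule is what turns a medium-looking low-privilege login into the critical finding the advisory rates it as.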
Pedantic nazi strikes! (Score:4, Informative)
Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.
Emphasis mine.
Extenuating circumstances will reduce the amount of guilt. Here escalating local user privileges to root is not extenuating circumstances. Perhaps aggravating circumstances would fit this sentence better.
Yours Sincerely,
Friendly neighborhood pedantic nazi.
Re: (Score:2)
subscribe
Hardcoded passwords (Score:4, Insightful)
Re: (Score:2, Insightful)
Hardcoded passwords are insecure, but oh so convenient.
Security is expensive, annoys users, and doesn't increase sales.
Security will always be an afterthought.
Re: Hardcoded passwords (Score:2)
No. Ashley Madison found out this isn't true the hard way.
Re: (Score:2)
Doesn't really matter for Ashley Madison users though, they all want to find something hard.
Re: (Score:2)
Re: (Score:1)
From Cisco, having read about them previously, I would think that one must expect hardcoded credentials and backdoors, and crappy software.
Sort of like knowing that one relies on AT&T as a company, but also knowing that the NSA has for some time now had its own tapping station inside AT&T premises for the NSA's convenience.
Re:Hardcoded passwords (Score:4, Insightful)
No one will fall on their sword.
Not the coder.
Not the team leader.
Not QA.
Not the development lead.
Not the product manager.
Not the code review staff.
Have a nice day. Fast and loose means shareholder return.
Re: (Score:2)
CIA/NSA have agents in all major vendors planting bugs in hardware and software.
Nothing from the USA can be trusted.
As opposed to China I suppose?
Re: (Score:1)
Well, it is pretty much the same, but that is whataboutism.
The better solution is to not use hardware from either of them.
If you absolutely have to you need to consider who is most likely to abuse their backdoor.
Will CIA/NSA use it to hunt terrorism or for industrial espionage? (They have been known to pass on business information to benefit American companies before.)
Will China use it for domestic or industrial espionage? (Both are common.)
Are you a likely target for either of them?
Re: (Score:2)
I agree with part of what you wrote: proprietary software organizations that have known NSA, CIA, etc. ties are certainly not to be trusted. But the reason they're not to be trusted has nothing to do with the country they call home. American proprietors, for instance, were not to be trusted regardless of any ties to mass surveillance. The linkage to mass surveillance is piling on; taking something that's already rejectable (proprietary software) and adding more reason to be suspicious. We have to treat all
Re: (Score:2)
It's Cisco, I don't really think the term "enterprise" applies to them...certainly not if they are capable of this level of obtuseness.
Re: (Score:2, Interesting)
Unfortunately, yes. I remember quite a few instances where I or the coworker at the next desk found a hard coded password, an admin password in clear text in a world readable file in a world readable directory, an admin password passed on the command line to a process that runs for several minutes, or similar dumb shit. Across three different companies, the various development teams always had some dumb shit reason why playing loose with security is not a problem.
Re:Hardcoded passwords (Score:4)
Yes, this is 2018 and we're still seeing hardcoded passwords in Cisco products. How could anyone be surprised by this?
This is just the first page of results for hardcoded passwords relating to Cisco software and appliances [CVE Cisco hardcoded password site:nvd.nist.gov] - according to Google there are over 300 of them. You'd think Cisco would have been burned enough on this already but I guess some companies never learn.
Stay tuned for more exciting hardcoded password shenanigans from Cisco.
Re: (Score:2)
The real question should be:
Why do enterprises continue to buy these poor products? It puts them in danger and Cisco has shown over and over that they don't learn.
Re: (Score:2)
If it's Dr. Alphonse Mephesto, the eccentric geneticist and stereotypical mad scientist from South Park, there's going to be four backdoors.
Calm down folks, it's not that bad.... (Score:2)
This only allows user level access to the system, not administrative access. So this isn't good, but it's not an open barn door either.
In order to get root access using this method you are going to need some other exploit to elevate your privileges.
Somebody got lazy.. They will get this fixed..
Re:Calm down folks, it's not that bad.... (Score:4, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
It's not bad if the hardcoded password is UNIQUE TO EACH DEVICE.
Of course, that introduces other logistical/support issues, but hardcoded passwords aren't a stupid idea if properly designed and implemented.
Re:Calm down folks, it's not that bad.... (Score:4, Interesting)
BT in the UK have a per device preprogrammed serial number for admin access to routers - they have a sticker on the underside of the device with the admin password and the Wifi password.
http://bt.custhelp.com/app/ans... [custhelp.com]
You can still change both though.
It's actually not a bad scheme at all - it means most people who don't care about this stuff will end up with a secure admin/wifi password, and if someone cracked the scheme, people who do care would still be able to change it.
And it's better than the usual router scheme of setting the password to something dumb like 'admin'. Most people won't change it which means they're vulnerable.
NB - Nothing in this comment should be taken to imply that BT are not an awful company to deal with most of the time, I just think the password scheme they use on routers is actually pretty sensible.
Re: Calm down folks, it's not that bad.... (Score:2)
neverending story of good PR (Score:2, Informative)
Cisco says that an attacker could exploit this vulnerability ...
I like it - "could" is such a euphemism for a hard-coded password.
Decades ago people dreamed of flying to the stars in XXI century, and instead we have:
* cars with intelligent performance management, which cheat on emission tests and cause thousands of premature deaths
* notebooks which intelligently improve the user experience by hijacking encrypted communication, injecting ads and rendering all the security useless
* music discs, which (again) improve users' experience by helping them manage their collections
Re: (Score:3)
The XXI century is only 18% complete. Give it time. In the meantime here's the glass half full version of your story:
* cars which can almost drive themselves.
* small thin slate devices which you can write on with pens, no need for some crappy notebook.
* music on demand transmitted how you want to the device you want wirelessly
* brand CPUs which are so fast that the computer performance no longer matters. We do things and they happen, and not even Microsoft can slow us down anymore.
*an occasional vulnerability d
Re: (Score:2)
Designed in the USA. NSA inside.
Been saying it for a while, Cisco tech not safe (Score:1)
They admit it now because there's another way in, and it makes them look like the good guys. If you buy American network tech, the Americans will have a way in, and when the vulnerabilities become known, everyone will have a way in.
Buy Ericsson or Nokia; they are safe and have no political allegiance, nor do they exist in a country where the government is acting like a terrorist organisation.
Old news (Score:1)
Slow news day (Score:2)
CVEs are with us, get over it.