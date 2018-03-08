

 


Security

Hardcoded Password Found in Cisco Software (bleepingcomputer.com)

Posted by msmash from the security-woes dept.
Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.


  • Pedantic nazi strikes! (Score:4, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Thursday March 08, 2018 @09:17AM (#56226859) Journal

    Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

    Emphasis mine.

    Extenuating circumstances will reduce the amount of guilt. Here escalating local user privileges to root is not extenuating circumstances. Perhaps aggravating circumstances would fit this sentence better.

    Yours Sincerely,

    Friendly neighborhood pedantic nazi.

  • Hardcoded passwords (Score:4, Insightful)

    by execthts ( 5198257 ) on Thursday March 08, 2018 @09:22AM (#56226881)
    So in 2018 we're still seeing hardcoded passwords in enterprise products?

  • This only allows user level access to the system, not administrative access. So this isn't good, but it's not an open barn door either.

    In order to get root access using this method you are going to need some other exploit to elevate your privileges.

    Somebody got lazy. They will get this fixed.

  • Cisco says that an attacker could exploit this vulnerability ...

    I like it - "could" is such a euphemism for a hard-coded password.

    Decades ago people dreamed of flying to the stars in the XXI century, and instead we have:
    * cars with intelligent performance management, which cheat on emission tests and cause thousands of premature deaths
    * notebooks which intelligently improve the user experience by hijacking encrypted communication, injecting ads and rendering all the security useless
    * music discs, which (again) improve the users' experience by helping them manage their collections

    • The XXI century is only 18% complete. Give it time. In the meantime here's the glass half full version of your story:

      * cars which can almost drive themselves.
      * small thin slate devices which you can write on with pens, no need for some crappy notebook.
      * music on demand transmitted how you want to the device you want wirelessly
      * brand CPUs which are so fast that the computer performance no longer matters. We do things and they happen, and not even Microsoft can slow us down anymore.
      * an occasional vulnerability d

  • they admit it now because there's another way in, and it makes them look like the good guys. If you buy American network tech, the Americans will have a way in, and when the vulnerabilities become known, everyone will have a way in.

    Buy Ericsson or Nokia, they are safe and have no political allegiance or exist in a country where the government is acting like a terrorist organisation.

  • It's not like Cisco isn't already letting the CPC insert backdoors in firmware anyway.

  • CVEs are with us, get over it.
