Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials

itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).

Cisco can blame someone else...

[Andrew+Lindh]

Nuova Systems developed the Nexus switches (for cisco) and then Cisco bought the company. The Nexus 3000 is also listed as using more off-the-shelf merchant silicon. So maybe the just used the reference code that came with the cheaper chips? In the end it's still Cisco's responsibility to secure the systems they sell no matter where the stuff came from. This is not the first time cisco took over another company's work...

Nuova: http://www.networkworld.com/ar...
Nexus 3000: https://en.wikipedia.org/wiki/...
Acquisitions: https://en.wikipedia.org/wiki/...