Cisco Issues Patch For Nexus Switches To Remove Hardcoded Credentials

itwbennett writes: Cisco Systems has released critical software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers access to a bash shell with root privileges, meaning that they can fully control the device. The account is created at installation time by the Cisco NX-OS software that runs on these switches and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory. The affected devices are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5) and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).

Re:So pretty much everyone, now.

[Sax+Russell+5449D29A]

Privilege escalation, unauthenticated remote commands to system daemons running with admin privileges... this is everyday life with the biggest IT shops out there.

What's even worse? They don't care! Countless times have I sent these big companies detailed bug/security reports only to find the exact same fucking "feature" in their systems a year later. The only way to make a difference is to stop giving them money, if even for a while. Then they usually come back to you and *might* listen.