Slashdot Mirror


Hardcoded Password Found in Cisco Software (bleepingcomputer.com)

Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

52 comments

  1. Pedantic nazi strikes! by 140Mandak262Jamuna · · Score: 3, Informative

    Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

    Emphasis mine.

    Extenuating circumstances will reduce the amount of guilt. Here, escalating local user privileges to root is not an extenuating circumstance. Perhaps "aggravating circumstances" would fit this sentence better.

    Yours Sincerely,

    Friendly neighborhood pedantic nazi.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Pedantic nazi strikes! by MagicM · · Score: 2

      subscribe

    2. Re:Pedantic nazi strikes! by Anonymous Coward · · Score: 0

      Thank you for teaching me I'd been using the word wrong all my life!

    3. Re: Pedantic nazi strikes! by Anonymous Coward · · Score: 0

      Thanks for making my day :)

    4. Re: Pedantic nazi strikes! by Anonymous Coward · · Score: 0

      And thank you for making mine :)

  2. Just in case by Anonymous Coward · · Score: 0

    they forget it. Don't have a cow, man! This is not a Stormy Daniels lawsuit!

    1. Re:Just in case by Anonymous Coward · · Score: 0

      +1

  3. Hardcoded passwords by execthts · · Score: 4, Insightful

    So in 2018 we're still seeing hardcoded passwords in enterprise products?

    1. Re:Hardcoded passwords by Anonymous Coward · · Score: 2, Insightful

      Hardcoded passwords are insecure, but oh so convenient.
      Security is expensive, annoys users, and doesn't increase sales.
      Security will always be an afterthought.

    2. Re:Hardcoded passwords by Anonymous Coward · · Score: 1

      From Cisco, having read about them previously, I would think that one must expect hardcoded credentials and backdoors, and crappy software.

      Sort of like knowing that one relies on AT&T as a company, but also knowing that the NSA has for some time now had its own tapping station inside AT&T premises for the NSA's convenience.

    3. Re: Hardcoded passwords by saloomy · · Score: 1

      No. Ashley Madison found out this isn't true the hard way.

    4. Re: Hardcoded passwords by DontBeAMoran · · Score: 1

      Doesn't really matter for Ashley Madison users though, they all want to find something hard.

      --
      #DeleteFacebook
    5. Re:Hardcoded passwords by postbigbang · · Score: 3, Insightful

      No one will fall on their sword.

      Not the coder.

      Not the team leader.

      Not QA.

      Not the development lead.

      Not the product manager.

      Not the code review staff.

      Have a nice day. Fast and loose means shareholder return.

      --
      ---- Teach Peace. It's Cheaper Than War.
    6. Re:Hardcoded passwords by gtall · · Score: 1

      It's Cisco, I don't really think the term "enterprise" applies to them...certainly not if they are capable of this level of obtuseness.

    7. Re:Hardcoded passwords by Anonymous Coward · · Score: 2, Interesting

      Unfortunately, yes. I remember quite a few instances where I or the coworker at the next desk found a hard coded password, an admin password in clear text in a world readable file in a world readable directory, an admin password passed on the command line to a process that runs for several minutes, or similar dumb shit. Across three different companies, the various development teams always had some dumb shit reason why playing loose with security is not a problem.

    8. Re:Hardcoded passwords by Anonymous Coward · · Score: 0

      You should ask that to Intel (and AMD etc as well).

    9. Re:Hardcoded passwords by scdeimos · · Score: 3
    10. Re: Hardcoded passwords by BronsCon · · Score: 1

      To be fair, the male users wanted to find something soft and probably wet.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:Hardcoded passwords by sad_ · · Score: 1

      The real question should be:
      Why do enterprises continue to buy these poor products? It puts them in danger, and Cisco has shown over and over that they don't learn.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
  4. I believe by Anonymous Coward · · Score: 0

    In the power of love and the power it has to influence the future generations.

    I believe in the strength of life and the light of technology.

    I support, for one, the endless waves of Makers and Deep Somethings washing me of my innumerable sins and those of my forefathers.

    Je suis silicon.

    ~Jean Claude

  5. Another backdoor? by Anonymous Coward · · Score: 0

    How many did you put in there?

    1. Re:Another backdoor? by DontBeAMoran · · Score: 1

      If it's Dr. Alphonse Mephesto, the eccentric geneticist and stereotypical mad scientist from South Park, there's going to be four backdoors.

      --
      #DeleteFacebook
  6. Calm down folks, it's not that bad.... by bobbied · · Score: 1

    This only allows user level access to the system, not administrative access. So this isn't good, but it's not an open barn door either.

    In order to get root access using this method you are going to need some other exploit to elevate your privileges.

    Somebody got lazy. They will get this fixed.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:Calm down folks, it's not that bad.... by 110010001000 · · Score: 3, Funny

      Yeah, good point. It isn't bad that an enterprise networking company left a hardcoded password in their products in 2018. Thanks for the reality check.

    2. Re:Calm down folks, it's not that bad.... by Anonymous Coward · · Score: 0

      I think the point is that this particular flaw isn't that bad. What it reveals about their QA process, assuming that this account probably was meant to be removed before the software went live, is indeed quite troubling.

    3. Re:Calm down folks, it's not that bad.... by 110010001000 · · Score: 2

      You are right. Allowing unknown users into your enterprise network via a hardcoded backdoor isn't that bad. Thanks for putting my mind at ease!

    4. Re:Calm down folks, it's not that bad.... by Anonymous Coward · · Score: 0

      Sigh... You know, I was 100% behind you during your most recent Intel/AMD meltdown, even when everyone was mocking your bullshit. But now I see you really are just a pedantic asshole. You know what's being said; you just want to fight. Get a hobby, man.

    5. Re:Calm down folks, it's not that bad.... by 110010001000 · · Score: 1

      Yeah, you are right. Hard coded backdoors in enterprise software isn't a problem. I am just being pedantic and need to relax!

    6. Re:Calm down folks, it's not that bad.... by Anonymous Coward · · Score: 0

      You just don't understand enterprise networking.

      We're flying around the universe at Warp Factor 9 under the wise and benevolent leadership of Captain Picard and you're still dodging rape gangs on Turkana IV

      Engage!

    7. Re:Calm down folks, it's not that bad.... by Anonymous Coward · · Score: 0

      To get that additional user elevation exploit, you need to read the TLA manual to gain root credentials for CISCO systems.
      It was posted there; this is the modern layered approach, where discovering just a single bug won't divulge the full root exploit.

    8. Re:Calm down folks, it's not that bad.... by Khyber · · Score: 2

      It's not bad if the hardcoded password is UNIQUE TO EACH DEVICE.

      Of course, that introduces other logistical/support issues, but hardcoded passwords aren't a stupid idea if properly designed and implemented.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    9. Re:Calm down folks, it's not that bad.... by Hal_Porter · · Score: 3, Interesting

      BT in the UK have a per device preprogrammed serial number for admin access to routers - they have a sticker on the underside of the device with the admin password and the Wifi password.

      http://bt.custhelp.com/app/ans...

      You can still change both though.

      It's actually not a bad scheme at all - it means most people who don't care about this stuff will end up with a secure admin/wifi password and if someone cracked the scheme people who do care would still be able to change it.

      And it's better than the usual router scheme of setting the password to something dumb like 'admin'. Most people won't change it which means they're vulnerable.

      NB - Nothing in this comment should be taken to imply that BT are not an awful company to deal with most of the time, I just think the password scheme they use on routers is actually pretty sensible.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
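      The two comments above (Khyber's "unique to each device" and this one on the BT sticker scheme) describe the same design point: a factory-set credential is only acceptable when it is independent per device and the user can replace it. The following added example is not from the thread, from Cisco or from BT; it is a constructed model of a provisioning step. The `DeviceFirmwareImage` class, the serial numbers and the `weak_derived_password` anti-pattern are all hypothetical, included to contrast a truly random per-device password (no shortcut if one device's password leaks) with a password derived from public data plus one vendor-wide constant (the "someone cracked the scheme" failure the comment mentions).

```python
"""Per-device credential provisioning: random secret per unit, only a hash on the device.

Constructed example; DeviceFirmwareImage and the serial numbers are hypothetical.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # printable enough for a sticker
PASSWORD_LEN = 12                                # 62^12, roughly 71 bits of entropy
PBKDF2_ITERATIONS = 100_000


def generate_device_password():
    """Factory-side: a fresh random password that has no relation to the serial number."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; this record is what gets flashed onto the device."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Constant-time comparison of the candidate against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class DeviceFirmwareImage:
    """Hypothetical stand-in for the admin-login logic shipped on a router."""

    def __init__(self, serial, admin_record):
        self.serial = serial
        self.admin_record = admin_record   # hash only; the plaintext lives on the sticker

    def login(self, candidate):
        return verify_password(self.admin_record, candidate)

    def change_password(self, old, new):
        """The user can always replace the factory password (the BT scheme allows this)."""
        if not self.login(old):
            return False
        self.admin_record = hash_password(new)
        return True


def provision(serial):
    """Factory step: returns the device image and the plaintext to print on the sticker."""
    password = generate_device_password()
    return DeviceFirmwareImage(serial, hash_password(password)), password


def weak_derived_password(serial, vendor_constant="VENDOR-WIDE-CONSTANT"):
    """Anti-pattern (constructed): unique per device on paper, but once the vendor-wide
    constant is known every unit's password follows from its public serial number."""
    return hashlib.sha256((vendor_constant + serial).encode()).hexdigest()[:PASSWORD_LEN]


if __name__ == "__main__":
    dev_a, sticker_a = provision("SN-0001")
    dev_b, sticker_b = provision("SN-0002")
    print("device A accepts its own sticker:", dev_a.login(sticker_a))
    print("device B rejects A's sticker:   ", not dev_b.login(sticker_a))
    print("derived scheme is reproducible: ",
          weak_derived_password("SN-0001") == weak_derived_password("SN-0001"))
```

      The property that makes the random scheme sensible is visible in `provision`: nothing about `SN-0001` lets anyone recompute that unit's password, so a leaked sticker compromises one device, whereas `weak_derived_password` turns one leaked constant into every device's password.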
    10. Re:Calm down folks, it's not that bad.... by Anonymous Coward · · Score: 0

      Hard coded backdoors in enterprise software isn't a problem.

      You're literally the only person who has said this. Given your proclivity for repeating it, one might be forgiven for assuming you actually believe it.

    11. Re: Calm down folks, it's not that bad.... by Monster_user · · Score: 1

      It seems to be an industry standard for ISP routers in the USA at this point.

  7. neverending story of good PR by AlwinBarni · · Score: 2, Informative

    Cisco says that an attacker could exploit this vulnerability ...

    I like it - "could" is such a euphemism for a hard-coded password.

    Decades ago people dreamed of flying to the stars in the XXI century, and instead we have:
    * cars with intelligent performance management, which cheat on emission tests and cause thousands of premature deaths
    * notebooks which intelligently improve user experience, by hijacking encrypted communication, injecting ads and rendering all the security useless
    * music discs, which (again) improve users' experience, helping them manage their collections by bypassing their system security to install malware in the core of their OS
    * brand CPUs, which are designed to be so fast that they do not even bother to check who is accessing the data, and of course no-one should be worried since it affects "all" CPUs in existence
    * and apps with hard-coded passwords, which could, just potentially could, be considered a vulnerability
    * not to mention the best business model ever, when one makes money by being lousy with guarding sensitive personal information and later gets paid to inform that the very data might not identify the proper person, because it was stolen

    1. Re:neverending story of good PR by thegarbz · · Score: 2

      The XXI century is only 18% complete. Give it time. In the meantime here's the glass half full version of your story:

      * cars which can almost drive themselves.
      * small thin slate devices which you can write on with pens, no need for some crappy notebook.
      * music on demand transmitted how you want to the device you want wirelessly
      * brand CPUs which are so fast that the computer performance no longer matters. We do things and they happen, and not even Microsoft can slow us down anymore.
      * an occasional vulnerability discovered and patched
      * and companies offer you a world of wealth free of charge in return for training their AIs to better serve you ever more useful apps that make your life easier based on your data.

      WHAT A TIME TO BE ALIVE!

      Technology is awesome. The world is great. It's just a shame it's ruined by a few killjoys that seem to spend their lives focusing on the few negatives while we live easier, longer, richer, and better than we ever have in the past, and in a century where we're incredibly bloody likely not only to achieve that dream of flying cars but potentially also colonise another planet or start offering space tourism, given how we have made HUGE technological leaps in only the first 18%.

      Have a beer man and lighten up a bit. Life's good. You owe it to yourself. And if you destroy your liver in the process we can fix that shit too.

  8. "Nobody got fired buying Cisco" by Anonymous Coward · · Score: 0

    No longer true now that we know Cisco is just another NSA department.

    CIA/NSA have agents in all major vendors planting bugs in hardware and software.

    Nothing from the USA can be trusted.

    1. Re:"Nobody got fired buying Cisco" by Hal_Porter · · Score: 1

      CIA/NSA have agents in all major vendors planting bugs in hardware and software.

      Nothing from the USA can be trusted.

      As opposed to China I suppose?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:"Nobody got fired buying Cisco" by Anonymous Coward · · Score: 1

      Well, it is pretty much the same, but that is whataboutism.
      The better solution is to not use hardware from either of them.
      If you absolutely have to you need to consider who is most likely to abuse their backdoor.
      Will CIA/NSA use it to hunt terrorism or for industrial espionage? (They have been known to pass on business information to benefit American companies before.)
      Will China use it for domestic or industrial espionage? (Both are common.)
      Are you a likely target for either of them?

    3. Re:"Nobody got fired buying Cisco" by jbn-o · · Score: 1

      I agree with part of what you wrote: proprietary software organizations that have known NSA, CIA, etc. ties are certainly not to be trusted. But the reason they're not to be trusted has nothing to do with the country they call home. American proprietors, for instance, were not to be trusted regardless of any ties to mass surveillance. The linkage to mass surveillance is piling on; taking something that's already rejectable (proprietary software) and adding more reason to be suspicious. We have to treat all proprietary software as untrusted (regardless of who or where it comes from) precisely because we don't get the freedoms of free software (to run, inspect, share, and modify).

      Regarding "Nothing from the USA can be trusted": There are lots of American free software developers, and they're all helping us right along side every other free software developer. And as with any other free software, you don't need to trust the developer to trust free software: inspect the code (or get someone you trust to do this for you), make necessary changes, and run the code you trust. I also encourage you to help your community by publishing the improved code.

      Dismissing developers due to the country they come from or work in is a way of saying you didn't think through how software freedom works.

  9. why? by Anonymous Coward · · Score: 0

    Why is this still happening?

    1. Re:why? by Anonymous Coward · · Score: 0

      Management vlans not only protect your equipment from your users, it protects your users from your equipment. :)

  10. This is why the NSA warns by Anonymous Coward · · Score: 0

    You see...the three letter brigade has been implementing these things in every network vendor's products for years. That's why they are so adamant about companies not using Huawei equipment in their enterprise environment. How can the NSA monitor your activities if you are using equipment that doesn't have their backdoor installed. That has now extended to their consumer offerings. Ask yourself this question...if a phone from a Chinese OEM is that dangerous why aren't they going after Motorola? They moved manufacture of the devices to China after Lenovo purchased them.

    1. Re:This is why the NSA warns by AHuxley · · Score: 1

      The NSA might actually have to get back into crypto again rather than just expecting big brand hardware to be shipped with a password.
      Designed in the USA. NSA inside.

      --
      Domestic spying is now "Benign Information Gathering"
  11. Hard coded password made by Cisco ? by Anonymous Coward · · Score: 0

    ARE you fucking kidding me??
    Cisco is turning Chinese or what !?

  12. Been saying it for a while, Cisco tech not safe by Anonymous Coward · · Score: 1

    They admit it now because there's another way in, and it makes them look like the good guys. If you buy American network tech, the Americans will have a way in, and when the vulnerabilities become known, everyone will have a way in.

    Buy Ericsson or Nokia; they are safe and have no political allegiance, nor do they exist in a country where the government is acting like a terrorist organisation.

  13. Old news by thunderclees · · Score: 1

    It's not like Cisco isn't already letting the CPC insert backdoors in firmware anyway.

  14. Slow news day by Virtucon · · Score: 1

    CVEs are with us, get over it.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  15. Via SSH but only "local attackers"??? by Anonymous Coward · · Score: 0

    "...an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers..."

    Eh?!?!?

  16. backdoor by Anonymous Coward · · Score: 0

    "Hardcoded password"? Just another word for backdoor!

  17. ssh_config by Anonymous Coward · · Score: 0

    Who allows password login on SSH in 2018? Why? (i.e. why trust any vendors)

    PermitRootLogin no
    PasswordAuthentication no
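    The two lines above are the setting the comment recommends, but whether they are actually in force depends on how sshd reads its config: the first value of a keyword wins, a later `Match` block can re-enable password prompts for some clients, and `KbdInteractiveAuthentication` (older spelling `ChallengeResponseAuthentication`) can still let PAM ask for a password when `PasswordAuthentication` is `no`. The following added example is not from the thread or from OpenSSH; it is a small audit script with constructed sample configs. The keyword names are real sshd_config keywords; the defaults encoded in `DEFAULTS` are the OpenSSH 7.0+ compiled-in defaults as I know them, and the address in the `Match` sample is a documentation range, not a real network.

```python
"""Audit sshd_config text for password-login settings. Constructed samples below."""
import re

# sshd keeps the FIRST value it sees for a keyword; later duplicates are ignored.
# Defaults are OpenSSH's compiled-in defaults (7.0 and later), an assumption of this example.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Legacy spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
KEYWORD_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercase keyword -> first value seen before any Match line;
    match_blocks is a list of (match criteria, dict) for conditionally applied settings.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins, as in sshd
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means password logins are off everywhere."""
    settings, matches = parse_sshd_config(text)
    effective = {k: settings.get(k, default).lower() for k, default in DEFAULTS.items()}
    findings = []
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in directly, including by password")
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: any account with a known password can log in")
    if effective["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes: PAM can still prompt for a password")
    for criteria, block in matches:
        for key in DEFAULTS:
            if block.get(key, "").lower() == "yes":
                findings.append(f"Match {criteria}: {key} re-enabled for matching connections")
    return findings


# Constructed samples, not taken from any real host.
SAMPLE_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

SAMPLE_HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
# the next line is ignored by sshd because the first value wins
PasswordAuthentication yes
"""

SAMPLE_MATCH_OVERRIDE = """
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED),
                         ("match-override", SAMPLE_MATCH_OVERRIDE)):
        print(name, audit_sshd_config(sample) or ["ok"])
```

    Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; the check that most often surprises people is the third one, since `PasswordAuthentication no` alone does not stop a keyboard-interactive password prompt when `UsePAM yes` is set.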