Hardcoded Password Found in Cisco Software

Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

Pedantic nazi strikes!

[140Mandak262Jamuna]

Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

Emphasis mine.

Extenuating circumstances will reduce the amount of guilt. Here escalating local user privileges to root is not extenuating circumstances. Perhaps aggravating circumstances would fit this sentence better.

Yours Sincerely,

Friendly neighborhood pedantic nazi.

neverending story of good PR

[AlwinBarni]

Cisco says that an attacker could exploit this vulnerability ...

I like it - "could" is such a euphemism for a hard-coded password.

Decades ago people dreamed of flying to the stars in XXI century, and instead we have:
* cars with intelligent performance management, which cheat on emission tests and cause thousands premature deaths
* notebooks which intelligently improve user experience, by hijacking encrypted communication injecting ads and rendering all the security useless
* music discs, which (again) improve users experience helping them manage their collections by bypassing their system security to install malware in core of their OS
* brand CPUs, which are designed to be so fast, that they do not even bother to check who is accessing the data, and of course no-one should be worried since it affects "all" CPUs in existence
* and apps with hard-coded password, which could, just potentially could be considered a vulnerability
* not to mention the best business model ever, when one makes money by being lousy with guarding sensitive personal information and later gets payed to inform that the very data might not identify proper person, because it was stolen