Hardcoded Password Found in Cisco Software (bleepingcomputer.com)
Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.
Unfortunately, yes. I remember quite a few instances where I or the coworker at the next desk found a hard-coded password, an admin password in clear text in a world-readable file in a world-readable directory, an admin password passed on the command line to a process that runs for several minutes, or similar dumb shit. Across three different companies, the various development teams always had some dumb shit reason why playing loose with security is not a problem.
BT in the UK have a per-device preprogrammed serial number for admin access to routers - they have a sticker on the underside of the device with the admin password and the Wi-Fi password.
http://bt.custhelp.com/app/ans...
You can still change both though.
It's actually not a bad scheme at all - it means most people who don't care about this stuff will end up with a secure admin/Wi-Fi password, and if someone cracked the scheme, people who do care would still be able to change it.
And it's better than the usual router scheme of setting the password to something dumb like 'admin'. Most people won't change it which means they're vulnerable.
NB - Nothing in this comment should be taken to imply that BT are not an awful company to deal with most of the time, I just think the password scheme they use on routers is actually pretty sensible.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;