Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardcoded Password Found in Cisco Software (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

30 of 52 comments (clear)

  1. Pedantic nazi strikes! by 140Mandak262Jamuna · · Score: 3, Informative

    Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

    Emphasis mine.

    Extenuating circumstances will reduce the amount of guilt. Here escalating local user privileges to root is not extenuating circumstances. Perhaps aggravating circumstances would fit this sentence better.

    Yours Sincerely,

    Friendly neighborhood pedantic nazi.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Pedantic nazi strikes! by MagicM · · Score: 2

      subscribe

  2. Hardcoded passwords by execthts · · Score: 4, Insightful

    So in 2018 we're still seeing hardcoded passwords in enterprise products?

    1. Re:Hardcoded passwords by Anonymous Coward · · Score: 2, Insightful

      Hardcoded passwords are insecure, but oh so convenient.
      Security is expensive, annoys users, and doesn't increase sales.
      Security will always be an afterthought.

    2. Re:Hardcoded passwords by Anonymous Coward · · Score: 1

      From Cisco, having read about them previously, I would think that one must expect hardcoded credentials and backdoors, and crappy software.

      Sort of like having knowing that one rely on 'AT&T as a company, but also knowing that NSA for some time now has had their own tapping station inside AT&T premises for NSA's convenience.

    3. Re: Hardcoded passwords by saloomy · · Score: 1

      No. Ashley Maddison found out this isn't true the hard way.

    4. Re: Hardcoded passwords by DontBeAMoran · · Score: 1

      Doesn't really matter for Ashley Maddison users though, they all want to find something hard.

      --
      #DeleteFacebook
    5. Re:Hardcoded passwords by postbigbang · · Score: 3, Insightful

      No one will fall on their sword.

      Not the coder.

      Not the team leader.

      Not QA.

      Not the development lead.

      Not the product manager.

      Not the code review staff.

      Have a nice day. Fast and loose means shareholder return.

      --
      ---- Teach Peace. It's Cheaper Than War.
    6. Re:Hardcoded passwords by gtall · · Score: 1

      It's Cisco, I don't really think the term "enterprise" applies to them...certainly not if they are capable of this level of obtuseness.

    7. Re:Hardcoded passwords by Anonymous Coward · · Score: 2, Interesting

      Unfortunately, yes. I remember quite a few instances where me or the coworker next desk found a hard coded password, an admin password in clear text in a world readable file in a world readable directory, an admin password passed on the command line to a process that runs for several minutes, or similar dumb shit. Across three different companies, the various development teams always some dumb shit reason why playing loose with security is not a problem.

    8. Re:Hardcoded passwords by scdeimos · · Score: 3

      Yes, this is 2018 and we're still seeing hardcoded passwords in Cisco products. How could anyone be surprised by this?

      These are just the first page of results for hardcoded passwords relating to Cisco software and appliances [CVE Cisco hardcoded password site:nvd.nist.gov] - according to Google there are over 300 of them. You'd think Cisco would have been burned enough on this already but I guess some companies never learn.

      Stay tuned for more exciting hardcoded password shenanigans from Cisco.

    9. Re: Hardcoded passwords by BronsCon · · Score: 1

      To be fair, the male users wanted to find something soft and probably wet.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    10. Re:Hardcoded passwords by sad_ · · Score: 1

      the real question should be:
      why do enterprises continue to buy these poor products? it puts them in danger and cisco has shown over and over that they don't learn.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
  3. Calm down folks, it's not that bad.... by bobbied · · Score: 1

    This only allows user level access to the system, not administrative access. So this isn't good, but it's not an open barn door either.

    In order to get root access using this method you are going to need some other exploit to elevate your privileges.

    Somebody got lazy.. They will get this fixed..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:Calm down folks, it's not that bad.... by 110010001000 · · Score: 3, Funny

      Yeah, good point. It isn't bad that an enterprise networking company left a hardcoded password in their products in 2018. Thanks for the reality check.

    2. Re:Calm down folks, it's not that bad.... by 110010001000 · · Score: 2

      You are right. Allowing unknown users into your enterprise network via a hardcoded backdoor isn't that bad. Thanks for putting my mind at ease!

    3. Re:Calm down folks, it's not that bad.... by 110010001000 · · Score: 1

      Yeah, you are right. Hard coded backdoors in enterprise software isn't a problem. I am just being pedantic and need to relax!

    4. Re:Calm down folks, it's not that bad.... by Khyber · · Score: 2

      It's not bad if the hardcoded password is UNIQUE TO EACH DEVICE.

      Of course, that introduces other logistical/support issues, but hardcoded passwords aren't a stupid idea if properly designed and implemented.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:Calm down folks, it's not that bad.... by Hal_Porter · · Score: 3, Interesting

      BT in the UK have a per device preprogrammed serial number for admin access to routers - they have a sticker on the underside of the device with the admin password and the Wifi password.

      http://bt.custhelp.com/app/ans...

      You can still change both though.

      It's actually not a bad scheme at all - it means most people who don't care about this stuff will end up with a secure admin/wifi password and if someone cracked the scheme people who do care would still be able to change it.

      And it's better than the usual router scheme of setting the password to something dumb like 'admin'. Most people won't change it which means they're vulnerable.

      NB - Nothing in this comment should be taken to imply that BT are not an awful company to deal with most of the time, I just think the password scheme they use on routers is actually pretty sensible.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    6. Re: Calm down folks, it's not that bad.... by Monster_user · · Score: 1

      It seems to be an industry standard for ISP routers in the USA at this point.

  4. Re:Another backdoor? by DontBeAMoran · · Score: 1

    If it's Dr. Alphonse Mephesto, the eccentric geneticist and stereotypical mad scientist from South Park, there's going to be four backdoors.

    --
    #DeleteFacebook
  5. neverending story of good PR by AlwinBarni · · Score: 2, Informative

    Cisco says that an attacker could exploit this vulnerability ...

    I like it - "could" is such a euphemism for a hard-coded password.

    Decades ago people dreamed of flying to the stars in XXI century, and instead we have:
    * cars with intelligent performance management, which cheat on emission tests and cause thousands premature deaths
    * notebooks which intelligently improve user experience, by hijacking encrypted communication injecting ads and rendering all the security useless
    * music discs, which (again) improve users experience helping them manage their collections by bypassing their system security to install malware in core of their OS
    * brand CPUs, which are designed to be so fast, that they do not even bother to check who is accessing the data, and of course no-one should be worried since it affects "all" CPUs in existence
    * and apps with hard-coded password, which could, just potentially could be considered a vulnerability
    * not to mention the best business model ever, when one makes money by being lousy with guarding sensitive personal information and later gets payed to inform that the very data might not identify proper person, because it was stolen

    1. Re:neverending story of good PR by thegarbz · · Score: 2

      The XXI century is only 18% complete. Give it time. In the meantime here's the glass half full version of your story:

      *cars which can almost drive themselves.
      *small thin slate devices which you can write on with pens, no need for some crappy notebook.
      *music on demand transmitted how you want to the device you want wirelessly
      *brand CPUs which are so fast that the computer performance no longer matters. We do things and they happen, and not even Microsoft can slow us down anymore.
      *an occasional vulnerability discovered and patched
      *and companies offer you a world of wealth free of charge in return for training their AIs to better serve you ever more useful apps that make your life easier based on your data.

      WHAT A TIME TO BE ALIVE!

      Technology is awesome. The world is great. It's just a shame it's ruined by a few killjoys that seem to spend their lives focusing on the few negatives while we live easier, longer, richer, and better than we ever have in the past and in a century where we're incredibly bloodly likely not only to achieve that dream of flying cars but potentially also colonise another planet or start offering space tourism given how we have made HUGE technological leaps in only the first 18%.

      Have a beer man and lighten up a bit. Life's good. You owe it to yourself. And if you destroy your liver in the process we can fix that shit too.

  6. Re:"Nobody got fired buying Cisco" by Hal_Porter · · Score: 1

    CIA/NSA have agents in all major vendor planting bugs in hardware and software.

    Nothing from the USA can be trusted

    As opposed to China I suppose?

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  7. Been saying it for a while, Cisco tech not safe by Anonymous Coward · · Score: 1

    they admit it now because there's another way in, and it makes them look like the good guys. If you buy American network tech, the Americans will have a way in, and when the vulnerabilities become known, everyone will have a way in.

    Buy Ericsson or Nokia, they are safe and have no political allegiance or exist in a country where the government is acting like a terrorist organisation.

  8. Re:"Nobody got fired buying Cisco" by Anonymous Coward · · Score: 1

    Well, it is pretty much the same, but that is whataboutism.
    The better solution is to not use hardware from either of them.
    If you absolutely have to you need to consider who is most likely to abuse their backdoor.
    Will CIA/NSA use it to hunt terrorism or for industrial espionage. (They have been known to pass on business information to benefit American companies before.)
    Will China use it for domestic or industrial espionage. (Both are common.)
    Are you a likely target for either of them?

  9. Old news by thunderclees · · Score: 1

    It's not like Cisco isn't already letting the CPC insert backdoors in firmware anyway.

  10. Slow news day by Virtucon · · Score: 1

    CVEs are with us, get over it.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  11. Re:This is why the NSA warns by AHuxley · · Score: 1

    The NSA might actually have to get back into crypto again rather than just expecting big brand hardware to be shipped with a password.
    Designed in the USA. NSA inside.

    --
    Domestic spying is now "Benign Information Gathering"
  12. Re:"Nobody got fired buying Cisco" by jbn-o · · Score: 1

    I agree with part of what you wrote: proprietary software organizations that have known NSA, CIA, etc. ties are certainly not to be trusted. But the reason they're not to be trusted has nothing to do with the country they call home. American proprietors, for instance, were not to be trusted regardless of any ties to mass surveillance. The linkage to mass surveillance is piling on; taking something that's already rejectable (proprietary software) and adding more reason to be suspicious. We have to treat all proprietary software as untrusted (regardless of who or where it comes from) precisely because we don't get the freedoms of free software (to run, inspect, share, and modify).

    Regarding "Nothing from the USA can be trusted": There are lots of American free software developers, and they're all helping us right along side every other free software developer. And as with any other free software, you don't need to trust the developer to trust free software: inspect the code (or get someone you trust to do this for you), make necessary changes, and run the code you trust. I also encourage you to help your community by publishing the improved code.

    Dismissing developers due to the country they come from or work in a way of saying you didn't think through how software freedom works.

    --
    Digital Citizen