Hardcoded Password Found in Cisco Software (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Hardcoded Password Found in Cisco Software (bleepingcomputer.com)

Posted by msmash on Thursday March 8, 2018 @02:05AM from the security-woes dept.

Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system. From a report: The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password. The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical." Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

13 of 52 comments (clear)

Min score:

Reason:

Sort:

Pedantic nazi strikes! by 140Mandak262Jamuna · 2018-03-08 02:17 · Score: 3, Informative

Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.
Emphasis mine.
Extenuating circumstances will reduce the amount of guilt. Here escalating local user privileges to root is not extenuating circumstances. Perhaps aggravating circumstances would fit this sentence better.
Yours Sincerely,
Friendly neighborhood pedantic nazi.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:Pedantic nazi strikes! by MagicM · 2018-03-08 02:53 · Score: 2
  
  subscribe
Hardcoded passwords by execthts · 2018-03-08 02:22 · Score: 4, Insightful

So in 2018 we're still seeing hardcoded passwords in enterprise products?
1. Re:Hardcoded passwords by Anonymous Coward · 2018-03-08 02:43 · Score: 2, Insightful
  
  Hardcoded passwords are insecure, but oh so convenient.
  Security is expensive, annoys users, and doesn't increase sales.
  Security will always be an afterthought.
2. Re:Hardcoded passwords by postbigbang · 2018-03-08 03:13 · Score: 3, Insightful
  
  No one will fall on their sword.
  Not the coder.
  Not the team leader.
  Not QA.
  Not the development lead.
  Not the product manager.
  Not the code review staff.
  Have a nice day. Fast and loose means shareholder return.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
3. Re:Hardcoded passwords by Anonymous Coward · 2018-03-08 06:08 · Score: 2, Interesting
  
  Unfortunately, yes. I remember quite a few instances where me or the coworker next desk found a hard coded password, an admin password in clear text in a world readable file in a world readable directory, an admin password passed on the command line to a process that runs for several minutes, or similar dumb shit. Across three different companies, the various development teams always some dumb shit reason why playing loose with security is not a problem.
4. Re:Hardcoded passwords by scdeimos · 2018-03-08 09:40 · Score: 3
  Yes, this is 2018 and we're still seeing hardcoded passwords in Cisco products. How could anyone be surprised by this?
  
  CVE-2004-0391 Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password
  CVE-2006-3286 Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(63) stores a hard-coded username and password in plaintext within unspecified files
  CVE-2007-2032 Cisco Wireless Control System (WCS) before 4.0.96.0 has a hard-coded FTP username and password
  CVE-2012-4088 Cisco Unified Computing System (UCS) has a hardcoded password
  CVE-2015-4196 Cisco Unified Communications Domain Manager (CDM) 8.x has a hardcoded password
  CVE-2015-6316 Cisco Mobility Services Engine (MSE) through 8.0.120.7 allows logins with hardcoded password
  CVE-2016-1394 Cisco Firepower System Software 6.0.0 through 6.1.0 has a hardcoded account
  CVE-2017-6626 Cisco Finesse Notification Service for Cisco Unified Contact Center Enterprise (UCCE) 11.5(1) and 11.6(1) have a hardcoded password
  These are just the first page of results for hardcoded passwords relating to Cisco software and appliances [CVE Cisco hardcoded password site:nvd.nist.gov] - according to Google there are over 300 of them. You'd think Cisco would have been burned enough on this already but I guess some companies never learn.
  Stay tuned for more exciting hardcoded password shenanigans from Cisco.
Re:Calm down folks, it's not that bad.... by 110010001000 · 2018-03-08 03:08 · Score: 3, Funny

Yeah, good point. It isn't bad that an enterprise networking company left a hardcoded password in their products in 2018. Thanks for the reality check.
neverending story of good PR by AlwinBarni · 2018-03-08 03:19 · Score: 2, Informative

Cisco says that an attacker could exploit this vulnerability ...
I like it - "could" is such a euphemism for a hard-coded password.

Decades ago people dreamed of flying to the stars in XXI century, and instead we have:
* cars with intelligent performance management, which cheat on emission tests and cause thousands premature deaths
* notebooks which intelligently improve user experience, by hijacking encrypted communication injecting ads and rendering all the security useless
* music discs, which (again) improve users experience helping them manage their collections by bypassing their system security to install malware in core of their OS
* brand CPUs, which are designed to be so fast, that they do not even bother to check who is accessing the data, and of course no-one should be worried since it affects "all" CPUs in existence
* and apps with hard-coded password, which could, just potentially could be considered a vulnerability
* not to mention the best business model ever, when one makes money by being lousy with guarding sensitive personal information and later gets payed to inform that the very data might not identify proper person, because it was stolen
1. Re:neverending story of good PR by thegarbz · 2018-03-08 08:31 · Score: 2
  
  The XXI century is only 18% complete. Give it time. In the meantime here's the glass half full version of your story:
  *cars which can almost drive themselves.
  *small thin slate devices which you can write on with pens, no need for some crappy notebook.
  *music on demand transmitted how you want to the device you want wirelessly
  *brand CPUs which are so fast that the computer performance no longer matters. We do things and they happen, and not even Microsoft can slow us down anymore.
  *an occasional vulnerability discovered and patched
  *and companies offer you a world of wealth free of charge in return for training their AIs to better serve you ever more useful apps that make your life easier based on your data.
  WHAT A TIME TO BE ALIVE!
  Technology is awesome. The world is great. It's just a shame it's ruined by a few killjoys that seem to spend their lives focusing on the few negatives while we live easier, longer, richer, and better than we ever have in the past and in a century where we're incredibly bloodly likely not only to achieve that dream of flying cars but potentially also colonise another planet or start offering space tourism given how we have made HUGE technological leaps in only the first 18%.
  Have a beer man and lighten up a bit. Life's good. You owe it to yourself. And if you destroy your liver in the process we can fix that shit too.
Re:Calm down folks, it's not that bad.... by 110010001000 · 2018-03-08 03:27 · Score: 2

You are right. Allowing unknown users into your enterprise network via a hardcoded backdoor isn't that bad. Thanks for putting my mind at ease!
Re:Calm down folks, it's not that bad.... by Khyber · 2018-03-08 05:14 · Score: 2

It's not bad if the hardcoded password is UNIQUE TO EACH DEVICE.
Of course, that introduces other logistical/support issues, but hardcoded passwords aren't a stupid idea if properly designed and implemented.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Re:Calm down folks, it's not that bad.... by Hal_Porter · 2018-03-08 06:10 · Score: 3, Interesting

BT in the UK have a per device preprogrammed serial number for admin access to routers - they have a sticker on the underside of the device with the admin password and the Wifi password.
http://bt.custhelp.com/app/ans...
You can still change both though.
It's actually not a bad scheme at all - it means most people who don't care about this stuff will end up with a secure admin/wifi password and if someone cracked the scheme people who do care would still be able to change it.
And it's better than the usual router scheme of setting the password to something dumb like 'admin'. Most people won't change it which means they're vulnerable.
NB - Nothing in this comment should be taken to imply that BT are not an awful company to deal with most of the time, I just think the password scheme they use on routers is actually pretty sensible.

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;