Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday March 09 2018, @08:46PM   Printer-friendly
from the Cisco-Phencyclidine? dept.

Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system.

The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.

Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.

The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical."

Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

The reasons are that an attacker can infect another device on the same network and use it as a proxy for his SSH connection to the vulnerable Cisco PCP instance, allowing for remote, over-the-Internet exploitation.

Source: https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0, Troll) by cocaine overdose on Friday March 09 2018, @09:46PM (5 children)

    Press backspace 28 times to pay respects.

    If you're going to use software, why would you trust it to a closed source? Even then, why would you put your faith into an enterprise to make sure your software runs the way it should? The only reason I can think of is people believe the time to set everything up (and find someone that knows how to set it up from scratch) is too great. Look at this:

    Q. What are the benefits of using Cisco Prime Collaboration?
    A. Cisco Prime Collaboration offers the following benefits:
    1. Lower deployment and operating costs through accelerated site rollouts, reduced time to add users, delegation of changes to help desk personnel, optimization of critical collaboration infrastructure and resources, and accelerated troubleshooting to reduce mean time to repair (MTTR)
    2. Improved operational control and consistency with role-based access control and tracking and auditing of all activity for improved accountability and troubleshooting
    3. Greater end-user quality of experience through assurance management capabilities that help isolate service quality issues before affecting users and minimize system and service outages
    4. Increased IT staff productivity through proactive operator notification of issues and facilitation of rapid resolution of problems as well as an intuitive GUI and simplified operator task flows that promote ease of use
    5. Simplified long-term planning and deployment analysis through trend analysis and reporting
    6. Smarter technology investment decisions, capital and operating expense savings through optimization of collaboration resources, and effective capacity planning
    @Source [cisco.com]

    1. My cellphone can do all of that, but I'll skip it because there's no info on exactly what Cisco does to do all of this. I'm assuming it's just proprietary tools to make sysadmin's lives easier, a.k.a training
    2. My name is journaled filesystem and I am here to help. Is this software for Windows? You don't need Cisco to set this up on any Unix box. It'll take you maybe ten minutes if you've never done it before.
    3. Are you an automated config checker database or are you buzzwording me? This might be useful if it's a database, BUT your system should be properly planned from the get-go so you know exactly where your bottlenecks lie. As well, make sure your server monkies can type in English so they don't clobber the keyboard trying to setup iptables.
    4. I was right. See #1. G U I, I U G, U G I. There are a few things GUI does better than CLI, and those things should be automated. The only other thing is monkey-preference and you shouldn't hire people that can't use CLI.
    5. Is this list just 1 point over 6 bullet points and an ungodly amount of sales? I don't know what this means, besides benchmarking and logging, and then doing some sort of simple statistical analysis.
    6. Is this the motto? Why is it in the benefits list? I don't have a clue what this could mean.

    So far, I'm not sold on this "PCP." I think I'll stick to my old dealer, thank you. And RHEL too. Why the fuck would anyone use RHEL? OpenBSD is leagues better in every way to RHEL (unless you're trying to an unstable baremetal machine, then you'd be compiling from scratch, and I wouldn't be telling you this because you already know). Is it the support? Support for "what?" What is there that is so esoteric and arcane that it can't be found in any man page? Did your server-monkey decide to symlink all of your server files to an external drive? "Look boss, only 5MB!" Fucks sake. I tried using RHEL. The GUI overcomplicates things. Let me fdsik, mkfs, LVM, and mdadm on the command line. I can do it in less time than it takes to figure out your asinine GUI layout.

    Starting Score:    1  point
    Moderation   -1  
       Troll=1, Total=1
    Extra 'Troll' Modifier   0  

    Total Score:   0  
  • (Score: 4, Insightful) by bob_super on Friday March 09 2018, @10:12PM (4 children)

    by bob_super (1357) on Friday March 09 2018, @10:12PM (#650260)

    Or maybe you could take a minute to consider that this nutty marketing buzzword soup is targeted at CIOs of companies with networks of hundreds to tens of thousands of machines, most of which are probably administered very remotely.

    • (Score: 1) by cocaine overdose on Friday March 09 2018, @10:17PM (1 child)

      I considered that and I addressed it. And I will repeat my self: "it's better in every way not to use enterprise solutions -- if you're not skimping on quality."

      • (Score: 4, Funny) by frojack on Friday March 09 2018, @10:38PM

        by frojack (1554) on Friday March 09 2018, @10:38PM (#650277) Journal

        if you're not skimping on quality

        Of course they are skimping on quality.

        When was the last time you priced out replacing 20,000 Windows XP machines?
        How else are you going to do network management on your far flung campuses so that your (salesmen, accountants, paper pushers) can get something done instead of installing yet another patch tuesday upgrade?

        You are delusional if you think all these people are running high end machines. You are crazy if you let them choose the software they run.

        You get a contract from low-bidder computer supplier, you get a site license from Microsoft, you burn images to hard drives on bare bones machine. They need a Browser, Office Suite and Outlook and nothing else.
        Next month, another 20,000 machines.

        You don't need, and can't afford no sinkin quality. Come around here with that mentality and they will send you packin.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 4, Insightful) by insanumingenium on Friday March 09 2018, @10:32PM

      by insanumingenium (4824) on Friday March 09 2018, @10:32PM (#650274) Journal

      You forgot that those CIOs probably have no idea how the actual administration happens, but are tasked with making it "more agile" or some other BS idea.

    • (Score: 2) by LoRdTAW on Saturday March 10 2018, @01:30AM

      by LoRdTAW (3755) on Saturday March 10 2018, @01:30AM (#650328) Journal

      Did you happen to see his name? Says it all.