Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system.
The hardcoded password issue affects Cisco's Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.
Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as "critical."
Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.
The reasons are that an attacker can infect another device on the same network and use it as a proxy for his SSH connection to the vulnerable Cisco PCP instance, allowing for remote, over-the-Internet exploitation.
Source: https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/
(Score: 4, Insightful) by bob_super on Friday March 09 2018, @08:56PM (11 children)
Too bad TFA doesn't show the password.
Add that one, carved on a stone tablet, to the growing pile of things to throw at the face of anyone who would entrust backdoor keys to any entity.
(Score: 1) by Ethanol-fueled on Friday March 09 2018, @09:02PM (7 children)
It's CIA passwords.
FIGHT THEM! They will kill you if they don't succeed!
(Score: 2) by insanumingenium on Friday March 09 2018, @09:16PM (6 children)
Come on Ethy, Hanlon's razor isn't going to steer us wrong here.
(Score: 1) by Ethanol-fueled on Friday March 09 2018, @10:18PM (5 children)
Cisco devices are subject to ITAR, for some reason.
Cisco devices have hardcoded backdoors that NSA and China know about because it's okay for China to steal American secrets as long as they're fattening American congressmens' wallets by buying property at a huge markup while fucking the rest of the American population. You and I in the military industrial complex know that all Chinks are stealing our secrets. Trump! Stop Chinese citizens from being employed with us! Stop them from owning American property!
What a fucking national security joke. Trump! Drain the Chinese fifth-columnist swamp! They are stealing our military secrets wholesale!
(Score: 2) by insanumingenium on Friday March 09 2018, @10:26PM (4 children)
ITAR, is a completely shitty law, how they think they can legislate mathematics as a weapon has never made sense to me, but it absolutely doesn't involve mandatory backdoors. It just involves not shipping "weapons" to forbidden countries. As someone who has actually shipped ITAR controlled products I can tell you it is a rubber stamp process.
(Score: 1, Informative) by Ethanol-fueled on Friday March 09 2018, @10:40PM (3 children)
It is a rubber-stamp process. But you are not American. I am. We will destroy you.
(Score: 3, Funny) by insanumingenium on Friday March 09 2018, @10:56PM (2 children)
Riiiight, guess I will have to turn in my passport, guns, and pet bald eagle now.
(Score: 3, Funny) by LoRdTAW on Saturday March 10 2018, @01:28AM (1 child)
You forgot bacon, or are you one of "those" people?
(Score: 2) by insanumingenium on Monday March 12 2018, @03:38PM
You can take my pork from my cold dead hands μολὼν λαβέ.
(Score: 2, Funny) by Anonymous Coward on Friday March 09 2018, @09:27PM
I bet the password is "hunter2".
(Score: 3, Funny) by drussell on Friday March 09 2018, @09:43PM (1 child)
LOL... yeah, I was going to say....
"Was it 123456?" :)
(Score: 2) by VanessaE on Saturday March 10 2018, @08:55PM
No, it was 1-2-3-4-5, same as on the CEO's luggage.
(Score: 3, Informative) by frojack on Friday March 09 2018, @09:37PM (3 children)
A password for ssh access does you nothing without an account on the host machine.
The vague description suggests that this password is used to log into an account that is installed on Linux during the installation of the Prime Collaboration Provisioning software.
OR
perhaps the PCP software itself listens on some port for an ssh-like connection.
Pretty unclear, even when you read the CVE.
They also indicate
So that sounds like THEIR software requires an account on the linux box, and that account has some additional root equivalency (sudo authority perhaps?).
So two vulnerabilities in one.
No, you are mistaken. I've always had this sig.
(Score: 2) by drussell on Friday March 09 2018, @09:45PM (2 children)
It would if it is the password for root. ;)
(Score: 1, Touché) by Anonymous Coward on Friday March 09 2018, @10:16PM
...and your system is naive enough to have such an acco. :)
(Score: 3, Insightful) by frojack on Friday March 09 2018, @10:40PM
Cisco is clearly worried it doesn't have to be root. Now why is that?
No, you are mistaken. I've always had this sig.
(Score: 0, Troll) by cocaine overdose on Friday March 09 2018, @09:46PM (5 children)
Press backspace 28 times to pay respects.
If you're going to use software, why would you trust it to a closed source? Even then, why would you put your faith into an enterprise to make sure your software runs the way it should? The only reason I can think of is people believe the time to set everything up (and find someone that knows how to set it up from scratch) is too great. Look at this:
Is this the motto? Why is it in the benefits list? I don't have a clue what this could mean.
So far, I'm not sold on this "PCP." I think I'll stick to my old dealer, thank you. And RHEL too. Why the fuck would anyone use RHEL? OpenBSD is leagues better in every way to RHEL (unless you're trying to an unstable baremetal machine, then you'd be compiling from scratch, and I wouldn't be telling you this because you already know). Is it the support? Support for "what?" What is there that is so esoteric and arcane that it can't be found in any man page? Did your server-monkey decide to symlink all of your server files to an external drive? "Look boss, only 5MB!" Fucks sake. I tried using RHEL. The GUI overcomplicates things. Let me fdsik, mkfs, LVM, and mdadm on the command line. I can do it in less time than it takes to figure out your asinine GUI layout.
(Score: 4, Insightful) by bob_super on Friday March 09 2018, @10:12PM (4 children)
Or maybe you could take a minute to consider that this nutty marketing buzzword soup is targeted at CIOs of companies with networks of hundreds to tens of thousands of machines, most of which are probably administered very remotely.
(Score: 1) by cocaine overdose on Friday March 09 2018, @10:17PM (1 child)
I considered that and I addressed it. And I will repeat my self: "it's better in every way not to use enterprise solutions -- if you're not skimping on quality."
(Score: 4, Funny) by frojack on Friday March 09 2018, @10:38PM
Of course they are skimping on quality.
When was the last time you priced out replacing 20,000 Windows XP machines?
How else are you going to do network management on your far flung campuses so that your (salesmen, accountants, paper pushers) can get something done instead of installing yet another patch tuesday upgrade?
You are delusional if you think all these people are running high end machines. You are crazy if you let them choose the software they run.
You get a contract from low-bidder computer supplier, you get a site license from Microsoft, you burn images to hard drives on bare bones machine. They need a Browser, Office Suite and Outlook and nothing else.
Next month, another 20,000 machines.
You don't need, and can't afford no sinkin quality. Come around here with that mentality and they will send you packin.
No, you are mistaken. I've always had this sig.
(Score: 4, Insightful) by insanumingenium on Friday March 09 2018, @10:32PM
You forgot that those CIOs probably have no idea how the actual administration happens, but are tasked with making it "more agile" or some other BS idea.
(Score: 2) by LoRdTAW on Saturday March 10 2018, @01:30AM
Did you happen to see his name? Says it all.
(Score: 2) by tangomargarine on Friday March 09 2018, @10:28PM
A drug epidemic sweeps the IT world! News, weather, and sports at 7.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"