Oi, Cisco! Who left the 'high privilege' login for Smart Software Manager just sitting out in the open?

Cisco has released fixes to address 17 vulnerabilities across its networking and unified communications lines. The bundle includes one fix for a critical issue and six patches for bugs deemed high-risk vulnerabilities. They include remote access and code execution, elevation of privilege, denial of service, and cross-site …

  1. HildyJ Silver badge
    Trollface

    They may be bastards, but they're our bastards (LBJ).

    Just imagine the reaction if it had been Huawei.

  2. Anonymous Coward
    Anonymous Coward

    MORE cisco vulns?

    Nohuawei!

    And these are just the ones the NSA lets them 'find' :D

  3. big_D Silver badge
    Facepalm

    No Huawei!

    You see, this is exactly what the NSA has been on about! You just can't trust Huaw... Oh, wait, this is Cisco. Isn't Cisco American? Hey, this can't be!

  4. Pascal Monett Silver badge

    I'm guessing no senator is going to step up and rant about this

    No way any political figure is going to step up to a microphone and rant about how the security of US citizens and institutions was put in grave danger by this.

    Nope. Not gonna happen.

  5. Sanctimonious Prick
    Paris Hilton

    Bugs?

    Who let the dogs out?

    (spelling mistake? Where?)

  6. Anonymous Coward
    Anonymous Coward

    Perspective

    To put this sort of vulnerability in perspective, Smart Software Manager is a VM appliance where users/devices interact via a web interface/APIs. It is used to provide dynamic licence management rather than allowing devices to connect directly/via a proxy to Cisco servers for high security/limited connectivity environments.

    An account with a fixed username/password was included in the VM. It has been discovered and fixed. Likely security impact? Close to zero as in a high security environment it would be heavily firewalled (i.e. located on a management network with access to the system heavily restricted and only outbound access to Cisco permitted).

    Would equivalent systems have similar issues? If they don't autobuild the VMs with password randomisation for any builtin service/application accounts that aren't exposed to end users? Probably... This has been a recurring issue across manufacturers with appliance-type systems.

    1. Halfmad Silver badge

      Re: Perspective

      You are making a lot of assumptions on how these are configured in different businesses.

      Low right, high risk - this shouldn't have happened.

      1. Anonymous Coward
        Anonymous Coward

        Re: Perspective

        I agree, I have made assumptions, but this is a management plane device so best practice would be to avoid exposing it to anything that may potentially be harmful (based on a risk assessment for your environment and what you deem harmful) and if necessary secure with firewalls and other ACLs. If you are handling third-party traffic (i.e. a service provider) then you should keep your management plane separate from the data plane.

        You're right - it shouldn't happen. The perspective I was aiming to provide was why it happens (and yes, I've attempted to create appliance type VMs and some of the parts are tricky to get working once you create random passwords when you go back and "fix" one little script to carry out maintenance or similar).

        The main perspective I was hoping to correct was that announcing a bugfix in optional software designed for limited environments was some sort of earth shattering security issue - compared to say the WordPress plugin issue announced earlier in the week with exploits in the wild, this is more likely to be used for an unauthorised maintenance path than an actual exploit. Unless someone has done something really dumb.
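The two comments above describe the root cause (a service account whose password is baked into the appliance image instead of being randomised at first boot) and why it is easy to ship that way. The script below is an added example, not Cisco's code and not posted by any commenter, showing the check a practitioner can run before deploying an appliance: compare the shadow files of several instances built from the same image. An account randomised at first boot has a different salt and hash in every instance; an account with a static credential shows the identical hash everywhere. The account names, the shadow contents and the placeholder hashes are all constructed for illustration and are not real credentials.

```python
"""Audit several deployed copies of one appliance image for static built-in
credentials (added example; account names and hashes are constructed)."""

from collections import defaultdict

# Accounts the operator sets themselves; reusing one password across their
# own fleet is their decision, so these are excluded from the shared-hash check.
USER_MANAGED = {"admin"}

# Shadow hash fields starting with these cannot authenticate with a password,
# which is the right state for service accounts that only need a key or socket.
LOCKED_PREFIXES = ("!", "*")


def parse_shadow(text):
    """Map account name -> password hash field from /etc/shadow-style text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def audit(instances, known_default_hashes=frozenset()):
    """instances: {instance_name: shadow_text} for copies of the same image.

    Returns {account: [finding, ...]} covering: empty password fields,
    hashes matching a published default, and hashes identical across
    instances (the signature of a password baked into the image).
    """
    per_account = defaultdict(dict)          # account -> {instance: hash}
    for name, text in instances.items():
        for acct, h in parse_shadow(text).items():
            per_account[acct][name] = h

    findings = defaultdict(list)
    for acct, hashes in sorted(per_account.items()):
        seen = defaultdict(list)             # hash -> [instances using it]
        for inst, h in sorted(hashes.items()):
            if h == "":
                findings[acct].append(f"empty password field in {inst}")
                continue
            if h.startswith(LOCKED_PREFIXES):
                continue
            if h in known_default_hashes:
                findings[acct].append(f"published default hash in {inst}")
            seen[h].append(inst)
        if acct in USER_MANAGED:
            continue
        for insts in seen.values():
            if len(insts) > 1:
                findings[acct].append(
                    "identical hash in " + ", ".join(insts)
                    + ": password baked into the image, not randomised at first boot")
    return dict(findings)


# Constructed shadow files for two deployments of the same image. svc_lic keeps
# the image's static hash, svc_bak was randomised at first boot, svc_api has no
# password at all, daemon is locked.
INSTANCE_A = """\
root:$6$aaaaaaaa$ROOTHASHA:18900:0:99999:7:::
admin:$6$adminsalt$ADMINHASH:18900:0:99999:7:::
svc_lic:$6$bakedsal$BAKEDHASH:18900:0:99999:7:::
svc_bak:$6$saltA001$BAKHASHA:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
svc_api::18900:0:99999:7:::
"""
INSTANCE_B = """\
root:$6$bbbbbbbb$ROOTHASHB:18901:0:99999:7:::
admin:$6$adminsalt$ADMINHASH:18901:0:99999:7:::
svc_lic:$6$bakedsal$BAKEDHASH:18901:0:99999:7:::
svc_bak:$6$saltB001$BAKHASHB:18901:0:99999:7:::
daemon:*:18901:0:99999:7:::
svc_api::18901:0:99999:7:::
"""

# A hash you would obtain from the vendor advisory or from the image itself.
KNOWN_DEFAULTS = {"$6$bakedsal$BAKEDHASH"}


def run_demo():
    return audit({"instA": INSTANCE_A, "instB": INSTANCE_B}, KNOWN_DEFAULTS)


if __name__ == "__main__":
    for acct, reasons in run_demo().items():
        for reason in reasons:
            print(f"{acct}: {reason}")
```

Run against two or more instances pulled from the fleet (or two fresh boots of the same OVA in a lab); with a single instance only the empty-password and known-default checks can fire, which is why the shared-hash check needs at least two. The fix on the build side is the one the commenter describes: generate the service account passwords at first boot and write them to a root-only file that maintenance scripts read, rather than hard-coding them in the scripts.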

  7. NonSSL-Login
    Devil

    Backdoor! Oh wait, it's not Huawei kit

    "a bug caused by the presence of a high-privilege account with a static password present in the Cisco Smart Software Manager tool."

    If this was a San Fran'cisco' author reporting on Huawei there would be shouts of Backdoor and evil Chinese company but it's American Cisco so it's a bug.

    #JustSayin (and will keep saying until the stupidness stops but alas that might take as long as el-reg switching to secure https login pages about 3 years after my handle here started prodding)

Biting the hand that feeds IT © 1998–2020