They may be bastards, but they're our bastards (LBJ).
Just imagine the reaction if it had been Huawei.
Cisco has released fixes to address 17 vulnerabilities across its networking and unified communications lines. The bundle includes one fix for a critical issue and six patches for bugs deemed high-risk vulnerabilities. They include remote access and code execution, elevation of privilege, denial of service, and cross-site …
To put this sort of vulnerability in perspective, Smart Software Manager is a VM appliance where users/devices interact via a web interface/APIs. It is used to provide dynamic licence management rather than allowing devices to connect directly/via a proxy to Cisco servers for high-security/limited-connectivity environments.
An account with a fixed username/password was included in the VM. It has been discovered and fixed. Likely security impact? Close to zero, as in a high-security environment it would be heavily firewalled (i.e. located on a management network with access to the system heavily restricted and only outbound access to Cisco permitted).
Would equivalent systems have similar issues? If they don't autobuild the VMs with password randomisation for any built-in service/application accounts that aren't exposed to end users? Probably... This has been a recurring issue across manufacturers with appliance-type systems.
I agree, I have made assumptions, but this is a management plane device, so best practice would be to avoid exposing it to anything that may potentially be harmful (based on a risk assessment for your environment and what you deem harmful) and, if necessary, secure it with firewalls and other ACLs. If you are handling third-party traffic (i.e. a service provider) then you should keep your management plane separate from the data plane.
You're right - it shouldn't happen. The perspective I was aiming to provide was why it happens (and yes, I've attempted to create appliance-type VMs and some of the parts are tricky to get working once you create random passwords, when you go back and "fix" one little script to carry out maintenance or similar).
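The two posts above describe the fix (randomise built-in account passwords when the appliance is built) and the reason it is often skipped (maintenance scripts that hard-code the password break once it is random). The first-boot script below is an added example, not Cisco's or any vendor's code: it gives each built-in account a fresh random password and stores it in a root-only file that maintenance scripts read back, so nothing needs a fixed secret. The credentials path and the account names are assumptions.

```shell
#!/bin/sh
# First-boot hardening for an appliance VM (added example, not vendor code):
# replace the build-time password of every built-in service account with a
# fresh random one, and store it in a root-only file that maintenance scripts
# read instead of hard-coding the value.
set -eu

# Where per-account credentials are kept (hypothetical path; created mode 0700).
CRED_DIR="${CRED_DIR:-/etc/appliance/credentials}"
# Command that receives "user:password" on stdin; chpasswd on Linux.
# Overridable so the functions can be exercised without root.
SET_PASSWORD_CMD="${SET_PASSWORD_CMD:-chpasswd}"

# 32 hex characters (128 bits) from the kernel CSPRNG; od is POSIX, so this
# works on minimal appliance images without base64 or openssl.
gen_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Set a new random password for one account and record it for maintenance use.
rotate_account() {
    acct="$1"
    pw="$(gen_password)"
    printf '%s:%s\n' "$acct" "$pw" | $SET_PASSWORD_CMD
    # umask 077 gives the directory 0700 and the file 0600 (root-only).
    (umask 077; mkdir -p "$CRED_DIR"; printf '%s\n' "$pw" > "$CRED_DIR/$acct")
}

# Maintenance scripts call this instead of embedding the password in a script.
read_credential() {
    cat "$CRED_DIR/$1"
}

# Only rotate the built-in accounts when run as "first-boot.sh --apply",
# so sourcing the file for its functions changes nothing on the system.
if [ "${1:-}" = "--apply" ]; then
    for acct in svcadmin licensing-api; do   # constructed account names
        rotate_account "$acct"
    done
fi
```

A later "fix one little script" then reads the credential with `read_credential svcadmin` rather than reintroducing a static password.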
The main perspective I was hoping to correct was that announcing a bugfix in optional software designed for limited environments was some sort of earth-shattering security issue - compared to, say, the WordPress plugin issue announced earlier in the week with exploits in the wild, this is more likely to be used for an unauthorised maintenance path than an actual exploit. Unless someone has done something really dumb.
"a bug caused by the presence of a high-privilege account with a static password present in the Cisco Smart Software Manager tool."
If this was a San Fran'cisco' author reporting on Huawei there would be shouts of Backdoor and evil Chinese company, but it's American Cisco, so it's a bug.
#JustSayin (and will keep saying until the stupidness stops but alas that might take as long as el-reg switching to secure https login pages about 3 years after my handle here started prodding)
Biting the hand that feeds IT © 1998–2020