Cisco warns of critical flaw in Emergency Responder code

Cisco has issued a security advisory about a vulnerability in its Emergency Responder software that would allow an unauthenticated remote attacker to log in to an affected device using the root account. The vulnerability, designated CVE-2023-20101, arises from the fact that the root account has default, static credentials that …

  1. Chris Miller

    "released January, 2019"

    Good grief! This would have been considered a fundamental flaw in 1989, but in 2019??

  2. Anonymous Coward

    What's the problem with hard-coded credentials? Someone leaves the business. Still got a way in. Someone forgets the password. Still got a way in. It's a win all round. Sure, there may be some naysayers about other people that can get these credentials, but isn't it worth the risk for the peace of mind that you will always have a way in? I sometimes leave the keys in my front door on the way out in case I lose them. Never lost my keys that way.

    1. tfewster

      You missed the <sarcasm> tag or Joke Alert icon.

      Ah, the days when you could just do a web search for "default password $DEVICE"...

      1. Anonymous Coward

        You can still do that, as there are many devices that still don't force you to change it the first time you use it. It's like moving into a new house and not changing the locks. I remember those halcyon days; however, I was a good person and never used it to harm anyone. I say that, but I did change an open Wi-Fi network name in a bar to "big floppy donkey dick". I was a little drunk and thought it quite funny. I was tempted to lock it but decided against it even in my inebriated state.

        Did I really need a sarcasm tag good person?

  3. Doctor Syntax

    "The inclusion of hard-coded credentials is a textbook security flaw."

    Good to see developers following the textbook.

    1. CrazyOldCatMan

      Good to see developers following the textbook.

      For once..

  4. Arthur Daily

    On CISCO

    After their enterprise stuff had at least 5 backdoors, after EAL certification, I assumed CISCO would never, never do that again, ever. Boy, I was wrong. Now we need to suspect ladder attacks are built in. I pity Apple, as some of the Nxx ladder stuff has been brilliant. The right question to ask CISCO is: HOW did this get past their redoubled QA?

    1. sanmigueelbeer

      Re: On CISCO

      After their enterprise stuff had at least 5 backdoors

      And about a dozen plus more no one has discovered. Yet.

      HOW did this get past their redoubled QA?

      Cisco no longer has the ability to publish technical documents and release notes that make sense, QA codes would be an even bigger hurdle.

  5. Kraggy

    So will Cisco find out which idiot programmer did this and ensure they never touch a line of their code again?

    I doubt it!

    1. Yorick Hunt

      They already know - and they promoted him to head of software development because of it. Typical fare.

  6. Anonymous Coward

    Obviously.....

    .....the "hard-coded" authentication is either:

    (1) In an EPROM, and different for every box

    (2) In a ROM, and the same for every box

    .....so....which is it? Item #2 sounds like a REAL problem!
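The "same for every box" versus "different for every box" distinction in the comment above, worked through as code. This is an added illustration, not code from the article or from Cisco's software; the class names, the `changeme` value and the serial numbers are constructed for the example. The first class models a root password compiled into a shared image; the second generates a random root password per unit at first boot, stores only a salted PBKDF2 hash, and forces a change before the unit is considered provisioned. `fleet_exposure` then shows what one leaked credential buys an attacker in each case.

```python
"""Added illustration (not code from the article or from Cisco): a root
credential identical on every unit versus one generated per unit."""
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a credential baked into a shared firmware image.
STATIC_ROOT_PASSWORD = "changeme"


class StaticImageDevice:
    """The 'same for every box' case: the root password is a constant
    compiled into the image, so one leak opens the whole fleet."""

    def __init__(self, serial):
        self.serial = serial

    def login(self, user, password):
        return user == "root" and hmac.compare_digest(
            password.encode(), STATIC_ROOT_PASSWORD.encode())


class ProvisionedDevice:
    """The 'different for every box' case: a random root password is
    generated at first boot, only a salted PBKDF2 hash is stored, and the
    operator must change it before the unit is treated as provisioned."""

    def __init__(self, serial):
        self.serial = serial
        # Shown once on the console or a label; never stored in the clear.
        self.initial_password = secrets.token_urlsafe(16)
        self.salt = os.urandom(16)
        self.password_hash = self._derive(self.initial_password)
        self.must_change_password = True

    def _derive(self, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)

    def login(self, user, password):
        if user != "root":
            return False
        return hmac.compare_digest(self._derive(password), self.password_hash)

    def change_password(self, old, new):
        """Rotate the credential; a fresh salt makes the old hash useless."""
        if not self.login("root", old) or len(new) < 12:
            return False
        self.salt = os.urandom(16)
        self.password_hash = self._derive(new)
        self.must_change_password = False
        return True


def fleet_exposure(fleet, user, password):
    """Fraction of the fleet a single leaked (user, password) pair opens."""
    hits = sum(1 for device in fleet if device.login(user, password))
    return hits / len(fleet)


def demo(fleet_size=5):
    """Build both fleets, leak one credential from each, compare exposure."""
    static_fleet = [StaticImageDevice(f"SN{i:04d}") for i in range(fleet_size)]
    provisioned_fleet = [ProvisionedDevice(f"SN{i:04d}") for i in range(fleet_size)]
    leaked_static = STATIC_ROOT_PASSWORD           # recovered from any one image
    leaked_unique = provisioned_fleet[0].initial_password  # one unit's label leaked
    return {
        "static": fleet_exposure(static_fleet, "root", leaked_static),
        "provisioned": fleet_exposure(provisioned_fleet, "root", leaked_unique),
    }


if __name__ == "__main__":
    print(demo())
```

With a five-unit fleet, the static image is fully exposed by a single leaked password (exposure 1.0), while the per-unit scheme exposes only the one unit whose label leaked (0.2), and even that closes once the operator performs the forced change.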
