Cisco's Smart Licensing Utility flaws suggest it's pretty dumb on security

If you're running Cisco's supposedly Smart Licensing Utility, there are two flaws you ought to patch right now. "Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the …

  1. Anonymous Coward

    What, again?

    This isn't the first time some Cisco thing turns out to come with hard-coded full-access credentials. One previous occurrence was with their VoIP provisioning suite, maybe?

    And of course you need a current-and-paid-up service contract or their broken software remains broken for you. In a better world this would give rise to lawsuits for having sold goods that turn out to be unfit for service (as Software Does Not Fail). As it is, Cisco manages to fleece their customers even in failure. I'd boot them off my preferred suppliers list if they were on it.

    1. Pascal Monett Silver badge

      Re: What, again?

      Indeed.

      Thank goodness we all got rid of that supreme menace that was Huawei, right?

      With friends like Cisco, who needs enemies?

      P.S.: thanks for the linked article - I'll be keeping that as a reference

  2. Mobster

    One issue with Cisco is that in order to patch, you need a support contract to be able to download said patch. So having bought and paid for a product, which turns out to be defective and needing a patch, you now have to pay more.

    1. Potemkine! Silver badge

      Fed up with Shitsco.

      No surprise. I discovered that even if we pay a Cisco partner to support an IPBX, this isn't enough; we have to pay Cisco even more if we want help if the problem is serious. The support we pay (a lot) for is useless when we need it. This so-called partner also asked us to pay an extra 6,000 € to update a certificate... something that took me half an hour to do when I found the correct procedure. This is an ecosystem of thieves.

      The consequence? We'll do whatever possible to get rid of Cisco's IPBX. It's over-complicated to manage, it's expensive, and now we know that the programming (hard-coded credentials... WTF!) is shitty. The day we get rid of that pile of crap we'll throw a party to celebrate.

  3. Anonymous Coward

    I deem the need for a security update a product defect

    So having to PAY to merely keep it secure is unacceptable; that's just plain vanilla blackmail. Fine network you have there, would be a shame if something broke in...

    Product upgrades? OK, fine, but not security. Good that I know now - busy setting up something new and Cisco ain't gonna be part of it.

  4. Ball boy Silver badge

    "log in to an affected system by using a static administrative credential"

    Remind me, someone: exactly how long have Cisco been in the networking business?

    Hard-coding admin passwords doesn't even meet the threshold for schoolboy* error. For a business deeply embedded in the comms game, such an act should be defined as gross negligence/incompetence.

    *Substitute as required

    1. pc-fluesterer.info

      Backdoor

      "negligence/incompetence" - that is the nice view.

      I for one would presume intention.

      They may have gotten a gag order (NSL).

      1. Sok Puppette

        Re: Backdoor

        NSLs can't do that.

        What can do that is putting the morons in charge of the "licensing system" because nobody else wants to work on it. And in fact nobody else wants to think about it or look at it. The suits tell your project to stick this crap in on pain of death, and you do it. Meanwhile said crap escapes all the normal processes because it's not really a product, but is really a priority for the MBAs.

        ... and note that the crap itself actually serves no essential function and should not exist.

    2. sanmigueelbeer

      Re: "log in to an affected system by using a static administrative credential"

      "exactly how long have Cisco been in the networking business"

      And this is why Cisco does not have a "Bug Bounty" program.
