Sergey Nivens - Fotolia
Hardcoded credentials continue to bedevil Cisco
Cisco hit by yet another new hardcoded credentials flaw, the latest in a long line of such flaws since last year, this time in its video surveillance manager appliance.
Cisco keeps finding, reporting and patching hardcoded credentials vulnerabilities in its products.
Cisco last week reported, and patched, the latest hardcoded credentials vulnerability in its Cisco Video Surveillance Manager (VSM) software on some of its Cisco Connected Safety and Security Unified Computing System (UCS) platforms. The bug marked the sixth vulnerability this year and the eleventh since the start of 2017 that involved hardcoded credentials or default passwords. Tracked as CVE-2018-15427, the Cisco Video Surveillance Manager Appliance default password vulnerability was rated "critical" and given a Common Vulnerability Scoring System (CVSS) score of 9.8 (out of 10) for enabling a remote unauthenticated attacker to access affected systems through default hardcoded credentials for the root account.
In its security advisory, Cisco explained the latest hardcoded credentials vulnerability in terms very similar to other recent, similar bugs. "The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user."
The Common Weakness Enumeration (CWE) lists the type of vulnerability found most recently in Cisco's surveillance systems under the code CWE-798, Use of Hard-Coded Credentials, and vulnerabilities of this type tend to be considered critical and high risk because of the ease of exploiting them.
"Hardcoded credentials is an issue that has been around forever and is still very present. Managing credentials is hard and error-prone because so many developers use hardcoded credentials when they begin building an application or device and never get around to improving the way credentials are handled," said Chris Wysopal, CTO at CA Veracode.
Hunting for hardcoded credentials
According to the Cisco advisories about these vulnerabilities, the latest vulnerability was found as a result of "internal security testing," as were eight other of the credentials flaws; one was found by the Cisco Technical Assistance Center in the course of resolving a customer support case. One of the eleven-- the June 2018 Cisco Wide Area Application Services Software Static SNMP Credentials Vulnerability -- was reported by an external researcher, and the source for one of the flaws was not specified.
"With our large and diverse product portfolio, we actively seek to identify vulnerabilities through evaluation, set secure development standards and collaborate with our customers and the industry," said a Cisco spokesperson via email. "Specifically, we found this issue through testing."
Tod Beardsley, director of research at Rapid7, said the fact that the latest hardcoded credentials flaw was "discovered and reported through Cisco's own internal security testing" is important. "This tells me that Cisco is taking the inappropriate nature of static, unchangeable credentials on their devices seriously," he said. "I'm hopeful that Cisco can lead by example here, and other vendors of network equipment will similarly realize that static, unchanging passwords are simply no good in today's TCP/IP networks."
More hardcoded credentials vulnerabilities
While many of the credential-related vulnerabilities reported by Cisco since the start of last year have been attributed to the weakness tracked as CWE-798, Use of Hard-Coded Credentials, other vulnerabilities are caused by improper use of default or hardcoded credentials and pertain to other, related weaknesses, such as CWE-255, Credentials Management.
Here are the 10 other vulnerabilities involving credentials, either hardcoded or inappropriately implemented, that were reported by Cisco since the start of 2017:
- 2018-07-18: Cisco Policy Suite Cluster Manager Default Password Vulnerability (CVE-2018-0375)
- 2018-06-6: Cisco Wide Area Application Services Software Static SNMP Credentials Vulnerability (CVE-2018-0329)
Tod Beardsleydirector of research, Rapid7 - 2018-05-16: Cisco Digital Network Architecture Center Static Credentials Vulnerability (CVE-2018-0222)
- 2018-03-28: Cisco IOS XE Software Static Credential Vulnerability (CVE-2018-0150)
- 2018-03-07: Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability (CVE-2018-0141)
- 2017-10-20: Cisco AMP for Endpoints Static Key Vulnerability (CVE-2017-12317)
- 2017-09-27: Cisco IOS XE Software for Cisco ASR 1000 Series and cBR-8 Routers Line Card Console Access Vulnerability (CVE-2017-12239)
- 2017-06-07: Cisco Elastic Services Controller Insecure Default Administrator Credentials Vulnerability (CVE-2017-6689)
- 2017-05-03: Cisco Finesse for Cisco Unified Contact Center Enterprise Information Disclosure Vulnerability (CVE-2017-6626)
- 2017-04-05: Cisco Aironet 1830 Series and 1850 Series Access Points Mobility Express Default Credential Vulnerability (CVE-2017-3834)