Cisco Patches Critical ‘Default Password’ Bug | Threatpost

Cisco Systems is warning customers that a discovery tool for network devices can be accessed by a remote and unauthenticated attacker. The flaw could allow an adversary to log into the system and collect sensitive data tied to host operating systems and hardware.

The disclosure is part of a Cisco Security Advisory and patch (CVE-2019-1723) issued Wednesday. The vulnerability is rated critical, with a CVSS rating of 9.8.

Affected is the Cisco Common Service Platform Collector (CSPC), a tool used for discovering and collecting information from the Cisco devices installed on a network. The flaw includes a default, static password that can be accessed remotely by an unauthenticated adversary. Cisco stresses, that access to CSPC does not grant administrator privileges to an attacker.

“The vulnerability exists because the affected software has a user account with a default, static password,” Cisco wrote. “An attacker could exploit this vulnerability by remotely connecting to the affected system using this account. A successful exploit could allow the attacker to log in to the CSPC using the default account.”

The CSPC tool is used extensively by Cisco service offerings such as Smart Net Total Care (SmartNet), Partner Support Service (PSS) and Business Critical Services. Data gathered by CSPC includes inventory reports, product alerts, configuration best practices, technical service coverage and lifecycle information for both the hardware and operating system software.

Vulnerable are Cisco CSPC releases 2.7.2 through 2.7.4.5 and all releases of 2.8.x prior to 2.8.1.2. Cisco said it is unaware of a public exploit of the vulnerability.

On Wednesday, Cisco also alerted customers to two high-rated vulnerabilities. One is related to the Cisco Email Security Appliances (CVE-2018-15460) and the other (CVE-2018-0389) Cisco Small Business SPA514G IP Phones.

With the Cisco Email Security Appliances, the security advisory warns that the vulnerability is tied to the devices’ implementation of Session Initiation Protocol processing. “Remote attacker to cause an affected device to become unresponsive, resulting in a denial of service condition,” Cisco wrote.

Cisco said it will not patch or issue a workaround for the email appliance. It explained that the SPA514G IP Phones have reached end-of-life and therefore will not receive an update. It also stressed that similar IP-based phone (SPA51x, SPA51x and SPA52x) are not affected.

The second bug, found in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances, leaves impacted systems open to denial of service attacks.

“[The flaw] could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device,” Cisco wrote.

Cisco said the vulnerability is “due to improper filtering of email messages that contain references to whitelisted URLs.” It said an attacker could exploit the flaw by sending a malicious email message that contains a large number of whitelisted URLs. “A successful exploit could allow the attacker to cause a sustained DoS condition that could force the affected device to stop scanning and forwarding email messages,” it wrote.

Cisco has released a software update and workaround instructions for impacted instances of Cisco AsyncOS Software for Cisco Email Security Appliances.

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.