CIO

Cisco hard-coded password bug gives attackers root on Linux machines

  • Liam Tung (CSO Online)
  • 08 March, 2018 07:24

Cisco has removed a hardcoded password from its Prime Collaboration Provisioning (PCP) software that gave attackers a path to root on the underlying Linux system.

The hardcoded password bug affects software that enterprise organizations can use for speedy installs of Cisco’s unified communications gear and TelePresence components.  

The bug is of no use to a remote attacker, but someone with local access to a server running PCP could use the hardcoded password to log in to the underlying Linux operating system via Secure Shell (SSH).
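The account behind the PCP bug is, in general terms, a local user with a fixed password and a login shell on an appliance whose sshd accepts passwords. The script below is an added example (not Cisco's code, and not a reproduction of the PCP issue; Cisco's advisory does not disclose the account name) showing the audit a practitioner would run on the appliance's Linux layer to surface such accounts: users with a usable hash in /etc/shadow and an interactive shell, plus the effective sshd PasswordAuthentication setting. All account names, hashes and config lines are constructed sample data, and the sshd parser assumes a config without Match blocks.

```python
"""Audit which local accounts could accept a password login over SSH.

Added example, not from Cisco or the article. Finds accounts with both a real
password hash and an interactive shell, and reports whether sshd is configured
to accept passwords at all. Sample data below is constructed; the hashes are
fake placeholders, not real crypt(3) output.
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed /etc/passwd excerpt (not from any real appliance).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
svcacct:x:1001:1001:service account:/home/svcacct:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed /etc/shadow excerpt; the '$6$...' fields are fake placeholder hashes.
SHADOW_SAMPLE = """\
root:$6$rounds=5000$Q9t0saltQ9t0$F4K3h4sHplacehold3rF4K3h4sHplacehold3rF4K3h4sHplacehold3rF4K3h4sHplacehold3rF4K3h4s:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
sshd:!:17500:0:99999:7:::
svcacct:$6$o1dsaltXX$AnotherF4k3H4shAnotherF4k3H4shAnotherF4k3H4shAnotherF4k3H4shAnotherF4k3H4shAnotherF4k3:17500:0:99999:7:::
backup:!!:17500:0:99999:7:::
nobody:$1$legacy$F4k3MD5cryptPlac3hold3r:17500:0:99999:7:::
"""

# Constructed sshd_config excerpt. Note the duplicated keyword: sshd keeps the FIRST value.
SSHD_CONFIG_SAMPLE = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
"""


def parse_colon_file(text):
    """Return {username: fields} for a passwd- or shadow-style file, skipping blank/comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def has_usable_hash(shadow_field):
    """True if the shadow password field holds a real hash rather than a locked/disabled marker.

    An empty field means no password is required at all (a separate, worse finding);
    '*', '!' and '!!' (anything starting with '*' or '!') mean locked or never set.
    """
    if shadow_field == "":
        return False
    return not shadow_field.startswith(("*", "!"))


def password_login_candidates(passwd_text, shadow_text):
    """Accounts that have both a usable password hash and an interactive login shell."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    candidates = []
    for user, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        if shell in NOLOGIN_SHELLS:
            continue
        # A user missing from shadow is treated as locked ('!').
        pw_field = shadow.get(user, [user, "!"])[1]
        if has_usable_hash(pw_field):
            candidates.append(user)
    return sorted(candidates)


def sshd_password_auth_enabled(config_text):
    """Effective PasswordAuthentication value.

    sshd_config(5): the first obtained value for a keyword wins, and the option
    defaults to 'yes' when unset. Assumes no Match blocks (they are per-connection).
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    # On a real box this would read /etc/passwd, /etc/shadow (root only) and /etc/ssh/sshd_config.
    print("password-capable shell accounts:", password_login_candidates(PASSWD_SAMPLE, SHADOW_SAMPLE))
    print("sshd accepts passwords:", sshd_password_auth_enabled(SSHD_CONFIG_SAMPLE))
```

Run against the sample data it flags `root` and `svcacct` (a hash plus `/bin/bash`) while skipping `nobody`, which has a hash but no login shell, and reports that sshd still accepts passwords because the first `PasswordAuthentication yes` wins over the later `no`. Any account on the list that the vendor documentation does not account for deserves the same scrutiny the PCP account got.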

Cisco rated the bug Critical despite a Common Vulnerability Scoring System (CVSS) base score of just 5.9, which would normally place it at Medium, citing “extenuating circumstances” that bumped the rating up.

“A successful exploit could allow the attacker to access the underlying operating system as a low-privileged user. After low-level privileges are gained, the attacker could elevate to root privileges and take full control of the device,” notes Cisco in its advisory.

The bug affects only PCP software release 11.6, not earlier builds. Admins can check which release they are running by logging in to PCP, opening Settings and clicking “About”. The issue is fixed in PCP software release 12.1 and later.

US-CERT has advised admins to review systems affected by this bug and two more of the 21 issues for which Cisco released fixes on Wednesday.

Another critical issue stems from a Java deserialization vulnerability in Cisco’s Secure Access Control System (ACS), which allows an unauthenticated attacker anywhere on the internet to execute arbitrary commands on an affected ACS device.

An attacker can exploit an affected device by sending it a specially crafted serialized Java object; a successful exploit would allow them to execute arbitrary commands with root privileges on the device.

The bug affects all releases of Cisco Secure ACS prior to release 5.8 patch 9. Cisco has provided a script to identify which release is running on a system.

The third bug US-CERT cautioned admins about affects the FTP server of the Cisco Web Security Appliance (WSA). Anyone on the internet who knows the IP address of an affected device could log in to its FTP server with any username and password.

WSA doesn’t validate credentials properly, according to Cisco, meaning it “could allow an unauthenticated, remote attacker to log in to the FTP server of the device without a valid password” or a valid username.

WSA devices are vulnerable only if FTP has been enabled; the feature is disabled by default, according to Cisco.

Cisco's advisory provides three methods to determine whether FTP has been enabled.