A critical vulnerability in Cisco Video Surveillance Manager (VSM) software could allow an unauthenticated, remote attacker to log in to an affected system and execute arbitrary commands as the root user.
The issue is a simple one: affected versions ship with static credentials for the root account, which customers cannot change.
“The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems,” Cisco said in its advisory, issued Friday. “An attacker could exploit this vulnerability by using the account to log in to an affected system.”
The credentials are not documented publicly, and Cisco said it was unaware of exploits circulating in the wild. That is thin protection: a static credential that the customer cannot rotate is only as secret as the software image it ships in, so affected systems should be treated as exposed until they are upgraded.
The flaw affects VSM versions 7.10, 7.11 and 7.11.1 running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms: CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9 and KIN-UCSM5-2RU-K9. The software must also have been preinstalled by Cisco on the appliance for the system to be vulnerable, according to the vendor, which uncovered the bug during routine security checks.
There are no workarounds that address the vulnerability; the fix is to upgrade to Cisco VSM Software Release 7.12.
“In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release [Cisco VSM Software Release 7.12].”
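Because the affected set depends on three things at once (software version, hardware platform and whether Cisco preinstalled the software), scoping the upgrade across a fleet is easy to get wrong by hand. The following is an added example, not Cisco's tooling or code from the advisory: it triages an inventory export against the conditions stated above. The `Host` record, the sample inventory and the hostnames are constructed for illustration; the advisory does not provide a query interface, so it is assumed that platform, version and install origin have already been exported from your own asset inventory.

```python
"""Triage a VSM fleet against the affected versions and platforms in the advisory.

Added example: the inventory format and hostnames below are constructed, not
taken from any Cisco tool or from the advisory itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Platforms and versions exactly as listed in the advisory.
AFFECTED_PLATFORMS = {
    "CPS-UCSM4-1RU-K9", "CPS-UCSM4-2RU-K9",
    "KIN-UCSM5-1RU-K9", "KIN-UCSM5-2RU-K9",
}
AFFECTED_VERSIONS = {(7, 10, 0), (7, 11, 0), (7, 11, 1)}
FIXED_VERSION = (7, 12, 0)  # Cisco VSM Software Release 7.12


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.11' or '7.11.1' into a comparable 3-tuple ('7.11' == '7.11.0')."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected VSM version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Host:
    """One row of a hypothetical inventory export (constructed record type)."""
    name: str
    platform: str
    version: str
    cisco_preinstalled: bool


def triage(host: Host) -> str:
    """Classify a host using only the conditions the advisory states.

    'vulnerable'          all three conditions hold: upgrade to 7.12.
    'fixed'               running 7.12 or later.
    'review'              listed platform and version, but the inventory says the
                          software was customer-installed; the advisory scopes that
                          out, but the install origin is worth confirming by hand.
    'not-listed-platform' hardware is outside the advisory's list.
    'not-listed-version'  version is below 7.12 but not one the advisory names.
    """
    version = parse_version(host.version)
    if host.platform not in AFFECTED_PLATFORMS:
        return "not-listed-platform"
    if version >= FIXED_VERSION:
        return "fixed"
    if version in AFFECTED_VERSIONS:
        return "vulnerable" if host.cisco_preinstalled else "review"
    return "not-listed-version"


def triage_inventory(hosts: List[Host]) -> Dict[str, str]:
    """Map each hostname to its triage status."""
    return {h.name: triage(h) for h in hosts}


def upgrade_list(hosts: List[Host]) -> List[str]:
    """Hosts that must move to 7.12, plus those needing manual review."""
    return [h.name for h in hosts if triage(h) in ("vulnerable", "review")]


# Constructed sample inventory for the example; not real hosts.
SAMPLE_INVENTORY = [
    Host("vsm-hq-01", "CPS-UCSM4-1RU-K9", "7.11.1", True),
    Host("vsm-hq-02", "CPS-UCSM4-2RU-K9", "7.12", True),
    Host("vsm-site-a", "KIN-UCSM5-2RU-K9", "7.11", False),
    Host("vsm-lab", "UCS-C220-M4", "7.10", True),
    Host("vsm-site-b", "KIN-UCSM5-1RU-K9", "7.9", True),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {status}")
    print("upgrade or review:", upgrade_list(SAMPLE_INVENTORY))
```

The 'review' bucket is deliberate: an inventory field recording who installed the software is often wrong, and the cost of a false negative here (a root account with a fixed password) is much higher than the cost of checking one more appliance.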
The advisory comes in the same week that Cisco re-issued a warning for another critical static-credential bug, this one in its IOS XE software, more than six months after the company first disclosed that bug and provided a software fix.
Hardcoded and static credentials have been at the root of many critical vulnerabilities over the years. Earlier in the year, Lenovo issued a fix for a hardcoded password flaw affecting ThinkPad, ThinkCentre and ThinkStation systems, covering nearly a dozen models running Microsoft Windows 7, 8 and 8.1. And at Black Hat 2018, researchers from Threatcare and IBM X-Force Red found hardcoded password issues plaguing smart-city deployments.