Cisco Security Vulnerability Thread.

dafyre

@travisdh1 said in Cisco Security Vulnerability Thread.:

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos

This one seems like an actual bug, and not a hard coded password.

From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.

I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?

Agreed. My thinking when I originally replied was, "Well, at least this isn't a hard coded backdoor password" lol.

But I think you're right, it is worse in some ways.

Dashrender

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos

This one seems like an actual bug, and not a hard coded password.

From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.

I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?

Agreed. My thinking when I originally replied was, "Well, at least this isn't a hard coded backdoor password" lol.

But I think you're right, it is worse in some ways.

I don't follow - this is a bug - we're human, we make mistakes.

A hard coded password is not a mistake, it's a decision.

Unless I'm missing something, a hard coded password is much worse.

scottalanmiller

@travisdh1 said in Cisco Security Vulnerability Thread.:

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos

This one seems like an actual bug, and not a hard coded password.

From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.

I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?

This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.

travisdh1

@scottalanmiller said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos

This one seems like an actual bug, and not a hard coded password.

From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.

I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?

This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.

You're assuming it was supposed to be designed that way.

scottalanmiller

@travisdh1 said in Cisco Security Vulnerability Thread.:

@scottalanmiller said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos

This one seems like an actual bug, and not a hard coded password.

From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.

I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?

This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.

You're assuming it was supposed to be designed that way.

No, I'm stating that it is super normal and expected. It's only that you assume that it is supposed to be designed differently that makes it seem weird. It's good to tie the two together in many cases, but very few vendors do, it should never be assumed.

travisdh1

@scottalanmiller said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

@scottalanmiller said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

@dafyre said in Cisco Security Vulnerability Thread.:

@travisdh1 said in Cisco Security Vulnerability Thread.:

Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos

This one seems like an actual bug, and not a hard coded password.

From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.

I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?

This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.

You're assuming it was supposed to be designed that way.

No, I'm stating that it is super normal and expected. It's only that you assume that it is supposed to be designed differently that makes it seem weird. It's good to tie the two together in many cases, but very few vendors do, it should never be assumed.

Then shouldn't you also have different account names as well? Not having a different account name, or documentation clearly spelling the difference out, creates a human based security hole. (Not that people actually read documentation.)

Also, just because it's common, doesn't mean it's right. (Just getting it out there.)

travisdh1

Only 17 more on the list this morning. Most of them are probably not horrible, but there are some remote vulnerabilities in there. No, I haven't reviewed any of them myself yet.

https://tools.cisco.com/security/center/publicationListing.x

travisdh1

RV110W, RV130W, and RV215W routers management interface remote vulnerability.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex

travisdh1

Go patch all your Cisco things. Lots of stuff they classify as High priority and a fix for the router vulnerability from last week.

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities

travisdh1

Only 2 things today. They must have had a slow week.

https://www.us-cert.gov/ncas/current-activity/2019/03/13/Cisco-Releases-Security-Updates

According to CISA, one is yet another hardcoded credential, and one is a DDOS vulnerability.

travisdh1

CISA news this morning:

Cisco Releases Security Advisories for Multiple Products
03/20/2019 04:50 PM EDT

Original release date: March 20, 2019
Cisco has released several security advisories to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates.
• Cisco IP Phone 8800 Series Path Traversal Vulnerability cisco-sa-20190320-ipptv https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipptv
• Cisco IP Phone 8800 Series File Upload Denial of Service Vulnerability cisco-sa-20190320-ipfudos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipfudos
• Cisco IP Phone 8800 Series Authorization Bypass Vulnerability cisco-sa-20190320-ipab https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipab
• Cisco IP Phone 7800 Series and 8800 Series Remote Code Execution Vulnerability cisco-sa-20190320-ip-phone-rce https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-rce
• Cisco IP Phone 8800 Series Cross-Site Request Forgery Vulnerability cisco-sa-20190320-ip-phone-csrf https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-csrf

travisdh1

More today. Lots of things classified as High, go patch the Cisco things!

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities

travisdh1

Just remotely getting configuration information today.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xeid

scottalanmiller

Youtube Video

travisdh1

Remote access to Sysadmin in Cisco ASR 9000 series.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr

travisdh1

https://www.networkworld.com/article/3392858/cisco-issues-critical-security-warning-for-nexus-data-center-switches.html

Secret access to switches and firewalls. In addition to the sundry less critical flaws.

travisdh1

https://www.us-cert.gov/ncas/current-activity/2019/05/07/Cisco-Releases-Security-Update-Elastic-Services-Controller

Another remote vulnerability. Just another week in the Cisco world.

NashBrydges

https://www.businesswire.com/news/home/20190513005742/en/Red-Balloon-Security-Discovers-Critical-Vulnerability-Millions

Dashrender

@NashBrydges said in Cisco Security Vulnerability Thread.:

https://www.businesswire.com/news/home/20190513005742/en/Red-Balloon-Security-Discovers-Critical-Vulnerability-Millions

wow

Red Balloon Security researchers have demonstrated physical destruction of Cisco routers by leveraging Thrangrycat via remote exploitation

ouch!

travisdh1

@NashBrydges said in Cisco Security Vulnerability Thread.:

https://www.businesswire.com/news/home/20190513005742/en/Red-Balloon-Security-Discovers-Critical-Vulnerability-Millions

Thanks for posting. Saw this headline, but didn't get to actually read the article yet.