Cisco has patched a vulnerability in its Video Surveillance Manager software that could give an unauthenticated, remote attacker the ability to execute arbitrary commands on targeted systems.
A critical vulnerability in the Cisco Video Surveillance Manager (VSM) software has been disclosed that could allow an unauthenticated, remote attacker to log in and execute arbitrary commands as the root user.
The issue is a simple one: affected versions contain static user credentials for the root account.
“The vulnerability is because of the presence of unsupported, default, static user credentials for the root account of the affected software on certain systems,” the Secnic advisory, issued Friday, states. “An attacker may exploit this vulnerability by using the account to log in to an affected system.”
Fortunately, the user credentials are not publicly documented, and Cisco said it was unaware of any exploits currently in the wild.
The flaw affects VSM versions 7.10, 7.11 and 7.11.1 running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms (CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9 and KIN-UCSM5-2RU-K9). In addition, to be vulnerable, the software must have been preinstalled by Cisco, according to the vendor, which uncovered the bug during routine security testing.
There are no workarounds that address the vulnerability, but Cisco has issued a patch in the latest version of the software.
“In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release [Cisco VSM Software Release 7.12].”
The advisory comes in the same week that Cisco issued a second warning for another critical static certificate bug, this one in its IOS XE software. That security bulletin comes more than six months after the company initially reported the bug and provided a software fix.
Hardcoded and static credentials have been at the root of many a critical vulnerability over the years. Earlier this year, computer maker Lenovo issued a fix for a hardcoded-password flaw affecting ThinkPad, ThinkCentre and ThinkStation laptops. The problem affected nearly a dozen Lenovo laptop models running versions of Microsoft Windows 7, 8 and 8.1. And at Black Hat 2018, researchers from Threatcare and IBM X-Force Red found hardcoded-password issues plaguing smart-city deployments.