Cisco Fixes Critical Flaw In Surveillance Appliances

Cisco has urged system administrators to patch the company’s Video Surveillance Manager software to fix a bug involving root account credentials that were mistakenly left hard-coded into devices.

The company gave the bug a severity score of 9.8 out of 10, classing it as critical.

The issue involves credentials for a root-level administrator account that was created at some point during the development process and was never removed.

If attackers discovered the credentials, they would be able to gain administrative access to any of the affected systems, effectively taking control of them.

Undocumented root account

“The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems,” Cisco said in its advisory.

“An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”

The bug affects Cisco Video Surveillance Manager (VSM) releases 7.10, 7.11 and 7.11.1 on several of Cisco’s Connected Safety and Security Unified Computing System (UCS) appliances.

The affected models include CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9 and KIN-UCSM5-2RU-K9, Cisco said.

The company says the software is affected if it was preinstalled by Cisco and is running on the UCS platforms listed above.

Administrator credentials

Releases earlier than VSM Software 7.9 are not affected, and neither are later versions if they were installed as updates to VSM 7.9. VSM Software on VMware’s ESXi platform is also unaffected.

The credentials for accessing the root account have not been publicly disclosed, and were found during internal testing, Cisco said. The fix removes the root-level account involved.

Cisco recently fixed a similar bug involving static credentials, which affected the Linux variant of Cisco’s network operating system IOS XE.

That bug was patched in March, but last week Cisco extended its advisory to cover IOS XE software running on the Integrated Services Virtual Router (ISRv).

Other hard-coded passwords have been removed from Cisco’s Digital Network Architecture (DNA) Centre and Cisco Prime Collaboration Provisioning (PCP) software.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDnet and other leading publications.
