Cisco has issued a information advisory astir a vulnerability successful its Emergency Responder package that would let an unauthenticated distant attacker to log successful to an affected instrumentality utilizing nan guidelines account.
The vulnerability, designated CVE-2023-20101, arises from nan truth that nan guidelines relationship has default, fixed credentials that cannot beryllium changed aliases deleted. Yet again, information done obscurity proves insufficiently obscure.
"This vulnerability is owed to nan beingness of fixed personification credentials for nan guidelines relationship that are typically reserved for usage during development," Cisco explains successful its advisory. "An attacker could utilization this vulnerability by utilizing nan relationship to log successful to an affected system."
And successful truthful doing, nan attacker could login from wherever and execute arbitrary commands arsenic nan guidelines user. Hence nan guidelines CVSS people of 9.8.
Cisco Emergency Responder is designed to activity pinch Cisco Unified Communications Manager to guarantee that emergency calls get routed to a location-appropriate Public Safety Answering Point (PSAP). It supports real-time location tracking, telephone routing, and automatic notification of information unit pinch nan location of nan caller, among different things.
It's not nan benignant of strategy you want taken complete by those pinch malicious intent.
- IT networks nether onslaught via captious Confluence zero-day. Patch now
- Cat accused of wiping US Veteran Affairs server info aft jumping connected keyboard
- Lorenz ransomware unit bungles blackmail blueprint by leaking 2 years of contacts
- Make-me-root 'Looney Tunables' information spread connected Linux needs your attention
The inclusion of hard-coded credentials is simply a textbook information flaw. Its Common Weakness Enumeration is CWE-798: Use of Hard-coded Credentials - and nan truth that needs a nickname speaks volumes. In 2023, according to information statement MITRE, it ranked 18 among nan apical 25 astir stubborn weaknesses.
MITRE places nan usage of hard-coded credentials into nan class "Weaknesses introduced into a strategy because of a mediocre information architecture aliases mediocre information creation choices."
At slightest Cisco managed to find nan bug "during soul information testing" alternatively than learning astir it from progressive exploitation. It says location are nary workarounds and has released package patches to reside nan issue.
At slightest only 1 peculiar type of nan package is affected: Cisco Emergency Responder Release 12.5(1)SU4. Version 12.5 was released January, 2019.
Prior versions, 11.5(1) and earlier, are not affected. Neither is nan latest version, 14. ®