Cisco Security Vulnerability Thread.
-
@black3dynamite said in Cisco Security Vulnerability Thread.:
@travisdh1 Is your hatred towards Ubuntu the same with Cisco? The fact that you created a thread just for it makes me think so.
Lol, I wouldn't classify it as much but a lot of people do hate Ubuntu/Debian... unwarranted in my opinion but hey what can I say, I am biased
-
@dbeato said in Cisco Security Vulnerability Thread.:
@black3dynamite said in Cisco Security Vulnerability Thread.:
@travisdh1 Is your hatred towards Ubuntu the same with Cisco? The fact that you created a thread just for it makes me think so.
Lol, I wouldn't classify it as much but a lot of people do hate Ubuntu/Debian... unwarranted in my opinion but hey what can I say, I am biased
I hate Ubuntu, but Debian is fine.
-
@JaredBusch said in Cisco Security Vulnerability Thread.:
@dbeato said in Cisco Security Vulnerability Thread.:
@black3dynamite said in Cisco Security Vulnerability Thread.:
@travisdh1 Is your hatred towards Ubuntu the same with Cisco? The fact that you created a thread just for it makes me think so.
Lol, I wouldn't classify it as much but a lot of people do hate Ubuntu/Debian... unwarranted in my opinion but hey what can I say, I am biased
I hate Ubuntu, but Debian is fine.
Point taken.
-
@travisdh1 said in Cisco Security Vulnerability Thread.:
Two Cisco ESA (Email Security Gateway) DDOS vulnerabilities today:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-url-dosAt least these weren't hard coded passwords!
-
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Two Cisco ESA (Email Security Gateway) DDOS vulnerabilities today:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-esa-url-dosAt least these weren't hard coded passwords!
That we know of!
-
Only 23 vulnerabilities announced yesterday. I don't have the time to weed through them all!
-
@travisdh1 said in Cisco Security Vulnerability Thread.:
Only 23 vulnerabilities announced yesterday. I don't have the time to weed through them all!
Turns out, one is significantly worse than the unpublicized admin credentials. Their SBS line has the default admin and password account active until you create another admin account. Published admin credentials. FFS Cisco.
-
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
-
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
-
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
-
@travisdh1 said in Cisco Security Vulnerability Thread.:
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
Agreed. My thinking when I originally replied was, "Well, at least this isn't a hard coded backdoor password" lol.
But I think you're right, it is worse in some ways.
-
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
Agreed. My thinking when I originally replied was, "Well, at least this isn't a hard coded backdoor password" lol.
But I think you're right, it is worse in some ways.
I don't follow - this is a bug - we're human, we make mistakes.
A hard coded password is not a mistake, it's a decision.
Unless I'm missing something, a hard coded password is much worse.
-
@travisdh1 said in Cisco Security Vulnerability Thread.:
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.
-
@scottalanmiller said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.
You're assuming it was supposed to be designed that way.
-
@travisdh1 said in Cisco Security Vulnerability Thread.:
@scottalanmiller said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.
You're assuming it was supposed to be designed that way.
No, I'm stating that it is super normal and expected. It's only that you assume that it is supposed to be designed differently that makes it seem weird. It's good to tie the two together in many cases, but very few vendors do, it should never be assumed.
-
@scottalanmiller said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
@scottalanmiller said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
@dafyre said in Cisco Security Vulnerability Thread.:
@travisdh1 said in Cisco Security Vulnerability Thread.:
Cisco Network Assurance Engine CLI default user/password. At this point, I'm assuming anything Cisco has an unpublished admin user/password somewhere!
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos
This one seems like an actual bug, and not a hard coded password.
From what I read, the TL;DR version is that when you change your web interface password, it doesn't change your CLI password.
I didn't get a chance to do more than glance at this one. That's actually worse. How do you screw up a credential system that bad?
This is actually a very common design. Nearly all systems are this way. One password is to the system, one is to the application on the system. Totally normal.
You're assuming it was supposed to be designed that way.
No, I'm stating that it is super normal and expected. It's only that you assume that it is supposed to be designed differently that makes it seem weird. It's good to tie the two together in many cases, but very few vendors do, it should never be assumed.
Then shouldn't you also have different account names as well? Not having a different account name, or documentation clearly spelling the difference out, creates a human based security hole. (Not that people actually read documentation.)
Also, just because it's common, doesn't mean it's right. (Just getting it out there.)
-
Only 17 more on the list this morning. Most of them are probably not horrible, but there are some remote vulnerabilities in there. No, I haven't reviewed any of them myself yet.
https://tools.cisco.com/security/center/publicationListing.x
-
RV110W, RV130W, and RV215W routers management interface remote vulnerability.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex
-
Go patch all your Cisco things. Lots of stuff they classify as High priority and a fix for the router vulnerability from last week.
-
Only 2 things today. They must have had a slow week.
https://www.us-cert.gov/ncas/current-activity/2019/03/13/Cisco-Releases-Security-Updates
According to CISA, one is yet another hardcoded credential, and one is a DDOS vulnerability.
