A week after admitting that several of its security appliances ship with static SSH keys, Cisco warned customers on Wednesday that its Unified Communications Domain Manager platform has a default, static password for an account that carries root privileges.
The vulnerability affects versions of the software prior to 4.4.5 and the company said there are no workarounds for it. An attacker who is able to find a vulnerable device would be able to connect to it over SSH and gain complete control of the device.
“A vulnerability in the Cisco Unified Communications Domain Manager Platform Software could allow an unauthenticated, remote attacker to login with the privileges of the _root _user and take full control of the affected system,” the Cisco advisory says.
“The vulnerability occurs because a privileged account has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system. An attacker could exploit this vulnerability by remotely connecting to the affected system via SSH using this account. An exploit could allow the attacker to take full control of the affected system.”
A year ago, Cisco said that the same UCDM product included a default private SSH key that is stored insecurely.
“The vulnerability is due to the presence of a default SSH private key, which is stored in an insecure way on the system. An attacker could exploit this vulnerability by obtaining the SSH private key. For example, the attacker might reverse engineer the binary file of the operating system. This will allow the attacker to connect by using the support account to the system without requiring any form of authentication. An exploit could allow the attacker to gain access to the system with the privileges of the root user,” the advisory from July 2014 says.
And just last week the company issued a similar advisory for default private and host SSH keys in three of its security appliances. In the case of the default hard-coded credentials in the UCDM, Cisco has fixed the vulnerability in version 4.4.5 of the platform software and its security teams said it is not aware of any public exploitation of the vulnerability.