Cisco fixes a static default credential issue in Smart Software Manager tool

Pierluigi Paganini February 20, 2020

Cisco has released security updates to address 17 vulnerabilities affecting its networking and unified communications product lines.


The types of fixed vulnerabilities include remote access and code execution, elevation of privilege, denial of service, and cross-site request forgeries.

One of the flaws patched by the IT giant is a critical issue, tracked as CVE-2020-3158, while six vulnerabilities are rated as high severity.

The CVE-2020-3158 flaw is related to the presence of a system account that has a default and static password in the Smart Software Manager tool.

“A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.” reads the advisory published by Cisco.

“The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator.”

An attacker could exploit the flaw by using this default account to connect to a vulnerable system and obtain read and write access to system data.

The issue could expose a sensitive portion of the system, but Cisco pointed out that the attacker would not have full administrative rights to control the device.

The vulnerability affects Cisco Smart Software Manager On-Prem releases prior to the 7-202001 version, only if the High Availability (HA) feature is enabled (HA is not enabled by default).
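The advisory's exposure condition (release earlier than 7-202001 and the HA feature enabled) is easy to apply across an inventory. The following triage script is an added example and is not Cisco's code or tooling; it assumes On-Prem release strings take the form `<major>-<build>` (as in 7-202001), and the inventory rows it operates on are constructed for illustration.

```python
import re
from dataclasses import dataclass

# From the advisory: releases prior to 7-202001 are affected (when HA is enabled).
FIXED_RELEASE = (7, 202001)


@dataclass
class OnPremHost:
    hostname: str
    release: str
    ha_enabled: bool  # HA is not enabled by default, so it must be asserted per host


def parse_release(release: str) -> tuple[int, int]:
    """Parse a release string such as '7-202001' into a comparable tuple.

    Assumption: the format is '<major>-<build>'; anything else is rejected so
    that a malformed inventory entry is surfaced instead of silently passing.
    """
    m = re.fullmatch(r"(\d+)-(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def is_exposed(release: str, ha_enabled: bool) -> bool:
    """Apply the advisory's two conditions: pre-fix release AND HA enabled."""
    return ha_enabled and parse_release(release) < FIXED_RELEASE


def triage(hosts: list[OnPremHost]) -> dict[str, list[str]]:
    """Bucket hosts into what needs doing.

    'patch_now'   : exposed today (old release, HA on)
    'patch_soon'  : old release but HA off; not exposed until HA is turned on
    'ok'          : already on a fixed release
    """
    buckets: dict[str, list[str]] = {"patch_now": [], "patch_soon": [], "ok": []}
    for h in hosts:
        if parse_release(h.release) >= FIXED_RELEASE:
            buckets["ok"].append(h.hostname)
        elif h.ha_enabled:
            buckets["patch_now"].append(h.hostname)
        else:
            buckets["patch_soon"].append(h.hostname)
    return buckets


# Constructed sample inventory (hostnames and the 7-201910 release are made up).
SAMPLE_INVENTORY = [
    OnPremHost("ssm-onprem-a", "7-201910", ha_enabled=True),
    OnPremHost("ssm-onprem-b", "7-201910", ha_enabled=False),
    OnPremHost("ssm-onprem-c", "7-202001", ha_enabled=True),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Hosts in `patch_soon` are worth tracking rather than ignoring: the account is still present on an unpatched system, and enabling HA later would expose it without any further change to the release.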

Cisco Small Business Routers

Cisco also addressed privilege escalation vulnerabilities in Unified Contact Center (CVE-2019-1888) and Data Center Network Manager (CVE-2020-3112). The tech giant fixed a code execution vulnerability in NFV Infrastructure Software (CVE-2020-3138) that could be exploited only by local attackers.

The list of addressed flaws includes two DoS flaws in the Cisco Email Security Appliance, tracked as CVE-2019-1947 and CVE-2019-1983.

The remaining flaws patched by the company are a SQL injection in Cloud Web Security (CVE-2020-3154) and remote code execution bugs in the Cisco IP Phone (CVE-2020-3111).


Pierluigi Paganini

(SecurityAffairs – hacking)
