Oi, Cisco! Who left the 'high privilege' login for Smart Software Manager just sitting out in the open?
Critical fix for static credential headlines latest patch rollout
Cisco has released fixes to address 17 vulnerabilities across its networking and unified communications lines.
The bundle includes one fix for a critical issue and six for vulnerabilities rated high severity, covering remote access and code execution, elevation of privilege, denial of service, and cross-site request forgery.
The lone critical bulletin is for CVE-2020-3158: a high-privilege system account with a static password baked into the Cisco Smart Software Manager tool.
"The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator," Cisco said. "An attacker could exploit this vulnerability by using this default account to connect to the affected system."
Because Smart Software Manager handles software licenses and keys rather than customer data, the direct risk to sensitive corporate data from this flaw is limited. But an unremovable high-privilege account with a static password that admins cannot change is not something anyone wants on their network, so admins should apply the update, which removes the static account, as soon as possible.
Also addressed in this Switchzilla patch bundle were privilege escalation bugs in Unified Contact Center (CVE-2019-1888) and Data Center Network Manager (CVE-2020-3112), along with a code execution bug in NFV Infrastructure Software (CVE-2020-3138) that requires local access.
While denial-of-service flaws are generally not considered a big risk, they become much more serious when found in network security appliances, where knocking the box over means the traffic it is supposed to inspect either stops flowing or stops being filtered. Such is the case with CVE-2019-1947 and CVE-2019-1983, both in the Cisco Email Security Appliance.
Other, less-serious flaws include SQL injection in Cloud Web Security (CVE-2020-3154) and a remote code execution bug in the Cisco IP Phone (CVE-2020-3111). ®