Cisco left default static credentials on preinstalled VSMs

Sep 21, 2018 17:06 GMT  ·  By

Cisco released an advisory disclosing a vulnerability in its Video Surveillance Manager Appliance that could allow unauthenticated attackers to gain root access using default, static credentials.

The security issue is present because of undocumented default root account credentials left enabled after the software was installed by Cisco.

Once the vulnerability is successfully exploited, it gives attackers the ability to execute any command as the root user.

The vulnerability affects pre-installed Cisco Video Surveillance Manager (VSM) Software versions 7.10, 7.11, and 7.11.1 shipped on some Cisco Connected Safety and Security Unified Computing System (UCS) platforms; it allows remote attackers to log in as the root account using the static user credentials.

The affected UCS platforms are CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9.

Cisco has already released security updates for all vulnerabilities outlined in its default-password vulnerability advisory.

System admins unsure whether Cisco's VSM Software is installed and running on their UCS platforms can verify this by checking the Model field in the System Settings > Server > General tab after logging in to the Cisco Video Surveillance Operations Manager software.

According to Cisco, there are no known workarounds which would help Cisco Video Surveillance Manager (VSM) Software users to mitigate the issue.

The company has announced that a security update has already been released for affected VSM software running on vulnerable UCS platforms.

All customers with licenses for the software and platforms considered vulnerable are advised to upgrade and are also encouraged to get in touch with Cisco's Technical Assistance Center (TAC) or their maintenance providers for further details.