Oi, Cisco! Who left the 'high privilege' login for Smart Software Manager just sitting out in the open?
2020-02-19 23:41

Cisco has released fixes to address 17 vulnerabilities across its networking and unified communications lines.

The lone critical bulletin is for CVE-2020-3158, a bug caused by a high-privilege account with a static password in the Cisco Smart Software Manager tool.

"The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator," Cisco said.

Because Smart Software Manager handles software licenses and keys, there's not a massive risk to sensitive corporate data from this flaw.

An unremovable high-privilege account with a static password is not something anyone wants, so it's recommended that admins update their software to scrub the static account ASAP. Also addressed in this Switchzilla patch bundle were privilege escalation bugs in Unified Contact Center and Data Center Network Manager, along with a code execution bug in NFV Infrastructure Software that requires local access.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/19/cisco_february_fixes/

Related Vulnerability

DATE: 2020-02-19
CVE: CVE-2020-3158
VULNERABILITY TITLE: Use of Hard-coded Credentials vulnerability in Cisco Smart Software Manager On-Prem 7201910
A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account.
network
cisco CWE-798
RISK: 8.8