Hardcoded Password Found in Cisco Software


[H]F Junkie
Apr 25, 2001
Cisco is constantly releasing security advisories for their products, but the recent advisory has an interesting little tidbit about a hardcoded password. Believe it or not their Prime Collaboration Provisioning software app has a hardcoded password that can be exploited by a local attacker. There is no mitigation for this and Cisco customers are advised to patch the PCP application ASAP. In this day and age I just can't fathom a hardcoded password......you're supposed to be better than that Cisco.

The reasons are that an attacker can infect another device on the same network and use it as a proxy for his SSH connection to the vulnerable Cisco PCP instance, allowing for remote, over-the-Internet exploitation.

Furthermore, there is a large number of elevation-of-privilege exploits affecting the Linux operating system that an attacker can use and gain root access. Hence, Cisco's decision to classify this flaw as "critical" even with a CVSS score of 5.9 out of a maximum of 10.
If you think Cisco is brighter than this, then you haven't been dealing with Cisco much lately. They seem super-focused on branching out well beyond their core route/switch products by acquiring different companies then quickly giving them the "Cisco treatment" and branding. In the mean time, their previous acquisitions continue to suffer with poor or non-existent documentation. It's only recently that the instructions for configuring email alerts with Unity voicemail have actually ha the correct commands, for example. The QM call recording system - the documentation makes no reference whatsoever as to what needs to be backed up. Thus every client with this application, now being upgraded to the latest version, has a SQL database where the logs are several gigs in size and the database proper is only a few megs - it hasn't been backed up in 5 or 6 years. Their Jabber collab system makes Skype look liek the most incredible piece of software ever. Despite a complete wipe (including registry purge) and reinstall, it insists on pointing to internal servers for the phone stuff, when I don;t even HAVE a phone profile. There's an option to check to disable phone features, but it does nothing - it still prompts me for credentials. The documentation for setting up identity federation might as well not even exist for all the information it provides. Now they want to position AMP as the rapid response solution to malware - great, but unless you have a Cisco account, you can't just jump in and download it immediately when needed like you can any of the other more well known products. Stop buying more companies, Cisco. Fix the stuff you already have. I totally buy having a hard coded password in a system is not them being forced to put it there by the NSA or any other intelligence agency.
This is history repeating. Cisco got caught embedding passwords and key files into firmware many times before!
That's what you get for messing with PCP. Stuff will leave you vulnerable and mess your sh** up.
You can say "shit" around here, why the "fuck" not? We're all grownups, and this is not CBS :D

One thing I learned when I got out of the service is, just because you are allowed to say something, it doesn't mean you have to. You knew what I meant, and for any of our members that decided to let their kids hang around us, I didn't throw our crass culture right in their faces.
maybe the hardcoded password got leaked and all the patch does is change it to another password