The company has patched a critical vulnerability in Cisco Video Surveillance Manager that could be exploited to gain root access
Specialists in ethical hacking from the International Institute of Cyber Security report that Cisco has patched a critical vulnerability in Cisco Video Surveillance Manager (VSM) software running on some Cisco Connected Safety and Security Unified Computing System (UCS) platforms. The flaw could let an unauthenticated remote attacker log in as root and execute arbitrary commands on an affected system.
The VSM software shipped on these systems contains default, static credentials for the root account. An attacker who knows those credentials can simply authenticate with them to obtain root access. Cisco has not documented the credentials.
The security notice published by Cisco mentions that “the vulnerability is due to the presence of predetermined and undocumented static user credentials for the root account of the affected software on certain systems. A malicious actor could exploit this vulnerability by using the account to log on to an affected system”.
The vulnerability affects Cisco Video Surveillance Manager (VSM) software releases 7.10, 7.11 and 7.11.1. Only systems on which Cisco pre-installed the software are affected; the same releases installed by the customer are not.
The company's notice continues: "This vulnerability exists because the root account of the affected software was not disabled before Cisco installed the software on vulnerable platforms, and default, static user credentials exist for the account. The user credentials are not publicly documented."
There are no workarounds that address this vulnerability; the only remediation is Cisco's software update, so VSM users on the affected releases are encouraged to upgrade to version 7.12.
Cisco also confirmed to the specialists in ethical hacking that it is not aware of any attack exploiting the vulnerability.
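As an added illustration (this is not Cisco's code and does not come from its advisory), the following POSIX shell script audits the condition the advisory describes on a Linux-based appliance you administer: whether the root account still carries a usable password and whether sshd permits root to log in with it, which together are what made the static credential reachable. The function names, the temporary-file layout and the sample shadow and sshd_config contents are constructed for this example. The script does not and cannot recover the undocumented static password; it flags appliances on which such a credential would be usable over SSH, and the real remediation remains the upgrade to 7.12.

```shell
#!/bin/sh
# Added example, not Cisco's code: audit whether a root account can still
# be used for password login, the precondition behind the VSM advisory.
# Function names and sample files are assumptions made for this example.

# root_login_state SHADOW_FILE ACCOUNT
# Prints one of: locked | empty | passworded | missing
root_login_state() {
    entry=$(grep "^$2:" "$1" | head -n 1)
    if [ -z "$entry" ]; then echo missing; return 0; fi
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    case "$pw" in
        '')          echo empty ;;       # no password at all: worse than a static one
        '!'*|'*'*)   echo locked ;;      # "!", "!!", "*", "*LK*", "!$6$..." all block password login
        *)           echo passworded ;;  # usable hash: a default/static credential would work
    esac
}

# sshd_permit_root_login SSHD_CONFIG
# Prints the effective PermitRootLogin value. sshd honours the first
# occurrence of a keyword; when it is absent, OpenSSH 7.0 and later
# default to prohibit-password (assumed here; Match blocks are ignored).
sshd_permit_root_login() {
    v=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then echo "$v"; else echo prohibit-password; fi
}

# root_password_ssh_exposed SHADOW_FILE SSHD_CONFIG
# Returns 0 (true) when root has a usable password AND sshd allows root
# to authenticate with a password, i.e. a static root credential would
# give a remote attacker a root shell.
root_password_ssh_exposed() {
    state=$(root_login_state "$1" root)
    permit=$(sshd_permit_root_login "$2")
    case "$state/$permit" in
        passworded/yes|empty/yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not taken from any real appliance).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/shadow.bad" <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
EOF
cat > "$WORK/shadow.good" <<'EOF'
root:!:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
EOF
cat > "$WORK/sshd.bad" <<'EOF'
# shipped config: root may log in with a password
PermitRootLogin yes
EOF
cat > "$WORK/sshd.good" <<'EOF'
PermitRootLogin no
PermitRootLogin yes   # ignored: sshd uses the first occurrence
EOF

for pair in "shadow.bad sshd.bad" "shadow.good sshd.bad" "shadow.bad sshd.good"; do
    set -- $pair
    if root_password_ssh_exposed "$WORK/$1" "$WORK/$2"; then
        echo "EXPOSED: $1 + $2 (root reachable by password over SSH)"
    else
        echo "ok:      $1 + $2"
    fi
done
```

The check is deliberately conservative: a root account that reports `passworded` with `PermitRootLogin prohibit-password` or `no` is not reachable by password over SSH, but the credential would still work on a serial or KVM console, so treat any `passworded` root on a vendor-installed appliance as something to lock (`passwd -l root`) or to get the vendor to fix, as Cisco did here with 7.12. `PasswordAuthentication no` is another way to close the SSH path and is not modelled above.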
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability”, concludes the company’s security notice.
Recently, Cisco issued another security warning for critical static credential vulnerabilities in its IOS XE software.