
Cisco has released a patch for its Video Surveillance Manager. A flaw in the software left hardcoded credentials on the root account. Hackers who discover the credentials could therefore control an affected system as the root user.

Cisco recommends that administrators of applications running on the surveillance software install the patch as soon as possible, reports ZDNet. The flaw exists because the root account and its standard credentials were not disabled before the software was installed. The credentials have not been made public.

“The vulnerability is caused by the presence of undocumented, standard, static user-credentials for the root account of the affected software on some systems,” says the company. “A hacker can exploit this vulnerability by using the account to log into the affected system. A successful exploit may allow the hacker to log in and execute commands as the root user.”

The flaw, tracked as CVE-2018-15427, affects previously installed instances of Cisco Video Surveillance Manager Software versions 7.10, 7.11 and 7.11.1 on four of the Connected Safety and Security Unified Computing System appliances. The affected models are CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9 and KIN-UCSM5-2RU-K9.

Linux

This is not the first time that such an error has been found in Cisco software. In March, a patch was released for a similar problem in IOS XE. Last week it was announced that this error also affected IOS XE software running on Cisco’s Integrated Services Virtual Router.

This year the company has fixed several flaws in which passwords were hardcoded in the software. They were found in the Digital Network Architecture Center and Cisco Prime Collaboration Provisioning, among others.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.