Cisco has patched a critical vulnerability in the Cisco Video Surveillance Manager (VSM) could be exploited by an unauthenticated remote attacker to gain root access.
Cisco has fixed a critical vulnerability in the Cisco Video Surveillance Manager software running on some Connected Safety and Security Unified Computing System (UCS) platforms.
The flaw could give an unauthenticated, remote attacker the ability to execute arbitrary commands as root on targeted systems.
The software running on certain systems includes default, static credentials for the root account that could allow attackers to gain root access.
The credentials for the account are undocumented.
“The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems,” reads the advisory published by Cisco.
“An attacker could exploit this vulnerability by using the account to log in to an affected system.”
The vulnerability impacts Cisco Video Surveillance Manager (VSM) Software releases 7.10, 7.11, and 7.11.1. The flaw only affects systems where the software was preinstalled by Cisco and only impacts the CPS-UCSM4-1RU-K9, CPS-UCSM4-2RU-K9, KIN-UCSM5-1RU-K9, and KIN-UCSM5-2RU-K9 Connected Safety and Security UCS platforms.
“This vulnerability exists because the root account of the affected software was not disabled before Cisco installed the software on the vulnerable platforms, and default, static user credentials exist for the account. The user credentials are not documented publicly,” continues the Cisco advisory.
At the time, there are no workarounds for this vulnerability, users urge to upgrade to VSM Release 7.12 to address the flaw.
Cisco confirmed that it is not aware of any attack leveraging the issue.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability,” Cisco concludes.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.