Cisco fixes a critical flaw in its Unified CDM system

Networking vendor Cisco Systems recently discovered that its Unified Communications Domain Manager (Unified CDM) software shipped with a default privileged account whose static password could not be changed or modified, exposing the platform to remote attacks.

Cisco’s Unified CDM tool is part of the Hosted Collaboration System, which provides automation and administration functions for Unified Communications Manager, Unity Connection, Jabber applications, and associated mobile and software clients. The privileged account is created when Unified CDM is first installed and cannot be changed or removed without affecting system functionality. Cisco does not explain exactly why in its security advisory. All the vendor says is that the only way to fix it is to install the patches it just delivered.

If the flaw is not fixed, remote attackers could access the platform by connecting via SSH to this default account, which has root privileges, giving them full control over the system. The vulnerability is rated 10, the highest Common Vulnerability Scoring System (CVSS) severity score. This means that exploiting the flaw is easy and can lead to a complete compromise of the confidentiality, integrity and availability of the system. Unified CDM software version 4.4.5 fixes the vulnerability, and additional fixes are available for versions 4.4.3 and 4.4.4 for customers with support contracts.

The issue was discovered by Cisco during internal security testing. For the moment the company cannot say whether or not the flaw is being exploited. Default administrative accounts with hard-coded static passwords are a serious problem, but they are nothing new in networking equipment and other hardware. They are the result of cheap design decisions made at a time when security was of little importance in product development.
