Cisco is warning admins to install an update that addresses a static password bug in the Cisco Common Services Platform Collector (CSPC).
The flaw, CVE-2019-1723, could be used by a remote attacker to log into a CSPC device using a static password for its default account. Cisco notes that the default account does not have administrative privileges.
According to David Coomber, the researcher who reported the bug to Cisco, an attacker could access the CSPC via SSH or console and use the hardcoded credentials to gain a shell on the vulnerable system.
Coomber informed Cisco of the issue on February 14, just under a month before the new patch on Wednesday. The flaw affects Cisco CSPC releases 2.7.2 through 18.104.22.168 and all releases of 2.8.x prior to 22.214.171.124.
Admins may also need to update Cisco Smart Net Total Care (SmartNet) Network Collector and Cisco Partner Support Service (PSS) Network Collector, both of which use CSPC. The collector software collects information about other Cisco devices to produce inventory reports.
The bug is fixed in Cisco CSPC 2.7.x branch with the release 126.96.36.199, while the issue is fixed in the CSPC 2.8.x branch in release 188.8.131.52.
The flaw has been given a rating of 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS).
Cisco notes there is a workaround for this bug however customers need to file a request with the Cisco Technical Assistance Center (TAC) or contact an engineer if they are subscribed to Cisco Network Optimization Service (NOS) or Cisco Business Critical Services (BCS).
Cisco earlier this week warned that attackers were scanning for a separate critical flaw affecting the web interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router.