Full Report
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. [...]
Analysis Summary
# Vulnerability: Hardcoded Root SSH Credentials in Cisco Unified CM
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text, but the presence of hardcoded root credentials suggests a high severity risk.
- CWE: CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- Products: Cisco Unified CM (CallManager)
- Versions: Specific vulnerable versions are not listed in the summary text, but the issue is noted as requiring remediation.
- Configurations: Implied to affect installations where these hardcoded credentials persist.
## Vulnerability Description
Cisco Unified CM (CallManager) was found to contain hardcoded root credentials for SSH access. This potentially allows an attacker with access to the underlying system to gain high-privilege access (root) without needing valid authentication or exploiting a complex flaw. The text notes that an attacker could potentially use commands like `file get activelog syslog/secure` to retrieve sensitive information, indicating direct file/system access is possible.
## Exploitation
- Status: Implied to be a significant risk, similar to other recent Cisco hardcoded credential issues which have been exploited (e.g., CSLU backdoor).
- Complexity: Likely Low, as hardcoded credentials remove the requirement for authentication bypass or complex exploitation chains.
- Attack Vector: Likely Local or Network (if SSH is externally accessible).
## Impact
- Confidentiality: High (Root access allows reading any file, including sensitive configuration and logs).
- Integrity: High (Root access allows modification or destruction of system files/configurations).
- Availability: High (Root access allows for system shutdown or complete compromise).
## Remediation
### Patches
- Specific patch versions are not mentioned, but Cisco has released updates to remove this backdoor root account. Administrators must consult the relevant Cisco Security Advisory for the specific product/version updates.
### Workarounds
- The article suggests that the vulnerability is related to the persistence of hardcoded credentials, which were previously active in specific file paths/commands. Consultation with Cisco advisories for specific mitigation steps concerning SSH access control is recommended until patching is complete.
## Detection
- Indicators of compromise: Unauthorized access or unexpected file retrieval attempts related to system log files (e.g., `/var/log/secure` or equivalent debug/activity logs).
- Detection methods and tools: Monitoring SSH logins for use of known non-standard or hardcoded usernames. Review configuration files for hidden or undocumented user accounts.
## References
- Vendor Advisories: Cisco Security Advisories related to hardcoded credentials in Unified CM.
- Relevant links:
- bleepingcomputer: `https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/`