Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)

Posted iamsoscared

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)相关的知识,希望对你有一定的参考价值。

Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)
--
https://www.info-sec.ca/advisories/Cisco-Collector.html

Overview

"The Cisco Common Service Platform Collector (CSPC) is an SNMP-based 
tool that discovers and collects information from the Cisco devices installed on your network. The CSPC software provides an extensive collection mechanism to gather various aspects of customer device data. Information gathered by the collector is used by several Cisco Service offers, such as Smart Net Total Care, Partner Support Service, and Business Critical Services. The data is used to provide inventory reports, product alerts, configuration best practices, technical service coverage, lifecycle information, and many other detailed.

reports and analytics for both the hardware and operating system (OS) software."

 (https://www.cisco.com/c/en/us/support/cloud-systems-management/common-services-platform-collector-cspc/products-installation-guides-list.html)


Issue

The Cisco Common Service Platform Collector (version 2.7.2 through 2.7.4.5 and all releases of 2.8.x prior to 2.8.1.2) contains hardcoded credentials.


Impact

An attacker able to access the collector via SSH or console could use the hardcoded credentials to gain a shell on the system and perform a range of attacks.


Timeline

February 14, 2019 - Notified Cisco via [email protected]
February 14, 2019 - Cisco assigned a case number
February 18, 2019 - Cisco confirmed the vulnerability
February 20, 2019 - Cisco provided a tentative 60 day resolution timeline
February 21, 2019 - Provided comments on the proposed timeline
March 11, 2019 - Cisco advised that the issue has been resolved and
that a security advisory will be published on March 13, 2019

Solution

Upgrade to Common Service Platform Collector 2.7.4.6 or later
Upgrade to Common Service Platform Collector 2.8.1.2 or later

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv

以上是关于Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)的主要内容,如果未能解决你的问题,请参考以下文章

公司加域的电脑,今天登录时候cisco anyconnect 出现"vpn service not available",求如何解决

HongHu common-service 项目构建过程

Spring Cloud云服务架构 - common-service 项目过程构建

Spring Cloud云服务架构 - common-service 项目过程构建

spring cloud云服务 - HongHu common-service 项目构建过程

整合spring cloud云服务架构 - common-service 项目构建过程