A new critical Cisco vulnerability has been caused by the vendor hard-coding passwords into a “high-end firewall” that is "designed to meet the security requirements of large enterprises [and] datacenters.”
The use of static credentials is one of the “product security bad practices that are deemed exceptionally risky” flagged by CISA this month in a new report issued as part of its ongoing Secure by Design initiative.
Cisco's security advisory warns that a "Static Credential Vulnerability" in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could "allow an unauthenticated, local attacker to access an affected system". The bug has been given a 9.3 CVSS score.
"This vulnerability is due to the presence of static accounts with hard-coded passwords on an affected system," Cisco wrote.
"An attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials. A successful exploit could allow the attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a reimage of the device."
Cisco has released free software updates that address the vulnerability. There is also a workaround for customers who cannot upgrade to a fixed release, but they will need to contact the Cisco Technical Assistance Center (TAC) to obtain it.
Checking Cisco's credentials
This is not the first time Cisco has announced a static credential vulnerability.
In October 2023, it issued an advisory about a bug in Cisco Emergency Responder with a 9.8 CVSS score, which can allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has "default, static credentials that cannot be changed or deleted." It also warned of a similar bug in 2018 and again in 2021.
In its latest warning about Product Security Bad Practices, CISA highlights the "presence of default passwords" as a security risk.
"The release of a product used in service of critical infrastructure or NCFs with default passwords, which CISA defines as universally-shared passwords that are present by default across a product, is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety," CISA wrote.
How to mitigate the risk of static credentials
CISA advised software manufacturers to "ensure that default passwords are not present in a product" and offered the following guidance:
- Set initial passwords that are unique and randomly generated for each instance of the product.
- Prompt the engineers who set up products to ensure they establish a strong password at the start of the installation.
- Offer temporary setup passwords that automatically disable after the setup is completed, prompting users to configure a secure password or adopt more advanced authentication methods, such as multi-factor authentication.
- Require physical access for the initial setup stage and "specification of instance-unique credentials."
- Run initiatives that help users transition existing installations from default passwords to more secure authentication solutions.
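The following is an added illustration of the first three points above, written for this article rather than taken from Cisco or CISA: a hypothetical appliance whose admin account has no universal default password. Each unit generates its own random setup password on first boot, that password only opens a setup shell, and it is disabled the moment the operator sets a strong admin password (or when a time window closes). The `static_login` function at the top shows the anti-pattern the advisory describes for contrast; the placeholder value "changeme" is constructed, not a real vendor password. Class and function names are the author's own.

```python
import hashlib
import os
import secrets
import string
import time

# Added illustration of the CISA guidance: a hypothetical appliance whose admin
# account has no universal default password. Each unit gets a random setup
# password that is honoured only until setup completes or a time window
# expires; the operator must then choose a strong password.
# Nothing here is Cisco's or CISA's code.

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)

# The anti-pattern the advisory describes: one credential shared by every unit.
HARD_CODED_PASSWORD = "changeme"  # constructed placeholder, not a real vendor password


def static_login(password: str) -> bool:
    """Vulnerable: anyone who reads this string out of the image logs in everywhere."""
    return secrets.compare_digest(password, HARD_CODED_PASSWORD)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def password_is_strong(password: str) -> bool:
    """Minimum policy: 12+ characters drawn from at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= 12 and sum(classes) >= 3


class ApplianceAuth:
    """Admin account of a single device instance."""

    def __init__(self, setup_ttl_seconds: int = 3600):
        # Unique per instance: generated on first boot, never baked into the image.
        self.setup_password = secrets.token_urlsafe(24)
        self.setup_expires = time.time() + setup_ttl_seconds
        self.setup_complete = False
        self._setup_salt = os.urandom(16)
        self._setup_hash = _hash(self.setup_password, self._setup_salt)
        self._admin_salt = None
        self._admin_hash = None

    def login(self, password: str, now=None) -> str:
        """Return the shell granted: 'setup-shell', 'admin' or a 'denied...' reason."""
        now = time.time() if now is None else now
        if not self.setup_complete:
            if now > self.setup_expires:
                # Window closed without setup: require a physical reset, not a fallback password.
                return "denied: setup window expired, reset required"
            if secrets.compare_digest(_hash(password, self._setup_salt), self._setup_hash):
                return "setup-shell"
            return "denied"
        # After setup the setup password is dead, even if it leaked from a shipping label.
        if secrets.compare_digest(_hash(password, self._admin_salt), self._admin_hash):
            return "admin"
        return "denied"

    def complete_setup(self, setup_password: str, new_password: str, now=None) -> bool:
        """Only a holder of the live setup credential can set the admin password."""
        if self.login(setup_password, now) != "setup-shell":
            return False
        if not password_is_strong(new_password):
            return False
        self._admin_salt = os.urandom(16)
        self._admin_hash = _hash(new_password, self._admin_salt)
        # Disable the temporary credential permanently.
        self._setup_hash = None
        self.setup_password = None
        self.setup_complete = True
        return True


if __name__ == "__main__":
    unit = ApplianceAuth()
    first_boot = unit.setup_password
    print("first-boot password (printed on this unit's label only):", first_boot)
    print("before setup:", unit.login(first_boot))
    unit.complete_setup(first_boot, "Correct-Horse-Battery-9")
    print("setup password after setup:", unit.login(first_boot))
    print("new admin password:", unit.login("Correct-Horse-Battery-9"))
```

The design choice worth noting is that the setup credential is never a fallback: once setup completes or the window expires, the only way back in is the operator's chosen password or a physical reset. A shared "recovery" password would reintroduce exactly the weakness the advisory describes.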
The Mitre Corporation, which runs the CVE programme and maintains the Common Weakness Enumeration (CWE) catalogue, highlights two potential consequences of using hard-coded passwords in its CWE entries on hard-coded credentials.
"If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question," it warned. "Any user of the product that hard codes passwords may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple."
Static credentials can also expose resources or functionality to "unintended actors", giving attackers a chance to read sensitive information or execute arbitrary code with the privileges of the built-in account.
"If the password is ever discovered or published (a common occurrence on the internet), then anybody with knowledge of this password can access the product," the Mitre Corporation warned. "Finally, since all installations of the product will have the same password, even across different organizations, this enables massive attacks such as worms to occur."
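Mitre's point that "the extraction of a password from a binary is usually very simple" can be shown concretely. The following is an added example, not code from Mitre, Cisco or any product: a `strings(1)`-style sweep over a binary image that flags candidate embedded credentials using two heuristics, a key=value pair whose key names a secret, and a bare token whose Shannon entropy is high enough to be a generated secret. `SAMPLE_IMAGE` is a constructed blob with two planted secrets among ordinary strings and binary noise; the key names, thresholds and string values are the author's assumptions.

```python
import math
import re
import struct

# Added illustration: a strings(1)-style sweep of a binary image for
# embedded credentials. SAMPLE_IMAGE is a constructed blob, not a real
# firmware image, with one planted key=value secret and one planted
# high-entropy token among ordinary strings and binary noise.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + struct.pack("<IIQ", 1, 2, 0x400000)
    + b"usage: fwctl [options]\x00"
    + b"Connection refused\x00"
    + b"cli_user=svc-diag\x00"
    + b"cli_pass=Xk9!vQ2#mR7pLw\x00"    # planted: keyed secret
    + b"\x00\xff\x10" * 20
    + b"/etc/fw/config.db\x00"
    + b"q7Zt2Nv8Kp4Xw1Lm9Rs3Yb6H\x00"   # planted: bare token
    + b"0000000000000000\x00"
)

MIN_STRING_LEN = 6
ENTROPY_THRESHOLD = 4.0  # bits per byte; an assumed cut-off, tune per image
SECRET_KEY = re.compile(rb"(?i)(pass(word|wd)?|pwd|secret|token|api[_-]?key)")
KEY_VALUE = re.compile(rb"^([A-Za-z_][A-Za-z0-9_.-]*)\s*[=:]\s*(\S+)$")
TOKEN_LIKE = re.compile(rb"[A-Za-z0-9+/_.\-]{16,}")


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Runs of printable ASCII with their offsets, like strings(1)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group(0)) for m in re.finditer(pat, blob)]


def shannon_entropy(s: bytes) -> float:
    """Bits of entropy per byte of s (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(b) for b in set(s)))


def find_credential_candidates(blob: bytes):
    """Flag strings that look like embedded credentials.

    Heuristic 1: key=value (or key: value) where the key names a secret.
    Heuristic 2: a bare token-like string, not a path, whose entropy is high
    enough to be a generated secret rather than a message or a filename.
    """
    findings = []
    for offset, s in extract_strings(blob):
        kv = KEY_VALUE.match(s)
        if kv and SECRET_KEY.search(kv.group(1)):
            findings.append({
                "kind": "keyed", "offset": offset,
                "key": kv.group(1).decode(), "value": kv.group(2).decode(),
                "entropy": round(shannon_entropy(kv.group(2)), 2),
            })
        elif TOKEN_LIKE.fullmatch(s) and not s.startswith(b"/"):
            ent = shannon_entropy(s)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({
                    "kind": "high-entropy", "offset": offset,
                    "key": None, "value": s.decode(), "entropy": round(ent, 2),
                })
    return findings


if __name__ == "__main__":
    for f in find_credential_candidates(SAMPLE_IMAGE):
        print(f"0x{f['offset']:06x} {f['kind']:13} {f['key'] or '-':10} "
              f"{f['value']} ({f['entropy']} bits)")
```

Run against a real image, the same sweep is what a reviewer, or an attacker, does in minutes with `strings` and a grep; the entropy cut-off is the only tunable, and a low-entropy string such as the all-zero placeholder above is deliberately ignored. The defensive lesson is the one the advisory makes: a secret that exists in the image at all is recoverable, so the fix is not obfuscation but removing static credentials from the build.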