Attackers can gain access to various systems by using built-in default usernames and passwords.
Description
A malicious attacker can gain access to various system accounts by using built-in default usernames and passwords. This vulnerability requires a low skill set to exploit and could allow an attacker to manipulate systems and shut them down.
For example, an attacker can gain access to a default account by using telnet to reach a system. Once the telnet session is established, the attacker can log in with the username and password assigned to the default account and gain unauthorized access to the hardware or software under attack.
Warning Indicators
System logs and user account histories may show signs of unusual activity in these accounts.
IntelliShield Analysis
Products usually ship from the vendor with default or sample accounts and passwords already installed before the customer receives them.
TruSecure recommends that System Administrators (SAs) check whether these default accounts exist and either remove them or change their passwords immediately. Some of these accounts are set up for maintenance, for performing system checks, and for servicing the equipment. SAs should check with their vendor and refer to their service contracts for the existence and use of these accounts.
The default accounts and passwords are widely known, and many are published on various websites. Often these accounts carry root permissions, as those permissions are required to perform system servicing.
These accounts have been used repeatedly by attackers to access systems.
Vendor Announcements
There are no vendor announcements.
Impact
The ultimate impact of this vulnerability depends on which systems an attacker has accessed and the level of permission used in the attacks. System Administrators commonly change default passwords before putting products into service.
Failure to remove these accounts completely, especially those with root-level access, could result in total compromise of the system. If an attacker gains root access to vital corporate information or networks, exploitation of such a vulnerability may allow networks to be disabled, leaving companies unable to carry on everyday operations.
Technical Information
Generally, these default accounts are used for customer support in emergency situations, for example when a customer has forgotten the administrative or root account password.
Administrators can ask the vendor which default or sample accounts are pre-installed in the system and question whether these accounts are necessary. They can then set up new accounts with only the permissions required, to prevent such attacks.
If these accounts cannot be removed from the system, System and Network Administrators should closely monitor these accounts.
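The two recommendations above, checking whether default accounts exist (and in what state) and monitoring logins to the ones that cannot be removed, can be scripted. The following is an added example, not code from the bulletin or from Cisco; the default account list, the /etc/passwd and /etc/shadow excerpts and the sshd log lines are constructed sample data, and a real audit would take the account list from the vendor's documentation or service contract.

```python
"""Audit a host for known default or sample accounts and scan sshd logs for
logins to them. Added example; all account names, passwd/shadow excerpts and
log lines below are constructed sample data, not from the bulletin."""
import re

# Constructed list of vendor/sample account names (assumption: a real audit
# takes this list from the vendor documentation or service contract).
DEFAULT_ACCOUNTS = {"admin", "guest", "service", "support", "test"}

# Constructed /etc/passwd and /etc/shadow excerpts.
PASSWD = """root:x:0:0:root:/root:/bin/bash
service:x:0:0:vendor service:/root:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
test:x:1002:1002::/home/test:/usr/sbin/nologin
alice:x:1003:1003::/home/alice:/bin/bash"""
SHADOW = """root:$6$salt$hash:19000:0:99999:7:::
service:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
test:!:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::"""

def audit_default_accounts(passwd_text, shadow_text, defaults=DEFAULT_ACCOUNTS):
    """Return {name: [findings]} for each default account present on the host."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines())
    report = {}
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if name not in defaults:
            continue
        pw = shadow.get(name, "")
        findings = []
        if uid == "0":
            findings.append("uid 0 (root-equivalent)")
        if pw == "":
            findings.append("empty password")
        elif pw.startswith(("!", "*")):
            findings.append("locked")  # acceptable when removal is not possible
        if not shell.endswith(("nologin", "false")):
            findings.append("interactive shell")
        report[name] = findings
    return report

# Constructed sshd auth log lines (203.0.113.0/24 is a documentation range).
AUTH_LOG = """Mar  3 02:14:07 host sshd[811]: Accepted password for service from 203.0.113.9 port 51022 ssh2
Mar  3 02:15:11 host sshd[815]: Failed password for guest from 203.0.113.9 port 51030 ssh2
Mar  3 09:01:44 host sshd[902]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2"""
LOGIN_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+)")

def default_account_logins(log_text, defaults=DEFAULT_ACCOUNTS):
    """Return (result, user, source) for each sshd auth event on a default account."""
    return [m.groups() for m in map(LOGIN_RE.search, log_text.splitlines())
            if m and m.group(2) in defaults]
```

Any account the audit reports with "uid 0", "empty password" or "interactive shell" should be removed or locked; any event the log scan returns for an account that must stay warrants review against the vendor's service schedule.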
Safeguards
When negotiating new system and service agreements, ensure that you know what accounts and level of access are required for services.
Administrators should remove any default or sample accounts at installation.
Patches/Software
There are no patches available.
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
The security vulnerability applies to the following combinations of products.
Primary Products:
IntelliShield
Security Activity Bulletin
Original Release Base
Associated Products:
N/A
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.