A vulnerability in the Cisco Mobility Services Engine (MSE) could allow an unauthenticated, remote attacker to log in to the MSE with the default oracle account. This account does not have full administrator privileges. The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system. An attacker could exploit this vulnerability by remotely connecting to the affected system via SSH using this account. A successful exploit could allow the attacker to log in to the MSE using the default oracle account. Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-mse-cred
[mse]# getserverinfo
Health Monitor is running
Retrieving MSE Services status.
MSE services are up, getting the status
-------------
Server Config
-------------
Product name: Cisco Mobility Service Engine
Version: 8.0.120.1
Health Monitor Ip Address: 1.1.1.1
High Availability Role: 1
Hw Version: V01
Hw Product Identifier: AIR-MSE-3365-K9
Hw Serial Number: FCH1841V0YL
[mse]# cmxctl version
----------------------------------------------------------------------
Build Version : 10.2.0
Build Time : 2015-10-19 11:20:06.632222
----------------------------------------------------------------------
mse> grep "user oracle" /var/log/secure* | grep "sshd:session"
DenyUsers oracle
ssh -l oracle
ssh -l root
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.0 | Initial public release. | - | Final | 2015-November-04 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.