Essential Guide

Formulating and managing online identity and access control

A comprehensive collection of articles, videos and more, hand-picked by our editors
Q

Cisco TelePresence vulnerability: Mitigate default credentials issues

Network security expert Brad Casey discusses how to mitigate the vulnerability found in Cisco's TelePresence system triggered by default credentials.

A serious vulnerability was recently found in Cisco Systems Inc.'s TelePresence systems that could be triggered due to default credentials being left in place after system setup. Could you provide some security best practices that enterprises could implement for such systems, particularly in regard to the use of unique credentials?

Ask the Expert

Do you have a network security question for our expert? Submit it now via email! (All questions are anonymous)

This was a profound vulnerability, to say the least. Upon installation of the Cisco TelePresence software, an account is created with a default username and password. If an attacker with knowledge of default Cisco usernames and passwords connected to the Cisco TelePresence Web server, they would have administrative access to the system; at that point, the attacker would "own the box."

While a fix -- Cisco TelePresence System Software Release version 1.10.2 -- has been released, some older systems may not support the upgrade. In this case, Cisco recommends that customers:

  • Connect to the system.
  • Proceed to Cisco Unified CM Administration.
  • Select Device > Phone.
  • Search, and select the configured Cisco TelePresence unit.
  • Under the SSH information, change the username helpdesk to pwrecovery, then change the password.

In terms of best practices, the one I think is the most important, yet is overlooked, is that of default usernames and passwords -- especially if you have any Cisco devices within your infrastructure. It is critical to learn the default accounts that are on your network devices and change them. This is such a simple step -- and it's just a matter of adding an item to your setup checklist and knowing what those default credentials are -- but I am amazed at how often it is unheeded.

This was first published in April 2014

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Essential Guide

Formulating and managing online identity and access control

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close