February 14, 2005
Cisco security [ Software ]
There's a good article on Cisco's latest security vulnerability on attrition.org. In a nutshell, Cisco has IP-based videoconferencing phones that ship with a hard-coded SNMP community string turned on by default. That may be convenient for administration, but it is bad bad bad bad bad for security: anyone who learns the string can talk SNMP to the phone, and since the string can't be changed there is no way to lock them out again short of keeping SNMP traffic away from the device entirely. Like the article says, no network equipment vendor should be shipping devices with a default SNMP string turned on, let alone a hard-coded one that can't be changed. This isn't entirely Cisco's fault; these products came to them via an acquisition. But one wonders why you wouldn't run a security audit and fix these sorts of problems before you slap your corporate logo on a product.
Cisco's response is interesting, in that they WILL NOT provide any fix for this issue, but say to either block SNMP traffic to these devices or buy new devices to replace them. Note that a filter at a router or firewall only stops hosts on the far side of it; anything on the same segment as the phones can still reach them. I have to say that I agree with the article's stance, that this is not the way to handle a vulnerable product. Unfortunately, Cisco is not very good at handling these sorts of issues with recently-acquired products.
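The quickest way to find out whether something on your own network answers to a default community string is to ask it. The script below is an added example, not code from the attrition.org article or from Cisco: a standard-library-only Python SNMPv1 probe that sends a GetRequest for sysDescr.0 with each candidate string and reports the first one that gets a GetResponse back. The candidate list and the host in the usage comment are assumptions; the post does not give the actual string. An SNMPv1 agent silently drops a request whose community it does not recognise, so a timeout is the normal result for a wrong guess.

```python
"""SNMPv1 default-community probe (added example; assumes hypothetical hosts)."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: a harmless read-only object


# --- BER encoding ---------------------------------------------------------
def ber_len(n: int) -> bytes:
    """Length octets in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (version, request-id, error fields)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def _subid(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = _subid(arcs[0] * 40 + arcs[1]) + b"".join(_subid(a) for a in arcs[2:])
    return tlv(0x06, body)


def encode_message(pdu_tag: int, community: str, request_id: int, varbinds) -> bytes:
    """SNMPv1 message; varbinds is a list of (oid string, already-encoded value TLV)."""
    vb = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vb))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    return encode_message(0xA0, community, request_id, [(oid, b"\x05\x00")])  # NULL value


# --- BER decoding ---------------------------------------------------------
def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(s) for s in head + subids[1:])


def decode_value(tag: int, content: bytes):
    if tag == 0x02:
        return int.from_bytes(content, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):      # Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(content, "big")
    if tag == 0x04:
        return content.decode("ascii", "replace")
    if tag == 0x06:
        return decode_oid(content)
    return None if tag == 0x05 else content.hex()


def parse_message(data: bytes) -> dict:
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = ber_read(msg)
    _, community, pos = ber_read(msg, pos)
    pdu_tag, pdu, _ = ber_read(msg, pos)
    _, req_id, pos = ber_read(pdu)
    _, err_status, pos = ber_read(pdu, pos)
    _, _err_index, pos = ber_read(pdu, pos)
    _, vblist, _ = ber_read(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = ber_read(vblist, pos)
        _, oid, p = ber_read(vb)
        vtag, val, _ = ber_read(vb, p)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {"pdu_tag": pdu_tag, "community": community.decode("ascii", "replace"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "varbinds": varbinds}


# --- network probe --------------------------------------------------------
def probe(host: str, community: str, timeout: float = 2.0):
    """One GetRequest for sysDescr.0; None on silence (wrong community) or a bad reply."""
    req = build_get_request(community, request_id=0x5A5A)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_message(data)
    if resp["pdu_tag"] != 0xA2 or resp["request_id"] != 0x5A5A or resp["error_status"]:
        return None
    return resp


def find_open_community(host: str, candidates=("public", "private")):
    """(community, sysDescr) for the first candidate the agent answers, else None."""
    for c in candidates:               # candidate list is an assumption, not from the post
        r = probe(host, c)
        if r:
            return c, r["varbinds"][0][1]
    return None


if __name__ == "__main__":
    print(find_open_community("192.0.2.10"))   # hypothetical phone address
```

Run it only against equipment you own or are authorised to test. The hosts that answer are the ones to put behind a filter on UDP/161 or to retire, and since SNMPv1 identifies the requester by nothing but the community string, a filter is the only thing standing between the phone and anyone who can route a packet to it.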
Posted by edobbs at February 14, 2005 09:52 AM
Original content copyright ©1995-2006 Eric Dobbs, except where otherwise noted.
