lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Mar 2019 18:06:50 -0400
From: David Coomber <>
Subject: Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)

Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)


"The Cisco Common Service Platform Collector (CSPC) is an SNMP-based
tool that discovers and collects information from the Cisco devices
installed on your network. The CSPC software provides an extensive
collection mechanism to gather various aspects of customer device
data. Information gathered by the collector is used by several Cisco
Service offers, such as Smart Net Total Care, Partner Support Service,
and Business Critical Services. The data is used to provide inventory
reports, product alerts, configuration best practices, technical
service coverage, lifecycle information, and many other detailed
reports and analytics for both the hardware and operating system (OS)



The Cisco Common Service Platform Collector (version 2.7.2 through and all releases of 2.8.x prior to contains hardcoded


An attacker able to access the collector via SSH or console could use
the hardcoded credentials to gain a shell on the system and perform a
range of attacks.


February 14, 2019 - Notified Cisco via
February 14, 2019 - Cisco assigned a case number
February 18, 2019 - Cisco confirmed the vulnerability
February 20, 2019 - Cisco provided a tentative 60 day resolution timeline
February 21, 2019 - Provided comments on the proposed timeline
March 11, 2019 - Cisco advised that the issue has been resolved and
that a security advisory will be published on March 13, 2019


Upgrade to Common Service Platform Collector or later
Upgrade to Common Service Platform Collector or later


Thanks to the Cisco PSIRT for their timely response

Powered by blists - more mailing lists