Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723) -- https://www.info-sec.ca/advisories/Cisco-Collector.html Overview "The Cisco Common Service Platform Collector (CSPC) is an SNMP-based tool that discovers and collects information from the Cisco devices installed on your network. The CSPC software provides an extensive collection mechanism to gather various aspects of customer device data. Information gathered by the collector is used by several Cisco Service offers, such as Smart Net Total Care, Partner Support Service, and Business Critical Services. The data is used to provide inventory reports, product alerts, configuration best practices, technical service coverage, lifecycle information, and many other detailed reports and analytics for both the hardware and operating system (OS) software." (https://www.cisco.com/c/en/us/support/cloud-systems-management/common-services-platform-collector-cspc/products-installation-guides-list.html) Issue The Cisco Common Service Platform Collector (version 2.7.2 through 2.7.4.5 and all releases of 2.8.x prior to 2.8.1.2) contains hardcoded credentials. Impact An attacker able to access the collector via SSH or console could use the hardcoded credentials to gain a shell on the system and perform a range of attacks. Timeline February 14, 2019 - Notified Cisco via psirt@xxxxxxxxx February 14, 2019 - Cisco assigned a case number February 18, 2019 - Cisco confirmed the vulnerability February 20, 2019 - Cisco provided a tentative 60 day resolution timeline February 21, 2019 - Provided comments on the proposed timeline March 11, 2019 - Cisco advised that the issue has been resolved and that a security advisory will be published on March 13, 2019 Solution Upgrade to Common Service Platform Collector 2.7.4.6 or later Upgrade to Common Service Platform Collector 2.8.1.2 or later https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv Acknowledgements Thanks to the Cisco PSIRT for their timely response