[c-nsp] Cisco Security Advisory: Cisco Mobility Services Engine Static Credential Vulnerability

Cisco Systems Product Security Incident Response Team psirt at cisco.com
Wed Nov 4 11:06:57 EST 2015



Cisco Mobility Services Engine Static Credential Vulnerability

Advisory ID: cisco-sa-20151104-mse-cred

Revision 1.0

For Public Release 2015 November 4 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the Cisco Mobility Services Engine (MSE) could 
allow an unauthenticated, remote attacker to log in to the MSE with 
the default oracle account. This account does not have full administrator 
privileges.

The vulnerability is due to a user account that has a default and static 
password. This account is created at installation and cannot be changed 
or deleted without impacting the functionality of the system. An attacker 
could exploit this vulnerability by remotely connecting to the affected 
system via SSH using this account. A successful exploit could allow the 
attacker to log in to the MSE using the default oracle account.

Cisco has released software updates that address this vulnerability. A 
workaround that mitigates this vulnerability is available.

This advisory is available at the following link: 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-mse-cred

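
The advisory says the static oracle account is reachable over SSH. The following is an added example, not part of the Cisco advisory or any Cisco tooling: it scans sshd log lines for logins to that account and flags those from outside a management network. The standard OpenSSH syslog line format, the sample log lines and the trusted_nets allowlist are assumptions.

```python
import ipaddress
import re

# Assumption: the appliance forwards standard OpenSSH sshd syslog lines.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines (documentation address ranges), not real MSE output.
SAMPLE_LOG = """\
Nov  4 16:02:11 mse1 sshd[4121]: Accepted password for oracle from 192.0.2.10 port 50514 ssh2
Nov  4 16:05:40 mse1 sshd[4188]: Failed password for oracle from 203.0.113.77 port 41822 ssh2
Nov  4 16:05:49 mse1 sshd[4188]: Accepted password for oracle from 203.0.113.77 port 41822 ssh2
Nov  4 16:09:03 mse1 sshd[4250]: Accepted publickey for admin from 198.51.100.5 port 60022 ssh2
Nov  4 16:11:30 mse1 sshd[4302]: Failed password for invalid user oracle1 from 203.0.113.77 port 41901 ssh2
"""

def find_static_account_logins(log_text, account="oracle", trusted_nets=("192.0.2.0/24",)):
    """Return sshd events for `account`, graded by source network.

    trusted_nets is a hypothetical management-network allowlist.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m.group("user") != account or m.group("invalid"):
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            # Source logged as a hostname: cannot be matched, so treat as untrusted.
            src = None
        trusted = src is not None and any(src in n for n in nets)
        success = m.group("result") == "Accepted"
        # A successful login from outside the allowlist is the case the advisory describes.
        severity = "alert" if success and not trusted else "review" if not trusted else "info"
        events.append({"src": m.group("src"), "success": success, "severity": severity})
    return events

if __name__ == "__main__":
    for event in find_static_account_logins(SAMPLE_LOG):
        print(event)
```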

