[cisco-voip] CUCM and Auto Fill Credentials

Anthony Holloway avholloway+cisco-voip at gmail.com
Wed Mar 14 21:49:49 EDT 2018


I'm working on something, and was wondering if you could check something
for me, so I can better understand why and how often this is happening.

So, I was looking at a phone config file today, and I noticed the ccmadmin
username and password were in the XML, and in plain text nonetheless.

I found out that the browser, when told to remember your credentials, will
treat the SSH username/password fields as login fields whenever you modify
a phone, and you might be unknowingly saving your credentials for clear text
view by unauthenticated users.

Is anyone already aware of this?

You could run the following command on your clusters:

*run sql select name, sshuserid from device where sshuserid is not null and
sshuserid <> ""*

Then in the output, if there are any hits, look at the config XML file for
the phone and see if the passwords are there.

E.g.,

output might be:

*SEP6899CD84B710 aholloway*

So then you would navigate your browser to:

*http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*

You then might have to view the HTML source of the page, because the
browser might mess up the output.

You're then looking for the following two fields; your results will vary:

*<sshUserId>aholloway</sshUserId>*
*<sshPassword>MyP@ssw0rd</sshPassword>*

Then, since we now know it's happening, get a list of how many different
usernames you have with this command:

*run sql select distinct sshuserid from device where sshuserid is not null
and sshuserid <> "" order by sshuserid*

This could also be happening with Energy Wise settings, albeit not on the
same web pages.

I'm curious about two things:

1) Is it even happening outside of my limited testing scenarios?
2) How many different usernames and passwords were there?

If the answers are yes, and 1 or more, then this is an issue Cisco should
address.

The reason it's happening is that the way in which browsers identify
login forms is different from the way in which web developers understand
it to work.  Cisco uses the element attribute on these fields "autocomplete
= false" and unfortunately, most browsers ignore that directive.

I have noticed that this does not happen if you have more than 1 saved
password for the same site; rather, it will only happen if you use the same
login for the entire site.  Our highest chance of seeing this happen is
for operations teams where they log in with their own accounts, and do not
use DRS or OS Admin.
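
An added example, not part of the original post and not Cisco code: the manual check described above (fetch each flagged phone's config XML, look for sshUserId and sshPassword, count distinct usernames) written as a Python audit helper that reports only whether a password is present. The device names and XML in SAMPLE_CONFIGS are constructed and simplified, and the function names are hypothetical; only the URL form and the two element names come from the post.

```python
import urllib.request
import xml.etree.ElementTree as ET


def fetch_config(tftp_server, device):
    """Fetch <device>.cnf.xml over HTTP port 6970 (URL form taken from the post)."""
    url = f"http://{tftp_server}:6970/{device}.cnf.xml"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def find_ssh_credentials(xml_text):
    """Return {'user', 'password_present'} if either field is populated, else None."""
    root = ET.fromstring(xml_text)
    user = (root.findtext(".//sshUserId") or "").strip()
    password = (root.findtext(".//sshPassword") or "").strip()
    if not user and not password:
        return None
    # Report only that a password exists; never echo the value itself.
    return {"user": user, "password_present": bool(password)}


def audit(configs):
    """configs: device name -> config XML. Returns (exposed devices, distinct users)."""
    exposed = {}
    for device, xml_text in configs.items():
        hit = find_ssh_credentials(xml_text)
        if hit:
            exposed[device] = hit
    users = sorted({h["user"] for h in exposed.values() if h["user"]})
    return exposed, users


# Constructed sample configs (simplified; real files carry many more elements).
SAMPLE_CONFIGS = {
    "SEP000000000001": "<device><sshUserId>aholloway</sshUserId>"
                       "<sshPassword>example-password</sshPassword></device>",
    "SEP000000000002": "<device><sshUserId></sshUserId><sshPassword></sshPassword></device>",
    "SEP000000000003": "<device><vendorConfig/><sshUserId>opsadmin</sshUserId>"
                       "<sshPassword/></device>",
}

if __name__ == "__main__":
    exposed, users = audit(SAMPLE_CONFIGS)
    for device, hit in sorted(exposed.items()):
        print(device, hit["user"], "password present:", hit["password_present"])
    print(len(users), "distinct username(s):", ", ".join(users))
```

To check a live cluster, build the configs mapping by calling fetch_config for each device name returned by the first run sql query.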