[cisco-voip] CUCM and Auto Fill Credentials

Anthony Holloway avholloway+cisco-voip at gmail.com
Thu Mar 15 12:38:51 EDT 2018


It's certainly a complicated problem: .  Also, Cisco is storing the
password in the DB encrypted, as you could see by modifying the SQL query
to:

*run sql select name, sshuserid, sshpassword from device where sshuserid is
not null and sshuserid <> ''*

Which is what the defect Ryan posted is talking about, the stored encrypted
password length.

However, the TFTP files do contain the plain text credentials.  You could
encrypt your TFTP config files to protect yourself completely, but who's
doing that these days?

And lastly, like I said before, this is also happening with the Energy Wise
fields, albeit on other web pages, and those are stored in the DB in plain
text.

E.g.,

*run sql select xml from enterprisephoneconfigxml** where xml like
'%energy%'*

Output will contain the following if impacted "
<energyWiseDomain>theuser</energyWiseDomain><energyWiseSecret>thepassword</energyWiseSecret>"
which is also transmitted in plain text to phones via the phone XML config
file.

There may be others too.

On Thu, Mar 15, 2018 at 11:02 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

>
>
> Thank you very much for bring this to the group’s attention. And for
> providing some great troubleshooting steps to see whether we might be
> affected. Thanks to others for providing other information as well.
>
>
>
>
>
> On the one hand, I see it being a browser issue – autocompleting when it
> shouldn’t (although you’re asked at least once, are you not?) and ignoring
> the autocomplete=false…. But…
>
>
>
> Should Cisco really be storing passwords in clear text anywhere?
>
>
>
>
>
>
>
>
>
> ---
>
> *Lelio Fulgenzi, B.A.* | Senior Analyst
>
> Computing and Communications Services | University of Guelph
>
> Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON |
> N1G 2W1
>
> 519-824-4120 Ext. 56354 <(519)%20824-4120> | lelio at uoguelph.ca
>
>
>
> www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook
>
>
>
> [image: image001.png]
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Anthony Holloway
>
> *Sent:* Wednesday, March 14, 2018 9:50 PM
>
>
> *To:* Cisco VoIP Group <cisco-voip at puck.nether.net>
> *Subject:* [cisco-voip] CUCM and Auto Fill Credentials
>
>
>
> I'm working on something, and was wondering if you could check something
> for me, so I can better understand why and how often this is happening.
>
>
>
> So, I was looking at phone config file today, and I noticed the ccmadmin
> username and password was in the XML, and in plain text nonetheless.
>
>
>
> I found out that the browser, when told to remember your credentials, will
> treat the SSH username/password fields as login fields whenever you modify
> a phone, and you might be unknowingly save your credentials for clear text
> view by unauthenticated users.
>
>
>
> Is anyone already aware of this?
>
>
>
> You could you run the following command on your clusters:
>
>
>
> *run sql select name, sshuserid from device where sshuserid is not null
> and sshuserid <> ""*
>
>
>
> Then in the output, if there are any hits, look at the config XML file for
> the phone and see if the passwords are there.
>
>
>
> E.g.,
>
>
>
> output might be:
>
>
>
> *SEP6899CD84B710** aholloway*
>
>
>
> So then you would navigate your browser to:
>
>
>
> *http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml
> <http://%3ctftpserver%3e:6970/SEP6899CD84B710.cnf.xml>*
>
>
>
> You then might have to view the HTML source of the page, because the
> browser might mess up the output.
>
>
>
> You're then looking for the following two fields, your results will vary:
>
>
>
> *<sshUserId>aholloway</sshUserId>*
>
> *<sshPassword>MyP at ssw0rd</sshPassword>*
>
>
>
> Then, since we now know it's happening, get list of how many different
> usernames you have with this command:
>
>
>
> *run sql select distinct sshuserid from device where sshuserid is not null
> and sshuserid <> "" order by sshuserid*
>
>
>
> This could also be happening with Energy Wise settings, albeit not on the
> same web pages.
>
>
>
> I'm curious about two things:
>
>
>
> 1) Is it even happening outside of my limited testing scenarios?
>
> 2) How many different usernames and passwords were there?
>
>
>
> If the answers are yes, and 1 or more, then this is an issue Cisco should
> address.
>
>
>
> The reason it's happening is because the way in which browsers identify
> login forms, is different from the way in which web developers understand
> it to work.  Cisco uses the element attribute on these fields "autocomplete
> = false" and unfortunately, most browser ignore that directive.
>
>
>
> I have noticed that this does not happen, if you have more than 1 saved
> password for the same site, rather it will only happen if you use the same
> login for the entire site.  Our highest chance of seeing this happen are
> for operations teams where they login with their own accounts, and do not
> use DRS or OS Admin.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180315/19870409/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180315/19870409/attachment.png>


More information about the cisco-voip mailing list