<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
With respect to storing passwords, the intent for the ssh username/password field for IP phones is something that was generally not considered very sensitive info. The separation of ssh credentials from enabling SSH was also done to help mitigate the fact that
this info is available to anyone by default.
<div class=""><br class="">
</div>
<div class="">For TP endpoints, while their admin credentials can be configured in UCM, the endpoint ignores that setting unless the TFTP config file is encrypted, for just this reason. </div>
<div class=""><br class="">
</div>
<div class="">With respect to the fix in 12.0, I haven’t figured that out just yet. The id and name attributes on the HTML inputs are different, but both have type “password”. Personally I can’t imagine why the browser would think a stored credential from one
html element should be autofilled into an entirely different field, but I guess the browser is trying to be helpful.</div>
<div class=""><br class="">
</div>
<div class="">The only big difference I can see in 12.0 is the proper use of tags in the input and labels associated with them. </div>
<div class="">10.5</div>
<div class="">
<div class=""></div>
<blockquote type="cite" class="">
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;td&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;label for="SSHPASSWORD"&gt;Secure Shell Password &lt;/label&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/td&gt;</div>
<div class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>&lt;td&gt;</div>
<div class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>&lt;input autocomplete="off" id="SSHPASSWORD" name="sshpassword" maxlength="200" size="50" value="" onchange="issshpasswordValid(this)" type="password"&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/td&gt;</div>
</blockquote>
</div>
<div class=""><br class="">
</div>
<div class="">12.x</div>
<div class="">
<div class=""></div>
</div>
<blockquote type="cite" class="">
<div class="">
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;td&gt;</div>
<div class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>&lt;label id="SSHPASSWORD_ID" for="SSHPASSWORD"&gt;Secure Shell Password &lt;/label&gt;</div>
<div class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>&lt;/td&gt;</div>
<div class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>&lt;td&gt;</div>
<div class=""> <span class="Apple-tab-span" style="white-space:pre"> </span>&lt;input autocomplete="off" id="SSHPASSWORD" name="sshpassword" maxlength="288" size="50" value="" onchange="issshpasswordValid(this)" type="password"&gt;</div>
</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/td&gt;</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Not a ton of changes between those two. The maxlength change is directly from the defect I cited earlier. </div>
<div class=""><br class="">
</div>
<div class="">For the login it seems to be unchanged from 10.5 to 12.x.</div>
<div class="">
<div class=""></div>
<blockquote type="cite" class="">
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;tr&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;td class="cuesLoginField"&gt;Password&lt;/td&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/tr&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;tr&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;td class="cuesLoginField"&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;input size="20" autocomplete="off" name="j_password" maxlength="128" type="password"&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/td&gt;</div>
<div class=""><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/tr&gt;</div>
</blockquote>
</div>
<div class=""><br class="">
</div>
<div class="">I’m not an expert in HTML autocomplete, so it’s going to take some more testing to figure out exactly why the login credentials aren’t auto-filled in this field any longer.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">-Ryan </div>
<div><br class="">
<div class="">On Mar 15, 2018, at 9:38 AM, Anthony Holloway &lt;<a href="mailto:avholloway+cisco-voip@gmail.com" class="">avholloway+cisco-voip@gmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">It's certainly a complicated problem: . Also, Cisco is storing the password in the DB encrypted, as you could see by modifying the SQL query to:
<div class=""><br class="">
</div>
<div class=""><b class=""><font face="monospace" class="">run sql select name, sshuserid, sshpassword from device where sshuserid is not null and sshuserid &lt;&gt; ''</font></b></div>
<div class=""><br class="">
</div>
<div class="">Which is what the defect Ryan posted is talking about, the stored encrypted password length.</div>
<div class=""><br class="">
</div>
<div class="">However, the TFTP files do contain the plain text credentials. You could encrypt your TFTP config files to protect yourself completely, but who's doing that these days?</div>
<div class=""><br class="">
</div>
<div class="">And lastly, like I said before, this is also happening with the Energy Wise fields, albeit on other web pages, and those are stored in the DB in plain text.</div>
<div class=""><br class="">
</div>
<div class="">E.g.,</div>
<div class=""><br class="">
</div>
<div class=""><b class=""><font face="monospace" class="">run sql select xml from enterprisephoneconfigxml</font></b><font face="monospace" class=""><b class=""> where xml like '%energy%'</b></font><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Output will contain the following if impacted "<font face="monospace" class="">&lt;energyWiseDomain&gt;theuser&lt;/energyWiseDomain&gt;&lt;energyWiseSecret&gt;thepassword&lt;/energyWiseSecret&gt;</font>" which is also transmitted in plain text to phones via the phone
XML config file.</div>
<div class=""><br class="">
</div>
<div class="">There may be others too.</div>
<div class=""><br class="">
<div class="gmail_quote">
<div dir="ltr" class="">On Thu, Mar 15, 2018 at 11:02 AM Lelio Fulgenzi &lt;<a href="mailto:lelio@uoguelph.ca" class="">lelio@uoguelph.ca</a>&gt; wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal">Thank you very much for bringing this to the group’s attention. And for providing some great troubleshooting steps to see whether we might be affected. Thanks to others for providing other information as well.<u class=""></u><u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal">On the one hand, I see it being a browser issue – autocompleting when it shouldn’t (although you’re asked at least once, are you not?) and ignoring the autocomplete=false…. But…<u class=""></u><u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal">Should Cisco really be storing passwords in clear text anywhere?<u class=""></u><u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class="">---<u class=""></u><u class=""></u></span></p>
<p class="MsoNormal"><b class=""><span style="font-family:"Arial",sans-serif" class="">Lelio Fulgenzi, B.A.</span></b><span style="font-family:"Arial",sans-serif" class=""> | Senior Analyst<u class=""></u><u class=""></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#333333" class="">Computing and Communications Services</span><span style="font-family:"Arial",sans-serif" class=""> | University of Guelph<u class=""></u><u class=""></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class="">Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<u class=""></u><u class=""></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class=""><a href="tel:(519)%20824-4120" value="+15198244120" target="_blank" class="">519-824-4120 Ext. 56354</a> |
<a href="mailto:lelio@uoguelph.ca" target="_blank" class=""><span style="color:#0563c1" class="">lelio@uoguelph.ca</span></a><u class=""></u><u class=""></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<p class="MsoNormal"><a href="http://www.uoguelph.ca/ccs" target="_blank" class=""><span style="font-family:"Arial",sans-serif;color:blue" class="">www.uoguelph.ca/ccs</span></a><span style="font-family:"Arial",sans-serif;color:#1f497d" class=""> | @UofGCCS
on Instagram, Twitter and Facebook<u class=""></u><u class=""></u></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><br class="webkit-block-placeholder">
</div>
<div class=""><br class="webkit-block-placeholder">
</div>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><br class="webkit-block-placeholder">
</div>
</div>
</div>
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<p class="MsoNormal"><b class="">From:</b> cisco-voip [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank" class="">cisco-voip-bounces@puck.nether.net</a>]
<b class="">On Behalf Of </b>Anthony Holloway<br class="">
</p>
</div>
</div>
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<p class="MsoNormal"><b class="">Sent:</b> Wednesday, March 14, 2018 9:50 PM</p>
</div>
</div>
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<p class="MsoNormal"><br class="">
<b class="">To:</b> Cisco VoIP Group &lt;<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a>&gt;<br class="">
<b class="">Subject:</b> [cisco-voip] CUCM and Auto Fill Credentials<u class=""></u><u class=""></u></p>
</div>
</div>
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<div class=""><br class="webkit-block-placeholder">
</div>
<p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.</span><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<div class="">
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">So, I was looking at phone config file today, and I noticed the ccmadmin username and password was in the XML, and in plain text nonetheless.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you
might be unknowingly saving your credentials for clear text view by unauthenticated users.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">Is anyone already aware of this?<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">You could run the following command on your clusters:<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class="">run sql select name, sshuserid from device where sshuserid is not null and sshuserid &lt;&gt; ""</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">E.g., <u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">output might be:<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New";color:#cc0000" class="">SEP6899CD84B710</span></b><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class=""> aholloway</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">So then you would navigate your browser to:<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class=""><a href="http://&lt;tftpserver&gt;:6970/SEP6899CD84B710.cnf.xml" target="_blank" class="">http://&lt;tftpserver&gt;:6970/SEP6899CD84B710.cnf.xml</a></span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">You then might have to view the HTML source of the page, because the browser might mess up the output.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">You're then looking for the following two fields, your results will vary:<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class="">&lt;sshUserId&gt;aholloway&lt;/sshUserId&gt;</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class="">&lt;sshPassword&gt;MyP@ssw0rd&lt;/sshPassword&gt;</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">Then, since we now know it's happening, get a list of how many different usernames you have with this command:<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class="">run sql select distinct sshuserid from device where sshuserid is not null and sshuserid &lt;&gt; "" order by sshuserid</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">This could also be happening with Energy Wise settings, albeit not on the same web pages.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I'm curious about two things:<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">1) Is it even happening outside of my limited testing scenarios?<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">2) How many different usernames and passwords were there?<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">If the answers are yes, and 1 or more, then this is an issue Cisco should address.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">The reason it's happening is because the way in which browsers identify login forms, is different from the way in which web developers understand it to work. Cisco uses
the element attribute on these fields "autocomplete = false" and unfortunately, most browsers ignore that directive.<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I have noticed that this does not happen, if you have more than 1 saved password for the same site, rather it will only happen if you use the same login for the entire
site. Our highest chance of seeing this happen is for operations teams where they log in with their own accounts, and do not use DRS or OS Admin.<u class=""></u><u class=""></u></span></p>
</div>
</div>
</div>
</div>
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="m_-7952912200462786579WordSection1">
<div class=""></div>
</div>
</div>
_______________________________________________<br class="">
cisco-voip mailing list<br class="">
<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a><br class="">
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank" class="">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br class="">
</blockquote>
</div>
</div>
</div>
</div>
</div>
<br class="">
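<div class="">An added example, not part of the thread and not Cisco code: a Python audit that takes phone config XML already saved locally and reports which devices carry a non-empty sshPassword or energyWiseSecret, without echoing the secret itself. The four element names are the ones quoted in the messages above; the surrounding XML structure, device names and values are constructed for illustration.</div>

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Element names quoted in the thread: (identity element, secret element).
CREDENTIAL_PAIRS = [
    ("sshUserId", "sshPassword"),
    ("energyWiseDomain", "energyWiseSecret"),
]


def find_cleartext_credentials(device_name, xml_text):
    """Return findings for one config file; secret values are never returned."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # An encrypted or truncated config will not parse as XML.
        return [{"device": device_name, "field": None, "user": None,
                 "status": "unparseable"}]
    findings = []
    for user_tag, secret_tag in CREDENTIAL_PAIRS:
        secret = next(root.iter(secret_tag), None)
        if secret is None or not (secret.text or "").strip():
            continue  # element absent or empty: nothing exposed
        user = next(root.iter(user_tag), None)
        findings.append({
            "device": device_name,
            "field": secret_tag,
            "user": (user.text or "").strip() if user is not None else "",
            "status": "cleartext",
        })
    return findings


def audit(configs):
    """configs maps device name -> config XML text. Returns (findings, users)."""
    findings = []
    devices_by_user = defaultdict(set)
    for name, text in sorted(configs.items()):
        for f in find_cleartext_credentials(name, text):
            findings.append(f)
            if f["status"] == "cleartext" and f["field"] == "sshPassword":
                devices_by_user[f["user"]].add(name)
    return findings, {u: sorted(d) for u, d in devices_by_user.items()}


# Constructed sample configs; only the four element names come from the thread.
SAMPLE_CONFIGS = {
    "SEP000000000001": "<device><sshUserId>aholloway</sshUserId>"
                       "<sshPassword>example-secret</sshPassword></device>",
    "SEP000000000002": "<device><sshUserId></sshUserId>"
                       "<sshPassword></sshPassword></device>",
    "SEP000000000003": "<device><section><energyWiseDomain>theuser"
                       "</energyWiseDomain><energyWiseSecret>example-secret"
                       "</energyWiseSecret></section></device>",
    "SEP000000000004": "not xml: stands in for an encrypted config file",
}

if __name__ == "__main__":
    findings, users = audit(SAMPLE_CONFIGS)
    for f in findings:
        print(f["device"], f["status"], f["field"], f["user"])
    print("distinct SSH usernames exposed:", sorted(users))
```

<div class="">The per-username device map answers the thread's second question (how many different usernames are affected) and gives the list of accounts whose passwords need rotating after the fields are cleared.</div>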
</body>
</html>