
<html>


<head>


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">


</head>


<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">


The fix for CSCvb33351 was ported back to 11.5 but won’t be there until 11.5(1)SU5. 


<div class=""><br class="">


</div>


<div class="">


<div class="">-Ryan </div>


<div><br class="">


<div class="">On Apr 30, 2018, at 9:57 AM, Anthony Holloway <<a href="mailto:avholloway+cisco-voip@gmail.com" class="">avholloway+cisco-voip@gmail.com</a>> wrote:</div>


<br class="Apple-interchange-newline">


<div class="">


<div dir="ltr" class="">Good point.</div>


<br class="">


<div class="gmail_quote">


<div dir="ltr" class="">On Mon, Apr 30, 2018 at 8:22 AM Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" class="">lelio@uoguelph.ca</a>> wrote:<br class="">


</div>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div lang="EN-US" link="blue" vlink="purple" class="">


<div class="m_4076692036444802707WordSection1">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


<p class="MsoNormal">But, it’s not that the “endpoint is vulnerable to security breach” – it’s the whole system!<u class=""></u><u class=""></u></p>


</div>


</div>


<div lang="EN-US" link="blue" vlink="purple" class="">


<div class="m_4076692036444802707WordSection1">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class="">---<u class=""></u><u class=""></u></span></p>


<p class="MsoNormal"><b class=""><span style="font-family:"Arial",sans-serif" class="">Lelio Fulgenzi, B.A.</span></b><span style="font-family:"Arial",sans-serif" class=""> | Senior Analyst<u class=""></u><u class=""></u></span></p>


<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:#333333" class="">Computing and Communications Services</span><span style="font-family:"Arial",sans-serif" class=""> | University of Guelph<u class=""></u><u class=""></u></span></p>


<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class="">Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1<u class=""></u><u class=""></u></span></p>


<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class=""><a href="tel:(519)%20824-4120" value="+15198244120" target="_blank" class="">519-824-4120 Ext. 56354</a> |


<a href="mailto:lelio@uoguelph.ca" target="_blank" class=""><span style="color:#0563c1" class="">lelio@uoguelph.ca</span></a><u class=""></u><u class=""></u></span></p>


<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


<p class="MsoNormal"><a href="http://www.uoguelph.ca/ccs" target="_blank" class=""><span style="font-family:"Arial",sans-serif" class="">www.uoguelph.ca/ccs</span></a><span style="font-family:"Arial",sans-serif;color:#1f497d" class=""> | @UofGCCS on Instagram,


 Twitter and Facebook<u class=""></u><u class=""></u></span></p>


<p class="MsoNormal"><span style="font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


</div>


<div lang="EN-US" link="blue" vlink="purple" class="">


<div class="m_4076692036444802707WordSection1">


<p class="MsoNormal"><img border="0" width="187" height="100" style="width:1.9479in;height:1.0416in" id="m_4076692036444802707Picture_x0020_1" src="cid:image001.png@01D3E064.C2A040B0" alt="University of Guelph Cornerstone with Improve Life tagline" class=""><u class=""></u><u class=""></u></p>


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


<p class="MsoNormal"><b class="">From:</b> cisco-voip <<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank" class="">cisco-voip-bounces@puck.nether.net</a>>


<b class="">On Behalf Of </b>Anthony Holloway<br class="">


<b class="">Sent:</b> Monday, April 30, 2018 9:11 AM</p>


</div>


</div>


<div lang="EN-US" link="blue" vlink="purple" class="">


<div class="m_4076692036444802707WordSection1">


<p class="MsoNormal"><br class="">


<b class="">To:</b> Cisco VoIP Group <<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a>><br class="">


</p>


</div>


</div>


<div lang="EN-US" link="blue" vlink="purple" class="">


<div class="m_4076692036444802707WordSection1">


<p class="MsoNormal"><b class="">Subject:</b> Re: [cisco-voip] CUCM and Auto Fill Credentials<u class=""></u><u class=""></u></p>


</div>


</div>


<div lang="EN-US" link="blue" vlink="purple" class="">


<div class="m_4076692036444802707WordSection1">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


<div class="">


<p class="MsoNormal">UPDATE<u class=""></u><u class=""></u></p>


<div class="">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal">I just upgraded a system to CUCM 11.5(1)SU4 (11.5.1.14900-11) and when I went to change the Device Pool on this phone, I saw this message at the top:<u class=""></u><u class=""></u></p>


<div class="">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal"><img border="0" width="1239" height="387" style="width:12.9062in;height:4.0312in" id="m_4076692036444802707_x0000_i1025" src="cid:image002.png@01D3E064.C2A040B0" alt="image.png" class=""><br class="">


<br class="">


And when I scrolled down to the Secure Shell section, sure enough, my administrator credentials were in there.<u class=""></u><u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal"><img border="0" width="798" height="236" style="width:8.3125in;height:2.4583in" id="m_4076692036444802707_x0000_i1026" src="cid:image003.png@01D3E064.C2A040B0" alt="image.png" class=""><u class=""></u><u class=""></u></p>


<div class="">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal">So, the problem still persists, but Cisco is trying to make you aware that it happened.  Of course, if you don't see it, or don't understand it, you're not going to correct it.  Also, who wants to scroll down and erase the credentials every


 time they make a change?  Not many, I'd wager.<u class=""></u><u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


</div>


<div class="">


<p class="MsoNormal">I did not test all of the pages where this can happen, to see if Cisco caught them all, but this was the major offender in my opinion.<u class=""></u><u class=""></u></p>


</div>


<p class="MsoNormal"><u class=""></u> <u class=""></u></p>


<div class="">


<div class="">


<p class="MsoNormal">On Wed, Mar 14, 2018 at 8:49 PM Anthony Holloway <<a href="mailto:avholloway%2Bcisco-voip@gmail.com" target="_blank" class="">avholloway+cisco-voip@gmail.com</a>> wrote:<u class=""></u><u class=""></u></p>


</div>


<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" class="">


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.</span><u class=""></u><u class=""></u></p>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">So, I was looking at phone config file today, and I noticed the ccmadmin username and password was in the XML, and in plain text nonetheless.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you


 might be unknowingly save your credentials for clear text view by unauthenticated users.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">Is anyone already aware of this?<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">You could you run the following command on your clusters:<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class="">run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">E.g., <u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">output might be:<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New";color:#cc0000" class="">SEP6899CD84B710</span></b><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class=""> aholloway</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">So then you would navigate your browser to:<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class=""><a href="http://%3ctftpserver%3e:6970/SEP6899CD84B710.cnf.xml" target="_blank" class="">http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml</a></span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">You then might have to view the HTML source of the page, because the browser might mess up the output.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">You're then looking for the following two fields, your results will vary:<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class=""><sshUserId>aholloway</sshUserId></span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class=""><sshPassword>MyP@ssw0rd</sshPassword></span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">Then, since we now know it's happening, get list of how many different usernames you have with this command:<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><b class=""><span style="font-size:9.5pt;font-family:"Courier New"" class="">run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid</span></b><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">This could also be happening with Energy Wise settings, albeit not on the same web pages.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I'm curious about two things:<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">1) Is it even happening outside of my limited testing scenarios?<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">2) How many different usernames and passwords were there?<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">If the answers are yes, and 1 or more, then this is an issue Cisco should address.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">The reason it's happening is because the way in which browsers identify login forms, is different from the way in which web developers understand it to work.  Cisco uses


 the element attribute on these fields "autocomplete = false" and unfortunately, most browser ignore that directive.<u class=""></u><u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class=""><u class=""></u> <u class=""></u></span></p>


</div>


<div class="">


<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Arial",sans-serif" class="">I have noticed that this does not happen, if you have more than 1 saved password for the same site, rather it will only happen if you use the same login for the entire


 site.  Our highest chance of seeing this happen are for operations teams where they login with their own accounts, and do not use DRS or OS Admin.<u class=""></u><u class=""></u></span></p>


</div>


</div>


</blockquote>


</div>


</div>


</div>


</div>


</div>


</div>


</blockquote>


</div>


<span id="cid:16316d7e40d5b16b22"><image002.png></span><span id="cid:16316d7e40c4cff311"><image001.png></span><span id="cid:%3C%3E"><image002.png></span><span id="cid:16316d7e40d692e333"><image003.png></span>_______________________________________________<br class="">


cisco-voip mailing list<br class="">


<a href="mailto:cisco-voip@puck.nether.net" class="">cisco-voip@puck.nether.net</a><br class="">


https://puck.nether.net/mailman/listinfo/cisco-voip<br class="">


</div>


</div>


<br class="">


</div>


</body>


</html>