Cisco NFV controller is a bit too elastic: It has an empty password bug

Cisco's Elastic Services Controller's release 3.0.0 software has a critical vulnerability: it accepts an empty admin password. The Controller (ESC) is Cisco's automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling. Cisco's advisory about the …

  1. DryBones

    It amazes me in this day and age that "Can you access the admin account with a blank password?" isn't the first thing on the automated test of every single log-into-able thing out there.

    I mean, I know it's Cisco, but still.
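The automated check DryBones is asking for, as an added example that is not from the article, the comment, or any Cisco code. It pairs an illustrative weak login pattern (an account with no credential on file matching an empty submitted password) with a hardened version, and a negative test that walks every account and confirms blank and whitespace-only passwords are refused. The user store, account names and password are constructed for the example.

```python
"""
Added example (not Cisco's code and not the article's): a small authenticator
plus the negative test "can the admin account be opened with a blank password?".
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credential(password: str):
    # Refuse to store a blank credential in the first place.
    if not password.strip():
        raise ValueError("refusing to store an empty password")
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample user store: username -> (salt, digest), or None for an
# account that was provisioned but never given a password.
USERS = {
    "admin": make_credential("correct horse battery staple"),
    "svc": None,
}


def login_buggy(username: str, password: str) -> bool:
    """Illustrative weak pattern (hypothetical, not Cisco's code): an account with
    no credential on file is treated as 'password is empty', so an empty
    submitted password matches it."""
    stored = USERS.get(username)
    if stored is None:
        return password == ""
    salt, digest = stored
    return _hash_password(password, salt) == digest


def login(username: str, password: str) -> bool:
    """Hardened: blank input and accounts without a credential always fail, and
    the digest comparison is constant-time."""
    if not password or not password.strip():
        return False
    stored = USERS.get(username)
    if stored is None:
        return False
    salt, digest = stored
    return hmac.compare_digest(_hash_password(password, salt), digest)


def blank_password_checks(login_fn) -> dict:
    """The automated negative test: for every known account, try an empty and a
    whitespace-only password. Returns {account: True if any blank login succeeded}."""
    results = {}
    for user in USERS:
        results[user] = any(login_fn(user, p) for p in ("", " ", "\t"))
    return results


if __name__ == "__main__":
    # Expected: the weak pattern lets the credential-less 'svc' account in with "",
    # the hardened login lets nothing in with a blank password.
    print("buggy   :", blank_password_checks(login_buggy))
    print("hardened:", blank_password_checks(login))
```

The test iterates over every account in the store rather than only `admin`, because the account most likely to slip through is the one nobody set a password for; wire a check like this into the release pipeline and fail the build if any account reports `True`.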

  2. Mayday

    Big Cisco Fan here (generally, but don't shoot me)

    But I know from experience to never trust an x.0.0 Cisco release!

    P.S. I don't trust any other vendor of any other product either.

    1. Mayday

      Re: Big Cisco Fan here (generally, but don't shoot me)

      Too late to edit. Ooops.

      Either way blank/zero authentication should not even be able to get past beta testing, let alone release.

      1. Notas Badoff

        Re: Big Cisco Fan here (generally, but don't shoot me)

        A long time ago a friend showed us their clever way to message between terminals using mainframe OS memory (it was also a demo of a clever hack found by accident). The friend let us test it out. I sat down, hit the space key and just sat on it.

        First the program seized up. Cue irritation. Then their face showed absolute horror and they bolted for the computer room door. After all, it was OS memory I was overwriting with spaces, given the unchecked buffer limits.

        "You need idiots to defeat idiots"™ The next govt IT employment push?

        1. Anonymous Coward

          Re: Big Cisco Fan here (generally, but don't shoot me)

          Back when I was doing a ton of beta testing for various firms, I'd mentally dump every preconception I'd have about a program. Then, armed with just the documentation, I'd blithely do any idiot thing I could come up with. Works if you can compartmentalize everything you know.

          Great fun!

  3. Anonymous Coward

    UC not UCS

    Two entirely different things. UC is unified communications (phones, call centers, videoconf, etc), UCS is unified compute system (network and compute converged).

    Domain Manager is UC.

  4. Anonymous Coward

    Unified Communications Backdoor Manager

    "You will not and will not allow a third party to: .. reverse engineer, decompile, decrypt, disassemble or otherwise attempt to derive the source code for the Software" else you may discover the NSA backdoors we keep accidentally leaving in the product.

    1. Christian Berger

      Plausible deniability

      Well, Cisco is one of those companies which have messed up so many things in the past that you can never tell whether a bug is just an accident or a deliberate backdoor.
