—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Mobility Services Engine Static Credential Vulnerability

Advisory ID: cisco-sa-20151104-mse-cred

Revision 1.0

For Public Release 2015 November 4 16:00 UTC (GMT)

+———————————————————————

Summary
=======

A vulnerability in the Cisco Mobility Services Engine (MSE) could
allow an unauthenticated, remote attacker to log in to the MSE with
the default oracle account. This account does not have full administrator
privileges.

The vulnerability is due to a user account that has a default and static
password. This account is created at installation and cannot be changed
or deleted without impacting the functionality of the system. An attacker
could exploit this vulnerability by remotely connecting to the affected
system via SSH using this account. A successful exploit could allow the
attacker to log in to the MSE using the default oracle account.

Cisco has released software updates that address this vulnerability. A
workaround that mitigates this vulnerability is available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-mse-cred

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBVjU/CIpI1I6i1Mx3AQKNjg/9GI0PcbZpae1heXAxTQRq4eKBKlzxIECj
gJeC8r8CPUtFnjzxRWx7JmcqWXCD9Yo1/XEOmD+O3bmfc6xg3Ek0XTT08YS5vIi0
hyLW3m1imMElicStf8qB8g0fvGKJksgxnkkwi0gSxTnW9KKfolgNjLFmdjYe7FSs
4JgyqhxMwO46GNXwX6yJL3MfRVCyShQfsQoTKT+x3g+geXdcVcETiSCChZmmqIXJ
rUeVpBQf1uGjteuOWUW2DDnztcFSBVt/1t9v5BakgX6sX/pEU6W87NQgq5Gn+1Ur
v0XTO1FC9MmXe5E7JFBT8bq6EhQ8ZtqNSh+hjiqx8pMiMUaMB2igPmMknCsVybKI
7y9A4i5+J6TkG96KEtXqbNOer1rejjS3j83Io1yfJe3tUbr/a3t+Mu5pywJEt83N
esyDSV6M9FCK9dlhugvoTvw6g9vsmRBwr9gLDhzWbRojMdfIX3DIawgrbmWYLZi4
Zh8y4aADE7jXlVV2viJrSeGVnCYJus5ZBZfWUcnXK8DDVmc1811HOoZ9NBYz10NV
KU77Xd4ABMGxTpzhGRMmZ3BS0pPSCcOtXFID4HBZikRzNd5o0nESnCw/XJN2AbF+
28jvo2LkVc3K/QJLOivLqAa3E4kK5MM0RzIqQnlt5LHAVZXuvH4Ozjfn1Aev1AFp
cs6ZocWGsjg=
=QO9M
—–END PGP SIGNATURE—–
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com