
CSCve89880 Trying To Test Vulnerability

Hawk
Level 1

Does anyone know the default username & password on IOS XE devices? According to the advisory I have a few affected devices in my environment & I would like to do a proof of concept to see if I can access the affected devices like the advisory is stating that can be done. Google searches for Default Cisco IOS XE username & passwords don't produce anything.

Summary

  • A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot.

Workarounds

  • To address this vulnerability, administrators may remove the default account by using the no username cisco command in the device configuration. Administrators may also address this vulnerability by logging in to the device and changing the password for this account.

1 Reply

lawrence
Level 1

I had thought the default combo was cisco/cisco.

I was unable to validate the before and after of issuing "no username cisco". Even if I went through and issued the command on all my routers, I wouldn't be able to come back and validate if I had done it or not. When you issue the command, nothing changes in show run or show run all. I suppose the safe bet would be to configure a username cisco with some insane password?

The bug indicates confirmed fix in 16.6.1 yet the release notes say nothing about this bug. The IOS checker indicates 16.6.5 has the bug fix but 16.6.5 isn't available for download. The other reported fixed version is 16.9.2 and it's not available for download either. Seems I'll need to open a TAC case.