Skip links

Cisco warns of critical flaw in Emergency Responder code

Cisco has issued a security advisory about a vulnerability in its Emergency Responder software that would allow an unauthenticated remote attacker to log in to an affected device using the root account.

The vulnerability, designated CVE-2023-20101, arises from the fact that the root account has default, static credentials that cannot be changed or deleted. Yet again, security through obscurity proves insufficiently obscure.

“This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development,” Cisco explains in its advisory. “An attacker could exploit this vulnerability by using the account to log in to an affected system.”

And in so doing, the attacker could login from wherever and execute arbitrary commands as the root user. Hence the base CVSS score of 9.8.

Cisco Emergency Responder is designed to work with Cisco Unified Communications Manager to ensure that emergency calls get routed to a location-appropriate Public Safety Answering Point (PSAP). It supports real-time location tracking, call routing, and automatic notification of security personnel with the location of the caller, among other things.

It’s not the sort of system you want taken over by those with malicious intent.

The inclusion of hard-coded credentials is a textbook security flaw. Its Common Weakness Enumeration is CWE-798: Use of Hard-coded Credentials – and the fact that needs a designation speaks volumes. In 2023, according to security organization MITRE, it ranked 18 among the top 25 most stubborn weaknesses.

MITRE places the use of hard-coded credentials into the category “Weaknesses introduced into a system because of a poor security architecture or poor security design choices.”

At least Cisco managed to find the bug “during internal security testing” rather than learning about it from active exploitation. It says there are no workarounds and has released software patches to address the issue.

At least only one particular version of the software is affected: Cisco Emergency Responder Release 12.5(1)SU4. Version 12.5 was released January, 2019.

Prior versions, 11.5(1) and earlier, are not affected. Neither is the latest version, 14. ®