Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Cisco's security developers have served up a parcel of patches. First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug. Cisco's notice for CVE-2018-0147 says an attacker …

In 2018?

It's 2018 and there are companies that still produce stuff with hardcoded password backdoors (and SQL injection, and buffer overflow, etc.). Can't we just take the executives to forced labor, dissolve the company and donate its assets to animal shelters?

I don't know what else would help.


Re: In 2018?

In theory a good idea, but I don't think animal shelters have the knowledge or resources to provide support for the company's products. And most Cisco customers will be needing extended support.

Maybe sell the assets & donate the proceeds to animal shelters?


Re: In 2018?

But Jack, in 2018 it's preposterous to imagine a professional vendor doing this* and you must be an idiot to suggest otherwise.

*Source: some middle managers pretending to be technical on El Reg's forums.


...in 2018

When pen testing and doing code review, you'll occasionally run across hard-coded passwords. They are usually left there from testing, weren't documented, and therefore weren't removed.

Still, you bring up a good point about this happening in recent years. Because of the availability of development environment OWASP plugins along with much improved (over the past 5-10 years) static code checking software, we shouldn't see something like this from a large company like Cisco.



Biting the hand that feeds IT © 1998–2018