With respect to storing passwords the intent for the ssh username/password
field for IP phones is something that was generally not considered very
sensitive info. The separation of ssh credentials from enabling SSH was also
done to help mitigate the fact that this info is available to anyone by default.
For TP endpoints while their admin credentials can be configured in UCM the
endpoint ignores that setting unless the TFTP config file is encrypted, for
just this reason.
With respect to the fix in 12.0 I haven’t figured that out just yet. The id and
name attributes on the HTML inputs are different, but both have type
“password”. Personally I can’t imagine why the browser would think a stored
credential from one html element should be autofilled into an entirely
different field, but I guess the browser is trying to be helpful.
The only big difference I can see in 12.0 is the proper use of tags in the
input and labels associated with them.
10.5
<td>
<label for="SSHPASSWORD">Secure Shell Password </label>
</td>
<td>
<input autocomplete="off" id="SSHPASSWORD" name="sshpassword"
maxlength="200" size="50" value="" onchange="issshpasswordValid(this)"
type="password">
</td>
12.x
<td>
<label id="SSHPASSWORD_ID" for="SSHPASSWORD">Secure Shell Password </label>
</td>
<td>
<input autocomplete="off" id="SSHPASSWORD" name="sshpassword"
maxlength="288" size="50" value="" onchange="issshpasswordValid(this)"
type="password”>
</td>
Not a ton of changes between those two. The maxlength change is directly from
the defect I cited earlier.
For the login it seems to be unchanged from 10.5 to 12.x.
<tr>
<td class="cuesLoginField">Password</td>
</tr>
<tr>
<td class="cuesLoginField">
<input size="20" autocomplete="off" name="j_password" maxlength="128"
type="password">
</td>
</tr>
I’m not an expert in HTML autocomplete so it’s going to take some more testing
to figure out exactly why the login credentials aren’t auto-filled in this
field any longer.
-Ryan
On Mar 15, 2018, at 9:38 AM, Anthony Holloway
<[email protected]<mailto:[email protected]>> wrote:
It's certainly a complicated problem: . Also, Cisco is storing the password in
the DB encrypted, as you could see by modifying the SQL query to:
run sql select name, sshuserid, sshpassword from device where sshuserid is not
null and sshuserid <> ''
Which is what the defect Ryan posted is talking about, the stored encrypted
password length.
However, the TFTP files do contain the plain text credentials. You could
encrypt your TFTP config files to protect yourself completely, but who's doing
that these days?
And lastly, like I said before, this is also happening with the Energy Wise
fields, albeit on other web pages, and those are stored in the DB in plain text.
E.g.,
run sql select xml from enterprisephoneconfigxml where xml like '%energy%'
Output will contain the following if impacted
"<energyWiseDomain>theuser</energyWiseDomain><energyWiseSecret>thepassword</energyWiseSecret>"
which is also transmitted in plain text to phones via the phone XML config
file.
There may be others too.
On Thu, Mar 15, 2018 at 11:02 AM Lelio Fulgenzi
<[email protected]<mailto:[email protected]>> wrote:
Thank you very much for bring this to the group’s attention. And for providing
some great troubleshooting steps to see whether we might be affected. Thanks to
others for providing other information as well.
On the one hand, I see it being a browser issue – autocompleting when it
shouldn’t (although you’re asked at least once, are you not?) and ignoring the
autocomplete=false…. But…
Should Cisco really be storing passwords in clear text anywhere?
---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354<tel:(519)%20824-4120> |
[email protected]<mailto:[email protected]>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> | @UofGCCS on Instagram,
Twitter and Facebook
<image001.png>
From: cisco-voip
[mailto:[email protected]<mailto:[email protected]>]
On Behalf Of Anthony Holloway
Sent: Wednesday, March 14, 2018 9:50 PM
To: Cisco VoIP Group
<[email protected]<mailto:[email protected]>>
Subject: [cisco-voip] CUCM and Auto Fill Credentials
I'm working on something, and was wondering if you could check something for
me, so I can better understand why and how often this is happening.
So, I was looking at phone config file today, and I noticed the ccmadmin
username and password was in the XML, and in plain text nonetheless.
I found out that the browser, when told to remember your credentials, will
treat the SSH username/password fields as login fields whenever you modify a
phone, and you might be unknowingly save your credentials for clear text view
by unauthenticated users.
Is anyone already aware of this?
You could you run the following command on your clusters:
run sql select name, sshuserid from device where sshuserid is not null and
sshuserid <> ""
Then in the output, if there are any hits, look at the config XML file for the
phone and see if the passwords are there.
E.g.,
output might be:
SEP6899CD84B710 aholloway
So then you would navigate your browser to:
http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml
You then might have to view the HTML source of the page, because the browser
might mess up the output.
You're then looking for the following two fields, your results will vary:
<sshUserId>aholloway</sshUserId>
<sshPassword>MyP@ssw0rd</sshPassword>
Then, since we now know it's happening, get list of how many different
usernames you have with this command:
run sql select distinct sshuserid from device where sshuserid is not null and
sshuserid <> "" order by sshuserid
This could also be happening with Energy Wise settings, albeit not on the same
web pages.
I'm curious about two things:
1) Is it even happening outside of my limited testing scenarios?
2) How many different usernames and passwords were there?
If the answers are yes, and 1 or more, then this is an issue Cisco should
address.
The reason it's happening is because the way in which browsers identify login
forms, is different from the way in which web developers understand it to work.
Cisco uses the element attribute on these fields "autocomplete = false" and
unfortunately, most browser ignore that directive.
I have noticed that this does not happen, if you have more than 1 saved
password for the same site, rather it will only happen if you use the same
login for the entire site. Our highest chance of seeing this happen are for
operations teams where they login with their own accounts, and do not use DRS
or OS Admin.
_______________________________________________
cisco-voip mailing list
[email protected]<mailto:[email protected]>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
[email protected]<mailto:[email protected]>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-voip
