Vulnerability

Cisco ConfigMaker

Affected

CISCO

Description

Runar Jensen found the following. He had his own passwords (login/enable) set on a Cisco router, and had to supply these to ConfigMaker so that it could log on to the router. However, when he generated a new configuration, it still set the passwords to a predefined default, which was "cmaker" for both login and enable (although it may have been for just one of them).

Solution

Damir Rajnovic from Cisco managed to install ConfigMaker and experiment with it a bit. The 'cmaker' password is offered as a default password. He tried with a configured router, but it should be the same with an unconfigured one. It seems that, if you do not have a password configured (e.g. he did not have one on vty), ConfigMaker will put the default (cmaker) in that place. There is a warning, a severe warning to be precise, shown when you read in the existing config: it tells you that 'cmaker' is set as the password and that you should change it. Unfortunately, it is to be expected that less skilled and inexperienced admins will leave it as it is. That is a security risk and Cisco will address it as such.
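A check that can be run on a generated configuration before it is loaded onto a router, given here as an added example (not code from this advisory or from Cisco): it flags every `enable password` and line `password` statement whose value is the default 'cmaker'. It goes beyond the advisory by also handling the reversible IOS type 7 encoding, because the page does not say how ConfigMaker writes the password; the sample configuration and the function names are constructed for illustration.

```python
import re

DEFAULT_PW = "cmaker"  # default password named in the advisory
# Fixed, publicly documented key of the reversible IOS "type 7" encoding.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
PW_RE = re.compile(r"^(enable password|password)\s+(?:(0|7)\s+)?(\S+)$")

# Constructed sample, not real ConfigMaker output.
SAMPLE = """\
hostname lab-rtr
enable password cmaker
!
line con 0
 password 7 0822414F021C17
line vty 0 4
 password cmaker
 login
line aux 0
 password S0me-Other-Pw
"""

def decode_type7(enc):
    """Reverse a type 7 string; return None if it is malformed."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", enc):
        return None
    salt = int(enc[:2])  # first two decimal digits: starting offset into the key
    return "".join(chr(b ^ ord(TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(bytes.fromhex(enc[2:])))

def find_default_passwords(config_text):
    """Return (line_no, context, statement) for each password equal to DEFAULT_PW."""
    findings, context = [], "global"
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line and line != "!" and not raw.startswith(" "):
            # Unindented command: enters a "line ..." block or returns to global.
            context = line if line.startswith("line ") else "global"
        m = PW_RE.match(line)
        if not m:
            continue  # other lines, including hashed "enable secret", are not checked
        statement, enc_type, value = m.groups()
        clear = decode_type7(value) if enc_type == "7" else value
        if clear == DEFAULT_PW:
            findings.append((no, context, statement))
    return findings

if __name__ == "__main__":
    for no, context, statement in find_default_passwords(SAMPLE):
        print(f"line {no}: default '{DEFAULT_PW}' in '{statement}' ({context})")
```

An empty result only means no clear-text or type 7 password equals 'cmaker'; lines with no password statement at all still need a manual look, since the advisory says that is where ConfigMaker inserts the default.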