Mailing List Archive

CUCM and Auto Fill Credentials
I'm working on something, and was wondering if you could check something
for me, so I can better understand why and how often this is happening.

So, I was looking at a phone config file today, and I noticed the ccmadmin
username and password were in the XML, and in plain text no less.

I found out that the browser, when told to remember your credentials, will
treat the SSH username/password fields as login fields whenever you modify
a phone, and you might unknowingly save your credentials for clear text
view by unauthenticated users.

Is anyone already aware of this?

Could you run the following command on your clusters:

*run sql select name, sshuserid from device where sshuserid is not null and
sshuserid <> ""*

Then in the output, if there are any hits, look at the config XML file for
the phone and see if the passwords are there.

E.g.,

output might be:

*SEP6899CD84B710 aholloway*

So then you would navigate your browser to:

*http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml*

You then might have to view the HTML source of the page, because the
browser might mess up the output.

You're then looking for the following two fields, your results will vary:

*<sshUserId>aholloway</sshUserId>*
*<sshPassword>MyP@ssw0rd</sshPassword>*

Then, since we now know it's happening, get a list of how many different
usernames you have with this command:

*run sql select distinct sshuserid from device where sshuserid is not null
and sshuserid <> "" order by sshuserid*

This could also be happening with Energy Wise settings, albeit not on the
same web pages.

I'm curious about two things:

1) Is it even happening outside of my limited testing scenarios?
2) How many different usernames and passwords were there?

If the answers are yes, and 1 or more, then this is an issue Cisco should
address.

The reason it's happening is that the way in which browsers identify
login forms is different from the way in which web developers understand
it to work. Cisco uses the element attribute "autocomplete = false" on these
fields and unfortunately, most browsers ignore that directive.

I have noticed that this does not happen if you have more than 1 saved
password for the same site; rather, it will only happen if you use the same
login for the entire site. Our highest chance of seeing this happen is
for operations teams where they log in with their own accounts, and do not
use DRS or OS Admin.
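As an added, defender-side example (not code from this thread, from Cisco, or from any project the thread names), the following Python audits a set of SEP<MAC>.cnf.xml files that an administrator has already pulled from their own cluster. It reports which devices carry a populated sshUserId or sshPassword and the distinct user ids, which are the two numbers the post asks for, without ever emitting the password values. The sample configs and device names are constructed; the script assumes only the plain <sshUserId>/<sshPassword> element names shown in the post.

```python
"""Audit CUCM phone config XML (SEP<MAC>.cnf.xml) for populated SSH credentials.

Added example for this thread, not code from the thread or from Cisco.
Input is the text of config files an administrator has already retrieved
from their own cluster; the sample files below are constructed and the
device names are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample configs covering the cases an audit has to tell apart.
SAMPLE_CONFIGS = {
    # Both fields populated: the exposure the thread describes.
    "SEP000000000001.cnf.xml": (
        "<device>\n"
        "  <devicePool><name>Default</name></devicePool>\n"
        "  <sshUserId>opsuser</sshUserId>\n"
        "  <sshPassword>hunter2</sshPassword>\n"
        "</device>"
    ),
    # Fields present but empty: not a finding.
    "SEP000000000002.cnf.xml": (
        "<device><sshUserId></sshUserId><sshPassword></sshPassword></device>"
    ),
    # Fields absent entirely: not a finding.
    "SEP000000000003.cnf.xml": "<device><devicePool><name>Default</name></devicePool></device>",
    # Password without a user id: a query on sshuserid alone would miss this.
    "SEP000000000004.cnf.xml": (
        "<device><sshUserId></sshUserId><sshPassword>leftover</sshPassword></device>"
    ),
    # User id without a password: still worth reporting, lower severity.
    "SEP000000000005.cnf.xml": "<device><sshUserId>jdoe</sshUserId></device>",
    # Truncated download: must not abort the whole audit.
    "SEP000000000006.cnf.xml": "<device><sshUserId>jdoe</sshUserId>",
}


def _text(root, tag):
    """Stripped text of the first element named `tag`, or '' if absent or empty."""
    el = root.find(f".//{tag}")
    return (el.text or "").strip() if el is not None else ""


def inspect_config(xml_text):
    """Return (sshUserId, password_present) for one config.

    The password value itself is never returned, so the audit output can be
    shared without copying the secret around.
    """
    root = ET.fromstring(xml_text)
    return _text(root, "sshUserId"), bool(_text(root, "sshPassword"))


def audit_configs(configs):
    """File-side equivalent of the thread's SQL check across a set of configs.

    Flags any device where either SSH field is populated and lists the
    distinct user ids. Unparseable files are recorded rather than fatal.
    """
    report = {"devices": {}, "distinctUsers": [], "unparseable": []}
    for name, xml_text in configs.items():
        try:
            user, has_pw = inspect_config(xml_text)
        except ET.ParseError:
            report["unparseable"].append(name)
            continue
        if user or has_pw:
            report["devices"][name] = {"sshUserId": user, "passwordPresent": has_pw}
    report["distinctUsers"] = sorted(
        {d["sshUserId"] for d in report["devices"].values() if d["sshUserId"]}
    )
    return report


if __name__ == "__main__":
    result = audit_configs(SAMPLE_CONFIGS)
    for name, finding in sorted(result["devices"].items()):
        print(f"{name}: user={finding['sshUserId'] or '<blank>'} "
              f"password={'SET' if finding['passwordPresent'] else 'blank'}")
    print("distinct SSH user ids:", result["distinctUsers"])
    print("unparseable files:", result["unparseable"])
```

The audit flags a device when either field is populated, because a config holding a password against a blank user id would not be caught by a query filtered on sshuserid alone; the report carries only a boolean for the password so it can be handed to the team that has to rotate the affected accounts.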
Re: CUCM and Auto Fill Credentials
I have noticed the auto population of the ssh account on multiple installs but never thought about the XML file. I’ll investigate tomorrow and report my findings.

Sent via C=64 Mobile

> On Mar 14, 2018, at 8:49 PM, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
Re: CUCM and Auto Fill Credentials
Hi Anthony,

Yes, the SSH credentials saved on the device page are available in clear text in the phone XML config, it’s not just your environment unfortunately. Also I believe the same thing applies for the Telepresence endpoints (anything running CE including the DX) for the web page admin credentials that are saved in the vendor config section.

We noticed this a little while ago, but given that most people did not populate it, we did not consider it a serious issue; however, the auto-population of credentials is not something we considered. So yes, this does look like a serious problem when you combine those two together.

Kind Regards

Stephen Welsh
CTO
UnifiedFX

On 15 Mar 2018, at 01:50, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:
Re: CUCM and Auto Fill Credentials
While we are on the subject, here are some other non-encrypted TFTP server items:

* ConfigFileCacheList.txt
* FileList.txt
* BinFileCacheList.txt
* PerfMon.txt
* ParamList.txt
* lddefault.cfg

So you could use the following to get a list of all the device MAC addresses anonymously from the TFTP server:

http://TFTPServer:6970/FileList.txt

So with the scenario you describe and just the TFTP Server IP Address you could scan all the device configs on the cluster to see if even just one of them has the admin credentials saved accidentally on the SSH User/Password field.

I suspect this may apply to most clusters....

Kind Regards

Stephen Welsh
CTO
UnifiedFX

On 15 Mar 2018, at 07:25, Stephen Welsh <stephen.welsh@unifiedfx.com> wrote:
Re: CUCM and Auto Fill Credentials
I don't know about any of those additional files, and the FileList one was
something I was looking for.

Today's goal will be to write a Python script to: grab that file, then grab
all phone configs, then auth against CUCM, and finally, store the
credentials that worked.

It might even be worth looking at the credentials which don't work, because
it might tell you something about password habits, allowing you to predict
future passwords. E.g., Summer2010

On Mar 15, 2018 2:34 AM, "Stephen Welsh" <stephen.welsh@unifiedfx.com>
wrote:

Re: CUCM and Auto Fill Credentials
It's interesting, and scary; if you are on a system's network, it wouldn't be
hard to get people's passwords.

I did confirm that I have access to about 20 different AD passwords from
just 1 cluster.

Thanks for the info Anthony

On Thu, Mar 15, 2018 at 7:46 AM Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:

Re: CUCM and Auto Fill Credentials
I didn't actually check the file contents before replying. What I meant to
say was, the ConfigFileCacheList.txt is the file I was wondering if
existed. Since it does, then one could write a scraping tool to search for
and confirm credentials in one fell swoop.

Thanks for the information, Stephen.

I should also mention, some members of this group are replying to me
directly, off the list, and the results are confirming that this is indeed
an issue worth Cisco's time and attention. One member of the list
confirmed that passwords stored with 3rd party password tools, such as
LastPass, protect you from this behavior.

Like I said earlier, it's the browser/user causing the autocomplete to
happen, but Cisco's attempt to have these fields NOT auto filled, is faulty.

You can read more below on why that might be.

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields


On Thu, Mar 15, 2018 at 7:46 AM Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:

Re: CUCM and Auto Fill Credentials
There’s an internal defect on this that cites CSCvb33351 as the source of the fix for this problem, fixed in 12.0.

Interestingly enough for me in Firefox (on 12.0) I don’t get ccmadmin passwords auto-populated in ssh fields, but I do get saved ssh username/passwords auto-populated in the ccmadmin login fields.

Thanks for raising this issue everyone.

-Ryan

On Mar 15, 2018, at 7:54 AM, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:

I didn't actually check the file contents before replying. What I meant to say was, the ConfigFileCacheList.txt is the file I was wondering if existed. Since it does, then one could write a scraping tool to search for and confirm credentials in one fell swoop.

Thanks for the information, Stephen.

I should also mention, some members of this group are replying to me directly, off the list, and the results are confirming that this is indeed an issue worth Cisco's time and attention. One member of the list confirmed that passwords stored with 3rd party password tools, such as LastPass, protect you from this behavior.

Like I said earlier, it's the browser/user causing the autocomplete to happen, but Cisco's attempt to have these fields NOT auto filled, is faulty.

You can read more below on why that might be.

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

<image.png>

On Thu, Mar 15, 2018 at 7:46 AM Anthony Holloway <avholloway+cisco-voip@gmail.com<mailto:avholloway%2Bcisco-voip@gmail.com>> wrote:
I don't know about any of those additional files, and the FileList one was something I was looking for.

Today's goal will be to write a Python script to: grab that file, then grab all phone configs, then auth against CUCM, and finally, store the credentials that worked.

It might even be worth looking at the credentials which don't work, because it might tell you something about password habits, allowing you to predict future passwords. Eg Summer2010

On Mar 15, 2018 2:34 AM, "Stephen Welsh" <stephen.welsh@unifiedfx.com> wrote:
While we are on the subject here are some other non encrypted TFTP server items:


* ConfigFileCacheList.txt
* FileList.txt
* BinFileCacheList.txt
* PerfMon.txt
* ParamList.txt
* lddefault.cfg

So you could use the following to get a list of all the device MAC addresses anonymously from the TFTP server:

http://TFTPServer:6970/FileList.txt

So with the scenario you describe and just the TFTP Server IP Address you could scan all the device configs on the cluster to see if even just one of them has the admin credentials saved accidentally on the SSH User/Password field.

I suspect this may apply to most clusters....

Kind Regards

Stephen Welsh
CTO
UnifiedFX

On 15 Mar 2018, at 07:25, Stephen Welsh <stephen.welsh@unifiedfx.com> wrote:

Hi Anthony,

Yes, the SSH credentials saved on the device page are available in clear text in the phone XML config, it’s not just your environment unfortunately. Also I believe the same thing applies for the Telepresence endpoints (anything running CE including the DX) for the web page admin credentials that are saved in the vendor config section.

We noticed this a little while ago but given most people did not populate it did not consider as a serious issue, however the auto-population of credentials is not something we considered. So yes this does look like a serious problem when you combine those two together.

Kind Regards

Stephen Welsh
CTO
UnifiedFX

On 15 Mar 2018, at 01:50, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
For the record, per request via a private reply from a Cisco employee (not
Ryan), I emailed the Cisco PSIRT team about this issue.

On Thu, Mar 15, 2018 at 10:36 AM Ryan Ratliff (rratliff) <rratliff@cisco.com>
wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
Thank you very much for bringing this to the group’s attention. And for providing some great troubleshooting steps to see whether we might be affected. Thanks to others for providing other information as well.


On the one hand, I see it being a browser issue – autocompleting when it shouldn’t (although you’re asked at least once, are you not?) and ignoring the autocomplete=false…. But…

Should Cisco really be storing passwords in clear text anywhere?




---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


From: cisco-voip [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Anthony Holloway
Sent: Wednesday, March 14, 2018 9:50 PM
To: Cisco VoIP Group <cisco-voip@puck.nether.net>
Subject: [cisco-voip] CUCM and Auto Fill Credentials

Re: CUCM and Auto Fill Credentials [ In reply to ]
Curious to what the fix is Ryan?

Modifying the attributes in the form?
Not storing these passwords in the phone config?

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook


From: cisco-voip [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Ryan Ratliff (rratliff)
Sent: Thursday, March 15, 2018 11:36 AM
To: Anthony Holloway <avholloway+cisco-voip@gmail.com>
Cc: Cisco VoIP Group <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] CUCM and Auto Fill Credentials

Re: CUCM and Auto Fill Credentials [ In reply to ]
It's certainly a complicated problem: . Also, Cisco is storing the
password in the DB encrypted, as you could see by modifying the SQL query
to:

run sql select name, sshuserid, sshpassword from device where sshuserid is not null and sshuserid <> ''

Which is what the defect Ryan posted is talking about, the stored encrypted
password length.

However, the TFTP files do contain the plain text credentials. You could
encrypt your TFTP config files to protect yourself completely, but who's
doing that these days?

And lastly, like I said before, this is also happening with the Energy Wise
fields, albeit on other web pages, and those are stored in the DB in plain
text.

E.g.,

run sql select xml from enterprisephoneconfigxml where xml like '%energy%'

Output will contain the following if impacted "<energyWiseDomain>theuser</energyWiseDomain><energyWiseSecret>thepassword</energyWiseSecret>" which is also transmitted in plain text to phones via the phone XML config file.

There may be others too.
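As an added example (not code from this thread or from Cisco), the following offline helper performs the check the thread walks through: it parses a phone config or an enterprisephoneconfigxml row, reports which of the credential-bearing elements named above (sshUserId, sshPassword, energyWiseDomain, energyWiseSecret) are populated with the secret masked, and extracts device config names from a FileList.txt listing. All sample inputs are constructed; the real config layout may differ beyond the element names quoted in the thread.

```python
"""Offline audit helper for the credential-exposure check described in the thread.

Added example, not code from the thread. Element names come from the thread;
the sample documents below are constructed and only approximate real layouts.
"""
import re
import xml.etree.ElementTree as ET

# Elements the thread names as carrying a secret in clear text.
SECRET_FIELDS = ("sshPassword", "energyWiseSecret")
# Elements that identify the account the secret belongs to.
IDENTITY_FIELDS = ("sshUserId", "energyWiseDomain")

# Constructed phone config: the sshUserId/sshPassword pair is populated.
SAMPLE_PHONE_CONFIG = """<device>
  <devicePool><name>Default</name></devicePool>
  <sshUserId>aholloway</sshUserId>
  <sshPassword>MyP@ssw0rd</sshPassword>
  <vendorConfig><webAccess>0</webAccess></vendorConfig>
</device>"""

# Constructed phone config with the fields present but empty (the common case).
SAMPLE_CLEAN_CONFIG = """<device>
  <sshUserId></sshUserId>
  <sshPassword></sshPassword>
</device>"""

# Constructed enterprise phone config XML carrying EnergyWise settings.
SAMPLE_ENTERPRISE_XML = """<device>
  <energyWiseDomain>theuser</energyWiseDomain>
  <energyWiseSecret>thepassword</energyWiseSecret>
</device>"""

# Constructed FileList.txt body: one config listed twice, plus non-device entries.
SAMPLE_FILELIST = """SEP6899CD84B710.cnf.xml
XMLDefault.cnf.xml
SEP001122334455.cnf.xml
SEP6899CD84B710.cnf.xml
ConfigFileCacheList.txt
"""


def mask(secret):
    """Keep the first character and the length: enough to compare, not to reuse."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def audit_config(xml_text):
    """Return {element: value} for every populated credential-bearing element.

    Secret values come back masked; identity values come back as-is so the
    result can be grouped per account, like the 'select distinct sshuserid'
    query in the thread. Malformed XML raises ValueError.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc) from exc
    findings = {}
    for elem in root.iter():
        value = (elem.text or "").strip()
        if not value:
            continue  # present but empty: nothing leaked
        if elem.tag in SECRET_FIELDS:
            findings[elem.tag] = mask(value)
        elif elem.tag in IDENTITY_FIELDS:
            findings[elem.tag] = value
    return findings


def device_config_names(filelist_text):
    """Extract the SEP<MAC>.cnf.xml entries from a FileList.txt body, deduplicated."""
    names = re.findall(r"\bSEP[0-9A-F]{12}\.cnf\.xml\b", filelist_text)
    return sorted(set(names))


def audit_many(configs):
    """Audit a {config_name: xml_text} mapping.

    Returns (per_device, distinct_ssh_users): per_device holds only devices with
    a finding; distinct_ssh_users mirrors the thread's second SQL query.
    """
    per_device = {}
    for name, xml_text in configs.items():
        findings = audit_config(xml_text)
        if findings:
            per_device[name] = findings
    users = sorted({f["sshUserId"] for f in per_device.values() if "sshUserId" in f})
    return per_device, users


if __name__ == "__main__":
    report, users = audit_many({
        "SEP6899CD84B710.cnf.xml": SAMPLE_PHONE_CONFIG,
        "SEP001122334455.cnf.xml": SAMPLE_CLEAN_CONFIG,
    })
    for name, findings in report.items():
        print(name, findings)
    print("distinct SSH user IDs:", users)
```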

On Thu, Mar 15, 2018 at 11:02 AM Lelio Fulgenzi <lelio@uoguelph.ca> wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
With respect to storing passwords the intent for the ssh username/password field for IP phones is something that was generally not considered very sensitive info. The separation of ssh credentials from enabling SSH was also done to help mitigate the fact that this info is available to anyone by default.

For TP endpoints while their admin credentials can be configured in UCM the endpoint ignores that setting unless the TFTP config file is encrypted, for just this reason.

With respect to the fix in 12.0 I haven’t figured that out just yet. The id and name attributes on the HTML inputs are different, but both have type “password”. Personally I can’t imagine why the browser would think a stored credential from one html element should be autofilled into an entirely different field, but I guess the browser is trying to be helpful.

The only big difference I can see in 12.0 is the proper use of tags in the input and labels associated with them.
10.5
<td>
<label for="SSHPASSWORD">Secure Shell Password </label>
</td>
<td>
<input autocomplete="off" id="SSHPASSWORD" name="sshpassword" maxlength="200" size="50" value="" onchange="issshpasswordValid(this)" type="password">
</td>

12.x
<td>
<label id="SSHPASSWORD_ID" for="SSHPASSWORD">Secure Shell Password </label>
</td>
<td>
<input autocomplete="off" id="SSHPASSWORD" name="sshpassword" maxlength="288" size="50" value="" onchange="issshpasswordValid(this)" type="password">
</td>
</td>

Not a ton of changes between those two. The maxlength change is directly from the defect I cited earlier.

For the login it seems to be unchanged from 10.5 to 12.x.
<tr>
<td class="cuesLoginField">Password</td>
</tr>
<tr>
<td class="cuesLoginField">
<input size="20" autocomplete="off" name="j_password" maxlength="128" type="password">
</td>
</tr>

I’m not an expert in HTML autocomplete so it’s going to take some more testing to figure out exactly why the login credentials aren’t auto-filled in this field any longer.


-Ryan
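As an added example (not code from this thread or from Cisco), the scanner below lists the password inputs in a form fragment like the ones quoted above and flags those whose autocomplete value browsers treat as advisory. Per the MDN page linked earlier in the thread, autocomplete="off" (and non-standard values such as "false") does not stop a browser offering a saved login, while "new-password" is the value browsers honour for a password field that is not a login; the form fragments are constructed, the first modelled on the 10.5 markup.

```python
"""Report <input type="password"> fields whose autocomplete setting browsers will
not honour. Added example, not code from the thread; form fragments are constructed.
"""
from html.parser import HTMLParser

# The only autocomplete value browsers honour for suppressing saved-login fill
# on a password field (per MDN, linked in the thread).
HONOURED_VALUES = {"new-password"}

# Constructed form fragment modelled on the 10.5 markup quoted in the thread.
SAMPLE_FORM = """<table><tr>
<td><label for="SSHPASSWORD">Secure Shell Password </label></td>
<td><input autocomplete="off" id="SSHPASSWORD" name="sshpassword"
     maxlength="200" size="50" value="" type="password"></td>
</tr><tr>
<td><input id="SSHUSERID" name="sshuserid" type="text" autocomplete="off"></td>
</tr></table>"""

# Same field with the honoured value (hypothetical hardened markup, not Cisco's).
HARDENED_FORM = SAMPLE_FORM.replace(
    'autocomplete="off" id="SSHPASSWORD"',
    'autocomplete="new-password" id="SSHPASSWORD"',
)


class PasswordInputScanner(HTMLParser):
    """Collect every <input type="password"> with its id, name and autocomplete value."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attributes = dict(attrs)  # HTMLParser lowercases attribute names for us
        if (attributes.get("type") or "").lower() != "password":
            return
        self.inputs.append({
            "id": attributes.get("id"),
            "name": attributes.get("name"),
            # Missing attribute means the default, which is "on".
            "autocomplete": (attributes.get("autocomplete") or "on").lower(),
        })


def password_inputs(html):
    """Return the password inputs found in an HTML fragment, in document order."""
    scanner = PasswordInputScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.inputs


def autofill_risk(html):
    """Names of password fields where a browser may still offer a saved login."""
    return [field["name"] for field in password_inputs(html)
            if field["autocomplete"] not in HONOURED_VALUES]


if __name__ == "__main__":
    for field in password_inputs(SAMPLE_FORM):
        print(field)
    print("at risk (10.5-style markup):", autofill_risk(SAMPLE_FORM))
    print("at risk (hardened markup):", autofill_risk(HARDENED_FORM))
```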

On Mar 15, 2018, at 9:38 AM, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:

It's certainly a complicated problem: . Also, Cisco is storing the password in the DB encrypted, as you could see by modifying the SQL query to:

run sql select name, sshuserid, sshpassword from device where sshuserid is not null and sshuserid <> ''

Which is what the defect Ryan posted is talking about, the stored encrypted password length.

However, the TFTP files do contain the plain text credentials. You could encrypt your TFTP config files to protect yourself completely, but who's doing that these days?

And lastly, like I said before, this is also happening with the Energy Wise fields, albeit on other web pages, and those are stored in the DB in plain text.

E.g.,

run sql select xml from enterprisephoneconfigxml where xml like '%energy%'

Output will contain the following if impacted "<energyWiseDomain>theuser</energyWiseDomain><energyWiseSecret>thepassword</energyWiseSecret>" which is also transmitted in plain text to phones via the phone XML config file.

There may be others too.

On Thu, Mar 15, 2018 at 11:02 AM Lelio Fulgenzi <lelio@uoguelph.ca> wrote:

Thank you very much for bringing this to the group’s attention. And for providing some great troubleshooting steps to see whether we might be affected. Thanks to others for providing other information as well.


On the one hand, I see it being a browser issue – autocompleting when it shouldn’t (although you’re asked at least once, are you not?) and ignoring the autocomplete=false…. But…

Should Cisco really be storing passwords in clear text anywhere?




---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook





From: cisco-voip [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Anthony Holloway
Sent: Wednesday, March 14, 2018 9:50 PM

To: Cisco VoIP Group <cisco-voip@puck.nether.net>
Subject: [cisco-voip] CUCM and Auto Fill Credentials


I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.

So, I was looking at phone config file today, and I noticed the ccmadmin username and password was in the XML, and in plain text nonetheless.

I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you might unknowingly save your credentials for clear text view by unauthenticated users.

Is anyone already aware of this?

Could you run the following command on your clusters:

run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""

Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.

E.g.,

output might be:

SEP6899CD84B710 aholloway

So then you would navigate your browser to:

http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml

You then might have to view the HTML source of the page, because the browser might mess up the output.

You're then looking for the following two fields, your results will vary:

<sshUserId>aholloway</sshUserId>
<sshPassword>MyP@ssw0rd</sshPassword>

Then, since we now know it's happening, get a list of how many different usernames you have with this command:

run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid

This could also be happening with Energy Wise settings, albeit not on the same web pages.

I'm curious about two things:

1) Is it even happening outside of my limited testing scenarios?
2) How many different usernames and passwords were there?

If the answers are yes, and 1 or more, then this is an issue Cisco should address.

The reason it's happening is because the way in which browsers identify login forms is different from the way in which web developers understand it to work. Cisco uses the element attribute on these fields "autocomplete = false" and unfortunately, most browsers ignore that directive.

I have noticed that this does not happen if you have more than 1 saved password for the same site; rather, it will only happen if you use the same login for the entire site. Our highest chance of seeing this happen is for operations teams where they log in with their own accounts, and do not use DRS or OS Admin.
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
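One way to run the check described in this thread (sshUserId/sshPassword in a phone's cnf.xml, and the energyWiseDomain/energyWiseSecret pair from enterprisephoneconfigxml) against config files an administrator has already pulled from the TFTP server. This is an added example, not code from the thread or from Cisco; the sample XML is constructed around the element names shown above, and the pairing of the two EnergyWise elements is an assumption. The secret value is never printed, only its presence, owner and length.

```python
"""Audit Cisco IP phone config XML for credentials written into it, e.g. by
browser autofill of the Secure Shell or EnergyWise fields.  Added example,
not code from this thread or from Cisco; the sample XML below is constructed
around the element names the thread shows.  Secrets are never printed: only
their presence, owner and length are reported."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Secret-bearing element -> element naming the account it belongs to.
# The EnergyWise pairing is an assumption based on the thread's sample
# output, not a documented schema.
SECRET_FIELDS = {
    "sshPassword": "sshUserId",
    "energyWiseSecret": "energyWiseDomain",
}

# Constructed sample of a SEP<MAC>.cnf.xml with autofilled SSH credentials,
# using the values quoted in the thread.
SAMPLE_CNF_XML = """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <devicePool><name>Default</name></devicePool>
  <sshUserId>aholloway</sshUserId>
  <sshPassword>MyP@ssw0rd</sshPassword>
</device>"""

# Constructed sample of the enterprisephoneconfigxml row from the thread,
# wrapped in a root element so it parses stand-alone.
SAMPLE_ENTERPRISE_XML = """<device>
  <energyWiseDomain>theuser</energyWiseDomain>
  <energyWiseSecret>thepassword</energyWiseSecret>
</device>"""

# Constructed clean config: the fields exist but are empty.
SAMPLE_CLEAN_XML = "<device><sshUserId/><sshPassword></sshPassword></device>"


@dataclass(frozen=True)
class Finding:
    device: str
    field: str
    owner: str
    secret_length: int  # length only; the secret value is discarded


def _local(tag: str) -> str:
    """Drop an XML namespace prefix: '{urn:x}sshPassword' -> 'sshPassword'."""
    return tag.rsplit("}", 1)[-1]


def audit_phone_config(xml_text: str, device: str = "unknown") -> list[Finding]:
    """Return one Finding per secret-bearing element that is non-empty."""
    root = ET.fromstring(xml_text)
    values = {_local(el.tag): (el.text or "").strip() for el in root.iter()}
    findings = []
    for secret_field, owner_field in SECRET_FIELDS.items():
        secret = values.get(secret_field, "")
        if secret:
            findings.append(Finding(device, secret_field,
                                    values.get(owner_field, ""), len(secret)))
    return findings


def audit_files(paths) -> list[Finding]:
    """Audit SEP<MAC>.cnf.xml files already pulled by an administrator; the
    device name is taken from the file name (e.g. SEP6899CD84B710.cnf.xml)."""
    findings = []
    for path in map(Path, paths):
        device = path.name.split(".", 1)[0]
        findings.extend(audit_phone_config(path.read_text(encoding="utf-8"), device))
    return findings


def distinct_owners(findings) -> dict[str, set[str]]:
    """Map each account to the devices carrying its secret, the same roll-up
    as the thread's 'select distinct sshuserid' query."""
    owners: dict[str, set[str]] = {}
    for f in findings:
        owners.setdefault(f.owner, set()).add(f.device)
    return owners


def format_report(findings) -> str:
    """Human-readable summary with the secret value redacted."""
    if not findings:
        return "no stored credentials found"
    return "\n".join(
        f"{f.device}: {f.field} is set for {f.owner!r} "
        f"({f.secret_length} chars, value redacted)"
        for f in findings)


if __name__ == "__main__":
    samples = {"SEP6899CD84B710": SAMPLE_CNF_XML,
               "enterprisephoneconfigxml": SAMPLE_ENTERPRISE_XML,
               "SEP000000000000": SAMPLE_CLEAN_XML}
    found = [f for dev, xml in samples.items() for f in audit_phone_config(xml, dev)]
    print(format_report(found))
    for owner, devices in distinct_owners(found).items():
        print(f"account {owner!r} appears on {len(devices)} device(s)")
```

Point `audit_files` at a directory of cnf.xml files to get the same per-device and per-account roll-up the two SQL queries in the thread produce.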
Re: CUCM and Auto Fill Credentials [ In reply to ]
Interestingly, none of these files come up for me on an 11.5.1.13902
system. I can pull an XML file as Anthony showed previously, but not these
files. On 9.1.2 and 11.0.1.2000 systems, I can view them just fine. Did
something change in 11.5.1 or so to no longer allow these files?

I don't receive an error, just a blank page, and source is nil.

On Thu, Mar 15, 2018 at 2:35 AM Stephen Welsh <stephen.welsh@unifiedfx.com>
wrote:

> While we are on the subject here are some other non encrypted TFTP server
> items:
>
>
> - ConfigFileCacheList.txt
> - FileList.txt
> - BinFileCacheList.txt
> - PerfMon.txt
> - ParamList.txt
> - lddefault.cfg
>
> So you could use the following to get a list of all the device MAC
> addresses anonymously from the TFTP server:
>
> http://TFTPServer:6970/FileList.txt
>
> So with the scenario you describe and just the TFTP Server IP Address you
> could scan all the device configs on the cluster to see if even just one of
> them has the admin credentials saved accidentally on the SSH User/Password
> field.
>
> I suspect this may apply to most clusters....
>
> Kind Regards
>
> Stephen Welsh
> CTO
> UnifiedFX
>
> On 15 Mar 2018, at 07:25, Stephen Welsh <stephen.welsh@unifiedfx.com>
> wrote:
>
> Hi Anthony,
>
> Yes, the SSH credentials saved on the device page are available in clear
> text in the phone XML config, it’s not just your environment unfortunately.
> Also I believe the same thing applies for the Telepresence endpoints
> (anything running CE including the DX) for the web page admin credentials
> that are saved in the vendor config section.
>
> We noticed this a little while ago but, given most people did not populate
> it, did not consider it a serious issue; however, the auto-population of
> credentials is not something we considered. So yes, this does look like a
> serious problem when you combine those two together.
>
> Kind Regards
>
> Stephen Welsh
> CTO
> UnifiedFX
>
> On 15 Mar 2018, at 01:50, Anthony Holloway <
> avholloway+cisco-voip@gmail.com> wrote:
>
Re: CUCM and Auto Fill Credentials [ In reply to ]
Anthony, pertaining to this tidbit about 3rd party password tools, I've
found at least with LastPass this is not the case. In testing this, I'm
using Firefox ESR latest, on Windows 7 fully patched and the latest
LastPass update, and it's still allowing Firefox to insert the credentials
if you have that enabled. Of course, if you disable Firefox saving of
credentials, it shouldn't do this.

Obviously I'm nitpicking here, but wanted to clarify this a bit for
posterity's sake, since we are obviously getting into some best practices
here.

Turn off browser auto-complete of passwords and use a 3rd party password
management tool.

Lastly, once the fields are filled out, I cannot find an easy way to clear
them. You can replace with something else, but not clear.

Thanks for the info on all of this!


On Thu, Mar 15, 2018 at 9:54 AM Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:

> One member of the list confirmed that passwords stored with 3rd party
> password tools, such as LastPass, protect you from this behavior.
>
>
>
Re: CUCM and Auto Fill Credentials [ In reply to ]
Charles, Sounds good, and thank you for the input.

As for clearing the SSH stuff, you could run:

*run sql update device set (sshuserid, sshpassword) = ('', '') where
sshuserid is not null and sshuserid <> ''*

On Thu, Mar 15, 2018 at 6:50 PM Charles Goldsmith <wokka@justfamily.org>
wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
Running 11.5 and I tested on a few admin users and got clear text using the TFTP address and SEPMac address.cnf.xml

Dang!!!


________________________________
From: cisco-voip <cisco-voip-bounces@puck.nether.net> on behalf of Anthony Holloway <avholloway+cisco-voip@gmail.com>
Sent: Thursday, March 15, 2018 9:38:11 PM
To: Charles Goldsmith
Cc: Cisco VoIP Group
Subject: Re: [cisco-voip] CUCM and Auto Fill Credentials

Re: CUCM and Auto Fill Credentials [ In reply to ]
This is also a problem on the Service Profile page filling in LDAP
Username/Password. I see so many customers with their admin accounts
filled in here from autofill on their browsers. These are sent clear-text
to Jabber clients.

I think I talked to some Cisco folks on this and it didn't get anywhere
since it was more a browser issue. I think they need to rename some of
these fields so that password autofill doesn't happen.

On Wed, Mar 14, 2018 at 9:49 PM, Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
"...I think they need to rename some of these fields so that password
autofill doesn't happen."

Exactly! If you're going to build a web app, you have to understand how
the browser works. Granted, the browser should be a little more
intelligent about what it thinks is a login form, but the web developers
should know how that process works, and how to avoid having the browser
mistake their fields for login forms.

On Fri, Mar 16, 2018 at 11:32 AM Brian Meade <bmeade90@vt.edu> wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
The challenge here is that you want the “type” of the input to be set to password for these fields so the browser will replace the contents with *****.

What would you rename in this case? Is it the label for the input, the id of the input itself? For the login and ssh password fields the ids don’t match and neither do the label fields (login page doesn’t have a label at all).

With respect to the service profile this is also resolved in 12.0 where username and password are no longer in the service profile.

I brought this issue up with PSIRT today and the general consensus is that we are trying to do the right thing by specifying autocomplete=off on these fields. The fact that the browser ignores this for password input fields is a problem, but we need more inputs from the DEs on how or if we can prevent this. We are going to look into back-porting the fix from 12.0 into older releases.

-Ryan

On Mar 16, 2018, at 2:10 PM, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
In the article I shared, it covers this exact scenario:

"If an author would like to prevent the autofilling of password fields in
user management pages where a user can specify a new password for someone
other than themself, autocomplete="new-password" should be specified,
though support for this has not been implemented in all browsers yet."

Source:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

Until all browsers support it, perhaps making it a pop up window to
configure, like how IP Phone service subscriptions and speed dials are,
this way you know that filling in these fields is intentional. The real
trouble with how it works now is, the secure shell area is far below the
view port, and you have no idea it's even happening. So, if you simply
open a phone page, change the CSS, click save; you think you made 1 change,
when in fact you made 3: CSS, secure shell username, and secure shell
password.

Cisco could also put the number of fields updated on the top of the page in
the Status area. E.g., 3 Changes saved successfully.

On Mon, Mar 19, 2018 at 11:07 AM Ryan Ratliff (rratliff) <rratliff@cisco.com>
wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
UPDATE

I just upgraded a system to CUCM 11.5(1)SU4 (11.5.1.14900-11) and when I
went to change the Device Pool on this phone, I saw this message at the top:

[image: image.png]

And when I scrolled down to the Secure Shell section, sure enough, my
administrator credentials were in there.

[image: image.png]

So, the problem still persists, but Cisco is trying to make you aware that
it happened. Of course, if you don't see it, or don't understand it,
you're not going to correct it. Also, who wants to scroll down and erase
the credentials every time they make a change? Not many, I'd wager.

I did not test all of the pages where this can happen, to see if Cisco
caught them all, but this was the major offender in my opinion.

On Wed, Mar 14, 2018 at 8:49 PM Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:

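The following is an added example, not code from any message in this thread and not a Cisco tool. It automates the check Anthony describes: parse the output of the `run sql select name, sshuserid from device ...` query, pull each listed phone's SEP<MAC>.cnf.xml from the TFTP server on port 6970, report which files carry a non-empty <sshPassword>, and produce the distinct-username count from the second query. The column layout of the `run sql` output, the three sample config files, and all function names (parse_run_sql, fetch_phone_config, extract_ssh_credentials, audit, distinct_userids) are assumptions made for this example; the sample run is entirely offline, and the network fetch is only a hook for use against a real cluster.

```python
"""Audit CUCM phone config files for SSH credentials left behind by browser
autofill. Added example for this thread, not Cisco code. Everything marked
'constructed' below is sample data made up for the example."""
from __future__ import annotations

import re
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of what the CUCM CLI prints for
#   run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""
# (header row, '=' separator row, one device per row). This layout is an
# assumption; adjust parse_run_sql() if your cluster prints it differently.
SAMPLE_RUN_SQL_OUTPUT = """\
name             sshuserid
================ =========
SEP6899CD84B710  aholloway
SEP001122334455  aholloway
SEPAABBCCDDEEFF  ops.jane
"""

# Constructed sample config files keyed by device name, standing in for what
# http://<tftpserver>:6970/<name>.cnf.xml would return. Only the elements the
# audit looks at are included.
SAMPLE_CONFIGS = {
    "SEP6899CD84B710": """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <sshUserId>aholloway</sshUserId>
  <sshPassword>MyP@ssw0rd</sshPassword>
</device>""",
    # username saved but the password field was cleared: no exposure
    "SEP001122334455": """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <sshUserId>aholloway</sshUserId>
  <sshPassword></sshPassword>
</device>""",
    "SEPAABBCCDDEEFF": """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <sshUserId>ops.jane</sshUserId>
  <sshPassword>Summer2018!</sshPassword>
</device>""",
}


def parse_run_sql(output: str) -> dict[str, str]:
    """Map device name -> sshuserid, skipping the header and '====' rows."""
    devices: dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "name" or set(parts[0]) == {"="}:
            continue
        devices[parts[0]] = parts[1]
    return devices


def fetch_phone_config(tftp_host: str, device_name: str, timeout: float = 5.0) -> str:
    """Network hook for a live audit: GET http://<tftp>:6970/<SEP...>.cnf.xml.
    The TFTP HTTP service needs no authentication. Not called by the sample run."""
    url = f"http://{tftp_host}:6970/{device_name}.cnf.xml"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_ssh_credentials(config_xml: str) -> tuple[str | None, str | None]:
    """Return (sshUserId, sshPassword); None for an absent or empty element.
    Falls back to a regex when the served file is not well-formed XML."""
    try:
        root = ET.fromstring(config_xml)
        return root.findtext("sshUserId") or None, root.findtext("sshPassword") or None
    except ET.ParseError:
        user = re.search(r"<sshUserId>(.*?)</sshUserId>", config_xml, re.S)
        pw = re.search(r"<sshPassword>(.*?)</sshPassword>", config_xml, re.S)
        return (user.group(1) or None) if user else None, (pw.group(1) or None) if pw else None


def audit(devices: dict[str, str], configs: dict[str, str]) -> list[dict]:
    """Cross-check each database hit against the served config file and flag
    every device whose file carries a non-empty sshPassword."""
    findings = []
    for name, db_user in devices.items():
        cfg = configs.get(name)
        if cfg is None:  # file not served / fetch failed: nothing to judge
            continue
        user, pw = extract_ssh_credentials(cfg)
        findings.append({"device": name, "db_sshuserid": db_user,
                         "cfg_sshuserid": user, "password_exposed": pw is not None})
    return findings


def distinct_userids(devices: dict[str, str]) -> Counter:
    """Same information as `select distinct sshuserid ... order by sshuserid`,
    with a device count per login so you can see how widespread each one is."""
    return Counter(devices.values())


if __name__ == "__main__":
    devs = parse_run_sql(SAMPLE_RUN_SQL_OUTPUT)
    for f in audit(devs, SAMPLE_CONFIGS):
        state = "PASSWORD IN CLEAR TEXT" if f["password_exposed"] else "no password"
        print(f'{f["device"]}: sshUserId={f["cfg_sshuserid"]} -> {state}')
    for login, n in sorted(distinct_userids(devs).items()):
        print(f"{login}: {n} device(s)")
```

Against a live cluster, run the first query on the CLI, paste its output into parse_run_sql(), and build the configs dict by calling fetch_phone_config(tftp_host, name) for each device. Port 6970 serves the files over plain HTTP with no authentication, which is exactly why a leaked sshPassword is readable by anyone who can reach the TFTP server; the only privileged step in the audit is the CLI query itself.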
Re: CUCM and Auto Fill Credentials [ In reply to ]
But, it’s not that the “endpoint is vulnerable to security breach” – it’s the whole system!

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio@uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook

From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Anthony Holloway
Sent: Monday, April 30, 2018 9:11 AM
To: Cisco VoIP Group <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] CUCM and Auto Fill Credentials

Re: CUCM and Auto Fill Credentials [ In reply to ]
Good point.

On Mon, Apr 30, 2018 at 8:22 AM Lelio Fulgenzi <lelio@uoguelph.ca> wrote:

Re: CUCM and Auto Fill Credentials [ In reply to ]
The fix for CSCvb33351 was ported back to 11.5 but won’t be there until 11.5(1)SU5.

-Ryan

On Apr 30, 2018, at 9:57 AM, Anthony Holloway <avholloway+cisco-voip@gmail.com> wrote:
