Cisco on Oct. 5 patched a critical vulnerability, rated 9.8, in Cisco Emergency Responder that could let an unauthenticated, remote attacker log in to an affected device with root privileges. With that access, the attacker could execute any command, alter system settings, or even disable an emergency response system entirely.
In its advisory, Cisco said the vulnerability — CVE-2023-20101 — was caused by the presence of static user credentials for the root account that’s typically reserved for use during development. Cisco said an attacker could exploit this vulnerability by using the account to log in to an affected system.
Essentially, a successful exploit could let the attacker log in to the affected system and execute arbitrary commands as the root user.
“Should the system become compromised, it could impede the correct routing of emergency calls or even block them entirely, leading to potential delays in emergency responses,” said Callie Guenther, senior manager, cyber threat research at Critical Start.
Guenther explained that CVE-2023-20101 pertains to static, unchangeable credentials associated with the root account of the Emergency Responder software. Guenther said it’s believed these credentials were hardcoded during the software's development phase and unintentionally left in the released product.
“Because these credentials cannot be altered or deleted, they present a significant security risk,” explained Guenther. “If malicious actors become aware of these credentials, they can access the system remotely without authentication.”
Stephen Gates, principal security SME at Horizon3.ai, added that any time a vendor leaves behind in its product a root account with a default, static credential that cannot be changed or deleted, it opens up a Pandora’s box of unforeseeable outcomes.
“First, attackers are completely capable of finding out what the default credentials are, in this case most likely from using open-source intelligence widely available on the internet,” said Gates. “And once attackers gain access to the root, it’s ‘game over’ and they have complete control of the system or software in the same fashion as any other root user would. Vendors should always mandate, via a forced process, that all default root account credentials be changed when a system or software is installed.”
Critical Start’s Guenther explained that the Cisco Emergency Responder software is designed to integrate with Cisco Unified Communications Manager. Its primary functions include the following:
- Route emergency calls to the correct local Public Safety Answering Point (PSAP), known mostly as 911 call centers.
- Alert specific personnel of an ongoing emergency call, facilitating a quick and efficient response.
- Keep a detailed log of all emergency calls made.
- Provide the PSAP with accurate geolocation details of the caller to ensure timely response in emergencies.
“It’s predominantly available in the United States and Canadian markets, making it crucial in these regions for handling emergency communications,” said Guenther.