The problem is if the customer got SDM installed on the device from manufacturing, and used some script/CLI to reconfigure the device - and never ever starts SDM - SDM never gets the chance to remove the default credentials. The one-time username is removed only from the running configuration, if you don't save the new configuration to the NVRAM, the username will reappear after the router reload.Īctually, the first thing SDM does is ask the user to change the default credentials - so if the user does use SDM for initial/subsequent configuration, the credentials would be removed.
If you log into the router using any other username, the one-time username remains valid (it's not removed on the first successful login to the box, which would make more sense in the SDM context). There are, however, two caveats associated with this feature: After the first login, the username disappears from the running configuration and thus cannot be reused. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.Ĭisco has patched this vulnerability in IOS release 12.4(11)T that includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once.įor example, the username cisco one-time secret cisco would define the default username that can be used only for single access to the router. 
Cisco routers preconfigured for SDM have default username/password cisco/cisco.
0 kommentar(er)
