Cisco bug warning: Critical static password flaw in network appliances needs patching
Cisco has disclosed a critical flaw in its ENCS 5400-W Series and CSP 5000-W Series appliances: their software ships with user accounts that have a default, static password.
During internal testing, Cisco discovered its Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for the appliances have user accounts with the fixed password.
NFVIS helps customers virtualize Cisco network services such as its Integrated Services Virtual Router, virtual WAN optimization, Virtual ASA, virtual Wireless LAN Controller, and Next-Generation Virtual Firewall.
The default password means a remote attacker without credentials could log into the NFVIS command-line interface of a vulnerable device with administrator privileges.
Customers need to apply Cisco’s updates if their appliances are running vWAAS with NFVIS-bundled image release 6.4.5, or release 6.4.3d and earlier.
There are no workarounds, so the update is the only way for customers to plug the flaw, which has a severity rating of 9.8 out of 10 and is being tracked as CVE-2020-3446.
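To turn that version criterion into a fleet check, here is a small Python example added here; it is not Cisco tooling and encodes only the two ranges the article gives (release 6.4.5, and 6.4.3d and earlier). The Cisco-style release grammar it parses (major.minor.maintenance with an optional rebuild letter, as in 6.4.3d) and the sample inventory are assumptions; anything outside the listed ranges is reported as "not listed" rather than "safe", so the advisory itself remains the reference.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected vWAAS-with-NFVIS-bundled image releases exactly as the article states:
# release 6.4.5, and release 6.4.3d and earlier. Nothing else is inferred here.
AFFECTED_EXACT = {"6.4.5"}
AFFECTED_UP_TO = "6.4.3d"

# Assumed Cisco-style release grammar: major.minor.maintenance plus an optional rebuild letter.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?$")


def parse_release(release: str) -> Tuple[int, int, int, str]:
    """Turn '6.4.3d' into (6, 4, 3, 'd') so releases compare numerically, not as text.

    A missing rebuild letter sorts before 'a', so 6.4.3 < 6.4.3a < 6.4.3d, and the
    numeric fields avoid the classic mistake where '6.4.10' < '6.4.3' as strings.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, maint, rebuild = m.groups()
    return int(major), int(minor), int(maint), rebuild or ""


def is_affected(release: str) -> bool:
    """True if the release falls inside a range the article lists as vulnerable."""
    key = parse_release(release)
    if release.strip() in AFFECTED_EXACT:
        return True
    return key <= parse_release(AFFECTED_UP_TO)


def triage(releases: Iterable[str]) -> Dict[str, str]:
    """Map each release string to 'patch', 'not listed' or 'unparseable'."""
    verdicts = {}
    for r in releases:
        try:
            verdicts[r] = "patch" if is_affected(r) else "not listed"
        except ValueError:
            verdicts[r] = "unparseable"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory of image releases, the kind a fleet spreadsheet would hold.
    inventory = ["6.4.3", "6.4.3d", "6.4.3e", "6.4.5", "6.4.5a", "6.4.1b", "7.0"]
    for release, verdict in triage(inventory).items():
        print(f"{release:8s} {verdict}")
```

The comparison is deliberately tuple-based rather than a string compare; a rebuild letter is the only non-numeric field, and an absent letter must sort below any present one for "6.4.3d and earlier" to include plain 6.4.3.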
Cisco lists four ways an attacker could reach the NFVIS CLI; which of them apply depends on how the customer has configured the device:
- The Ethernet management port for the CPU on an affected ENCS 5400-W Series appliance. This interface might be remotely accessible if a routed IP address is configured on it.
- The first port on the four-port I350 PCIe Ethernet Adapter card on an affected CSP 5000-W Series appliance. This interface might be remotely accessible if a routed IP address is configured on it.
- A connection to the vWAAS software CLI and a valid user credential to authenticate on the vWAAS CLI first.
- A connection to the Cisco Integrated Management Controller (CIMC) interface of the ENCS 5400-W Series or CSP 5000-W Series appliance and a valid user credential to authenticate to the CIMC first.
Cisco has also posted two more high-severity advisories that can be addressed by installing software updates it recently made available.
Multiple vulnerabilities in Cisco’s Video Surveillance 8000 Series IP Cameras could allow an unauthenticated attacker in the same broadcast domain as a vulnerable camera to run code on it or knock it offline.
The flaws reside in the Cisco Discovery Protocol (CDP), a Layer 2 (data link layer) protocol in the Open Systems Interconnection (OSI) model that Cisco devices use to advertise themselves to directly connected neighbours. Because CDP frames are not routed, the attacker has to be on the same Layer 2 segment as the camera.
“An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol packet to the targeted IP camera,” explains Cisco in the advisory for the flaws CVE-2020-3506 and CVE-2020-3507.
“A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a denial-of-service (DoS) condition.”
The cameras are vulnerable if they are running a firmware version earlier than 1.0.9-4 and have the Cisco Discovery Protocol enabled. Again, customers need to apply Cisco’s update to protect them because there is no workaround.
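As an added illustration of the class of bug a malicious Layer 2 packet can trigger in a TLV-based protocol such as CDP, the Python below parses constructed CDP payloads with the bounds checks a receiver must make before trusting a TLV length field. This is not Cisco's code and not a reconstruction of CVE-2020-3506 or CVE-2020-3507, whose root cause the article does not give. The CDP layout it assumes (version, TTL, checksum, then TLVs with a 2-byte type and a 2-byte length that counts the 4-byte TLV header) is the standard one; the sample payloads are constructed, and checksum verification is deliberately omitted.

```python
import struct

# Well-known CDP TLV types; names are for readable output only.
CDP_TLV_NAMES = {
    0x0001: "Device ID",
    0x0002: "Addresses",
    0x0003: "Port ID",
    0x0004: "Capabilities",
    0x0005: "Software Version",
    0x0006: "Platform",
}


class MalformedCDP(ValueError):
    """Raised when a CDP payload fails a structural check."""


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (the bytes after the LLC/SNAP header) with strict bounds checks.

    Every TLV length is validated against the bytes that remain before it is used,
    and a length below 4 is rejected outright: it would make the offset stall or
    move backwards, which is exactly the kind of field an attacker controls.
    The checksum is not verified here; a real receiver should verify it first.
    """
    if len(payload) < 4:
        raise MalformedCDP("header truncated")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise MalformedCDP(f"unsupported CDP version {version}")

    tlvs = {}
    off = 4
    while off < len(payload):
        if len(payload) - off < 4:
            raise MalformedCDP(f"TLV header truncated at offset {off}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4:
            raise MalformedCDP(f"TLV 0x{tlv_type:04x} has impossible length {tlv_len}")
        if off + tlv_len > len(payload):
            raise MalformedCDP(
                f"TLV 0x{tlv_type:04x} claims {tlv_len} bytes but only "
                f"{len(payload) - off} remain"
            )
        tlvs[tlv_type] = payload[off + 4:off + tlv_len]
        off += tlv_len
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the length field includes the 4-byte header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(tlvs, version: int = 2, ttl: int = 180) -> bytes:
    """Build a CDP payload from (type, value) pairs; checksum left as zero."""
    body = b"".join(build_tlv(t, v) for t, v in tlvs)
    return struct.pack("!BBH", version, ttl, 0) + body


# Constructed sample payloads, not captured traffic.
GOOD = build_cdp([
    (0x0001, b"switch01"),
    (0x0003, b"GigabitEthernet0/1"),
    (0x0006, b"cisco WS-C2960"),
])
# Same device, but the Port ID TLV's length field is inflated far past the end of the payload.
OVERLONG = build_cdp([(0x0001, b"switch01")]) + struct.pack("!HH", 0x0003, 0x0400) + b"Gi0/1"
# A TLV whose length field is smaller than its own 4-byte header.
ZERO_LEN = build_cdp([]) + struct.pack("!HH", 0x0001, 0)


def describe(payload: bytes) -> str:
    """One-line verdict for a payload: parsed TLV names, or the reason it was rejected."""
    try:
        parsed = parse_cdp(payload)
    except MalformedCDP as exc:
        return f"rejected: {exc}"
    names = ", ".join(CDP_TLV_NAMES.get(t, f"0x{t:04x}") for t in parsed["tlvs"])
    return f"ok: v{parsed['version']} ttl={parsed['ttl']} tlvs=[{names}]"


if __name__ == "__main__":
    for label, frame in (("good", GOOD), ("overlong", OVERLONG), ("zero-length", ZERO_LEN)):
        print(f"{label:12s} {describe(frame)}")
```

The two malformed samples are the shapes that matter in practice: an inflated length that drags a copy past the end of the buffer, and a sub-header length that makes the TLV loop spin or re-read the same bytes. A parser that checks both before touching the value is the difference between an unexpected reload and a logged, discarded frame.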
This bug was reported to Cisco by Qian Chen of Qihoo 360 Nirvan Team. However, Cisco notes it is not aware of any malicious activity using this vulnerability.
The second high-severity advisory concerns a privilege-escalation flaw affecting the Cisco Smart Software Manager On-Prem or SSM On-Prem. It’s tracked as CVE-2020-3443 and has a severity score of 8.8 out of 10.
During internal testing, Cisco discovered that an authenticated, remote attacker could elevate their privileges and execute commands with higher privileges up to an administrative role, which would give the attacker full access to the device.
The bug affects all Cisco SSM On-Prem releases earlier than version 8-202004. It also affects all 6.x Cisco Smart Software Manager satellite releases; SSM satellite is the earlier name of the same product.
Customers need to install Cisco’s updates since there is no workaround available.
At the same time as patching the critical and high-severity flaws, the company has also issued fixes for a further 21 medium-severity vulnerabilities.