Cisco released 16 security advisories yesterday, including alerts for three vulnerabilities rated "Critical" that received the maximum CVSSv3 severity score of 10 out of 10.
The three vulnerabilities include a backdoor account and two bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center.
The Cisco DNA Center is a piece of software that's aimed at enterprise clients and which provides a central system for designing and deploying device configurations (aka provisioning) across a large network.
This is, arguably, a pretty complex piece of software, and according to Cisco, a recent internal audit has yielded some pretty bad results.
CVE-2018-0222
The first of these flaws, and probably the easiest to exploit, is CVE-2018-0222. Cisco describes this as an "undocumented, static user credentials for the default administrative account," which is just a longer way of spelling backdoor account.
The company did not reveal the account's default username and password but said it grants an attacker root privileges on targeted systems.
Users are advised to apply software patches to remove the account as soon as possible, as there are no known workarounds that can disable it until updates can be installed.
CVE-2018-0268
The second vulnerability is CVE-2018-0268, which is an authentication bypass for a Kubernetes container management subsystem embedded inside Cisco's DNA Center.
"An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers," Cisco said. "A successful exploit could result in a complete compromise of affected containers."
Like with the previous flaw, there are no workarounds and users must update their DNA Center to protect themselves.
CVE-2018-0271
Last but not least there's CVE-2018-0271, an authentication bypass in the DNA Center's API gateway.
"The vulnerability is due to a failure to normalize URLs prior to servicing requests," Cisco explained. "An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue. A successful exploit could allow the attacker to gain unauthenticated access to critical services, resulting in elevated privileges in DNA Center."
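Cisco did not publish the affected routes, so the following is an added illustration (not Cisco's code) of the root cause described above: an authorization check that matches the raw request path against a hypothetical protected prefix, beside one that canonicalizes the path (percent-decoding, collapsing `.`, `..` and repeated slashes) before matching. The prefix `/api/admin` and the sample paths are constructed for the demonstration.

```python
# Illustrative example (not Cisco's code): an API-gateway authorization check
# that matches the request path only after canonicalizing it. The protected
# prefix "/api/admin" is a hypothetical value chosen for this demonstration.
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/api/admin"   # hypothetical; not a real DNA Center route


def naive_requires_auth(raw_path: str) -> bool:
    """Flawed check: compares the raw request path exactly as received, so
    any non-canonical spelling of a protected path is treated as public."""
    return raw_path.startswith(PROTECTED_PREFIX)


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any access decision is made."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query/fragment
    for _ in range(3):                 # bounded loop: undo double percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)    # collapses '.', '..' and repeated '/'
    while path.startswith("//"):       # normpath keeps a leading '//'; collapse it
        path = path[1:]
    return path


def requires_auth(raw_path: str) -> bool:
    """Hardened check: match on whole path segments of the canonical form."""
    path = normalize_path(raw_path)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def compare(raw_path: str) -> tuple:
    """Return (naive_verdict, hardened_verdict) for one constructed request path."""
    return naive_requires_auth(raw_path), requires_auth(raw_path)


if __name__ == "__main__":
    # Constructed sample paths: each spells the same protected resource in a
    # non-canonical way that the naive check treats as a public route.
    for sample in ("/api/admin/users", "/public/../api/admin/users",
                   "/api/%61dmin/users", "//api/admin/./users", "/api/adminx"):
        naive, hardened = compare(sample)
        print(f"{sample:32} naive={naive!s:5} hardened={hardened}")
```

Rejecting non-canonical requests outright instead of decoding them is an equally valid gateway policy; the point is that the access decision must never be made on the raw string.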
Cisco fixed all three issues in DNA Center v1.1.3.
Let's not criticize Cisco
The company discovered these flaws as part of the massive series of internal audits it started back in December 2015.
At the time, security researchers found a backdoor account in Juniper software that could decrypt VPN traffic, and Cisco decided to hunt and root out any similar backdoors before attackers found them first.
The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts.
The most recent backdoors Cisco discovered were found in March, when the company's engineers discovered two: one in Cisco's Prime Collaboration Provisioning (PCP) platform, and one in the IOS XE operating system.
Comments
lolita_lopez2 - 5 years ago
They should be applauded for doing this of their own accord; but the criticism is 100% warranted. Hard coded users would, at the very least, be left over from development/debugging and there was little to no code review before it was put into production. At the worst, the hard coded users were put there exactly to be a back door and they are now fixing it before it would be publicly disclosed by a third party.
STS-1 - 5 years ago
I was thinking the same thing... If there are "hard coded" user accounts how is that NOT Cisco's fault... Are they not the ones responsible for the finished product released to customers? Is there any legit reason to have a hard coded user account other than just to be used as a back door, which is the only reason I know of? Any user account that would be legit would be created by the system admin(s), not embedded in the firmware (which from my understanding is what "hard coded" would mean). Yes it is good that they are doing the internal audit, but would it not be more efficient to ensure that these holes are not released in the first place...