Cisco Systems issued a “critical” patch on Wednesday for its Nexus 3000 and 3500 series switches, fixing a flaw that allows remote attackers to access default account and static password information on affected hardware. The vulnerability could allow an unauthenticated user to log in to the affected system with the privileges of a root user.
The account is created by default at installation time by the Cisco NX-OS software that runs on the switches. According to a Cisco advisory, the default account and static password cannot be removed without risking harm to the system’s functionality. The Cisco patches remove the default administrative account and static credentials.
Cisco’s security advisory warns:
“The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system. An attacker could exploit this vulnerability by connecting to the affected system using this default account. The account can be used to authenticate remotely to the device via Telnet (or SSH on a specific release) and locally on the serial console.”
Cisco is a repeat offender when it comes to this type of vulnerability. Over the past several years, the networking giant has had to issue several advisories warning of backdoor and default user issues that left hardware open to remote system access.
Eight months ago, Cisco admitted that security appliances shipped with static SSH keys. Last year, Cisco revealed that some of its IronPort “virtual appliance” products contained multiple default SSH keys that offered root privileges. That followed a similar advisory for default private and host SSH keys in three of its security appliances.
“These issues aren’t unique to Cisco,” said Chris Pickard, president and COO of Xylotek Solutions, an Ontario-based IT solution provider. “All vendors give IT admin headaches when it comes to coded or default accounts that are turned on or off or hiding somewhere.”
But, Pickard said, too many system administrators don’t take a static password flaw as seriously as they should. “Is this a security issue or a potential security issue? It may not be 99 percent of the time. But that one percent of the time that someone gets through a firewall or is sitting on your internal network and finds a way to exploit something – then it becomes a very serious issue.”
With this most recent update, Cisco is providing patches for Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5), and for Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).
Cisco says it found the hard-coded credentials during the resolution of a customer case handled by Cisco. “The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” the report read.