There is a severe remote code execution vulnerability in a number of Cisco’s security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years.
The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products.
If the Telnet service is enabled on a vulnerable appliance, a remote attacker can execute arbitrary code.
“A vulnerability in telnet code of Cisco AsyncOS could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system,” the Cisco advisory says.
“The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges.”
Cisco has released a patched version of the AsyncOS software to address the vulnerability and also has recommended some workarounds for customers.
“For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet,” the advisory says.
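To confirm the workaround has taken effect, an administrator can check whether an appliance's management interface still answers as Telnet. The following is an added example, not code from Cisco or the advisory: it parses the first bytes a service sends and reports any Telnet option negotiation, including the ENCRYPT option (option 38, RFC 2946). The function names, the `probe` helper and the sample capture are assumptions made for illustration.

```python
import socket

# Telnet command bytes (RFC 854); ENCRYPT is option 38 (RFC 2946).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ENCRYPT = 38
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
# Constructed sample capture (not taken from a real appliance).
SAMPLE_TELNET = bytes([IAC, DO, 37, IAC, WILL, ENCRYPT, IAC, DO, ENCRYPT,
                       IAC, SB, 24, 1, IAC, SE]) + b"login: "


def parse_negotiation(data: bytes):
    """Return [(verb, option)] for each IAC DO/DONT/WILL/WONT in data."""
    found, i = [], 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1                      # ordinary banner text
        elif data[i + 1] in VERBS:
            if i + 2 >= len(data):
                break                   # truncated: verb without option byte
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        elif data[i + 1] == SB:         # skip subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                   # unterminated subnegotiation
            i = end + 2
        else:
            i += 2                      # IAC IAC or another two-byte command
    return found


def assess(data: bytes) -> dict:
    """Classify captured bytes: is it Telnet, and is ENCRYPT negotiated?"""
    opts = parse_negotiation(data)
    return {"telnet": bool(opts), "options": opts,
            "offers_encrypt": any(o == ENCRYPT and v in ("DO", "WILL")
                                  for v, o in opts)}


def probe(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Connect to an appliance you administer and assess its first bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""              # connected, but the service sent nothing
    except OSError:
        return {"reachable": False}     # closed or filtered: Telnet is off
    return {"reachable": True, **assess(data)}
```

A result with `telnet` set to true means the workaround has not been applied on that interface. `offers_encrypt` only shows that the service negotiates Telnet encryption; whether the build is patched still has to be checked against the fixed AsyncOS release.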