A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered. The bug, rooted in a static, default password, would open the door to remote attackers who can reach the HA service, even when the platform is not directly connected to the internet.
Cisco Smart Software Manager On-Prem Base is used to manage a customer or partner’s product licenses, providing near real-time visibility and reporting of the Cisco licenses that an organization purchases and consumes. According to Cisco’s product literature, the platform is aimed at “customers who have strict security requirements and do not want their products to communicate with the central licensing database on Smart Software Manager over a direct Internet connection,” like financial institutions, utilities, service providers and government organizations.
The hard-coded password is for “a [HA] system account [that] is not under the control of the system administrator,” Cisco said in an advisory issued Wednesday on the bug, tracked as CVE-2020-3158. In other words, the administrator can neither change nor disable the credential. Anyone who obtained the password, which could presumably be found in installation guides or other documentation available online, could log in to this account and, from there, connect to Cisco Smart Software Manager On-Prem Base.
“Vulnerabilities like CVE-2020-3158 could not be any easier for attackers to compromise,” Chris Hass, director of information security and research at Automox, told Threatpost. “Systems with default, hard-coded credentials completely remove the need for any real technical skill, and drastically reduce the time to be weaponized.”
The vulnerability, which has a score of 9.8 on the CVSS bug-severity scale, “could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account,” Cisco said. “A successful exploit could allow the attacker to obtain read-and-write access to system data, including the configuration of an affected device.”
The good news is that while attackers would gain access to a sensitive part of the system, they would not have full administrative rights to control the device. Given that the access includes reading and writing the device configuration, that is a limited consolation.
No workarounds are available, but Cisco issued a patch this week (Cisco Smart Software Manager On-Prem release 7-202001). The vulnerability affects a system only if the HA feature is enabled, and HA is not enabled by default.
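To make the vulnerability class concrete, the following Python sketch is added here as an editorial example. It is not Cisco's code; the account name, the default password, the hashing parameters and the audit helper are all invented for illustration. It places a hard-coded system-account check of the kind described above beside a hardened equivalent: the hardened store mints a random per-install secret only at the moment HA is enabled, keeps just a salted PBKDF2 hash of it, refuses the account outright while HA is off, and discards the secret when HA is disabled. The `find_default_credentials` helper tries known default passwords against any authenticator, which is the check an operator would run to confirm that a shipped default no longer works on a deployment.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

HA_ACCOUNT = "ha-sync"                   # hypothetical name for the HA system account
DEFAULT_HA_PASSWORD = "ha-default-2020"  # constructed stand-in for a baked-in default
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def authenticate_ha_vulnerable(user: str, password: str) -> bool:
    """Vulnerable pattern: the HA account's password is a constant in the image.
    Every install shares it, the administrator cannot rotate it, and anyone who
    reads it out of the software or its documentation can log in."""
    return user == HA_ACCOUNT and password == DEFAULT_HA_PASSWORD


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class HaCredentialStore:
    """Hardened pattern: a random per-install secret, stored only as a salted
    hash, for an account that is unusable while HA is disabled."""
    ha_enabled: bool = False
    _records: Dict[str, bytes] = field(default_factory=dict)  # user -> salt || hash

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self._records[user] = salt + _hash_password(password, salt)

    def enable_ha(self) -> str:
        """Turn HA on and mint the peer secret at that moment. The plaintext is
        returned exactly once so the operator can copy it to the peer node."""
        secret = secrets.token_urlsafe(32)
        self.set_password(HA_ACCOUNT, secret)
        self.ha_enabled = True
        return secret

    def disable_ha(self) -> None:
        """Tearing HA down also discards the credential; nothing is left behind."""
        self.ha_enabled = False
        self._records.pop(HA_ACCOUNT, None)

    def authenticate(self, user: str, password: str) -> bool:
        if not self.ha_enabled:
            return False  # the system account is unreachable while the feature is off
        record = self._records.get(user)
        if record is None:
            _hash_password(password, b"\x00" * SALT_LEN)  # keep timing uniform for unknown users
            return False
        salt, stored = record[:SALT_LEN], record[SALT_LEN:]
        return hmac.compare_digest(_hash_password(password, salt), stored)


def find_default_credentials(authenticate: Callable[[str, str], bool],
                             accounts: Iterable[str],
                             defaults: List[str]) -> Dict[str, str]:
    """Audit check: which accounts still accept a known default password?
    Works against any (user, password) -> bool authenticator and returns
    {account: default_that_worked} for every account that accepted one."""
    hits: Dict[str, str] = {}
    for user in accounts:
        for candidate in defaults:
            if authenticate(user, candidate):
                hits[user] = candidate
                break
    return hits


if __name__ == "__main__":
    defaults = ["admin", "password", DEFAULT_HA_PASSWORD]  # constructed default list
    print("vulnerable:", find_default_credentials(authenticate_ha_vulnerable, [HA_ACCOUNT], defaults))
    store = HaCredentialStore()
    peer_secret = store.enable_ha()
    print("hardened:  ", find_default_credentials(store.authenticate, [HA_ACCOUNT], defaults))
    print("peer secret accepted:", store.authenticate(HA_ACCOUNT, peer_secret))
```

The design choice worth noting is that the hardened store ties the credential's lifetime to the feature: there is nothing to find while HA is off, which is the state the advisory says most deployments are in, and enabling HA produces a secret that is unique to that install rather than shared across every customer.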
Steven Van Loo of hIQkru was given credit for discovering the flaw.
“It is unfortunate that the lessons of Mirai have not translated into stronger security hardening practices,” Hass said. “And to see manufacturers and critical service providers continue to ignore the basics of cyber-hygiene is disappointing.”
A Buggy Start to the Year
Cisco has released patches for a number of flaws already in 2020, including fixes for five critical vulnerabilities in Cisco Discovery Protocol (CDP), the Layer 2 protocol Cisco devices use to advertise themselves to, and learn about, directly connected neighbors. Dubbed “CDPwn,” they can allow attackers with an existing foothold on the same network segment (CDP frames are not routed, so adjacency is required) to break through network segmentation and remotely take over millions of devices.
In January, Cisco patched high-severity vulnerabilities affecting more than half a dozen of its small business switches; the flaws allow remote, unauthenticated adversaries to access sensitive information and mount denial-of-service (DoS) attacks against affected gear.
Separately, it patched two high-severity vulnerabilities in its popular Webex video conferencing platform: one could let strangers join password-protected meetings without authenticating, and the other could allow remote code execution.
Also in January, a critical vulnerability emerged in Cisco's administrative management tool for its network security products. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on affected devices.
And to kick off the year, Cisco patched three critical vulnerabilities in a key tool for managing its network platform and switches. The bugs could allow an unauthenticated, remote attacker to bypass endpoint authentication and execute arbitrary actions with administrative privileges on targeted devices, the vendor said. Proof-of-concept exploits emerged shortly after disclosure.