Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open

A default configuration allows full admin access to unauthenticated attackers.

A critical and unpatched vulnerability in the widely deployed Cisco Small Business Switch software leaves the door open to remote, unauthenticated attackers gaining full administrative control over the device – and therefore the network.

Cisco Small Business Switches were developed for small office and home office (SOHO) environments, to manage and control small local area networks with no more than a handful of workstations. They come in cloud-based, managed and unmanaged “flavors,” and are an affordable (under $300) solution for resource-strapped small businesses.

The vulnerability (CVE-2018-15439), which has a critical base CVSS severity rating of 9.8, exists because the default configuration on the devices includes a default, privileged user account that is used for the initial login and cannot be removed from the system. An administrator may disable this account by configuring other user accounts with access privilege set to level 15. However, if all user-configured privilege level 15 accounts are removed from the device configuration, it re-enables the default privileged user account without notifying administrators of the system.

“Under these circumstances, an attacker can use this account to log in to an affected device and execute commands with full admin rights,” Cisco explained in its advisory on Wednesday. “[It] could allow an unauthenticated, remote attacker to bypass the user-authentication mechanism of an affected device.”

Since the switches are used to manage a LAN, a successful exploit means that a remote attacker would gain access to network security functions such as firewalls, as well as the management interface for administering voice, data and wireless connectivity for network devices.

There’s no patch to address the vulnerability, though one is expected at some (as yet unannounced) point in the future, Cisco said. There is however a simple workaround: Just add at least one user account with access privilege set to level 15 in the device configuration.

Users can “configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing <strong_password> with a complex password chosen by the user,” according to the advisory. “By adding this user account, the default privileged account will be disabled.”

The flaw affects Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches.

The Cisco 220 Series and 200E Series Smart Switches aren’t affected, and neither are devices running Cisco IOS Software, Cisco IOS XE Software or Cisco NX-OS Software, according to the networking giant.

Earlier in January Cisco issued 18 fixes as part of its monthly update, including two serious vulnerabilities for another small-business stalwart – its security appliance tool. Two bugs, one critical and one high-severity, could ultimately lead to a permanent denial of service (DoS) on impacted devices – and can be exploited by an attacker who simply sends an email.

Suggested articles

Discussion

  • Anonymous on

    A default setting is not a flaw
  • Thomas Anderson on

    OK? So? Change the username and password! DUH! Not sure how this qualifies as something to ding a company with.
  • Allen Unrau on

    How is this different from every other device that ships with a default admin account?
    • Tara Seals on

      Hi Allen -- Cisco said this was critical and worth a separate advisory because "if all user-configured privilege level 15 accounts are removed from the device configuration, it re-enables the default privileged user account without notifying administrators of the system."

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.