Tech

Cisco patches severe default password security issue in network hardware

Cisco has patched another hard-coded, default password problem which gives cyberattackers root access to devices.

Written by Charlie Osborne, Contributing Writer March 4, 2016 at 3:00 a.m. PT

Cisco has fixed a severe security issue which could give attackers full access to devices through default credentials.

The issue lies within Cisco's Nexus 3000 Series switches and Nexus 3500 Platform switches. A user account with root bash shell access is created at installation and the default, static password cannot be changed without hurting the device's functionality.

Security

The "critical" vulnerability could allow attackers to log into the devices with root access privileges, according to a security advisory posted on Tuesday. Attackers are able to connect to this default account using the static credentials locally or through Telnet or SSH.

Once a cyberattacker has accessed the default account, they have full admin privileges and can fully compromise the device.

Cisco has released a software update which removes the default account and static credentials. Patches have been provided for Cisco Nexus 3000 Series switches running NX-OS software releases 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4), and 6.0(2)U6(5), and Cisco Nexus 3500 Platform Switches running NX-OS software releases 6.0(2)A6(1), 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5), and 6.0(2)A7(1).

This is not the first time that Cisco has patched these kinds of security flaws. In January, the tech giant fixed a number of vulnerabilities and blocked access to hard-coded passwords in wireless access point devices. Cisco also took the opportunity to disclose a critical access flaw in the firm's Identity Services Engine (ISE).

Earlier this week, Cisco revealed changes to its enterprise networking model, the Digital Network Architecture. The model encompasses virtualization, automation, analytics, cloud service management and open via application programming interfaces for enterprise clients.