Cisco patches severe default password security issue in network hardware
Cisco has fixed a severe security issue which could give attackers full access to devices through default credentials.
The issue lies within Cisco's Nexus 3000 Series switches and Nexus 3500 Platform switches. A user account with root bash shell access is created at installation and the default, static password cannot be changed without hurting the device's functionality.
Security
The "critical" vulnerability could allow attackers to log into the devices with root access privileges, according to a security advisory posted on Tuesday. Attackers are able to connect to this default account using the static credentials locally or through Telnet or SSH.
Once a cyberattacker has accessed the default account, they have full admin privileges and can fully compromise the device.
Cisco has released a software update which removes the default account and static credentials. Patches have been provided for Cisco Nexus 3000 Series switches running NX-OS software releases 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4), and 6.0(2)U6(5), and Cisco Nexus 3500 Platform Switches running NX-OS software releases 6.0(2)A6(1), 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5), and 6.0(2)A7(1).
This is not the first time that Cisco has patched these kinds of security flaws. In January, the tech giant fixed a number of vulnerabilities and blocked access to hard-coded passwords in wireless access point devices. Cisco also took the opportunity to disclose a critical access flaw in the firm's Identity Services Engine (ISE).
Earlier this week, Cisco revealed changes to its enterprise networking model, the Digital Network Architecture. The model encompasses virtualization, automation, analytics, cloud service management and open via application programming interfaces for enterprise clients.
Top 5 security practices in staying safe online: From the experts
Read on: Top picks
- How to increase your Bitcoin mining profit by 30 percent with less effort
- SMS Android malware roots and hijacks your device - unless you are Russian
- Bug bounties: Which companies offer researchers cash?
- Shodan: The IoT search engine privacy messenger
- What happens when you leak stolen bank data to the Dark Web?