Cisco patches critical Smart Install flaw: 8.5 million devices affected.
Cisco is warning customers who use its new Digital Network Architecture (DNA) Center software to install newer releases that address three critical vulnerabilities that can give remote attackers access to enterprise networks.
Cisco over the past few months has rolled out new DNA Center releases that address serious authentication flaws that, it revealed on Wednesday, affect earlier releases.
The first DNA Center release was made available in January 2018, but it and versions up to 1.1.3 are vulnerable to three flaws with a CVSS v3 base score of 10 out of a possible 10, meaning they're as severe as it gets.
Cisco discovered two of the bugs during an internal audit, one of which consisted of undocumented, hardcoded user credentials for the default administrative account of DNA Center.
This bug, which is tracked as CVE-2018-0222, could allow a remote attacker who knew the credentials to log in and execute commands with root privileges.
Cisco fixed this in the 1.1.3 release of DNA Center, which arrived in March. Since then it has also released DNA Center 1.1.4 and 1.1.5, so customers on these releases aren't vulnerable.
Earlier this year Cisco similarly posted an advisory for a CVSS v3 score-10 flaw affecting ASA several months after releasing fixed versions. One admin criticized Cisco for waiting 80 days to tell customers that fixes were already available.
However, Cisco defended the move on the grounds that it had coordinated the timing of the disclosure with a researcher, which gave it time to put in place protections before more details were revealed.
Cisco also found that DNA Center was vulnerable to an authentication bypass that an unauthenticated, remote attacker could exploit with a specially crafted URL.
"The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue. A successful exploit could allow the attacker to gain unauthenticated access to critical services, resulting in elevated privileges in DNA Center," Cisco notes.
All versions of DNA Center before the 1.1.2 release are affected.
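Cisco's description of the bypass, a failure to normalize URLs before servicing requests, matches a well-known class of bug: an access check that compares the raw request path against a protected prefix, while the component behind it resolves dot segments, duplicate slashes and percent-encoding before routing. The check and the router then disagree about which resource is being requested. The example below is an added illustration, not Cisco's code and not a description of the DNA Center implementation: it shows a naive prefix check beside one that canonicalizes the request target first, so both the check and the router see the same path. `PROTECTED_PREFIXES` and the sample request targets are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy: anything at or under /internal/ needs an authenticated session.
PROTECTED_PREFIXES = ("/internal/",)


def is_protected_naive(raw_target: str) -> bool:
    """Vulnerable pattern (illustration): compares the request target exactly as
    received. Any encoding or path-traversal trick that the downstream router
    later resolves to /internal/... slips past this check."""
    return raw_target.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_target: str) -> str:
    """Reduce a request target to the path the application will actually serve.

    Steps: drop query string and fragment; percent-decode repeatedly (bounded)
    so double-encoded sequences such as %252e collapse; then let posixpath
    resolve '.' and '..' segments and squeeze duplicate slashes.
    The target is handled as a string only, so no network or filesystem access."""
    path = raw_target.split("#", 1)[0].split("?", 1)[0] or "/"
    # Decode until stable, but at most a few rounds so a hostile input cannot
    # turn this into unbounded work.
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Some servers treat a backslash as a path separator; be conservative and
    # fold it before normalizing.
    path = path.replace("\\", "/")
    # Leading '/' + lstrip avoids posixpath keeping '//' as a special prefix.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected_hardened(raw_target: str) -> bool:
    """Same policy, but evaluated on the canonical path. A prefix of '/x/' also
    protects the bare resource '/x', which normpath returns without a slash."""
    path = canonicalize(raw_target)
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


def compare(raw_target: str) -> dict:
    """Convenience view for an audit log: what each check decided and why."""
    return {
        "raw": raw_target,
        "canonical": canonicalize(raw_target),
        "naive_protected": is_protected_naive(raw_target),
        "hardened_protected": is_protected_hardened(raw_target),
    }


if __name__ == "__main__":
    # Constructed request targets; the divergent rows are the ones that matter.
    for target in (
        "/internal/config",
        "/public/../internal/config",
        "/%69nternal/config",
        "//internal/./config?x=1",
        "/internal/%2e%2e/public/index",
    ):
        print(compare(target))
```

The useful defensive habit here is to route and authorize on one canonical representation: either normalize once at the edge and pass the result down, or have the authorization layer call the same canonicalization routine the router uses. Logging both the raw and canonical path, as `compare` does, also gives a cheap detection signal, since the two should rarely differ for legitimate clients.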
The third flaw was discovered with the help of a customer and affects DNA Center's Kubernetes container management subsystem.
Remote attackers can exploit an insecure default configuration to access the Kubernetes service port and execute commands with elevated privileges and completely compromise containers. This bug is fixed in DNA Center 1.1.4 and later.
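The third flaw is an insecure default rather than a coding error, which is the kind of issue a configuration audit catches. The page does not say which Kubernetes component or setting was involved, so the following is an added example, not Cisco's fix and not a statement about DNA Center's configuration: it audits a KubeletConfiguration-style document (assumed here in JSON form, which the kubelet accepts alongside YAML) for the three settings that most often expose a node's service port without authentication. The sample documents are constructed.

```python
import json

# Constructed sample: a permissive node configuration. Illustrative values only.
PERMISSIVE = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the same document after hardening.
HARDENED = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(document: str) -> list:
    """Return a list of findings (empty means nothing flagged).

    Checks, in order:
      1. authentication.anonymous.enabled: unauthenticated callers get a
         service account identity instead of being rejected.
      2. authorization.mode: AlwaysAllow skips authorization entirely, so any
         authenticated (including anonymous) caller can use the API.
      3. readOnlyPort: a non-zero value exposes an unauthenticated endpoint.
    The defaults differ between command-line flags and the config file, so a
    key that is absent is reported for review rather than assumed safe."""
    cfg = json.loads(document)
    findings = []

    anon = cfg.get("authentication", {}).get("anonymous", {})
    if "enabled" not in anon:
        findings.append("authentication.anonymous.enabled not set; confirm effective default")
    elif anon["enabled"]:
        findings.append("authentication.anonymous.enabled is true")

    mode = cfg.get("authorization", {}).get("mode")
    if mode is None:
        findings.append("authorization.mode not set; confirm effective default")
    elif mode == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow")

    ro_port = cfg.get("readOnlyPort")
    if ro_port is None:
        findings.append("readOnlyPort not set; confirm effective default")
    elif ro_port != 0:
        findings.append("readOnlyPort is %d (unauthenticated endpoint enabled)" % ro_port)

    return findings


if __name__ == "__main__":
    for label, doc in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit_kubelet_config(doc) or "no findings")
```

Run against a file by passing its contents to `audit_kubelet_config`; the function is deliberately read-only so it can sit in a CI gate or a fleet inventory job. The point of flagging unset keys separately is that a missing line is exactly how an insecure default survives a review.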
Cisco released fixes for a total of 16 flaws yesterday; besides the three critical bugs, these address four other high-severity issues and nine medium-severity flaws.
Previous and related coverage
Cisco security: Russia, Iran switches hit by attackers who leave US flag on screens
Hackers use Cisco gear to send Russia a message not to mess with US elections.
Cisco's warning: Watch out for government hackers targeting your network
Cisco urges Smart Install client users to patch and securely configure the software.
Cisco critical flaw: At least 8.5 million switches open to attack, so patch now
Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that's open by default.
Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw
Cisco patches two serious authentication bugs and a Java deserialization flaw.
Cisco: Severe bug in our security appliances is now under attack
A proof-of-concept exploit for Cisco's 10-out-of-10 severity bug surfaces days after researcher details his attack.
Cisco: You need to patch our security devices again for dangerous ASA VPN bug
Cisco has warned that its original fix for the 10/10-severity ASA VPN flaw was
Cisco 'waited 80 days' before revealing it had been patching its critical VPN flaw
Updated: Cisco should do more to help companies secure their network gear, says one customer.
Cisco switch flaw led to attacks on critical infrastructure in several countries (TechRepublic)
The attack targets the Cisco Smart Install Client, and as many as 168,000 systems could be vulnerable.