Cisco discloses security breach that impacted VIRL-PE infrastructure

Hackers used vulnerabilities in the SaltStack data center software to breach six Cisco servers.


Cisco has disclosed today a security breach that impacted a small part of its backend infrastructure.

In a security alert published today, Cisco said that hackers used a vulnerability in the SaltStack software package, which Cisco bundles with some products, to gain access to six servers:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

The six servers provide the backend infrastructure for VIRL-PE (Internet Routing Lab Personal Edition), a Cisco service that lets users model and create virtual network architectures to test network setups before deploying equipment in real situations.

"Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised," the company said today.

Cisco said it patched and remediated all hacked VIRL-PE servers on May 7, when it deployed updates for the SaltStack software.

Cisco customers with CML and VIRL-PE gear also impacted

However, the issue isn't localized to Cisco's backend infrastructure alone.

Cisco says that two of its commercial products also bundle the SaltStack software package as part of their firmware. These are the aforementioned Cisco VIRL-PE, and Cisco Modeling Labs Corporate Edition (CML), another network modeling tool.

Both VIRL-PE and CML can be used in Cisco-hosted and on-premises scenarios. Where companies run the two products on their own premises, Cisco says CML and VIRL-PE need to be patched.

The company has released software updates today for both products that incorporate fixes for the two SaltStack vulnerabilities that were utilized to breach Cisco's VIRL-PE backend.

The two SaltStack vulnerabilities -- CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) -- were disclosed on April 30 and have been heavily abused over the past month.
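The article names a directory traversal as one of the two exploited bug classes. As an added illustration that is not Cisco's or SaltStack's code, the following constructed Python helper shows the general pattern behind that class: a file-serving function in its vulnerable form beside a hardened one that canonicalizes the path and refuses anything outside the served root. The directory layout, function names and sample files are all assumptions made for the demo.

```python
"""Generic illustration of the directory-traversal bug class.

This is constructed demo code, not SaltStack's or Cisco's implementation.
It builds a throwaway directory tree, then contrasts a file-serving helper
that trusts the caller-supplied path with one that confines lookups to a root.
"""
import os
import tempfile
from typing import Dict, Tuple


def serve_file_vulnerable(root: str, requested: str) -> bytes:
    # Vulnerable: the untrusted path is joined straight onto the root, so
    # "../" segments (or an absolute path) escape the intended directory.
    path = os.path.join(root, requested)
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_hardened(root: str, requested: str) -> bytes:
    # Hardened: resolve both root and candidate to canonical absolute paths
    # (following symlinks) and reject any result that leaves the root.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes served root: {requested!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def build_demo_tree() -> Tuple[str, str]:
    # Constructed layout (assumption for the demo):
    #   <base>/served/public.txt   - the only file that should be reachable
    #   <base>/secret.txt          - sits one level above the served root
    base = tempfile.mkdtemp()
    root = os.path.join(base, "served")
    os.mkdir(root)
    with open(os.path.join(root, "public.txt"), "wb") as fh:
        fh.write(b"public")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"secret")
    return base, root


def demo() -> Dict[str, object]:
    """Run both helpers against the same requests and report the outcomes."""
    base, root = build_demo_tree()
    results: Dict[str, object] = {
        "vulnerable_public": serve_file_vulnerable(root, "public.txt"),
        # The vulnerable helper happily reads a file outside its root.
        "vulnerable_traversal": serve_file_vulnerable(root, "../secret.txt"),
        "hardened_public": serve_file_hardened(root, "public.txt"),
    }
    for label, request in (
        ("hardened_traversal", "../secret.txt"),
        # os.path.join discards the root when given an absolute path,
        # so this is a second escape route the hardened check must catch.
        ("hardened_absolute", os.path.join(base, "secret.txt")),
    ):
        try:
            serve_file_hardened(root, request)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened variant deliberately compares canonical paths with `os.path.commonpath` rather than a string prefix check, because a prefix test would wrongly accept a sibling directory such as `served-old` next to `served`.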

Breaches exploiting the two vulnerabilities have been reported by mobile operating system vendor LineageOS, blogging platform Ghost, certificate authority Digicert, cloud software provider Xen Orchestra, and search provider Algolia.

In most of those earlier incidents, the victims said the attackers breached their SaltStack servers and installed a cryptocurrency miner. Cisco did not elaborate on the nature of its own breach.

SaltStack, also known as Salt, is a type of software used in data centers that allows administrators to cluster multiple servers together and control them from a central location.

The Cisco security advisory Cisco-SA-Salt-2vx545AG contains all the necessary information for Cisco CML and VIRL-PE users to patch their devices.