Cisco's warning: Patch this default Network Assurance Engine password bug

When changing the default admin password doesn't actually change the password at all.
Written by Liam Tung, Contributing Writer

Cisco is urging customers to install an update that fixes a high-severity issue affecting its Network Assurance Engine (NAE) for managing data-center networks. 

The bug, tracked as CVE-2019-1688, could allow an attacker to use a flaw in the password-management system of NAE to knock out an NAE server and cause a denial of service. 

NAE is an important data-center network management tool that helps admins assess the impact of network changes and avoid application outages. 

As Cisco explains, the flaw is due to user passwords changes from the web-management interface failing to propagate to the command-line interface (CLI), leaving the old default password in place in the CLI. The issue only affects NAE version 3.0 (1), so older versions aren't affected.

A local attacker could exploit the bug by authenticating with the default admin password on the CLI of an affected server. From there, the attacker could view sensitive information and bring down the server. 

SEE: 10 tips for new cybersecurity pros (free PDF)

The bug is fixed in Cisco NAE Release 3.0(1a) but Cisco notes that to fix the issue properly customers should change the admin password after upgrading to that version. 

Cisco also has a workaround for the bug, which involves changing the default admin password from the CLI. However, Cisco recommends customers contact the Technical Assistance Center to do this, so that the default password can be entered in a secure remote-support session. The password change needs to be carried out for all nodes in the cluster, it notes. 

Fortunately, Cisco's security team isn't aware of any live attacks using the flaw, which was found during internal security testing.

Previous and related coverage

Cisco warns: Patch now or risk your security appliance choking on single rogue email

One bad email could crash your Cisco email security appliance and keep it down as it tries to process the same email over and again.

Cisco discloses arbitrary execution in SD-WAN Solution and Webex

Networking giant reveals 23 security issues hitting products including SD-WAN Solution, Webex, and small business routers.

Cisco updates SD-WAN portfolio with new security features

Among the key updates, Cisco said it's integrating application-aware enterprise firewall, intrusion prevention, and URL filtering into Cisco SD-WAN devices.

Cisco: Linux kernel FragmentSmack bug now affects 88 of our products

Cisco's list of products with a Linux kernel denial-of-service flaw is growing.

Cisco: We've killed another critical hard-coded root password bug, patch urgently

This time a 9.8/10-severity hardcoded password has been found in Cisco's video surveillance software.

Cisco critical flaw warning: These 10/10 severity bugs need patching now

Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.

Cisco patches critical Nexus flaws: Are your switches vulnerable?

You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.

Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw

Cisco patches two serious authentication bugs and a Java deserialization flaw.

Cisco warns customers of critical security flaws, advisory includes Apache Struts

The massive security update includes a patch for the recently-disclosed Apache bug -- but not all products will be fixed yet.

Cisco updates ASR 9000 edge routing platform to carry users to 5G, multicloud world TechRepublic

New automation software, a new networking processor, and a new operating system will help Cisco customers make the transition to next-generation networking.

Apple and Cisco pool their might to shield companies from cyber risks CNET

Apple and Cisco join forces to protect businesses from risk of cyber threats.

Editorial standards