Cisco is urging customers to install an update that fixes a high-severity issue affecting its Network Assurance Engine (NAE) for managing data-center networks.
The bug, tracked as CVE-2019-1688, could allow an attacker to use a flaw in the password-management system of NAE to knock out an NAE server and cause a denial of service.
NAE is an important data-center network management tool that helps admins assess the impact of network changes and avoid application outages.
As Cisco explains, the flaw is due to user passwords changes from the web-management interface failing to propagate to the command-line interface (CLI), leaving the old default password in place in the CLI. The issue only affects NAE version 3.0 (1), so older versions aren't affected.
A local attacker could exploit the bug by authenticating with the default admin password on the CLI of an affected server. From there, the attacker could view sensitive information and bring down the server.
SEE: 10 tips for new cybersecurity pros (free PDF)
The bug is fixed in Cisco NAE Release 3.0(1a) but Cisco notes that to fix the issue properly customers should change the admin password after upgrading to that version.
Cisco also has a workaround for the bug, which involves changing the default admin password from the CLI. However, Cisco recommends customers contact the Technical Assistance Center to do this, so that the default password can be entered in a secure remote-support session. The password change needs to be carried out for all nodes in the cluster, it notes.
Fortunately, Cisco's security team isn't aware of any live attacks using the flaw, which was found during internal security testing.
Previous and related coverage
One bad email could crash your Cisco email security appliance and keep it down as it tries to process the same email over and again.
Networking giant reveals 23 security issues hitting products including SD-WAN Solution, Webex, and small business routers.
Among the key updates, Cisco said it's integrating application-aware enterprise firewall, intrusion prevention, and URL filtering into Cisco SD-WAN devices.
Cisco's list of products with a Linux kernel denial-of-service flaw is growing.
This time a 9.8/10-severity hardcoded password has been found in Cisco's video surveillance software.
Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.
You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.
Cisco patches two serious authentication bugs and a Java deserialization flaw.
The massive security update includes a patch for the recently-disclosed Apache bug -- but not all products will be fixed yet.
New automation software, a new networking processor, and a new operating system will help Cisco customers make the transition to next-generation networking.
Apple and Cisco join forces to protect businesses from risk of cyber threats.