Cisco Addresses Critical Security Flaws (Inc a Backdoor Vulnerability) That Could Affect Over 8.5 Million Devices
Cisco has released patches for 34 security vulnerabilities, including three critical remote code execution flaws - that affect IOS and IOS XE networking software. The security firm Embedi that first discovered one of the most serious problems (tracked as CVE-2018-0171) believed that it could only be exploited within an enterprise network. However, it later found millions of affected devices left exposed on the internet.
The bug affects Smart Install, a Cisco client for deploying new switches for Cisco IOS and IOS XE Software. "Because in a securely configured network, Smart Install technology participants should not be accessible through the internet. But scanning the internet has shown that this is not true," Embedi said.
"During a short scan of the internet, we detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open."
Cisco also fixes default account backdoor issue
Today's patches also fix "backdoor" vulnerability (tracked as CVE-2018-0150) that received a severity score of 9.8 out of 10. Attackers can exploit this bug to log into Cisco routers and switches with a high-privileged account. The problem affects devices running Cisco XE Software 16.x that is deployed with Cisco ASR routers and Catalyst switches.
The company explained that devices running IOS XE 16.x bring a hidden default account named "cisco" and a static password that Cisco hasn't shared. While Cisco products don't usually come with default accounts, this appears to have been left during the testing phase of IOS XE and affects only the v16.x versions.
Along with installing recommended patches, the company said device admins can also remove the account by using the following command in the device configuration:
no username cisco
The third critical bug, tracked as CVE-2018-0151, is also a remote code execution vulnerability and affects the QoS subsystem of IOS and IOS XE. "The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device," Cisco wrote. "An attacker could exploit this vulnerability by sending malicious packets to an affected device."