According to Bleeping Computer, Cisco was hit with some bad news earlier this month. The company released 16 security advisories, which included alerts for three vulnerabilities that rated “critical,” and received a 10 out of 10 on the CVSSv3 severity score.
These vulnerabilities, Bleeping Computer says, “include a backdoor account and two bypasses of the authentication system for Cisco Digital Network (DNA) Center. This center consists of software catered to enterprise clients and provides a central system for “designing and deploying device configurations across a large network.”
However, while the DNA Center is considered complex software, Bleeping Computer says that a recent internal audit of Cisco “yielded some pretty bad results,” including:
1) CVE-2018-0222 – Bleeping Computer says that this is a backdoor account, or “an undocumented, static user credentials for the default administrative account.” These accounts can enable an attacker root privileges on targeted systems; as a result, users are recommended to apply software patches as quickly as possible to prevent this from happening, especially since “there are no known workarounds that can disable it until updates can be installed.”
2) CVE-2018-0268 – According to Bleeping Computer, this is an authentication bypass for a Kubernetes container management subsystem embedded inside Cisco’s DNA Center. Similar to the first result, this one also has no workarounds; updates need to be made to the DNA Center to protect its containers from a breach.
3) CVE-2018-0271 – This is an authentication bypass in the DNA Center’s API gateway. Cisco told Bleeping Computer that this vulnerability is caused from failure to normalize URLs prior to servicing requests. An attacker is able to break into this vulnerability by submitting a URL designed to exploit the issues, which could cause a breach and let the attacker “gain unauthenticated access to critical services.”
What decision makers need to know:
Even though Cisco was hit hard by those vulnerabilities, the company was still able to resolve each of them in DNA Center v1.1.3. These vulnerabilities were actually discovered as part of a huge internal audit that started back in December 2015; during that original audit, security researchers discovered other backdoors, which led the company to weed them out before attackers found them. “The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits and has received some pretty unfair criticism for its efforts,” Bleeping Computer says.
While Cisco did receive negative feedback about their findings, those findings reaffirm the importance of cybersecurity safety and audits; each are needed by decision makers, companies and institutions alike to protect data, keep networks protected from data breaches, and determine if security upgrades are needed.