Cisco’s Latest Patches Address Critical Flaws, Hardcoded Password

Cisco Systems released a new batch of security patches that fix 29 vulnerabilities across its product portfolio, four of which pose a critical risk and eight of which are rated important.

One of the critical flaws affects Cisco’s Policy Suite Cluster Manager and stems from the use of a static and undocumented password for the root account. Policy Suite is a carrier-grade policy, charging and subscriber data management solution for mobile providers.

“An attacker could exploit this vulnerability by using the account to log in to an affected system,” the company said in an advisory. “An exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”

The use of hardcoded passwords for administrative accounts was a common practice over a decade ago, especially in the appliance and embedded device development world. Back then, one of the main reasons was that these accounts were not made available in products to customers and were only intended for technicians during technical support engagements.

However, once security researchers started to reverse-engineer firmware packages and found these credentials, vendors became more aware of the serious security risks associated with using the same static administrative password across many devices. Once such a password is exposed, all customer deployments are put at risk and it’s unlikely that all of them will be updated in a timely manner.

Cisco has been removing hardcoded administrative passwords for years from its own products and from those it inherited through acquisitions, and the fact that the task still has not been completed highlights just how widespread the practice was. Unfortunately, there are vendors today that continue to use static root credentials in new products.
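The exposure described above has a simple fleet-wide tell: when every device was imaged with the same static root password, the password hash in each device's shadow file is byte-identical, because the salt was baked into the image along with the password. The following Python script is an added example written for this article, not code from Cisco or from any Policy Suite component. It parses constructed /etc/shadow-style records collected from several devices (the device names, account names and hash strings are all made up) and flags privileged accounts whose hash is shared across more than one device, plus any hash that matches a list of known-default hashes an operator may maintain.

```python
"""
Fleet audit for shared (static) administrative credentials.

Added example, not vendor code. Input is a list of (device_id, shadow_line)
pairs as an operator might collect over a config-backup job. With per-device
salts, an identical hash field on several devices means the same password was
baked into every image, which is the risk discussed in the article.
"""
from collections import defaultdict

# Constructed sample data: device ids, accounts and hashes are placeholders.
HASH_STATIC = "$6$constructedsalt1$CONSTRUCTED_HASH_A"   # shared by 3 devices
HASH_UNIQUE = "$6$constructedsalt2$CONSTRUCTED_HASH_B"   # only on pcrf-03
HASH_ADMIN1 = "$6$constructedsalt3$CONSTRUCTED_HASH_C"
HASH_OPS = "$6$constructedsalt4$CONSTRUCTED_HASH_D"      # non-privileged user

SAMPLE_SHADOW = [
    ("pcrf-01", f"root:{HASH_STATIC}:17900:0:99999:7:::"),
    ("pcrf-01", f"admin:{HASH_ADMIN1}:17900:0:99999:7:::"),
    ("pcrf-02", f"root:{HASH_STATIC}:17900:0:99999:7:::"),
    ("pcrf-02", f"ops:{HASH_OPS}:17900:0:99999:7:::"),
    ("pcrf-03", f"root:{HASH_UNIQUE}:17900:0:99999:7:::"),
    ("pcrf-03", "admin:!:17900:0:99999:7:::"),            # locked account
    ("pcrf-04", f"root:{HASH_STATIC}:17900:0:99999:7:::"),
    ("pcrf-04", f"ops:{HASH_OPS}:17900:0:99999:7:::"),
]

# Accounts whose reuse across devices is treated as a finding.
PRIVILEGED = frozenset({"root", "admin"})

# Hypothetical operator-maintained list of hashes known to be vendor defaults.
KNOWN_DEFAULT_HASHES = frozenset({HASH_UNIQUE})


def parse_shadow_line(line):
    """Return (account, hash_field) from a shadow-format line."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[0]:
        raise ValueError(f"malformed shadow line: {line!r}")
    return fields[0], fields[1]


def is_locked(hash_field):
    """True for accounts with no usable password (empty, '*', or '!'-prefixed)."""
    return hash_field in ("", "*") or hash_field.startswith("!")


def find_shared_hashes(records, privileged=PRIVILEGED):
    """Map (account, hash) -> sorted device ids for privileged accounts whose
    hash field appears on more than one device."""
    seen = defaultdict(set)
    for device, line in records:
        user, h = parse_shadow_line(line)
        if user not in privileged or is_locked(h):
            continue
        seen[(user, h)].add(device)
    return {key: sorted(devs) for key, devs in seen.items() if len(devs) > 1}


def match_known_defaults(records, known=KNOWN_DEFAULT_HASHES):
    """Return sorted (device, account) pairs whose hash is a known default."""
    hits = set()
    for device, line in records:
        user, h = parse_shadow_line(line)
        if h in known:
            hits.add((device, user))
    return sorted(hits)


def fleet_report(records):
    """Human-readable findings, one line each."""
    lines = []
    for (user, _h), devices in sorted(find_shared_hashes(records).items()):
        lines.append(f"{user}: identical hash on {len(devices)} devices "
                     f"({', '.join(devices)}) -> likely static credential")
    for device, user in match_known_defaults(records):
        lines.append(f"{device}: {user} still uses a known default password")
    return lines


if __name__ == "__main__":
    for finding in fleet_report(SAMPLE_SHADOW):
        print(finding)
```

Two design points: the locked-account check matters because `!`-prefixed hashes are identical on every device by construction and would otherwise flood the report, and hashes are compared as opaque strings rather than cracked, so the audit never needs the password itself and can run against backups without extra privilege.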

The other three critical vulnerabilities patched this week also affect Cisco Policy Suite components. All of them stem from a lack of authentication controls that could give unauthorized attackers access to the Policy Builder interface, the Policy Builder database and the Open Systems Gateway initiative (OSGi) interface. Attackers could make changes to existing repositories or add new ones, change any data in the database or change any files that are accessible by the OSGi process.

Cisco advises customers to upgrade to the newly released Policy Suite version 18.2.0, which is available through its Software Center portal.

The company has also fixed high-risk remote code execution flaws in the Cisco Webex Network Recording Players for the Advanced Recording Format (ARF) and Webex Recording Format (WRF). These are players downloaded and installed by Webex users on their computers to play Webex meeting recordings stored in different formats.

“An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players,” the company said in an advisory.

This is not the first time the company has fixed format parsing vulnerabilities in its Webex Network Recording Players that can lead to remote code execution, so unless they need these programs on an ongoing basis, users should consider uninstalling them. The players can be installed again when needed from enterprise-hosted Cisco Webex Meetings Servers or the Cisco Webex Meetings Online sites.

High-risk remote code execution, command injection and denial-of-service flaws were patched in the Cisco SD-WAN Solution for enterprises, while a denial-of-service issue that can be exploited through malicious DHCPv6 packets was fixed in the Cisco Nexus 9000 Series Fabric Switches.

Sixteen other vulnerabilities fixed this week were rated with medium severity and were located in Cisco Finesse, SD-WAN, Policy Suite, Cisco Unified Contact Center Express, Cisco Unified Communications Manager, Webex, Webex Teams and the Webex Network Recording Players.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
