Cisco this week revealed a pair of critical flaws, rated ten out of ten in severity, in its family of Catalyst PON Series Switches Optical Network Terminals.
One of these vulnerabilities, CVE-2021-34795, is "an unintentional debugging credential," as Cisco put it, baked into the devices.
What on Earth is an "unintentional debugging credential"? It kinda smells like a backdoor left in by engineers for testing. Cisco hasn't explained how such a credential was left in a shipping product; we've asked for more details.
What we do know is that if you know the hidden credential, you can get root-level access to these passive optical network switches, which Cisco suggests are at home in service provider networks.
There is an upside to this. As Cisco explains in its advisory, the device needs to have Telnet support enabled, and that's off by default. If Telnet is running (and you can reach the device on the network), you can log in as root using the debugging credential.
The other critical hole is CVE-2021-40113, which can be exploited by an unauthenticated remote attacker to perform a command injection attack on the equipment's web-based management portal, thanks to insufficient validation of user-supplied input.
"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface," Cisco explained. "A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user."
To pull off such an attack, you must be able to reach the management portal via the device's LAN ports, unless you've enabled Remote Web Management.
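The command-injection bug above is described only as "insufficient validation of user-supplied input" in a web management interface. To make the class of defect concrete, here is an added example (not Cisco's code, and not the actual vulnerable component) of a hypothetical diagnostic "ping" handler as a management portal might expose it: the vulnerable pattern, which splices the request parameter into a shell command string, next to a hardened version that allowlist-validates the target and passes it as a single argv element with no shell involved. The handler takes an injectable runner so it can be exercised without a network.

```python
import ipaddress
import re
import subprocess

# Hypothetical web-management diagnostic handler (illustrative; not Cisco's code).
# A portal offering "ping a host" is a common place for this bug class to appear.

# RFC 1123-style hostname: labels of letters, digits and hyphens, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: user input is concatenated into a string that is
    later handed to a shell. Any shell metacharacter in `host` changes what
    the shell executes, with the privileges of the portal (root, in the
    Cisco case)."""
    return "ping -c 1 " + host


def validate_target(host: str) -> str:
    """Allowlist validation: accept only an IP literal or a well-formed
    hostname. Everything else (spaces, ';', '$', quotes, leading '-') is
    rejected outright rather than escaped."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid target: {host!r}")


def build_ping_command_safe(host: str) -> list[str]:
    """Hardened pattern: the validated target becomes exactly one argv
    element. No shell parses it, so metacharacters have no meaning."""
    return ["ping", "-c", "1", validate_target(host)]


def handle_ping_request(params: dict, run=subprocess.run):
    """Portal handler: validate, then exec argv directly (shell=False).
    `run` is injectable so the handler can be tested without a network."""
    argv = build_ping_command_safe(params.get("host", ""))
    return run(argv, shell=False, capture_output=True, timeout=10)


def portal_rejects(host: str) -> bool:
    """Convenience check: does the hardened handler refuse this input?"""
    try:
        validate_target(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets and two malformed ones.
    for sample in ["10.0.0.1", "ont.example.net", "10.0.0.1; id", "$(whoami)"]:
        print(f"{sample!r:20} unsafe string: {build_ping_command_unsafe(sample)!r}")
        print(f"{'':20} hardened: "
              f"{'rejected' if portal_rejects(sample) else build_ping_command_safe(sample)}")
```

The defensive point is the order of operations: the hardened handler rejects anything outside a narrow allowlist before building the command, and then never lets a shell interpret the result. Escaping metacharacters on the way into `shell=True` is the weaker fix, because it has to anticipate every shell quirk; argv plus validation does not.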
But wait, there's more! The 8.6-out-of-10-rated CVE-2021-40112 allows an unauthenticated remote attacker to modify the configuration of the same switches impacted by the other flaws detailed above.
Cisco has released a software update for the borkable boxen: if you run a Catalyst PON Switch CGP-ONT-1P, CGP-ONT-4P, CGP-ONT-4PV, CGP-ONT-4PVC, or CGP-ONT-4TVCW, you know what to do.
Cisco also notified customers of a 9.8-rated flaw in version 21.1.0 and earlier releases of its Policy Suite product.
"A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user," it warned.
Cisco Policy Suite for Mobile is described as offering "cloud-native policy, charging, and subscriber data management functions … providing the control to better monetize your networks and profit from personalized services."
Or, if a third party gets root, someone else can do that monetizing and profiting.
Updating software and installing fresh SSH keys should sort this one out. ®
Updated to add on November 7th at 23:15 UTC
Cisco has sent the following statement to The Register.
"Cisco has security engineering programs and requirements to facilitate use of secure credentials in our products. When improvement areas are identified, we programmatically work to remediate them, provide fixed software, and notify our customers. In this case, the debugging credentials described in the advisory were unintentionally included in affected software versions, and the released software update addresses this issue."
Make of that what you will.