This article is more than 1 year old

Cisco warns 'unintentional debugging credential' left in some network switches can be abused to hijack equipment

Pair of 10/10 critical bugs demand your attention, as does a 9.8-rated SSH SNAFU

Updated Cisco this week revealed a pair of critical flaws, rated ten out of ten in severity, in its family of Catalyst PON Series Switches Optical Network Terminals.

One of these vulnerabilities, CVE-2021-34795, is "an unintentional debugging credential," as Cisco put it, baked into the devices.

What on Earth is an "unintentional debugging credential"? It kinda smells like a backdoor left in by engineers for testing. Cisco's not explained how such a credential was left in a shipping product; we've asked for more details.

What we do know is that if you know the hidden credential, you can get root-level access to these passive optical network switches, which Cisco suggests are at home in service provider networks.

There is an upside to this. As Cisco explains in its advisory, the device needs to have Telnet support enabled, and that's off by default. If Telnet is running (and you can reach the device on the network), you can log in as root using the debugging credential.

The other critical hole is CVE-2021-40113, which can be exploited by an unauthenticated remote attacker to perform a command injection attack on the equipment's web-based management portal, thanks to insufficient validation of user-supplied input.

"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface," Cisco explained. "A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user."

To pull off such an attack, you must be able to reach the management portal via the device's LAN ports, unless you've enabled Remote Web Management.

But wait, there's more! The 8.6-out-of-10-rated CVE-2021-40112 allows an unauthenticated remote attacker to modify the configuration of the same switches impacted by the other flaws detailed above.

Cisco has released a software update for the borkable boxen: if you run a Catalyst PON Switch CGP-ONT-1P, CGP-ONT-4P, CGP-ONT-4PV, CGP-ONT-4PVC, or CGP-ONT-4TVCW, you know what to do.

Cisco also notified customers of a 9.8-rated flaw in version 21.1.0 and earlier releases of its Policy Suite product.

"A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user," it warned.

Cisco Policy Suite for Mobile is described as offering "cloud-native policy, charging, and subscriber data management functions … providing the control to better monetize your networks and profit from personalized services."

Or, if a third party gets root, someone else can do that monetizing and profiting.

Updating software and installing fresh SSH keys should sort this one out. ®

Updated to add on November 7th at 23:15 UTC

Cisco has sent the following statement to The Register.

"Cisco has security engineering programs and requirements to facilitate use of secure credentials in our products. When improvement areas are identified, we programmatically work to remediate them, provide fixed software, and notify our customers. In this case, the debugging credentials described in the advisory were unintentionally included in affected software versions, and the released software update addresses this issue."

Make of that what you will.

More about

More about

More about


Send us news

Other stories you might like