
Critical vulnerability in Cisco devices exposes networks of thousands of SMEs

A default configuration grants full admin-level access to unauthenticated remote users

A critical, still unpatched vulnerability in the Cisco Small Business Switch product line, widely used by SMEs, leaves systems exposed to remote attacks by unauthenticated users. According to network security and ethical hacking experts from the International Institute of Cyber Security, an attacker could exploit this flaw to take full control of the compromised device and, through it, the entire network of an organization.

According to network security experts, the Small Business Switch was developed by Cisco for small organizations and home office environments, for the control and management of small local networks. It is one of the most popular solutions the company offers to organizations with limited resources, as its price range starts at $300 USD.

The vulnerability (tracked as CVE-2018-15439) is rated critical, with a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale. It exists because the default device configuration includes a user account with admin privileges that cannot be removed from the system.

In recent days, Cisco issued a security statement that warns users: “An attacker can use this default account to log into a vulnerable device and execute commands with all administrator privileges. This vulnerability could allow remote attackers to bypass the Small Business Switch user authentication system.”

Because these devices are used to manage local area networks (LANs), exploiting this vulnerability would give attackers access to network security features such as the firewall configuration or the network management panel.

Cisco has not yet released a patch for this vulnerability, although one is expected over the next few days, according to network security experts from the company. It is not all bad news, however: there is a simple workaround. An administrator can add at least one user account with level 15 access privileges to the Small Business Switch configuration to mitigate the risk.

“A user can set up an account using ‘admin’ as the user ID, setting the access privilege to level 15 and setting a complex password for this new administrator account. By adding this new account, the default privilege account will be disabled,” mentions the Cisco security alert.
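The workaround hinges on one condition: at least one configured account with privilege level 15. The script below is an added example (not from the article and not Cisco's own tooling) that checks a saved `show running-config` dump for that condition, so an administrator can verify the mitigation across a fleet of switches offline. It assumes the switch renders accounts as `username <name> password [encrypted] <value> privilege <n>` lines and that an omitted privilege means level 1; both the line format and the sample configs with their hash values are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts (assumed Small Business Switch format;
# hash values are made up). Only the 'username' lines matter for the check.
SAMPLE_CONFIG_UNMITIGATED = """\
hostname SG300-branch
username operator password encrypted 0a1b2c3d4e5f60718293a4b5c6d7e8f9 privilege 1
username helpdesk password encrypted f9e8d7c6b5a49382716f5e4d3c2b1a00 privilege 7
"""

SAMPLE_CONFIG_MITIGATED = """\
hostname SG300-branch
username operator password encrypted 0a1b2c3d4e5f60718293a4b5c6d7e8f9 privilege 1
username admin password encrypted 00112233445566778899aabbccddeeff privilege 15
"""

# One account per line; 'encrypted' keyword and 'privilege N' suffix are optional.
USERNAME_LINE = re.compile(
    r"^\s*username\s+(?P<name>\S+)\s+password\s+(?:encrypted\s+)?\S+"
    r"(?:\s+privilege\s+(?P<priv>\d+))?\s*$"
)


def parse_users(config_text: str) -> Dict[str, int]:
    """Map each configured account name to its privilege level.

    A 'username' line without an explicit privilege is treated as level 1
    (assumed default for this platform).
    """
    users: Dict[str, int] = {}
    for line in config_text.splitlines():
        match = USERNAME_LINE.match(line)
        if match:
            users[match.group("name")] = int(match.group("priv") or 1)
    return users


def level15_users(config_text: str) -> List[str]:
    """Return the sorted names of all accounts configured with privilege 15."""
    return sorted(name for name, priv in parse_users(config_text).items() if priv == 15)


def is_mitigated(config_text: str) -> bool:
    """True when the advisory workaround is in place: at least one level-15 account exists,
    which disables the default privileged account described in the alert."""
    return len(level15_users(config_text)) > 0


if __name__ == "__main__":
    for label, cfg in (("unmitigated", SAMPLE_CONFIG_UNMITIGATED),
                       ("mitigated", SAMPLE_CONFIG_MITIGATED)):
        status = "OK" if is_mitigated(cfg) else "AT RISK: no level-15 account configured"
        print(f"{label}: {status} (level-15 users: {level15_users(cfg)})")
```

The check only confirms that a level-15 account exists; it cannot judge the strength of its password from a config dump, so the "complex password" part of the advisory still has to be enforced by policy.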

Just a few days ago, Cisco released 18 new patches as part of its monthly updates, including fixes for several of its products aimed at small businesses. Among the bugs addressed were two critical vulnerabilities that could lead to a denial of service on the affected devices and could be exploited by unauthenticated attackers via email.

The entire list of affected devices is available on the Cisco support webpage.
