The company discovered a severe security flaw during a routine process
Cisco has notified its customers that it
is necessary to install an update to correct a critical vulnerability that
affects the Network Assurance Engine
(NAE) for the management of data center networks.
The vulnerability, tracked as CVE-2019-1688, allows an attacker to
take advantage of an error in the NAE password management system to override
one of these servers and generate a denial-of-service condition, report network
security and ethical hacking specialists from the International
Institute of Cyber Security.
According to network security specialists, NAE
is a key tool for managing data center networks, as it helps administrators
determine the impact of network changes and avoid application outages.
The company explained that the vulnerability exists
because changes in the passwords of users of the web administration interface
do not spread to the command line interface (CLI), so the default password
takes its place in the CLI. The vulnerability only seems to affect versions 3.0
and 3.1 of NAE.
A local attacker could exploit the
vulnerability by authenticating with the default administrator password in the
CLI of a compromised server. From that point, the attacker could access
confidential information, or even collapse the server.
The vulnerability was corrected in versions 3.0
and 3.1 of Cisco NAE, although the company points out that to eliminate any
possibility of exploitation users must change the administrator password after
having installed the security update.
Cisco has also described a risk mitigation
method that involves changing the default password for the CLI. However, the
company recommends its customers to contact their technical support center
before implementing any of the available solutions. Cisco emphasizes that the
password change must be completed on all nodes of the cluster.
The Cisco network security teams claim that, so
far, no cases of exploitation of this vulnerability have been reported in real
scenarios; highlighted that this was discovered during a process of routine
security tests; the company believes that it is unlikely that any hacker
discovered this error before their security teams.
