Cisco's warning: Patch this default Network Assurance Engine password bug

[The AchieVer]

Cisco's warning: Patch this default Network Assurance Engine password bug

When changing the default admin password doesn't actually change the password at all.

 

                 

 

Cisco issues networking updates for 13 high-severity holes

Cisco is urging customers to install an update that fixes a high-severity issue affecting its Network Assurance Engine (NAE) for managing data-center networks.  

 

The bug, tracked as CVE-2019-1688, could allow an attacker to use a flaw in the password-management system of NAE to knock out an NAE server and cause a denial of service.  

NAE is an important data-center network management tool that helps admins assess the impact of network changes and avoid application outages. 

As Cisco explains, the flaw is due to user passwords changes from the web-management interface failing to propagate to the command-line interface (CLI), leaving the old default password in place in the CLI. The issue only affects NAE version 3.0 (1), so older versions aren't affected. 

A local attacker could exploit the bug by authenticating with the default admin password on the CLI of an affected server. From there, the attacker could view sensitive information and bring down the server.  

The bug is fixed in Cisco NAE Release 3.0(1a) but Cisco notes that to fix the issue properly customers should change the admin password after upgrading to that version.  

Cisco also has a workaround for the bug, which involves changing the default admin password from the CLI. However, Cisco recommends customers contact the Technical Assistance Center to do this, so that the default password can be entered in a secure remote-support session. The password change needs to be carried out for all nodes in the cluster, it notes.  

Fortunately, Cisco's security team isn't aware of any live attacks using the flaw, which was found during internal security testing.

 

 

Source