In a recent advisory post on its website, Cisco disclosed a major unpatched vulnerability affecting its Small Business Switches software. The vulnerability, tracked as CVE-2018-15439, allows unauthenticated remote attackers to gain total control of a device. The attack vector is specifically the user authentication mechanism within the Small Business Switches software.
Cisco explains the flaw in detail in the following quote taken from the advisory, which also offers a workaround:
The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.
Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability.
The Cisco workaround is to have someone with administrator access “configure an account by using admin as user ID,” set its access privilege to level 15, and “defin[e] the password by replacing <strong_password> with a complex password chosen by the user.” Until there is a patch, which Cisco acknowledged is in the works, this is the best bet for protecting your network from remote hackers.
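As an added defensive check, not taken from the article or from Cisco: a short Python script that audits a switch running-config for the workaround described above, that is, an explicit admin account at privilege level 15. It assumes user lines appear in the form “username <name> … privilege <level>” and treats a missing privilege keyword as level 1; the sample configs below are constructed.

```python
import re

# Constructed sample running-config excerpts (not captured from real devices).
# Assumed line format: "username <name> password encrypted <hash> privilege <level>".
CONFIG_WITH_WORKAROUND = """\
hostname sb-switch-01
username admin password encrypted CONSTRUCTEDHASH1 privilege 15
username netops password encrypted CONSTRUCTEDHASH2 privilege 7
"""

# No explicit admin account at all: the workaround has not been applied.
CONFIG_WITHOUT_WORKAROUND = """\
hostname sb-switch-02
username netops password encrypted CONSTRUCTEDHASH2 privilege 15
"""

# An admin account exists, but not at level 15: still not the workaround.
CONFIG_LOW_PRIV_ADMIN = """\
hostname sb-switch-03
username admin password encrypted CONSTRUCTEDHASH1 privilege 1
"""

PRIVILEGE_RE = re.compile(r"\bprivilege\s+(\d+)\b", re.IGNORECASE)


def parse_user_privileges(running_config: str) -> dict:
    """Return {username: privilege_level} for every 'username' line.

    A line without an explicit 'privilege' keyword is recorded as level 1
    (assumed default) so a missing keyword is never mistaken for 15.
    """
    users = {}
    for line in running_config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "username":
            continue
        m = PRIVILEGE_RE.search(line)
        users[parts[1]] = int(m.group(1)) if m else 1
    return users


def workaround_applied(running_config: str) -> bool:
    """True only if an explicit 'admin' account exists at privilege level 15."""
    return parse_user_privileges(running_config).get("admin") == 15


def audit(device_name: str, running_config: str) -> str:
    """One-line audit verdict suitable for a fleet-wide report."""
    status = "OK" if workaround_applied(running_config) else "MISSING"
    return f"{device_name}: CVE-2018-15439 workaround {status}"


if __name__ == "__main__":
    for name, cfg in [("sb-switch-01", CONFIG_WITH_WORKAROUND),
                      ("sb-switch-02", CONFIG_WITHOUT_WORKAROUND),
                      ("sb-switch-03", CONFIG_LOW_PRIV_ADMIN)]:
        print(audit(name, cfg))
```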
Cisco stated that this unpatched vulnerability affects these specific products:
Cisco Small Business 200 Series Smart Switches
Cisco Small Business 300 Series Managed Switches
Cisco Small Business 500 Series Stackable Managed Switches
Cisco 250 Series Smart Switches
Cisco 350 Series Managed Switches
Cisco 350X Series Stackable Managed Switches
Cisco 550X Series Stackable Managed Switches
Cisco can be commended for staying ahead of the curve with this vulnerability notice. Some companies prefer to put their heads in the sand and hope that a vulnerability will never cause serious issues. Instead, Cisco provided an effective workaround and is in the process of creating a patch. That is a response other companies should model their vulnerability disclosure and containment procedures after.
Featured image: Flickr / Hades2k