Network giant confirms unpatched backdoor account creation flaw

Cisco is offering workarounds to defend against a “critical” zero-day vulnerability in its Small Business Switch software.

Left unaddressed, the flaw lets an attacker log in to an affected device through a default privileged account that the software silently re-enables, gaining full admin rights and the ability to set up further rogue accounts for subsequent misuse.

“The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system,” Cisco explains in an updated advisory.

“An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.”

The workaround has been published ahead of a software fix, which Cisco has yet to release.

The vulnerability (CVE-2018-15439) affects a range of Cisco Small Business Switches, whether they are managed by third-party service firms, cloud-based, or unmanaged.

The default configuration comes with a privileged user account that is used for the initial login and cannot be removed from the system.

An administrator may disable this account by configuring other user accounts with access privilege set to level 15.

In circumstances where privilege level 15 accounts are removed from the device configuration, an affected software release re-enables the default privileged user account without notifying administrators of the system.

An attacker able to reach the device’s login interface can abuse this “backdoor account” to log in and execute commands with full admin rights.

Affected products include Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches, Cisco 250 Series Smart Switches, Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, and Cisco 550X Series Stackable Managed Switches.

Cisco 200E Series Smart Switches and Cisco 220 Series Smart Switches are not vulnerable, testing by Cisco has confirmed.

The vulnerability is restricted to Cisco’s software as used in its Small Business Switches and has no impact on its large enterprise and telco-focused Cisco IOS Software, Cisco IOS XE Software, or Cisco NX-OS Software releases.

The affected Cisco Small Business Switches are typically deployed in small office/home office (SOHO) network environments.

Cisco’s workaround involves adding at least one user account with access privilege set to level 15 to the device configuration.

This is a simple process involving just two command lines, but currently needs to be done manually. The protection holds only for as long as such an account exists: if every level-15 account is later removed from the configuration, the default privileged account is silently re-enabled again.
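As an added example (this is not code from the article or from Cisco’s advisory), the following Python script audits captured `show running-config` output for the condition the advisory describes: no user account at privilege level 15, which is the state in which the default privileged account is enabled. The two sample configurations are constructed, not real device exports; the script assumes the Small Business CLI’s `username <name> ... privilege <n>` line format, that an omitted `privilege` keyword means level 1, and that `configure terminal` followed by a `username ... privilege 15` line is the two-command workaround the article refers to. Verify the regex and the command syntax against your own device before relying on either.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output, in the style of the Cisco
# Small Business switch CLI. Assumption: `username <name> ... privilege <n>` is
# the line format; check the regex against a real export before relying on it.
SAMPLE_VULNERABLE_CONFIG = """\
! constructed sample, not a real device export
hostname switch-a
username helpdesk password encrypted 2b5a1c7e privilege 7
username readonly password encrypted 1f9c0a4d privilege 1
username guest nopassword
interface vlan 1
 ip address 192.0.2.10 255.255.255.0
"""

# The same device after the advisory's workaround: one level-15 account added.
SAMPLE_MITIGATED_CONFIG = SAMPLE_VULNERABLE_CONFIG + (
    "username netadmin password encrypted 7c0ffee1 privilege 15\n"
)

ADMIN_LEVEL = 15
DEFAULT_LEVEL = 1  # assumption: the CLI's default when `privilege` is omitted

_USER_RE = re.compile(r"^username\s+(\S+)")
_PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")


def parse_users(config_text: str) -> Dict[str, int]:
    """Map each configured username to its privilege level."""
    users: Dict[str, int] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        m = _USER_RE.match(line)
        if not m:
            continue
        p = _PRIV_RE.search(line)
        users[m.group(1)] = int(p.group(1)) if p else DEFAULT_LEVEL
    return users


def audit(config_text: str) -> Dict[str, object]:
    """Report whether the configuration leaves the default privileged account
    enabled, i.e. whether no user at privilege level 15 is present."""
    users = parse_users(config_text)
    level15 = sorted(name for name, lvl in users.items() if lvl == ADMIN_LEVEL)
    return {
        "users": users,
        "level15_users": level15,
        "default_account_exposed": not level15,
    }


def remediation_commands(username: str, password: str) -> List[str]:
    """The two global-configuration lines the article refers to.
    Assumption: this is the `username` syntax of the Small Business CLI;
    confirm it against the advisory or the device documentation."""
    return [
        "configure terminal",
        f"username {username} password {password} privilege {ADMIN_LEVEL}",
    ]


if __name__ == "__main__":
    for label, cfg in (("before workaround", SAMPLE_VULNERABLE_CONFIG),
                       ("after workaround", SAMPLE_MITIGATED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: level-15 users={result['level15_users']} "
              f"default account exposed={result['default_account_exposed']}")
    if audit(SAMPLE_VULNERABLE_CONFIG)["default_account_exposed"]:
        print("\n".join(remediation_commands("netadmin", "<strong-password>")))
```

Run the audit against every switch’s saved configuration, not just once: the same check that flags the unmitigated state also catches the case where someone later deletes the last level-15 user, which silently reopens the default account.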

“Cisco has not released software updates that address this vulnerability,” the networking giant said. “This advisory will be updated with fixed software information once fixed software becomes available.”

The flaw, first reported to Cisco by Thor Simon of Two Sigma Investments, has not featured in any hacking attacks to date – to the best of Cisco’s knowledge, at least.

Cisco’s advisory implies it is working on a more comprehensive patch without explicitly confirming it will deliver a software update, much less offering a timeline for the delivery of a software update.

Cisco’s advisory, first published in November, was updated this week to include a list of products confirmed as not vulnerable to the flaw.