Critical severity bugs disclosed by networking titan
Cisco has patched critical vulnerabilities in Policy Suite software and its Catalyst Passive Optical Network (PON) switches that could lead to the full compromise of the platform and devices.
A vulnerability in the key-based SSH (Secure Shell) authentication mechanism of Cisco Policy Suite could allow an unauthenticated attacker to access an affected system as root, according to a security advisory issued on Wednesday (November 3).
Tracked as CVE-2021-40119, the flaw commands a CVSS rating of 9.8, just a sliver off the maximum severity of 10.0.
Cisco Policy Suite is a policy, charging, and subscriber data management platform used by mobile telecommunications service providers.
A separate advisory details three vulnerabilities, each exploitable without authentication, in the web-based management interface of certain PON optical network terminals (ONTs); two of them were assigned the maximum possible severity rating of CVSS 10.0.
They include a flaw that exposes users to the risk of command injection attacks, courtesy of insufficient validation of user-supplied input (CVE-2021-40113).
The other maximum-severity bug was found in the Telnet service (CVE-2021-34795) and could allow an attacker to seize control of vulnerable devices.
Exploitation involves logging into an affected device via a debugging account with a default, static password.
The default credential works only over Telnet, a protocol that is disabled by default – twin factors that greatly mitigate the risk of attack.
The third flaw (CVE-2021-40112), rated ‘high’ with a CVSS score of 8.6, allows an attacker to modify a device’s configuration because of insufficient validation of HTTPS input.
The Cisco ONTs allow only local LAN connections to the web management interface by default, according to Cisco. “Therefore, all these vulnerabilities are exploitable only via the switches’ LAN ports unless Remote Web Management has been configured,” Cisco’s advisory explains.
Cisco also emphasised that the three vulnerabilities are independent of each other.
The PON ONT vulnerabilities affect firmware version 1.1 and CGP-ONT-1P – for which the patched update is 220.127.116.11 – as well as CGP-ONT-4P, CGP-ONT-4PV, CGP-ONT-4PVC, and CGP-ONT-4TVCW, for which patched version 18.104.22.168 has been released.
Cisco Policy Suite users running versions earlier than 20.2.0 have been advised to upgrade to 21.1.0, while those running version 20.2.0 are advised to contact Cisco technical support to get a patch installed.
Users running 21.1.0 can remedy the issue by changing the default SSH keys.
“Releases 21.2.0 and later will automatically create new SSH keys during installation but not during an upgrade,” said Cisco.
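Because an upgrade to 21.2.0 or later keeps the existing keys, an administrator still has to confirm that no shipped default key remains in use. The following is an added example, not Cisco’s code and not the actual Cisco Policy Suite default key: it computes OpenSSH-style SHA256 fingerprints for the keys in an authorized_keys listing and flags any that match a list of known-default fingerprints. The two ed25519 key blobs, the fingerprint list and the authorized_keys text are constructed here for illustration; the real remediation steps are the ones in Cisco’s advisory.

```python
"""Audit SSH public keys against known-default fingerprints.

Added example. The key material below is constructed for the demo and has
nothing to do with Cisco's real default key; substitute the fingerprint(s)
of the keys your vendor ships (or of keys seen on a freshly installed box).
"""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build an OpenSSH ssh-ed25519 public-key blob from 32 raw key bytes."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line; skip blanks, comments and options.

    Option fields (e.g. command="...") may precede the key type; the key type is
    taken as the first field starting with 'ssh-', 'ecdsa-' or 'sk-'.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next(
            (i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))),
            None,
        )
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line: no key type / no key data
        keytype = fields[idx]
        blob = base64.b64decode(fields[idx + 1])
        comment = " ".join(fields[idx + 2:])
        yield keytype, blob, comment


def find_default_keys(authorized_keys_text: str, default_fingerprints):
    """Return (keytype, fingerprint, comment) for every key matching a known default."""
    hits = []
    for keytype, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint_sha256(blob)
        if fp in default_fingerprints:
            hits.append((keytype, fp, comment))
    return hits


# --- Constructed sample data (NOT real keys, NOT Cisco's default key) ---
DEFAULT_RAW = bytes(range(32))          # stands in for a vendor-shipped key
FRESH_RAW = bytes(range(32, 64))        # stands in for a key generated on site
DEFAULT_BLOB = ed25519_blob(DEFAULT_RAW)
FRESH_BLOB = ed25519_blob(FRESH_RAW)

# The denylist an auditor would maintain: fingerprints of keys known to ship by default.
KNOWN_DEFAULT_FINGERPRINTS = {fingerprint_sha256(DEFAULT_BLOB)}

SAMPLE_AUTHORIZED_KEYS = (
    "# constructed authorized_keys for the example\n"
    f"ssh-ed25519 {base64.b64encode(DEFAULT_BLOB).decode()} root@cps-default\n"
    f'command="/usr/bin/true" ssh-ed25519 {base64.b64encode(FRESH_BLOB).decode()} ops@site\n'
)


def audit_sample():
    """Run the check over the constructed sample; returns the list of hits."""
    return find_default_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_DEFAULT_FINGERPRINTS)


if __name__ == "__main__":
    for keytype, fp, comment in audit_sample():
        print(f"DEFAULT KEY STILL PRESENT: {keytype} {fp} ({comment})")
```

On a real host, feed the script the contents of root’s authorized_keys (and compare the host keys in /etc/ssh the same way) after an upgrade; a hit means the default material survived the upgrade and must be replaced, exactly the case the quoted note about 21.2.0 warns of.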
A Cisco spokesperson told The Daily Swig: “Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in the advisories. Fixed software is available, and we ask our customers to please review the advisories for complete information.”
The Cisco Policy Suite vulnerability was discovered during internal security testing, while Marco Wiorek of German infosec firm Hotzone has been credited with reporting the PON ONT vulnerabilities.