Cisco Removes Backdoor Account from IOS XE Software

Haythem Elmir

Cisco removed today a backdoor account from its IOS XE operating system that would have allowed a remote attacker to log into Cisco routers and switches with a high-privileged account.

The company says the « undocumented user account » only impacts devices running Cisco IOS XE Software 16.x, an operating system deployed mostly on Cisco ASR routers and Catalyst switches.

Cisco says devices running IOS XE 16.x come with a hidden default account named « cisco, » and a static password that Cisco didn’t reveal to avoid future exploitation attempts.

Cisco devices don’t usually come with default accounts, and network admins must set up an account during the device’s first boot-up.

Since this account only affects v16.x versions and uses the company’s name for the username, this appears to have been accidentally left over from IOS XE’s development or testing phase.

If patching is not possible, mitigations exist

Besides the software patches made available on the Cisco customer portal, device admins can remove the account by typing:

no username cisco

This command deletes the account. If they’d like to keep the account, admins can also log into their device via their regular admin user and use that account to change the cisco account’s default password to one of their own choosing.
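The check a defender would want before and after applying the mitigation above is whether a level-15 "cisco" account is still present in the running configuration. The following audit script is an added example, not Cisco’s code or part of the original article; it parses a constructed excerpt of "show running-config" output (the sample lines, hostname and hashes are made up) and returns the removal command quoted in the article when the account is found.

```python
import re

# Constructed sample of a "show running-config" excerpt; not captured from a real device.
SAMPLE_CONFIG = """\
version 16.3
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$CONSTRUCTED$abcdefghijklmnopqrstu
username cisco privilege 15 secret 5 $1$CONSTRUCTED$zyxwvutsrqponmlkjihgf
username monitor privilege 1 secret 5 $1$CONSTRUCTED$0123456789abcdefghijk
line vty 0 4
 login local
 transport input ssh
"""

# "username <name> [privilege <n>] ..." ; privilege is optional and defaults to 1 on IOS.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
# First line of an IOS/IOS XE running-config carries the software version.
VERSION_RE = re.compile(r"^version\s+(\d+)\.(\d+)", re.MULTILINE)


def parse_accounts(config):
    """Return {username: privilege_level} for every 'username' line in the config."""
    return {m.group(1): int(m.group(2) or 1) for m in USERNAME_RE.finditer(config)}


def runs_ios_xe_16(config):
    """True when the 'version' line reports a 16.x release, the branch the advisory covers."""
    m = VERSION_RE.search(config)
    return m is not None and int(m.group(1)) == 16


def audit_default_account(config, default_user="cisco"):
    """Flag the undocumented 'cisco' account described in the article.

    Returns (finding, remediation); both are None when the account is absent.
    The remediation is the IOS command the article gives for removing the account.
    """
    accounts = parse_accounts(config)
    if default_user not in accounts:
        return None, None
    level = accounts[default_user]
    finding = f"account '{default_user}' present with privilege level {level}"
    if runs_ios_xe_16(config):
        finding += " on IOS XE 16.x"
    return finding, f"no username {default_user}"


if __name__ == "__main__":
    print(audit_default_account(SAMPLE_CONFIG))
```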

The bug can be exploited remotely

This « backdoor » vulnerability (CVE-2018-0150) is considered critical and has a severity score of 9.8 out of 10.

Attackers can log into this account remotely, and don’t necessarily need physical access to the device. The account grants the attacker a « privilege level 15 access, » a term used to describe high-privileged accounts.

The patch for CVE-2018-0150 is one of the 22 security updates the networking software giant published yesterday. The patches also include fixes for two other critical flaws, both remote code execution bugs (CVE-2018-0151 and CVE-2018-0171).

This is the second backdoor account that Cisco removed from its software this month. The company previously removed a similar account from Cisco PCP, a software application that can be used for the remote installation and maintenance of other Cisco voice and video products.
