Unpatched critical flaw CVE-2018-15439 could be exploited by a remote, unauthenticated attacker to gain full control over the device.
Cisco Small Business Switch software is affected by a critical and unpatched vulnerability (CVE-2018-15439) that could be exploited by a remote, unauthenticated attacker to gain full control over the device.
Cisco Small Business Switch SOHO devices are used to manage small local area networks; they are widely adopted and come in cloud-based, managed and unmanaged “flavors.”
The flaw has received a critical base CVSS score of 9.8; it stems from the default configuration of the devices, which includes a default, privileged user account.
This account was created for the initial login and cannot be deleted from the Cisco Small Business Switch devices.
“A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device,” reads the security advisory published by Cisco.
“The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.”
The advisory also includes a workaround that consists of disabling this account by adding at least one user account with access privilege set to level 15 in the device configuration.
Users can “configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing <strong_password> with a complex password chosen by the user.”
“However, if all user-configured privilege level 15 accounts are removed from the device configuration, an affected software release re-enables the default privileged user account without notifying administrators of the system.” continues the advisory.
“Under these circumstances, an attacker can use this account to log in to an affected device and execute commands with full admin rights.”
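The workaround above hinges on one condition: the default privileged account stays disabled only while at least one user-configured privilege level 15 account exists, and it silently comes back the moment the last one is removed. The following audit script is an added example and not code from the article or from Cisco; it parses a running-config excerpt for `username` lines, lists the level 15 accounts, and flags a device on which the workaround is no longer in place. The config excerpts are constructed, and the `username <name> privilege 15 password ...` line format is an assumption modelled on the advisory's recommended account definition, not a verified transcript of the switch CLI.

```python
import re
from typing import List

# Constructed running-config excerpts (not captured from a real device).
# The "username ... privilege 15 ..." line shape is assumed for illustration.
CONFIG_WITH_WORKAROUND = """\
hostname sw-branch-01
username admin privilege 15 password encrypted 0123456789abcdef
username helpdesk privilege 1 password encrypted fedcba9876543210
"""

CONFIG_WITHOUT_WORKAROUND = """\
hostname sw-branch-02
username helpdesk privilege 1 password encrypted fedcba9876543210
"""

USERNAME_LINE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$")
PRIVILEGE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b")


def privilege_15_users(config: str) -> List[str]:
    """Return the names of all user accounts configured at privilege level 15."""
    users = []
    for line in config.splitlines():
        match = USERNAME_LINE.match(line)
        if not match:
            continue
        # The privilege keyword may appear anywhere after the user name.
        priv = PRIVILEGE.search(match.group("rest"))
        if priv and int(priv.group("level")) == 15:
            users.append(match.group("name"))
    return users


def workaround_in_place(config: str) -> bool:
    """True while at least one privilege-15 account exists, which is the
    condition under which the affected software keeps the default
    privileged account disabled."""
    return len(privilege_15_users(config)) > 0


def remove_user(config: str, name: str) -> str:
    """Return the config with the named user's line deleted, so a planned
    account removal can be checked before it is applied to the switch."""
    kept = []
    for line in config.splitlines():
        match = USERNAME_LINE.match(line)
        if match and match.group("name") == name:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def audit(hostname: str, config: str) -> str:
    """One-line finding suitable for a configuration-compliance report."""
    users = privilege_15_users(config)
    if users:
        return f"{hostname}: OK, privilege-15 accounts present: {', '.join(users)}"
    return (f"{hostname}: FINDING, no privilege-15 account configured; "
            "default privileged account would be re-enabled (CVE-2018-15439)")


if __name__ == "__main__":
    print(audit("sw-branch-01", CONFIG_WITH_WORKAROUND))
    print(audit("sw-branch-02", CONFIG_WITHOUT_WORKAROUND))
    # Simulate an operator removing the only level-15 account: the audit
    # must flip to a finding, which is exactly the case the advisory warns about.
    print(audit("sw-branch-01 (after removal)",
                remove_user(CONFIG_WITH_WORKAROUND, "admin")))
```

Running the check on a planned configuration change, as `remove_user` does, is the useful part: a change that only drops an account looks harmless in a diff review, yet on the affected releases it is the step that reopens the device.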
Experts pointed out that a successful exploit could allow a remote attacker to compromise the entire network.
The vulnerability affects Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches.
The Cisco 220 Series and 200E Series Smart Switches aren’t affected, and neither are devices running Cisco IOS Software, Cisco IOS XE Software or Cisco NX-OS Software, according to the networking giant.
At the time of writing there is no patch to address the vulnerability, but Cisco will likely fix the flaw in the future.
The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting this vulnerability.