
Cisco IOS XE Static Credential Vulnerability (Catalyst Switches, ISR4k and ASR1k Routers)

09.04.2018

Cisco has stated that there is a vulnerability in Cisco IOS XE 16.x releases (the bug does not affect releases prior to IOS XE 16.x) that allows a remote attacker to log in to the system with privilege 15 using the default username cisco. This bug affects the platforms supported by IOS XE software, including the following:

 

  • Catalyst 9500, 9300 switches
  • Catalyst 3650, 3850 switches
  • ISR 4200, 4300, 4400 routers
  • ASR 1000 routers
  • ISRv, CSR1000v

 

If you have one of these platforms and show version displays output like the following:

router# show version
--- output omitted --- (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1

upgrade the system immediately or apply one of the workarounds below.

 

Possible direct workarounds:

  • delete the account by issuing the no username cisco command in configuration mode
  • change the password for the cisco user
  • to find an IOS XE version that removes this vulnerability, check the bug toolkit before upgrading

 

Affected releases (as of 10 April 2018):
  • 16.5.1
  • Everest-16.5.1

Known fixed releases (as of 10 April 2018):

  • Everest-16.6.1
  • Everest-16.6.1a
  • Everest-16.5.2
  • 16.7(0.78)
  • 16.6.1
  • 16.6.1a
  • 16.6(0.238)
  • 16.5.2
  • 16.5(1.67)
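As an added example (not part of the original post, Cisco's advisory or any Cisco tool), the following Python check parses show version output against the release lists above and looks for the default cisco account in a saved running-config, returning the configuration-mode lines for the first workaround. The sample outputs and the username line format are constructed for illustration.

```python
import re

# Release lists as given in the post (as of 10 April 2018).
AFFECTED = {"16.5.1", "Everest-16.5.1"}
FIXED = {"Everest-16.6.1", "Everest-16.6.1a", "Everest-16.5.2", "16.7(0.78)",
         "16.6.1", "16.6.1a", "16.6(0.238)", "16.5.2", "16.5(1.67)"}

# Matches '), Version Denali 16.2.1' as well as '), Version 16.5.1, RELEASE ...'
VERSION_RE = re.compile(r"\),\s*Version\s+(?:(?P<train>[A-Za-z]+)\s+)?(?P<ver>[\w.()]+)")
# Default account line, e.g. 'username cisco privilege 15 ...' (constructed format)
USERNAME_RE = re.compile(r"^username\s+cisco\b", re.MULTILINE)

def parse_version(show_version):
    """Return (train, version) from show version output, e.g. ('Denali', '16.2.1')."""
    m = VERSION_RE.search(show_version)
    return (m.group("train"), m.group("ver")) if m else None

def classify_release(show_version):
    """Classify a device as affected, fixed, not-affected (pre-16.x) or check-bug-toolkit."""
    parsed = parse_version(show_version)
    if parsed is None:
        return "unknown"
    train, ver = parsed
    candidates = {ver} | ({f"{train}-{ver}"} if train else set())
    if candidates & AFFECTED:
        return "affected"
    if candidates & FIXED:
        return "fixed"
    if not ver.startswith("16."):
        return "not-affected"       # the bug is specific to IOS XE 16.x
    return "check-bug-toolkit"      # a 16.x release on neither list

def remediation_for(running_config):
    """Config-mode lines that remove the default cisco account, if it is present."""
    if USERNAME_RE.search(running_config):
        return ["configure terminal", "no username cisco", "end"]
    return []

# Constructed sample outputs (not captured from real devices).
SAMPLE_DENALI = "--- output omitted --- (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1"
SAMPLE_AFFECTED = ("Cisco IOS Software [Everest], Catalyst L3 Switch Software "
                   "(CAT3K_CAA-UNIVERSALK9-M), Version 16.5.1, RELEASE SOFTWARE (fc2)")
SAMPLE_FIXED = "(CAT3K_CAA-UNIVERSALK9-M), Version 16.5.2, RELEASE SOFTWARE (fc1)"
SAMPLE_OLD = "(CAT3K_CAA-UNIVERSALK9-M), Version 03.07.05E RELEASE SOFTWARE (fc1)"
SAMPLE_CONFIG = "hostname sw1\nusername cisco privilege 15 password 0 PLACEHOLDER\nline vty 0 4\n"
```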

 

The vulnerability is rated critical and received a CVSS score of 9.8:

  • The Cisco bug id is: CSCve89880
  • CVSS score: 9.8
  • Vulnerability: CVE-2018-0150

 

Sources:

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

[2] https://quickview.cloudapps.cisco.com/quickview/bug/CSCve89880

Author

Grandmetric
