Cisco has stated that there is a vulnerability in Cisco IOS XE 16.X (the bug does not affect releases prior to IOS XE 16.X) that allows a remote attacker to log in to the system with privilege level 15 using the default username cisco. This bug affects the platforms supported by IOS XE software, including, among others, the following:
If you have one of these and show version displays the following output:
router# show version
--- output omitted ---- (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1
Immediately upgrade the system or use the workaround.
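The version check described above can be run across many devices at once. The following Python sketch is an added example, not code from Cisco or from the original post: it reads collected show version output and flags devices on the 16.X train. The hostnames and all sample banner lines except the Denali 16.2.1 one are constructed for illustration. A device flagged as in scope still has to be compared against the fixed releases listed in the advisory [1].

```python
import re

# Banner field "(IMAGE), Version [Codename] X.Y...". The optional word covers
# early 16.x images that print the codename there ("Version Denali 16.2.1").
BANNER_RE = re.compile(
    r"\(([\w.-]+)\),\s+Version\s+(?:[A-Za-z]+\s+)?((\d+)\.[^\s,]+)"
)

def classify(show_version_text):
    """Return (status, image, version) for one device's show version text."""
    m = BANNER_RE.search(show_version_text)
    if m is None:
        # An unreadable banner must not be counted as "not affected".
        return ("unparsed", None, None)
    image, version, major = m.group(1), m.group(2), int(m.group(3))
    # Per the text above, only the 16.x train is in scope; IOS XE 3.x and
    # classic IOS 15.x report a different major number.
    status = "in-scope-16.x" if major == 16 else "out-of-scope"
    return (status, image, version)

def triage(collected):
    """Map hostname -> classification, with in-scope devices listed first."""
    results = {host: classify(text) for host, text in collected.items()}
    order = {"in-scope-16.x": 0, "unparsed": 1, "out-of-scope": 2}
    return dict(sorted(results.items(),
                       key=lambda kv: (order[kv[1][0]], kv[0])))

# Constructed sample input: hostnames are hypothetical; only the edge-sw1
# banner is taken from the page, the other lines are made up for the example.
SAMPLES = {
    "edge-sw1": "--- output omitted ---- (CAT3K_CAA-UNIVERSALK9-M), "
                "Version Denali 16.2.1",
    "edge-sw2": "Cisco IOS Software [Everest], Catalyst L3 Switch Software "
                "(CAT3K_CAA-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE",
    "old-sw3":  "Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch "
                "Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.07.04E "
                "RELEASE SOFTWARE (fc1)",
    "core-sw4": "Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), "
                "Version 15.2(4)E6, RELEASE SOFTWARE (fc4)",
    "lab-sw5":  "% Invalid input detected at '^' marker.",
}

if __name__ == "__main__":
    for host, (status, image, version) in triage(SAMPLES).items():
        print(f"{host:10} {status:14} {image or '-':26} {version or '-'}")
```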
Possible direct workarounds:
Known fixed releases (as of 10 April 2018):
The vulnerability is described as critical and received a score of 9.8:
Sources:
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc
[2] https://quickview.cloudapps.cisco.com/quickview/bug/CSCve89880