Cisco Issues New Warning for 6-Month-Old Critical Bug in IOS XE

Cisco Systems has issued a second warning for a critical static credential bug in its IOS XE software, which allows an unauthenticated attacker to gain access to targeted systems. The security bulletin comes more than six months after the company initially reported the bug and provided a software fix.

Separately, the networking giant also warned of multiple flaws in its WebEx online meeting software.

A Second Warning

The updated warning from Cisco regarding the original bug is an update to the original advisory from March to indicate that the Cisco Integrated Services Virtual Router (ISRv) is affected and has a separate code fix.

ISRv is a virtual Cisco IOS XE Software router that delivers a WAN gateway and network services functions to virtual environments. The IOS XE software is Cisco’s newer version of IOS (introduced in 2008) which is Linux-based and includes a bevy of new features compared to the older version. It’s built to be a flexible, all-in-one-OS for controlling enterprise systems, including wired and wireless access, aggregation, core networking and WAN.

According to Wednesday’s security bulletin, the vulnerability “could allow an unauthenticated, remote attacker to log into a device running an affected release of Cisco IOS XE software, with the default username and password that are used at initial boot.”

Cisco traces the bug to an undocumented, highly privileged user account with access to a default username and password. “An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access,” Cisco warned.

“Privilege level 15” is Cisco parlance for privilege access and control of a Cisco device, such as a router. It is the highest privilege a user can have, compared to “level 1,” which only allows limited read-only access to a router.

The vulnerability (CVE-2018-0150) affects Cisco devices running the IOS XE Software Release 16.x — prior releases are unaffected, as are the Cisco IOS, IOS XR and NX-OS software.

The bug is critical and carries a CVSS score of 9.8 out of 10. Fortunately, Cisco said that both a workaround and a patch are available to address CVE-2018-0150.

“To address this vulnerability, administrators may remove the default account by using the ‘no username cisco’ command in the device configuration,” Cisco explained. “Administrators may also address this vulnerability by logging in to the device and changing the password for this account.”

WebEx Flaws

On Wednesday, Cisco also issued patches for Cisco Webex network recording player file processing flaws (CVE-2018-15414, CVE-2018-15421, CVE-2018-15422). Each of the bugs were rated high severity, with a CVSS score of 7.8 out of 10.

“Multiple vulnerabilities in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system,” according to the Cisco bulletin.

Cisco explained the bugs are tied to an improper validation of its Webex recording files: “An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a malicious file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could allow the attacker to execute arbitrary code on an affected system,” it wrote.

A software update is available for addressing this vulnerability in Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites and Cisco Webex Meetings Server. There are no workarounds to address the problems.

(This article was updated 9/20/18 at 12:45pm EDT to reflect a comment from Cisco)