Arraya Insights | December 7, 2018
Cisco shops take note: the tech leader recently announced a trio of high impact and above vulnerabilities affecting some of its more popular solutions. As is the case with any vulnerability, organizations leveraging these technologies should take immediate action in order to mitigate possible exposures. Otherwise, they risk leaving themselves at the mercy of opportunistic cyber criminals. Let’s take a look at each of these vulnerabilities, and what can be done about them, with insight from Arraya’s Network and Security team.
Critical Vulnerability: Privileged access on Cisco Switches
A default setting on a variety of switch offerings from Cisco’s Small Business, Smart, and Managed lines could allow an unauthorized user to gain admin rights on the device. These switches come configured with an admin-level (level 15) default account. This profile comes into play during the initial login and it can’t be deleted from the device. However, it will go dormant as long as additional level 15 admin accounts are configured on the switch.
Security researchers noticed that in the event all level 15 admin accounts are removed from a switch, this default profile reactivates. On top of that, it does so quietly, leaving admins in the dark about this potential liability. As a result, should an attacker gain access to this account, he or she would have full run of the switch.
To remediate this, admins must ensure there is at least one level 15 account configured on any potentially affected device. If such an account doesn’t exist, they must take steps to create one ASAP. Furthermore, strong passwords are a must for any account, but especially for accounts with this level of authority.
Affected devices include:
- Cisco Small Business 200 Series Smart Switches
- Cisco Small Business 300 Series Managed Switches
- Cisco Small Business 500 Series Stackable Managed Switches
- Cisco 250 Series Smart Switches
- Cisco 350 Series Managed Switches
- Cisco 350X Series Stackable Managed Switches
- Cisco 550X Series Stackable Managed Switches
High Impact Vulnerability #1: ASA/FTD-based DoS attacks
An error in the Session Initiation Protocol (SIP) inspection engine employed by Cisco’s ASA and Firepower Threat Defense could leave both tools vulnerable to a denial of service (DoS) attack. The SIP inspection engine is enabled by default on each solution, but it can struggle to process SIP traffic efficiently. By virtue of this, a savvy attacker could simply overwhelm these solutions with traffic, knocking them offline.
Cisco has released not one but four separate mitigation strategies for dealing with this vulnerability. For example, admins could disable SIP inspection. They could also block suspicious hosts, filter possibly malicious addresses, or impose a rate limit on SIP traffic.
Affected devices include:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
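The two configuration conditions described above (a switch with no level 15 account, and an ASA/FTD policy still running SIP inspection) can be checked against offline copies of running-configs. The following audit is an added example, not Cisco’s or Arraya’s code; the sample configs it reads are constructed for illustration, and the audit assumes the configs are available as plain text (for example, exported from a backup system).

```python
"""Audit offline Cisco running-configs for two conditions described in the
advisories: no privilege-15 account on a Small Business switch (the state in
which the non-deletable default admin account silently reactivates), and
'inspect sip' still active in an ASA/FTD global_policy (the DoS-prone engine).
All sample configs below are constructed for illustration."""
import re

# Constructed switch config: the only remaining user is below level 15.
SWITCH_CONFIG_NO_ADMIN = """\
hostname sg300-floor2
username helpdesk password encrypted 3f2a... privilege 7
snmp-server community public ro
"""
# Constructed switch config with a level 15 account present.
SWITCH_CONFIG_OK = """\
hostname sg300-floor3
username netadmin password encrypted 9b1c... privilege 15
"""
# Constructed ASA config showing the default SIP inspection, and one with it removed.
ASA_CONFIG_SIP_ON = """\
policy-map global_policy
 class inspection_default
  inspect dns
  inspect sip
  inspect ftp
service-policy global_policy global
"""
ASA_CONFIG_SIP_OFF = ASA_CONFIG_SIP_ON.replace("  inspect sip\n", "")

# 'privilege N' may come before or after the password on different Cisco platforms.
USERNAME_RE = re.compile(r"^username\s+(\S+)\b.*?\bprivilege\s+(\d+)", re.M)

def level15_accounts(config: str) -> list[str]:
    """Return the names of all configured accounts with privilege level 15."""
    return [name for name, lvl in USERNAME_RE.findall(config) if lvl == "15"]

def switch_default_account_exposed(config: str) -> bool:
    """True when no level 15 account exists, so the default admin account is live."""
    return not level15_accounts(config)

def sip_inspection_enabled(config: str) -> bool:
    """True when 'inspect sip' appears inside a class of policy-map global_policy."""
    in_global = in_class = False
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command ends the current block
            in_global = line.strip() == "policy-map global_policy"
            in_class = False
        elif in_global and line.startswith(" class "):
            in_class = True
        elif in_global and in_class and line.strip() == "inspect sip":
            return True
    return False
```

Running the checks across a config backup repository gives a per-device list of switches needing a level 15 account created and firewalls still exposed to the SIP engine.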
High Impact Vulnerability #2: Meraki privilege escalation
A weak point in Meraki’s local status page could inadvertently let attackers gain high-level access privileges to affected devices. Consequently, by using this newfound administrative might, attackers could gain a tactical foothold in an organization’s network or access and modify the device’s configuration data. Further worsening the matter is the fact that, on all affected devices, this local status page is enabled by default.
As of press time, there is no workaround that will allow organizations to stay safe while continuing to use Meraki’s local status page. Instead, admins are encouraged to disable this page should their organizational needs and obligations allow it. One note of caution: doing so can result in a loss of additional functionality.
Here’s a list of the Meraki devices impacted:
- MR devices
- MS devices
- MX devices (includes physical devices and the vMX100 virtual appliance)
- Z1 and Z3 devices
Next steps: Protecting your Cisco environment against vulnerabilities
Does your organization leverage any of the above solutions? Arraya’s Network and Security team can work with you to mitigate each of the above risks and identify any additional trouble spots. Arraya’s team has the knowledge and experience needed to help organizations of all shapes and sizes plan, protect, and prevail against today’s evolving threat landscape. Reach out to our team now by visiting: https://www.arrayasolutions.com/contact-us/.
As always, let us know what you think of this post! Leave us any comments or questions on our social media pages. We can be found on LinkedIn, Twitter, and Facebook. Then, follow us so you can keep up with our take on industry news and access our exclusive learning opportunities.