Cisco has disclosed a critical vulnerability in its ENCS 5400-W Series and CSP 5000-W Series appliances: the bundled software ships with user accounts that have a default, static password.
During internal testing, Cisco found that Cisco Virtual Wide Area Application Services (vWAAS) images bundled with Cisco Enterprise NFV Infrastructure Software (NFVIS) contain user accounts with a fixed password.
NFVIS lets customers virtualize Cisco network services such as the Integrated Services Virtual Router, Virtual WAAS, Virtual ASA, the Virtual Wireless LAN Controller and the Next-Generation Virtual Firewall.
Devices are affected if they run vWAAS with NFVIS-bundled image releases 6.4.5, 6.4.3d or earlier; customers with such devices should apply Cisco's updates.
There are no workarounds, so updating is the only way to fix the flaw, which carries a CVSS score of 9.8 out of 10 and is tracked as CVE-2020-3446.
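The affected-release statement above is easy to misread when feeding it into an inventory check, because "6.4.5, 6.4.3d or earlier" spans two release trains and Cisco rebuild letters (6.4.3d) sort after the bare release (6.4.3). The following script is an added example written for this page, not Cisco code: it parses NFVIS-bundled image version strings into comparable tuples and flags releases that fall inside the stated range. The reading it encodes is an assumption: the 6.4.3 train counts as affected up to rebuild "d", every other release at or below 6.4.5 counts as affected, and anything later (for example 6.4.3e or 6.4.5a) is reported only as outside the stated range, not as confirmed fixed. The inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Affected releases as quoted on the page: vWAAS with NFVIS-bundled images
# 6.4.5, 6.4.3d and earlier.  How that maps onto version tuples is an
# assumption made for this example (check the Cisco advisory for the
# authoritative list):
#   - 6.4.3 train: the bare release and rebuilds a..d are affected
#   - any other release at or below 6.4.5 (no rebuild letter) is affected
#   - anything later is simply "outside the stated range"
AFFECTED_TRAIN_CEILINGS: Dict[Tuple[int, int, int], str] = {
    (6, 4, 3): "d",
}
AFFECTED_MAX: Tuple[int, int, int, str] = (6, 4, 5, "")

# Cisco-style version: major.minor.patch with an optional rebuild letter.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Turn '6.4.3d' into (6, 4, 3, 'd') so tuples compare numerically.

    A missing rebuild letter becomes '', which sorts before 'a', so
    6.4.5 < 6.4.5a as Cisco numbering intends.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rebuild = match.groups()
    return int(major), int(minor), int(patch), rebuild


def in_stated_affected_range(version: str) -> bool:
    """True if the release falls inside the range the advisory text lists."""
    major, minor, patch, rebuild = parse_version(version)
    train = (major, minor, patch)
    if train in AFFECTED_TRAIN_CEILINGS:
        # Within a listed train only rebuilds up to the ceiling are affected;
        # a later rebuild (e.g. 6.4.3e) is outside the stated range.
        return rebuild <= AFFECTED_TRAIN_CEILINGS[train]
    return (major, minor, patch, rebuild) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose image version is inside the affected range."""
    return sorted(
        host for host, version in inventory.items()
        if in_stated_affected_range(version)
    )


# Constructed sample inventory (hostname -> NFVIS-bundled image release).
SAMPLE_INVENTORY = {
    "encs-branch-01": "6.4.5",
    "encs-branch-02": "6.4.3d",
    "csp-dc-01": "6.4.1",
    "csp-dc-02": "6.4.3e",
    "encs-branch-03": "6.4.5a",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, inside stated affected range")
```

Keep the rebuild-letter handling even if your inventory tool already "sorts" versions: a plain string comparison puts 6.4.3d after 6.4.3 but also after 6.4.10, and a numeric-only parser drops the letter entirely, so either one silently misclassifies the 6.4.3 train.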
Cisco lists four ways an attacker could reach the NFVIS CLI, depending on how the customer has configured the device:
- The Ethernet management port for the CPU on an affected ENCS 5400-W Series device. This interface is remotely reachable if a routed IP address is configured on it.
- The first port of the four-port I350 PCIe Ethernet adapter card on an affected CSP 5000-W Series device.
- A connection to the vWAAS software CLI, together with valid user credentials to authenticate to the vWAAS CLI first.
- A connection to the Cisco Integrated Management Controller (CIMC) interface of an ENCS 5400-W Series or CSP 5000-W Series device, together with valid user credentials to authenticate to CIMC first.
Cisco has also published two further high-severity advisories, which can be addressed by installing recently released software updates.
Alongside the critical and high-severity fixes, the company issued patches for 21 further vulnerabilities of medium severity.