
====================================================================


                             CERT-Renater

                 Information Note No. 2018/VULN374
_____________________________________________________________________

DATE                : 08/11/2018

HARDWARE PLATFORM(S): Cisco Small Business Switches.

OPERATING SYSTEM(S): Cisco Small Business Switches firmware.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sbsw-privacc
_____________________________________________________________________

Cisco Small Business Switches Privileged Access Vulnerability

Priority: Critical
Advisory ID: cisco-sa-20181107-sbsw-privacc
First Published: 2018 November 7 16:00 GMT
Version 1.0: Interim
Workarounds: Yes
Cisco Bug IDs: CSCvk20713 CSCvm11846

CVE-2018-15439
CVSS Score:
Base 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Cisco Small Business Switches software could
    allow an unauthenticated, remote attacker to bypass the user
    authentication mechanism of an affected device.

    The vulnerability exists because under specific circumstances, the
    affected software enables a privileged user account without
    notifying administrators of the system. An attacker could exploit
    this vulnerability by using this account to log in to an affected
    device and execute commands with full admin rights.

    Cisco has not released software updates that address this
    vulnerability.
    This advisory will be updated with fixed software information once
    fixed software becomes available. There is a workaround to address
    this vulnerability.

    This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sbsw-privacc

Affected Products

  * Vulnerable Products

    This vulnerability affects the following Cisco Small Business
    product families running any software release if no user accounts
    with access privilege set to level 15 are configured on the device:

      + Cisco Small Business 200 Series Smart Switches
      + Cisco Small Business 300 Series Managed Switches
      + Cisco Small Business 500 Series Stackable Managed Switches
      + Cisco 250 Series Smart Switches
      + Cisco 350 Series Managed Switches
      + Cisco 350X Series Stackable Managed Switches
      + Cisco 550X Series Stackable Managed Switches

    Determining the Cisco Small Business Switches Software Release

    To determine which Cisco Small Business Switches Software release is
    running on a device, use the show version command from the CLI
    prompt. The following example shows the output of the command for a
    device that is running software version 1.4.9.4:

        Switch# show version
        SW version    1.4.9.04 (date 20-Jul-2018 time 17:14:12)

    Determining if Privilege Level 15 User Accounts Are Present on the
    Device Configuration

    To determine if any privilege level 15 user accounts are present in
    the device configuration, use the command
    show running-config | include privilege 15 from a CLI prompt. An
    empty output would indicate that no user accounts with level 15
    access privilege are configured on the device; the device is
    vulnerable if also running an affected software release.

    The following example shows the output of the command
    show running-config | include privilege 15 when a user account with
    access privilege set to level 15 is not present on the running
    configuration.

        Switch# show running-config | include privilege 15
        Switch#

    The following example shows the output of the command
    show running-config | include privilege 15 when a user account with
    access privilege set to level 15 is present on the running
    configuration. This device is not vulnerable:

        Switch# show running-config | include privilege 15
        username <user-ID> password encrypted <encrypted-password> privilege 15

    Additional information is available in the Details section of this
    advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
    advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

      + Cisco 220 Series Smart Switches

    Cisco has also confirmed that this vulnerability does not affect
    devices running Cisco IOS Software, Cisco IOS XE Software, or Cisco
    NX-OS Software.

Details

  * Cisco Small Business Switches are typically deployed within small
    office/ home office (SOHO) network environments. The default
    configuration on the devices listed as vulnerable includes a
    default, privileged user account that is used for the initial login
    and cannot be removed from the system.
    An administrator may disable this account by configuring other user
    accounts with access privilege set to level 15. However, if all
    user-configured privilege level 15 accounts are removed from the
    device configuration, an affected software release re-enables the
    default privileged user account without notifying administrators of
    the system.
    Under these circumstances, an attacker can use this account to log
    in to an affected device and execute commands with full admin
    rights.

    Note: The default user account is defined in a software-internal
    data structure and is not visible in either the running
    configuration or the startup configuration of an affected device.

Workarounds

  * The workaround consists of adding at least one user account with
    access privilege set to level 15 in the device configuration. The
    following example shows how to configure an account by using admin
    as user ID, setting the access privilege to level 15, and defining
    the password by replacing <strong_password> with a complex password
    chosen by the user. By adding this user account, the default
    privileged account will be disabled.

        Switch# configure terminal
        Switch(config)# username admin privilege 15 password <strong_password>

    The command show running-config | include privilege 15 will now
    produce the following output:

        Switch# show running-config | include privilege 15
        username admin password encrypted <encrypted-password> privilege 15
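    Added here as an example (not from the Cisco advisory or from
    CERT-Renater): a small Python audit that applies the check from the
    Affected Products section to saved "show running-config" output and
    verifies the workaround above, by looking for "username" lines carrying
    privilege 15. The regexes, function names and sample configurations are
    this example's own constructions.

```python
import re
from typing import List

# Parses saved "show running-config" text from a Cisco Small Business switch
# and reports the accounts configured with access privilege level 15. The
# advisory's "| include privilege 15" filter matches any line; this parser
# restricts the match to "username" lines so only real accounts count.
USERNAME_RE = re.compile(r"^\s*username\s+(?P<user>\S+)")
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b")


def level15_accounts(running_config: str) -> List[str]:
    """Return the user IDs that carry 'privilege 15', in configuration order."""
    users = []
    for line in running_config.splitlines():
        user = USERNAME_RE.match(line)
        if not user:
            continue
        # "privilege N" may precede or follow the password keyword (compare the
        # configure command with the running-config line), so search the line.
        priv = PRIVILEGE_RE.search(line)
        if priv and priv.group("level") == "15":
            users.append(user.group("user"))
    return users


def is_exposed(running_config: str) -> bool:
    """True when no level-15 account exists: on an affected release the
    hidden default privileged account is then re-enabled."""
    return not level15_accounts(running_config)


# Constructed sample configurations (not captured from a real device).
SAMPLE_NO_ADMIN = """\
hostname Switch
username operator password encrypted <encrypted-password> privilege 1
!
"""

SAMPLE_WITH_ADMIN = SAMPLE_NO_ADMIN + (
    "username admin password encrypted <encrypted-password> privilege 15\n"
)

if __name__ == "__main__":
    # Demo run over the two constructed samples.
    for cfg in (SAMPLE_NO_ADMIN, SAMPLE_WITH_ADMIN):
        print("EXPOSED" if is_exposed(cfg) else "ok", level15_accounts(cfg))
```

    Feed real output to is_exposed() from a scheduled job: a result that
    flips to True means every level-15 account has been removed and the
    workaround no longer holds.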

Fixed Software

  * Cisco has not released software updates that address this vulnerability.

    Customers may only install and expect support for software versions
    and feature sets for which they have purchased a license. By
    installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:

    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they
    have a valid license, procured from Cisco directly, or through a
    Cisco authorized reseller or partner. In most cases this will be a
    maintenance upgrade to software that was previously purchased. Free
    security software updates do not entitle customers to a new software
    license, additional software feature sets, or major revision
    upgrades.

    When considering software upgrades, customers are advised to
    regularly consult the advisories for Cisco products, which are
    available from the Cisco Security Advisories and Alerts page, to
    determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be
    upgraded contain sufficient memory and confirm that current hardware
    and software configurations will continue to be supported properly
    by the new release.
    If the information is not clear, customers are advised to contact
    the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through
    third-party vendors but are unsuccessful in obtaining fixed software
    through their point of sale should obtain upgrades by contacting the
    Cisco TAC:

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of
    entitlement to a free upgrade.

    Fixed Releases

    Cisco has not released software updates that address the
    vulnerability described in this advisory.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is not
    aware of any public announcements or malicious use of the
    vulnerability that is described in this advisory.

Source

  * Cisco would like to thank Thor Simon of Two Sigma Investments LP for
    reporting this vulnerability.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sbsw-privacc

Revision History

  *
    +---------+-------------------------+---------+---------+------------------+
    | Version | Description             | Section | Status  | Date             |
    +---------+-------------------------+---------+---------+------------------+
    | 1.0     | Initial public release. | -       | Interim | 2018-November-07 |
    +---------+-------------------------+---------+---------+------------------+


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================