For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks.
This time around, the hardcoded password was found in Cisco’s Wide Area Application Services (WAAS), which is a software package that runs on Cisco hardware that can optimize WAN traffic management.
Harcoded SNMP community string
This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon.
SNMP stands for Simple Network Management Protocol, an Internet protocol for collecting data about and from remote devices. The community string was there so SNMP servers knowing the string’s value could connect to the remote Cisco device and gather statistics and system information about it.
“An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device,” Cisco said. “A successful exploit could allow the attacker to read any data that is accessible via SNMP on the affected device.”
Hardcoded creds is invisible to device owners
Making matters worse, this SNMP community string is hidden from device owners, even from the ones with an admin account, meaning they couldn’t have located it on their own during regular security audits.
This second vulnerability was a privilege escalation in the WaaS disk check tool that allowed Blair to elevate his account’s access level from “admin” to “root.” Normally, Cisco users are permitted only admin access. The root user level grants access to the underlying OS files and is typically reserved only for Cisco engineers.
By using his newly granted root-level access, Blair says he was able to spot the hidden SNMP community string inside the /etc/snmp/snmpd.conf file.
“This string can not be discovered or disabled without access to the root filesystem, which regular administrative users do not have under normal circumstances,” Blair says.
But while it took Blair root access to spot the hidden SNMP creds, they don’t require root access to be exploited, and anyone knowing the string can retrieve stats and system info from affected devices.
WaaS updates released to remove hardcoded SNMP creds
The researcher reported the issue to Cisco in March. Cisco released updates for WaaS this week. There are no mitigations or workarounds for avoiding the exploitation, and users must apply the WaaS software updates.
The Cisco WaaS patches are part of a batch of 28 security fixes that Cisco released on June 6, this week.
Twice in March and again in May, Cisco removed other similar backdoor accounts and mechanisms in other software such as the Prime Collaboration Provisioning (PCP), the IOS XE operating system, and the Digital Network Architecture (DNA) Center. Unlike this latest issues, the first three were discovered by Cisco engineers during internal audits.