Cisco has posted an alert to customers about a severe flaw affecting the software for its Cisco Nexus 9000 switches that could let a remote attacker connect to a device as if they owned it.
Cisco appears to have accidentally placed a default Secure Shell (SSH) key pair in all affected devices via the Nexus 9000 Series application centric infrastructure (ACI) mode switch software.
SSH key pairs consist of a public key and a private key, both long strings of characters that are infeasible to guess. The public key can safely be installed on any server, but the private key, which in this case shipped alongside the public key on the devices themselves, should be held only by the party that connects remotely to the protected system.
"An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials," Cisco notes.
Nexus 9000 switch devices are vulnerable if they’re running a Cisco NX-OS Software release before version 14.1(1i).
NX-OS is the operating system for Cisco’s Nexus line of data center switches. Devices are only vulnerable if they’re running in ACI mode.
The bug, tracked as CVE-2019-1804, is the worst of 41 security flaws Cisco disclosed in its late April batch of disclosures. It has a severity rating of 9.8 out of 10.
The bug was reported by an external researcher, Oliver Matula of the German security firm ERNW Enno Rey Netzwerke. Cisco notes that it is not aware of the flaw being exploited in the wild, and adds that the attack is not possible over IPv4.
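The two things a defender wants to know after reading the above are which ACI-mode switches still run a release earlier than 14.1(1i), and whether any devices in the fleet present the same SSH key. The following script is an added example, not Cisco's code and not part of the original article: it parses NX-OS ACI release strings (assuming the major.minor(maintenance-letters) form seen in 14.1(1i)), computes OpenSSH-style SHA256 fingerprints of collected public key lines, and reports duplicates. The inventory and the key bytes are constructed for the example; they are not real keys or real devices.

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# First fixed release named in Cisco's advisory for CVE-2019-1804.
FIXED_RELEASE = "14.1(1i)"

# Assumption: ACI-mode NX-OS releases look like major.minor(maint letters).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")


def parse_nxos_version(version):
    """Turn '14.1(1i)' into the comparable tuple (14, 1, 1, 'i')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS version: {version!r}")
    major, minor, maint, letters = m.groups()
    return (int(major), int(minor), int(maint), letters)


def is_vulnerable_release(version, fixed=FIXED_RELEASE):
    """True when `version` sorts before the fixed release."""
    return parse_nxos_version(version) < parse_nxos_version(fixed)


def ssh_key_fingerprint(pubkey_line):
    """SHA256 fingerprint of a '<type> <base64> [comment]' public key line,
    in the same 'SHA256:...' form (base64, no padding) that ssh-keygen -l prints."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _make_ed25519_pubkey_line(seed):
    """Build a syntactically valid ssh-ed25519 public key line from 32 constructed bytes.
    The bytes are NOT a real key; they only exercise the fingerprint path offline."""
    raw = hashlib.sha256(seed.encode()).digest()  # 32 arbitrary bytes
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw)) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed inventory: (hostname, release, mode, SSH public key line).
# Two ACI leaves deliberately share one key to model the shipped-default case.
SHARED = _make_ed25519_pubkey_line("constructed-default-key")
INVENTORY = [
    ("leaf-101", "13.2(5e)", "ACI", SHARED),
    ("leaf-102", "14.0(3d)", "ACI", SHARED),
    ("leaf-103", "14.1(1i)", "ACI", _make_ed25519_pubkey_line("leaf-103")),
    ("leaf-104", "14.1(2g)", "ACI", _make_ed25519_pubkey_line("leaf-104")),
    # Standalone NX-OS uses a different release train, so it is filtered by mode.
    ("nxos-201", "9.2(3)", "NX-OS", _make_ed25519_pubkey_line("nxos-201")),
]


def audit(inventory):
    """Return (ACI hosts on a pre-fix release, {fingerprint: hosts sharing it})."""
    unpatched = [
        host for host, ver, mode, _ in inventory
        if mode == "ACI" and is_vulnerable_release(ver)
    ]
    by_fp = defaultdict(list)
    for host, _, _, key in inventory:
        by_fp[ssh_key_fingerprint(key)].append(host)
    duplicates = {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}
    return unpatched, duplicates


if __name__ == "__main__":
    unpatched, duplicates = audit(INVENTORY)
    print("ACI devices on a release before", FIXED_RELEASE, ":", unpatched)
    for fp, hosts in duplicates.items():
        print("key", fp, "shared by", hosts)
```

The version comparison is limited to ACI-mode devices on purpose: standalone NX-OS numbers its releases differently, so comparing it against 14.1(1i) would produce false positives. A key fingerprint that appears on more than one device is worth investigating regardless of release, since a shared key is the condition that made this advisory a 9.8.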
Also fixed in Cisco NX-OS Software 14.1(1i) was a “high” severity elevation of privilege flaw that allowed a local attacker with valid admin credentials for a device to execute arbitrary NX-OS commands as the root user.
This issue was caused by “overly permissive file permissions of specific system files”, according to Cisco.
Cisco’s Nexus 9000 Series ACI Mode Switch Software running pre-14.1(1i) NX-OS also doesn’t properly validate certificates sent between components of an ACI fabric.
This is a high-severity flaw that an attacker holding a certificate trusted by the Cisco Manufacturing certificate authority, together with the corresponding private key, could exploit by presenting that certificate while attempting to connect to the targeted device.
“An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device,” Cisco warned.
ERNW’s Matula also found a slightly less severe flaw in the Nexus 9000 ACI mode software that would allow a local attacker with valid credentials -- but without root privileges -- to use “symbolic links” to overwrite potentially sensitive system files.
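The symbolic-link class of bug described above arises when privileged code writes to a path that a less-privileged user can replace with a link. The guard below is an added example of the usual mitigation, not code from Cisco or from the article: it opens the destination with O_NOFOLLOW so the open fails if the final path component is a symlink, and confirms the descriptor refers to a regular file before writing. The demo scenario (a writable scratch file replaced by a link to a "protected" file in a temporary directory) is constructed for the example.

```python
import os
import stat
import tempfile


def write_without_following_symlinks(path, data, mode=0o600):
    """Write `data` to `path`, refusing if `path` is a symbolic link.

    O_NOFOLLOW makes open() fail with ELOOP when the last path component is a
    symlink, so a user who can only create links cannot redirect the write onto
    a file they could not otherwise modify. The fstat check confirms the
    descriptor is a regular file before any bytes are written.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        # ELOOP (symlink refused) or any other open failure: surface it clearly.
        raise PermissionError(f"refusing to write {path}: {exc}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a scratch path is a symlink to a protected file.
    Returns (content after naive write, guarded write refused?, content after guarded write)."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.conf")
        with open(protected, "w") as f:
            f.write("original\n")
        link = os.path.join(d, "scratch.log")
        os.symlink(protected, link)

        # The vulnerable pattern: a plain open() follows the link and
        # overwrites protected.conf instead of scratch.log.
        with open(link, "w") as f:
            f.write("clobbered\n")
        with open(protected) as f:
            naive_result = f.read()

        # Restore the file, then retry through the guarded writer.
        with open(protected, "w") as f:
            f.write("original\n")
        refused = False
        try:
            write_without_following_symlinks(link, b"clobbered\n")
        except PermissionError:
            refused = True
        with open(protected) as f:
            guarded_result = f.read()
        return naive_result, refused, guarded_result


if __name__ == "__main__":
    naive, refused, guarded = demo()
    print("naive write left protected.conf as:", naive.strip())
    print("guarded write refused:", refused, "; protected.conf now:", guarded.strip())
```

O_NOFOLLOW only protects the final path component; a directory higher up the path can still be a link, so code that writes into user-influenced directories should also open the directory itself and use the `dir_fd` forms of the os functions, or write to files only under directories that unprivileged users cannot modify.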