Cisco removed hardcoded credentials in WAAS software. Undocumented accounts are a frequent issue
9.6.18 securityaffairs Vulnerebility
Cisco has removed hardcoded credentials that were in Cisco Wide Area Application Services (WAAS), which is a software designed to optimize WAN traffic management.
The hardcoded credentials (CVE-18-0329) resides in the read-only SNMP community string in the configuration file of the SNMP daemon, they could be exploited by attackers to read any data that is accessible via SNMP on the affected device.
“A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to read data from an affected device via SNMP.” states the security advisory published by Cisco.
“The vulnerability is due to a hard-coded, read-only community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device.”
There are no workarounds that address this vulnerability.
The SNMP community string is hidden from administrators this means that there was no way to see the find the vulnerability during regular audits of the architecture.
The flaw was reported by the security researcher Aaron Blair while investigating the CVE-18-0352 WaaS vulnerability, a flaw that affects the Cisco Wide Area Application Services Software Disk Check Tool that could lead privilege escalation.
“A vulnerability in the Disk Check Tool (disk-check.sh) for Cisco Wide Area Application Services (WAAS) Software could allow an authenticated, local attacker to elevate their privilege level to root. The attacker must have valid user credentials with super user privileges (level 15) to log in to the device.” reads the security advisory.
“The vulnerability is due to insufficient validation of script files executed in the context of the Disk Check Tool. An attacker could exploit this vulnerability by replacing one script file with a malicious script file while the affected tool is running. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.”
This CVE-18-0352 vulnerability was a privilege escalation in the WaaS disk check tool, Blair exploited it to elevate his privilege to “root,” an access level that allowed him to discoverer the hidden SNMP community string inside the /etc/snmp/snmpd.conf file.
Unfortunately, hardcoded credentials and undocumented accounts are not uncommon in Cisco appliance, the company addressed similar issues in the Prime Collaboration Provisioning (PCP), in the CISCO IOS XE operating system, and the Digital Network Architecture (DNA) Center.