Cisco has released a bunch of security advisories with three of them rated at the company’s highest level of criticality. Those three vulnerabilities, relating to Cisco Digital Network Architecture (DNA) Center, include a backdoor account and two static username and password combinations that could allow someone to bypass the authentication system for Cisco Digital Network Architecture (DNA) Center.
The most critical and easily exploitable bug is called Cisco Digital Network Architecture Center Static Credentials Vulnerability and is designated CVE-2018-0222. The language in Cisco’s description is very plain.
The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.
In other words, anyone inside the network could log in and do whatever they want. At least they were undocumented.
Software vulnerabilities are a fact of life. Systems are complex and contain thousands of lines of code that were created by humans and they can make mistakes. But leaving hard coded user credentials in systems is close to unforgivable.
There are software updates to fix this problem but it’s still a major worry. We know that patching is a major issue for many companies so this flaw is likely to hang around in some systems for a while yet. And now that it’s public you can be sure threat actors will be looking for ways into your systems if you have some affected Cisco hardware. These are exactly the situations some criminals wait for. They can sit dormant and undetected in your systems looking for a vulnerability just like this.
There are several other issues in this set of updates, and they’re well explained by Bleeping Computer, who are a little more forgiving than I am.