Workaround available in the meantime

Jul 14, 2010 15:08 GMT

A serious security vulnerability has been discovered in Cisco Industrial Ethernet 3000 (IE 3000) Series switches running 12.2(52)SE or 12.2(52)SE1 versions of Cisco IOS. The vendor has scheduled an update to the software for next month and in the meantime has provided manual workaround instructions.

Just as their name suggests, the Cisco IE 3000 Series switches are designed for mission-critical industrial Ethernet applications like factory automation, energy and process control, or intelligent transportation systems. According to Cisco's own description, these devices “provide a rugged, easy-to-use, secure infrastructure for harsh environments.”

The 12.2(52)SE and 12.2(52)SE1 Cisco IOS Software releases contain hard-coded SNMP read-write community names, which act as passwords for managing and monitoring the device. “The security issue is caused due to the restoring of hardcoded read-write SNMP community names to the running configuration after a device reload,” an advisory published by vulnerability research company Secunia reads.

These community names are well known, and an attacker connected to the local network can use them to take complete control of the device. Because the vulnerability has a low access complexity, requires no authentication and can completely compromise the confidentiality, integrity and availability of the device, it carries the highest possible CVSS (Common Vulnerability Scoring System) base score of 10.

Cisco notes that only a limited number of switches are affected. Devices running 12.0, 12.1, 12.3, 12.4, 15.0 or 15.1 versions of IOS Software are not impacted by this flaw. Additionally, 12.2-based releases older than 12.2(52)SE are not affected either.

The vendor has released an advisory, which contains workaround instructions to disable the community names both manually and automatically. However, it is noted that the manual workaround is not persistent and has to be reapplied if the switch is rebooted.

“By creating an Embedded Event Manager (EEM) policy, it is possible to automatically remove the hard-coded SNMP community names each time the device is reloaded. […] Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the device interface or the border of networks,” the vendor advises.
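As an added illustration of the two points above (the manual fix not surviving a reload, and the EEM policy that reapplies it), the following script is not from the article or from Cisco: it audits a `show running-config` dump for read-write SNMP communities that an administrator has not approved, and generates a generic IOS EEM applet that removes them after each restart. The community names, hostname and ACL numbers are constructed placeholders, not the real hard-coded values, and the applet follows general EEM applet syntax rather than Cisco's published workaround verbatim.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output (placeholders only;
# the real hard-coded community names are not reproduced here).
SAMPLE_RUNNING_CONFIG = """\
hostname IE3000-LINE1
snmp-server community monitoring-ro RO 10
snmp-server community HARDCODED-RW-1 RW
snmp-server community HARDCODED-RW-2 RW
snmp-server community ops-rw RW 20
"""

# Community names the administrator has explicitly approved (assumed list).
APPROVED_COMMUNITIES = {"monitoring-ro", "ops-rw"}

# snmp-server community <name> [view <v>] RO|RW [<acl>]
_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$",
    re.MULTILINE,
)

def parse_snmp_communities(running_config: str) -> List[Dict[str, str]]:
    """Return every 'snmp-server community' line as {name, access, acl}."""
    return [
        {"name": m.group(1), "access": m.group(2), "acl": m.group(3) or ""}
        for m in _COMMUNITY_RE.finditer(running_config)
    ]

def unexpected_rw_communities(running_config: str, approved) -> List[str]:
    """RW community names in the config that nobody approved.
    Worth re-running after every reload: on the affected releases the
    manual 'no snmp-server community' fix does not survive a reboot."""
    return [
        c["name"] for c in parse_snmp_communities(running_config)
        if c["access"] == "RW" and c["name"] not in approved
    ]

def eem_removal_applet(names, applet: str = "SNMP-RW-CLEANUP") -> str:
    """Build an EEM applet that removes the given community names as soon
    as the switch logs SYS-5-RESTART, i.e. on each reload."""
    lines = [
        f"event manager applet {applet}",
        ' event syslog pattern "SYS-5-RESTART"',
        ' action 1.0 cli command "enable"',
        ' action 2.0 cli command "configure terminal"',
    ]
    for i, name in enumerate(names, start=3):
        lines.append(f' action {i}.0 cli command "no snmp-server community {name}"')
    lines.append(f' action {len(names) + 3}.0 cli command "end"')
    return "\n".join(lines)
```

Paste the generated applet into the running configuration and save it so the cleanup itself persists across reloads, which the manual workaround alone does not.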

You can follow the editor on Twitter @lconstantin