After Juniper and Fortinet, Cisco now also joins the "we use hardcoded credentials in our firmware" club

Jan 14, 2016 13:23 GMT

After hardcoded credentials were found and removed from Juniper and Fortinet networking products, it's now Cisco's turn to patch its devices and remove a backdoor account as well.

Yesterday, Cisco released several updates meant to fix a series of flaws in its products. Out of the five updates, one stood apart, especially after the recent disclosure of backdoors in networking products belonging to some of Cisco's biggest rivals, Juniper and Fortinet.

The vulnerability (CVE-2015-6336) relates to an account on Cisco's Aironet 1800 series access points, which would have allowed an attacker access to the devices via a series of credentials hardcoded in the device's firmware.

Cisco said that the account did not provide full administrative rights over the device, but would allow an attacker access to it nevertheless.

Cisco Aironet 1830e, 1830i, 1850e, and 1850i were affected by this issue, for which the company offered a software update to remove the account.

Last December, after Juniper disclosed the presence of a backdoor in its ScreenOS operating system installed on its firewall equipment, Cisco started a company-wide audit to search for similar issues.

Two other more dangerous flaws also fixed

But this wasn't even Cisco's biggest problem yesterday, because the company also fixed two highly critical security flaws, both receiving a score of 10 out of 10 on the CVSS severity scale.

The first (CVE-2015-6314) affects all devices running Cisco Wireless LAN Controller (WLC) software versions 7.6.120.0 or later, 8.0 or later, or 8.1 or later. This vulnerability would allow an unauthenticated, remote attacker access to the device and its configuration settings.

The second issue (CVE-2015-6323), also with a perfect 10 severity score, is a vulnerability in the admin portal of devices running Cisco Identity Services Engine (ISE) software (affected versions are 1.1 or later, 1.2.0 prior to patch 17, 1.2.1 prior to patch 8, 1.3 prior to patch 5, or 1.4 prior to patch 4).

This flaw also allows an unauthenticated, remote attacker to gain unauthorized access to affected devices and modify their configuration.

"A successful exploit may compromise the device completely," said Cisco's security team about both bugs.

Since Cisco announced there are no techniques or configuration settings that can be applied to mitigate these flaws, sysadmins are urged to patch their Cisco products as soon as possible.