Workaround available for the restriction bypass bug

Dec 4, 2018 21:39 GMT

A security restrictions bypass was discovered in the Cisco Energy Management Suite (CEMS), potentially allowing authenticated attackers to access and modify data on vulnerable machines.

CEMS is a software suite designed to provide its users with complete visibility of the energy use of all devices connected to the network used by the machine it is running on.

"The vulnerability is due to the installation of the PostgreSQL database with unchanged default access credentials. An attacker could exploit this vulnerability by logging in to the machine where CEMS is installed and establishing a local connection to the database," says Cisco's advisory.

The security issue, tracked as CVE-2018-0468 in the Common Vulnerabilities and Exposures database, can be exploited by local attackers, who also need to have access to an account and log in to it.

As detailed by Cisco in their vulnerability report and the patch release notes, "The fix for this vulnerability randomizes the database access password in new installations; however, the fix will not change the password for existing installations."

Cisco recommends making a full database backup before patching any vulnerable CEMS installation, as well as stopping any software running on the system that could interfere with the patch process.

No active exploitation campaigns detected by Cisco's PSIRT

Furthermore, "In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release."

Also, users of CEMS installations running on production machines can work around the issue by manually changing the default password of the PostgreSQL installation.

A step-by-step guide to help CEMS users reset the built-in PostgreSQL database password is available in the Release Notes document, in the "Reset PostgreSQL database password" section.

Additionally, Cisco's Product Security Incident Response Team (PSIRT) is not currently aware of any malicious use or public announcements regarding active exploitation of this security restriction bypass issue in the wild.