A high severity issue is affecting Cisco’s Network Assurance Engine (NAE) that could permit an attacker to use a flaw in its password-management system to take down an NAE server and cause a denial of service. The vulnerability could allow users who know the previous administrator password to login to the device through the CLI or execute a shutdown.
The bug has been dubbed as CVE-2019-1688 and the vulnerability is due to the user passwords changes from the web-management interface failing to propagate to the command-line interface (CLI), leaving the old default password in place in the CLI.
NAE is a data-center network management software used by the data centers or network operation centers to monitor their network changes and avoid application outages. The bug had affected only NAE version 3.0 (1), and so the older versions are safe.
It is possible for a local attacker to exploit the bug by authenticating using the default admin password on the CLI of an affected server. Then the hacker can view sensitive information and bring down the server.
The bug which is called “Cisco Network Assurance Engine CLI Access with Default Password Vulnerability” has been fixed in Cisco NAE Release 3.0(1a) but in order to fix the issue appropriately the users must change the admin password once they upgrade to that version. Those users who have upgraded to this version will not be affected.
Cisco also has a workaround for the bug where the default admin password can be changed from the CLI. But it is highly recommended for the users to contact the Technical Assistance Center to do this, so that the default password can be entered in a secure remote-support session.
Luckily there hasn’t been any live exploit of the flaw noted by the company’s security team.