Cisco removes weak default static credentials from its switches

Cisco released on Wednesday a bucketload of software updates for a wide variety of its products, fixing vulnerabilities of different types and severity.

But one is deemed critical: default static passwords have been found on the company’s Nexus 3000 Series Switches and Nexus 3500 Platform Switches.

The flaw affects the Cisco NX-OS Software running on those devices, and could be exploited by an unauthenticated, remote attacker to log in to the device with the privileges of the root user with bash shell access.

“The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system,” the company explained in the advisory.
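The advisory quoted above describes an account that exists from installation and is not part of any administrator's intended configuration. One way a defender turns that into a routine check is to parse the `username` lines of an NX-OS running-config and flag any account that is not on an approved allowlist, escalating when the unexpected account holds a privileged role. The script below is an added example written for this article, not Cisco's own tooling; the sample configuration is constructed, the account name of the vulnerable built-in user is not given on the page and is therefore not assumed, and the `username ... password 5 <hash> role <role>` line format is the one NX-OS uses in `show running-config`.

```python
"""Audit NX-OS-style 'username' lines from a running-config against an allowlist.

Added example (not from the Cisco advisory). Sample config below is constructed.
"""
import re
from dataclasses import dataclass

# NX-OS running-config account lines look like:
#   username <name> password 5 <hash> role <role>
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+(?P<ptype>\d)\s+(?P<secret>\S+)"
    r"(?:\s+role\s+(?P<role>\S+))?\s*$"
)

# Roles that grant full administrative control on NX-OS.
PRIVILEGED_ROLES = frozenset({"network-admin"})


@dataclass(frozen=True)
class Finding:
    name: str
    role: str
    privileged: bool
    reason: str


def parse_accounts(config_text: str) -> list[tuple[str, str]]:
    """Return (name, role) for every local account line in the config."""
    accounts = []
    for raw in config_text.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if m:
            accounts.append((m["name"], m["role"] or "unknown"))
    return accounts


def audit_accounts(config_text: str, allowlist: set[str]) -> list[Finding]:
    """Flag every local account that is not explicitly approved.

    An account nobody on the team created (for example one baked in at
    installation) shows up here even when its name is not known in advance.
    """
    findings = []
    for name, role in parse_accounts(config_text):
        if name in allowlist:
            continue
        privileged = role in PRIVILEGED_ROLES
        reason = "account not in approved allowlist"
        if privileged:
            reason += " and holds a privileged role"
        findings.append(Finding(name, role, privileged, reason))
    return findings


# Constructed sample: two approved accounts plus one nobody on the team created.
CONSTRUCTED_CONFIG = """
hostname nx3k-lab
username admin password 5 $5$CONSTRUCTED$hashvalue role network-admin
username netops password 5 $5$CONSTRUCTED$hashvalue role network-operator
username svc-unknown password 5 $5$CONSTRUCTED$hashvalue role network-admin
interface mgmt0
"""

APPROVED = {"admin", "netops"}

if __name__ == "__main__":
    for f in audit_accounts(CONSTRUCTED_CONFIG, APPROVED):
        level = "HIGH" if f.privileged else "MEDIUM"
        print(f"[{level}] {f.name} (role={f.role}): {f.reason}")
```

Feed it the text of `show running-config` collected over your normal management channel; because the check is allowlist-based rather than blocklist-based, it surfaces an unexpected built-in account without needing to know its name beforehand, which is exactly the situation this advisory describes.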

The provided updates fix this flaw and two high-severity DoS vulnerabilities in the software, affecting these and other series of Cisco switches, as well as the company’s Unified Computing System.

Cisco says that there is no indication that the static password vulnerability has been exploited in attacks in the wild, and that it was discovered during resolution of a customer case handled by its Technical Assistance Center (TAC).

Among the high-severity holes also plugged this time are a DoS flaw affecting the web proxy framework of the Cisco Web Security Appliance, and the recently discovered flaws in the GNU C library (aka “glibc”) and the OpenSSL library, the latter of which compound the seriousness of the TLS-breaking DROWN attack.

A number of Cisco products incorporate a version of glibc and OpenSSL that may be affected by these vulnerabilities.
