Cisco has once again made it to the news, but this time not for bug fixes: it has disclosed a security breach. Criminals targeted Cisco servers by exploiting the SaltStack vulnerabilities.
Cisco Security Breach
Cisco has announced a security breach affecting part of its IT infrastructure. Specifically, the breach affected some of the servers that make up the backend infrastructure of Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE).
In its advisory, Cisco noted that the affected servers were running the vulnerable salt-master service. The two SaltStack vulnerabilities disclosed earlier this month therefore gave the attackers their way into the Cisco servers.
As stated in the advisory,
Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of these vulnerabilities in the wild.
The breach affected the Cisco Modeling Labs Corporate Edition (CML) and VIRL-PE.
Specifically, the affected servers were serving Cisco VIRL-PE releases 1.2 and 1.3. The compromised servers are:
- us-1.virl.info
- us-2.virl.info
- us-3.virl.info
- us-4.virl.info
- vsm-us-1.virl.info
- vsm-us-2.virl.info
Cisco Released Fixes
Cisco became aware of the vulnerabilities earlier this month and patched all of the compromised servers on May 7, 2020.
According to the vendor, the two products, Cisco CML and VIRL-PE, can run either as a standalone deployment or in cluster mode. Cisco has provided fixes for both deployment options in Cisco CML and Cisco VIRL-PE software release 2.0, which does not run the salt-master service.
Given the exploitation attempts in the wild, Cisco has urged all users to update to the fixed software releases immediately. To find out whether a deployment is exposed, users can check the salt-master service status using the instructions given in Cisco's advisory.
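The advisory's own check is not reproduced here, but the idea of it is simple: find out whether a CML or VIRL-PE host still has salt-master running and reachable before deciding whether it needs the upgrade. The script below is an added example written for this article, not Cisco's or SaltStack's code. It assumes a systemd-based Linux host with `systemctl` and `ss` available (an assumption), and it parses `ss -lnt` style output for SaltStack's well-known default ports, 4505 (publisher) and 4506 (request server). The listing embedded in the script is constructed sample data so the parser can be exercised offline; the live host check only runs when the script is invoked with `--check-host`.

```shell
#!/bin/sh
# Added example: detect a still-running salt-master on a CML/VIRL-PE host.
# Not from Cisco's advisory; assumes a systemd host with `systemctl` and `ss`.

# SaltStack's default ZeroMQ ports: 4505 (publish) and 4506 (request server).
SALT_PORTS="4505 4506"

# Constructed sample listing in `ss -lnt` format (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port). Used only for the offline demo.
SAMPLE_LISTING='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 [::]:4506 [::]:*'

# salt_listen_ports LISTING
#   Prints each default Salt port that appears as a listening socket in the
#   given `ss -lnt` style listing, one per line. Exit status 0 if at least one
#   was found, 1 otherwise. Only the local-address column (field 4) is matched,
#   anchored on ":PORT" so that e.g. :14505 is not mistaken for :4505.
salt_listen_ports() {
    listing="$1"
    found=1
    for port in $SALT_PORTS; do
        if printf '%s\n' "$listing" | \
           awk -v p="$port" '$1 == "LISTEN" && $4 ~ (":" p "$") { f = 1 } END { exit f ? 0 : 1 }'; then
            echo "$port"
            found=0
        fi
    done
    return $found
}

# check_host
#   Live check of this machine: reports the salt-master unit state and whether
#   the Salt ports are listening, then says what that means for the upgrade.
check_host() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active salt-master 2>/dev/null || true)
        echo "salt-master unit: ${state:-unknown}"
    fi
    if command -v ss >/dev/null 2>&1; then
        if ports=$(salt_listen_ports "$(ss -lnt 2>/dev/null)"); then
            echo "Salt ports listening:" $ports
            echo "This host still runs salt-master: move to a release without it (CML/VIRL-PE 2.0) or patch Salt."
        else
            echo "No Salt ports listening on this host."
        fi
    fi
}

# Offline demo against the constructed listing; run with --check-host for a live check.
case "${1:-}" in
    --check-host) check_host ;;
    *) echo "Salt ports in sample listing:" $(salt_listen_ports "$SAMPLE_LISTING") ;;
esac
```

Run it with no arguments to see the parser work on the constructed listing, or with `--check-host` on a CML/VIRL-PE node. A host that shows the unit active or either port listening is still running the component the breach went through and should be upgraded.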
The SaltStack vulnerabilities surfaced online earlier this month. Shortly after the disclosure, hackers began exploiting the bugs against various corporate networks. LineageOS (a mobile OS vendor), DigiCert (a certificate authority), the Ghost blogging platform, Xen Orchestra, and the Algolia search service have all reported attacks.