Cisco has recently addressed a serious vulnerability affecting its vWAAS product. Exploiting the bug could give admin rights to an unauthenticated attacker.
Cisco vWAAS Vulnerability
Reportedly, a critical severity vulnerability existed in the Cisco Virtual Wide Area Application Services (vWAAS). Cisco vWAAS is a WAN optimization solution that facilitates managing business apps in virtual cloud infrastructure.
Describing the details in an advisory, Cisco stated,
A vulnerability in Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password.
As revealed, the bug existed because of default, static passwords in user accounts. Hence, anyone could log into the CLI with the default password to access with administrator privileges.
Though, successful exploitation of the bug required the attacker to fulfill certain requirements. Yet, it was not entirely difficult to achieve that.
Cisco has labeled this vulnerability, CVE-2020-3446, a critical severity bug with CVSS score of 9.8.
Cisco Released The Fix
The vulnerability affected the Cisco ENCS 5400-W Series and CSP 5000-W Series appliances. That too, only if they run Cisco vWAAS with NFVIS-bundled image releases 6.4.5, or 6.4.3d and earlier.
Following the discovery of the bug, Cisco rolled out a patch for it with the release of Cisco vWAAS with NFVIS-bundled image release 6.4.3e, 6.4.5a, and later releases.
Hence, users must ensure updating their devices to the patched versions to stay safe.
While the fixes are out, the vendors have also confirmed no active exploitation of the flaw.
Earlier this month, Cisco also addressed numerous vulnerabilities in the Data Center Network Manager (DCNM). These included multiple critical, high-severity, and medium severity flaws leading to different consequences.
Let us know your thoughts in the comments.