CVE-2020-3446 default credentials bug exposes Cisco ENCS, CSP Appliances to hack

Cisco addressed a critical default credentials vulnerability (CVE-2020-3446) affecting some configurations of its ENCS 5400-W series and CSP 5000-W series appliances.

Cisco fixed a critical default credentials vulnerability impacting some configurations of its ENCS 5400-W series and CSP 5000-W series appliances.

Cisco Wide Area Application Services (WAAS) is technology developed by Cisco Systems that optimizes the performance of any TCP-based application operating in a wide area network (WAN) environment while preserving and strengthening branch security. WAAS combines WAN optimization, acceleration of TCP-based applications, and Cisco’s Wide Area File Services (WAFS) in a single appliance or blade.

The Cisco Cloud Services Platform for WAAS (CSP-W) is a Cisco open x86 hardware platform for deployment of Cisco datacenter network functions virtualization (VNFs). 

The Cisco Enterprise Network Compute System (ENCS) is a hybrid platform for branch deployment and for hosting WAAS applications.

Cisco experts revealed that the virtual WAAS (vWAAS) with Enterprise NFV Infrastructure Software (NFVIS)-bundled images for ENCS 5400-W series and 5000-W series appliances includes a default, static password.

The vulnerability, tracked as CVE-2020-3446, could be exploited by a remote, unauthenticated attacker using the the default with static password to log into the NFVIS command line interface (CLI) with administrator privileges.

“A vulnerability in Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password.” reads the security advisory published by Cisco. “The vulnerability exists because the affected software has user accounts with default, static passwords. An attacker with access to the NFVIS CLI of an affected device could exploit this vulnerability by logging into the CLI. A successful exploit could allow the attacker to access the NFVIS CLI with administrator privileges.”

The vulnerability, rated as critical, has received a CVSS Score of 9.8. The issue can be exploited by an attacker who can connect to the targeted device’s NFVIS CLI.

According to Cisco, an attacker could connect to the device’s NFVIS CLI through:

• The Ethernet management port for the CPU on an affected ENCS 5400-W Series appliance. This interface might be remotely accessible if a routed IP is configured.
• The first port on the four-port I350 PCIe Ethernet Adapter card on an affected CSP 5000-W Series appliance. This interface might be remotely accessible if a routed IP is configured.
• A connection to the vWAAS software CLI and a valid user credential to authenticate on the vWAAS CLI first.
• A connection to the Cisco Integrated Management Controller (CIMC) interface of the ENCS 5400-W Series or CSP 5000-W Series appliance and a valid user credential to authenticate to the CIMC first.

Cisco confirmed that the flaw does not impact standalone NFVIS running on Cisco ENCS 5000 Series and Cisco CSP 5000 Series devices, and it does not affect standalone vWAAS software or WAAS software running on Cisco Wide Area Virtualization Engine (WAVE) appliances.

The IT giant is not aware of any attacks in the wild exploiting the CVE-2020-3446 flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-3446)

[adrotate banner=”5″]

[adrotate banner=”13″]