A flaw in CISCO Universal Small Cell allows firmware retrieval

Pierluigi Paganini February 15, 2016

A flaw affecting the Cisco Universal Small Cell devices allows unauthenticated remote users to retrieve devices’ firmware, so Cisco urges patching these systems.

Other problems for the IT giant Cisco, the company is asking service providers using its Universal Small Cell solutions to update their systems and install a patch to solve a serious security issue.

The Cisco Universal Small Cell family is designed to help operators to integrate 3G and 4G small cell services into the IT infrastructure. The presence of the security issue could allow an unauthenticated remote attacker to access devices’ firmware and make a copy.

“A vulnerability in Cisco Universal Small Cell devices could allow an unauthenticated, remote attacker to retrieve firmware from a Cisco-hosted binary server.” states the Cisco’s advisory.

The advisory highlights a problem in the binary server that wasn’t properly enforcing the two-way certificate validation process, this means that the firmware retrieval process is not restricted to Universal Small Cell devices.

As a consequence, if an attacker is able to retrieve a valid key from a Universal Small Cell device he is able to decrypt the binary images and access information it contains, including the service provider configuration hints file that usually contains reserved information.

Of course, this information could be used by a threat actor to attack the Universal Small Cell devices of a specific service provider.

“The vulnerability is due to insufficient enforcement of the two-way certificate validation process by the Cisco-hosted binary server to ensure that only Cisco Universal Small Cell devices are able to download the firmware images and service provider configuration hints file. ” continues the advisory.”The hints file contains IP addresses of the device’s provisioned service provider Cisco Universal Small Cell RAN Management System. The binary images retrieved from the image distribution service could be decrypted by an attacker who has previously retrieved a valid key from the flash of a Cisco Universal Small Cell device.”

CISCO universal small cell kits

 

If your organization is using a Cisco Universal Small Cell solution you need to apply the patch asap.

Recently another flaw in Cisco ASA Software alerted the security industry, its exploitation could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

Stay Tuned

Pierluigi Paganini

(Security Affairs – Cisco Universal Small Cell, hacking)



you might also like

leave a comment