Cisco automation code needs manual patch
Default and leaky creds, remote code execution and more
In Cisco's weekly security update list, there are three critical bugs affecting its Elastic Services Controller and Ultra Services Framework.
Switchzilla warns its Elastic Services Controller (a network function virtualisation management environment) has static default credentials that would let a remote attacker log into the controller's UI.
The credentials are shared between multiple installations, meaning a miscreant “could generate an admin session token that allows access to all instances of the ESC web UI”.
There's also a privilege escalation bug: the user tomcat has access to shell commands that let that user overwrite any file on the system and elevate their privilege to root.
The first bug in the Ultra Services Framework (USF) is an insecure configuration of the Apache ZooKeeper service used by the USF automation service, which again is remotely exploitable if the attacker can get at the orchestrator network.
The framework also has a bug in its staging server: a goof in shell invocations means an unauthenticated remote attacker can craft “CLI command inputs to execute Linux shell commands as the root user.”
There's also a credential disclosure bug in the USF's AutoVNF: it logs admin credentials in clear text, which an attacker can retrieve if they know the logfile's URL.
The same product also has a symbolic link error that exposes the system to arbitrary file read and malicious code execution. ®