Cisco bugs leave network automation vulnerable to attack
Packet snooping, certificate slip, and denial-of-service
A slip in certificate handling is one of three bugs in Cisco's Autonomic Networking software.
As its name implies, Autonomic Networking is about reducing the load on network administrators by offering self-management for suitable switches and routers under suitable versions of the IOS operating system.
And then, as they say, the murders began: Autonomic Networking uses infrastructure certificates to verify nodes in the system, and that's where the problem has emerged.
It starts with this advisory: a mistake in infrastructure certificate revocation.
In Cisco IOS XE, the bug could let an unauthenticated, remote autonomic node back into a network after its certificate has been revoked.
That's because the software doesn't transfer certificate revocation lists across Autonomic Control Plane (ACP) channels. An attacker with access to the remote node, even if its certificate has been revoked, can re-insert the revoked node into the autonomic domain.
The bug affects devices that are running “Release 16.x of Cisco IOS XE Software and are configured to use Autonomic Networking”.
The only option for affected admins is to manually check that the “bad node's” certificate has been deleted properly, and then update the Autonomic Networking whitelist file.
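To make the revocation gap concrete, here is an added illustration (not Cisco's code, and not from the advisory) using the Python `cryptography` package: a domain CA standing in for the registrar issues node certificates and a CRL, and `admit_node` shows that a node which never received the CRL still accepts a revoked peer, while a node holding the CRL rejects it. All names and certificates in it are constructed for the example.

```python
# Added illustration of the CRL-propagation gap; names and certs are constructed, not Cisco's.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn="example-domain-registrar"):
    # Self-signed domain CA standing in for the registrar's infrastructure CA.
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=1)).not_valid_after(NOW + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_node_cert(ca_key, ca_cert, node_cn):
    # Infrastructure certificate for one autonomic node (the node's private key is not needed here).
    node_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(node_cn)).issuer_name(ca_cert.subject)
            .public_key(node_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=1)).not_valid_after(NOW + timedelta(days=1))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_certs):
    # CRL signed by the domain CA listing the serial numbers of the revoked node certificates.
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for cert in revoked_certs:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def admit_node(node_cert, ca_cert, crl=None):
    # Admission check a node performs on a peer; crl=None models a node the CRL never reached.
    try:
        ca_cert.public_key().verify(node_cert.signature, node_cert.tbs_certificate_bytes,
                                    ec.ECDSA(node_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False  # not issued by the domain CA
    if crl is None:
        return True  # no revocation data available, so a revoked cert still passes
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False  # reject a CRL the domain CA did not sign
    return crl.get_revoked_certificate_by_serial_number(node_cert.serial_number) is None
```

The last branch is the check that only helps when the CRL actually reaches every node; the `crl=None` path is the behaviour the advisory describes.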
The other two bugs are both still unpatched. In the first, an information disclosure flaw, an unauthenticated, adjacent attacker can view control plane packets in clear text. So far, there's no fix available.
In the second, attackers can crash adjacent IOS and IOS XE Autonomic Networking nodes. Cisco doesn't yet know what causes the bug, but an attacker who has captured packets (by exploiting the information disclosure bug, for example) can replay them to reset the system's ACP channel. Again, users will have to keep an eye out for when a fix lands. ®