Cisco NFV controller is a bit too elastic: It has an empty password bug
Critical patch lands for that, UCS Domain Manager flaw, dirty dozen lesser messes fixed
Cisco's Elastic Services Controller's release 3.0.0 software has a critical vulnerability: it accepts an empty admin password.
The Elastic Services Controller (ESC) is Cisco's automation environment for network function virtualisation (NFV), providing VM and service monitoring, automated recovery and dynamic scaling.
Cisco's advisory about the flaw explains the bug is in ESC's Web service portal: “An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal.”
Once past the (non)-authentication, the attacker has administrative rights to “execute arbitrary actions” on the target system.
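How an "empty password is accepted" check tends to arise, and what the fix looks like, as an added illustration that is not ESC's code and is not taken from Cisco's advisory. The account store, user names, the `vulnerable_login`/`hardened_login` functions and the PBKDF2 choice are all assumptions made for the example; the only thing it shares with the advisory is the behaviour: an account provisioned without a password carries an empty verifier, a helper short-circuits on empty input and also returns an empty verifier, and the two compare equal.

```python
import hashlib
import hmac
import os

# Constructed sample account store (hypothetical, not Cisco's). "admin" was
# provisioned without ever setting a password, so its verifier is the empty
# string. "ops" has a real password derived the way a correct install would.
def _pbkdf2(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


_OPS_SALT = os.urandom(16)
USERS = {
    "admin": {"salt": b"", "hash": ""},
    "ops": {"salt": _OPS_SALT, "hash": _pbkdf2("correct horse", _OPS_SALT)},
}


def _verifier_vulnerable(password: str, salt: bytes) -> str:
    # The bug: an "empty input needs no work" shortcut returns "" for an empty
    # submission, which is exactly the verifier an unset account carries.
    if not password:
        return ""
    return _pbkdf2(password, salt)


def vulnerable_login(user: str, password: str) -> bool:
    """Accepts the empty password for any account whose verifier was never set."""
    rec = USERS.get(user)
    if rec is None:
        return False
    # For "admin" this compares "" with "", so the empty submission authenticates.
    return hmac.compare_digest(rec["hash"], _verifier_vulnerable(password, rec["salt"]))


def hardened_login(user: str, password: str) -> bool:
    """Fails closed: an empty submission and an account with no verifier are
    both rejected before any comparison is attempted."""
    rec = USERS.get(user)
    if rec is None or not password or not rec["hash"]:
        return False
    return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))


if __name__ == "__main__":
    print("vulnerable admin / ''        :", vulnerable_login("admin", ""))       # True
    print("hardened   admin / ''        :", hardened_login("admin", ""))         # False
    print("hardened   ops   / real pass :", hardened_login("ops", "correct horse"))  # True
```

The two guards in `hardened_login` are the point: rejecting an empty submission stops the attack described in the advisory, and rejecting an account whose verifier is unset stops the same class of bug reappearing through any other helper that happens to map "nothing" to an empty string.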
Only ESC software release 3.0.0 is affected, and the vuln has been patched. The bug's been assigned CVE-2018-0121.
The Borg's latest patchfest also included a critical-rated bug in Cisco's Unified Communications Domain Manager that lets a successful attacker execute code remotely.
The vulnerability stems from insecure key generation during application configuration on the Domain Manager, and an attacker could use “a known insecure key value to bypass security protections”. The bug affects Unified Communications Domain Manager versions prior to 11.5(2).
Thursday's announcements included another 12 lower-rated vulnerabilities, listed here. ®