Cisco Network Assurance Engine bug could allow attackers who know previous passwords to gain access to the device
- A bug named ‘Cisco Network Assurance Engine CLI Access with Default Password Vulnerability’ has been discovered which affects NAE version 3.0(1).
- This vulnerability allows unauthenticated users to gain unauthorized access to the device via CLI using previous passwords.
A vulnerability was spotted in the web interface of Cisco Network Assurance Engine (NAE). This vulnerability affects Network Assurance Engine (NAE) version 3.0(1). Cisco NAE is a management software used by data center networks to monitor the entire network for consistency and compliance.
Gain access with old passwords
The vulnerability titled ‘Cisco Network Assurance Engine CLI Access with Default Password Vulnerability’ allows unauthenticated users to gain unauthorized access to the device via CLI using previous passwords. This implies that the vulnerability could allow an attacker who knows previous passwords to gain access to the device and cause Denial of Service (DoS) on the server.
Source of the vulnerability
Cisco disclosed that the vulnerability was detected during internal security testing and that the bug is due to a fault in the password management system of Network Assurance Engine (NAE).
“An attacker could exploit this vulnerability by authenticating with the default administrator password via the CLI of an affected server. A successful exploit could allow the attacker to view potentially sensitive information or bring the server down, causing a DoS condition,” Cisco stated in its advisory.
Cisco has released a software update to patch this vulnerability. This vulnerability has been fixed in Network Assurance Engine (NAE) version 3.0(1a).
Cisco noted that after upgrading to NAE version 3.0(1a), users should change the administrator password from the management web interface in order to fix the vulnerability.
“The default administrator password can be changed from the CLI by setting a new password with the ‘passwd’ command,” Cisco said.