Cisco has revealed that its Nexus 9000 fabric switches have a critical flaw that could allow anyone to remotely connect to a vulnerable device using Secure Shell (SSH) and control it with root user privileges.
The company disclosed the bug on Tuesday and has given it a severity rating of 9.8 out of 10.
The issue stems from SSH key management in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. Cisco mistakenly put a default SSH key pair in the devices that an attacker could grab by connecting to the device over IPv6.
“An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user,” Cisco explains, noting it can’t be exploited over IPv4.
The bug was found by external security researcher Oliver Matula from ERNW Enno Rey Netzwerke.
There are no workarounds, so Cisco is encouraging customers to update the software.
The bug affects 9000 Series Fabric Switches in ACI mode that are running a Cisco NX-OS Software release earlier than 14.1(1i).
Cisco also has fixes available for several other vulnerabilities affecting the Nexus 9000 software, all of which affect systems running Cisco NX-OS Software releases prior to 14.1(1i).
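Because every advisory here hinges on the same cut-off release, the practical first step for an operator is checking an inventory of ACI-mode switches against 14.1(1i). The script below is an added example written for this article, not Cisco tooling: it parses release strings in the major.minor(maintenance+letter) form the advisory uses, compares them to the fixed release, and lists the ACI-mode devices still on an earlier release. The inventory records and hostnames are constructed sample data, and the assumption that the trailing letter orders alphabetically within a maintenance number is the script's own.

```python
import re
from typing import Dict, List, NamedTuple

# First fixed release named in the Cisco advisory text.
FIXED_RELEASE = "14.1(1i)"

# Matches release strings such as 14.1(1i) or 9.2(3); the trailing letter is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


class NxosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    rebuild: str  # trailing letter, e.g. 'i' in 14.1(1i); '' when absent


def parse_version(text: str) -> NxosVersion:
    """Parse an NX-OS release string such as '14.1(1i)' into comparable parts."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS version string: {text!r}")
    major, minor, maint, letter = m.groups()
    return NxosVersion(int(major), int(minor), int(maint), letter)


def is_affected(version_text: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release sorts before the first fixed release.

    Tuple comparison is lexicographic, so 13.2(3n) < 14.0(2c) < 14.1(1h) < 14.1(1i).
    Ordering rebuild letters alphabetically is an assumption of this example.
    """
    return parse_version(version_text) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the sorted hostnames of ACI-mode devices that still need the update.

    The advisories in the article concern ACI mode, so devices recorded in any
    other mode are left out of the result rather than flagged.
    """
    affected = []
    for device in inventory:
        if device["mode"] != "ACI":
            continue
        if is_affected(device["version"]):
            affected.append(device["host"])
    return sorted(affected)


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "leaf-101", "mode": "ACI", "version": "13.2(3n)"},
    {"host": "leaf-102", "mode": "ACI", "version": "14.0(2c)"},
    {"host": "spine-201", "mode": "ACI", "version": "14.1(1i)"},
    {"host": "spine-202", "mode": "ACI", "version": "14.1(2g)"},
    {"host": "dc-core-1", "mode": "standalone", "version": "9.2(3)"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running a release earlier than {FIXED_RELEASE}, update required")
```

Feeding the script a real inventory export (hostname, mode, running release) in place of the constructed list gives a quick list of devices to schedule for the upgrade; any string the parser does not recognise raises an error rather than being silently treated as safe.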
ERNW’s Matula also reported a medium-severity path traversal flaw in the Nexus 9000 ACI mode software that would allow a local attacker with valid credentials to use ‘symbolic links’ to overwrite potentially sensitive system files.
Another fix in Cisco NX-OS Software 14.1(1i) is a high-severity elevation of privilege flaw that allowed a local attacker with valid admin credentials for a device to execute arbitrary NX-OS commands as the root user.
“The vulnerability is due to overly permissive file permissions of specific system files. An attacker could exploit this vulnerability by authenticating to an affected device, creating a crafted command string, and writing this crafted string to a specific file location,” Cisco explains.
Pre-14.1(1i) NX-OS also wasn’t properly validating TLS client certificates sent between components of an ACI fabric.
An attacker with a certificate that is trusted by the Cisco Manufacturing certificate authority and the corresponding private key could present a valid certificate while attempting to connect to the targeted device.
“An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device,” Cisco notes.