-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2445.3
  Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches
                  Firmware and Cisco FindIT Network Probe
                               18 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business 250/350/350X/550X Series Switches
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-sb-switches-findit

Revision History:  October 18 2019: Vendor updated details on password and
                                    software issues
                   July    10 2019: Updated first vulnerable releases
                                    information
                   July     4 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches
Firmware and Cisco FindIT Network Probe

Priority:        Informational
Advisory ID:     cisco-sa-20190703-sb-switches-findit
First Published: 2019 July 3 16:00 GMT
Last Updated:    2019 October 16 17:21 GMT
Version 1.2:     Final

Summary

  o On June 3, 2019, SEC Consult, a consulting firm for the areas of cyber and
    application security, contacted the Cisco Product Security Incident
    Response Team (PSIRT) to report the following issues that they found in
    firmware images for Cisco Small Business 250 Series Switches:

      - Certificates and keys issued to Futurewei Technologies
      - Empty password hashes
      - Unneeded software packages
      - Multiple vulnerabilities in third-party software (TPS) components

    Cisco PSIRT investigated each issue, and the following are the
    investigation results:

    Certificates and Keys Issued to Futurewei Technologies

    An X.509 certificate with the corresponding public/private key pair and the
    corresponding root CA certificate were found in Cisco Small Business 250
    Series Switches firmware. SEC Consult calls this the "House of Keys." Both
    certificates are issued to third-party entity Futurewei Technologies, a
    Huawei subsidiary.

    The certificates and keys in question are part of the Cisco FindIT Network
    Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X
    Series Switches firmware. These files are part of the OpenDaylight open
    source package. Their intended use is to test the functionality of software
    using OpenDaylight routines. The Cisco FindIT team used those certificates
    and keys for their intended testing purpose during the development of the
    Cisco FindIT Network Probe; they were never used for live functionality in
    any shipping version of the product. All shipping versions of the Cisco
    FindIT Network Probe use dynamically created certificates instead.

    The inclusion of the certificates and keys from the OpenDaylight open
    source package in shipping software was an oversight by the Cisco FindIT
    development team. Cisco has removed those certificates and associated keys
    from FindIT Network Probe software and Small Business 250, 350, 350X, and
    550X Series Switches firmware starting with the releases listed later in
    this advisory.

    Empty Password Hashes

    The /etc/passwd file included in Cisco Small Business 250, 350, 350X, and
    550X Series Switches firmware has empty password hashes for the users root
    and user. The /etc/passwd file is not consulted during user authentication
    by Small Business 250, 350, 350X, and 550X Series Switches firmware.
    Instead, a dedicated alternate user database is used to authenticate users
    that log in to either the CLI or the web-based management interface of
    Small Business 250, 350, 350X, and 550X Series Switches. A potential
    attacker with access to the base operating system on an affected device
    could exploit this issue to elevate privileges to the root user.
    However, Cisco is not currently aware of a way to access the base operating
    system on these switches. Starting with the releases listed later in this
    advisory, Cisco has replaced the empty hashes in Cisco Small Business 250,
    350, 350X, and 550X Series Switches firmware with hashes of randomly
    generated passwords that are created during initial boot.

    Unneeded Software Packages

    An attacker who gains access to the CLI of the base operating system may be
    able to misuse the gdbserver and tcpdump packages that are included in
    Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware as
    part of the base operating system. Cisco is not currently aware of a way to
    access this part of the system on these switches. Cisco has removed the
    gdbserver and tcpdump packages from Cisco Small Business 250, 350, 350X,
    and 550X Series Switches firmware starting with the releases listed later
    in this advisory.

Affected Products

  o Certificates and Keys Issued to Futurewei Technologies

    The certificates and keys from the OpenDaylight open source package are
    included in the following Cisco products:

      - FindIT Network Probe versions 1.0.0 and 1.0.1
      - Firmware versions 2.4.5.71 through 2.5.0.82 for the following Cisco
        products:
          - 250 Series Smart Switches
          - 350 Series Managed Switches
          - 350X Series Stackable Managed Switches
          - 550X Series Stackable Managed Switches

    Empty Password Hashes/Unneeded Software Packages

    The empty password hashes for the users root and user and the unneeded
    gdbserver package are included in all firmware versions prior to the first
    fixed release; the tcpdump package is included in firmware versions
    2.4.5.71 and later, prior to the first fixed release. This applies to the
    following Cisco products:

      - 250 Series Smart Switches
      - 350 Series Managed Switches
      - 350X Series Stackable Managed Switches
      - 550X Series Stackable Managed Switches

Products Confirmed Not Affected

  o Only products listed in the Affected Products section of this advisory are
    known to be affected by these issues.
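A practical way to verify the three findings above (embedded keys and certificates, empty password fields for root and user, and the gdbserver/tcpdump binaries) is to audit the unpacked firmware root filesystem directly rather than trust version strings. The script below is an added example written for this bulletin, not code from Cisco, SEC Consult or the advisory. Everything it scans is constructed inline: the passwd entries, the PEM blobs (placeholders, not real key material) and the file locations such as opt/findit/keys.pem are assumptions chosen for illustration, not where the material sits in the real image.

```python
"""Audit an unpacked firmware rootfs for the issues in the Cisco advisory:
empty passwd fields, PEM keys/certificates baked into the image, and
debugging/capture binaries. Added example; the sample image is constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Packages the advisory says were removed from fixed firmware.
UNWANTED_BINARIES = {"gdbserver", "tcpdump"}

# One PEM block; group 1 is the BEGIN label and must be repeated in the END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+?)-----.*?-----END \1-----", re.S)

# Constructed /etc/passwd mirroring the finding: root and user have an empty
# password field; the other accounts are shadowed ('x') or locked ('*').
SAMPLE_PASSWD = (
    "root::0:0:root:/root:/bin/sh\n"
    "user::1000:1000:user:/home/user:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)

# Constructed blob with placeholder PEM bodies (not real key material).
SAMPLE_KEY_BLOB = (
    b"\x7fELF\x00padding\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIBPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    b"-----BEGIN CERTIFICATE-----\nMIICPLACEHOLDER\n-----END CERTIFICATE-----\n"
)


def empty_password_accounts(passwd_text):
    """Return (name, uid) for passwd(5) entries whose password field is empty.
    'x' defers to /etc/shadow and '*' or '!' lock the account; only a truly
    empty field (login without a password) is reported."""
    hits = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd record
        name, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            hits.append((name, int(uid)))
    return hits


def embedded_pem_blocks(data):
    """Return (label, is_private_key, sha256) for every PEM block in a blob.
    The digest covers the whole PEM text, so the same key or certificate in
    two images yields the same fingerprint for cross-image comparison."""
    found = []
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        digest = hashlib.sha256(match.group(0)).hexdigest()
        found.append((label, label.endswith("PRIVATE KEY"), digest))
    return found


def audit_rootfs(root):
    """Walk an unpacked rootfs without following symlinks and collect findings."""
    root = Path(root)
    report = {"empty_passwords": [], "pem_blocks": [], "unwanted_binaries": []}
    passwd = root / "etc" / "passwd"
    if passwd.is_file():
        report["empty_passwords"] = empty_password_accounts(
            passwd.read_text(errors="replace"))
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # a symlink in an image may point outside it
            rel = path.relative_to(root).as_posix()
            if name in UNWANTED_BINARIES:
                report["unwanted_binaries"].append(rel)
            data = path.read_bytes()
            if b"-----BEGIN " in data:  # cheap pre-filter before the regex
                for label, private, digest in embedded_pem_blocks(data):
                    report["pem_blocks"].append((rel, label, private, digest))
    for key in report:
        report[key].sort()
    return report


def build_sample_rootfs(root):
    """Populate a directory with the constructed sample image (paths assumed)."""
    root = Path(root)
    layout = {
        "etc/passwd": SAMPLE_PASSWD.encode(),
        "usr/bin/gdbserver": b"\x7fELF placeholder",
        "usr/sbin/tcpdump": b"\x7fELF placeholder",
        "bin/busybox": b"\x7fELF placeholder",
        "opt/findit/keys.pem": SAMPLE_KEY_BLOB,
    }
    for rel, content in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


def demo():
    """Build the sample image in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_rootfs(build_sample_rootfs(tmp))


if __name__ == "__main__":
    for key, items in demo().items():
        print(key)
        for item in items:
            print("  ", item)
```

Point audit_rootfs at a rootfs extracted from the firmware image (for example with binwalk or a squashfs tool) to check an upgrade actually removed the material; the PEM digests let you confirm that the same key or certificate does not reappear in a later release.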
Updated Software

  o Certificates and Keys Issued to Futurewei Technologies

    The following table provides updated release information:

      Cisco Product                           First Updated Release for This Product
      --------------------------------------  --------------------------------------
      FindIT Network Probe                    1.1.0
      250 Series Smart Switches               2.5.0.83
      350 Series Managed Switches             2.5.0.83
      350X Series Stackable Managed Switches  2.5.0.83
      550X Series Stackable Managed Switches  2.5.0.83

    Empty Password Hashes/Unneeded Software Packages

    The following table provides updated release information:

      Cisco Product                           First Updated Release for This Product
      --------------------------------------  --------------------------------------
      250 Series Smart Switches               2.5.0.90
      350 Series Managed Switches             2.5.0.90
      350X Series Stackable Managed Switches  2.5.0.90
      550X Series Stackable Managed Switches  2.5.0.90

Source

  o Cisco would like to thank security researchers Stefan Viehbock and Thomas
    Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining updated software and receiving
    security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-sb-switches-findit

Revision History

  o +---------+------------------------+----------+---------+-----------------+
    | Version | Description            | Section  | Status  | Date            |
    +---------+------------------------+----------+---------+-----------------+
    | 1.2     | An updated release for | Updated  | Final   | 2019-October-16 |
    |         | the Empty Password     | Software |         |                 |
    |         | Hashes and Unneeded    |          |         |                 |
    |         | Software Packages      |          |         |                 |
    |         | issues is now          |          |         |                 |
    |         | available.             |          |         |                 |
    +---------+------------------------+----------+---------+-----------------+
    | 1.1     | Updated first          | Affected | Interim | 2019-July-09    |
    |         | vulnerable releases    | Products |         |                 |
    |         | information.           |          |         |                 |
    +---------+------------------------+----------+---------+-----------------+
    | 1.0     | Initial public         | -        | Interim | 2019-July-03    |
    |         | release.               |          |         |                 |
    +---------+------------------------+----------+---------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXaklY2aOgq3Tt24GAQi+zBAAwAb2hSfeD0JDf97UFjNEbBkXY8VriDNi
9ro8ebCNJfsZGEEiDROWRzOWhuRTOcNtcNdWIi7M4AZ281ZyC9bfQh65eFMw3iDK
733wLsCA0LQm/+Hp8dhAPtSYi0H1MLYzDH0A8ijH2mE5DmJlb6upYXwdMjgeOlx7
QwEnqIq2xX5UFY/iY8mB1DtuBXOtTNwb7RLsmJtxNh2MT32HT3b1Jq5D6grMQCY6
JblpCPoQ4hFotSVT8B5j8AZVbnHl75nGRK+gCVc5ITmHwxiAXIB/29KWAO6HO22o
L5MXrxjtzL5omOfCBO+wxCxPS54DCUzWsv2kXxkpgq0kMYODEQ3RwNL0Ygx5/ysq
5ihwi3OHg76PVgNn/qdvMiu1HldNrQYRJoGBburFAN89hnqKxi9Ks4SUtge446TZ
N2Z8mUGu4Os76piY9WMNkb/oyYchIFKOv/NUHSGjPkwgD7nJ/niRCeju1rfToFsv
hBfrOcZ9mKWc5wiRGLZA0wgLSB+H9q6QYCAd/S8JoU+h4O8o0rGPqqPP9YwyEYFx
t5Ko5EbV/mb4Ear6RTpNYymti7N7AdboL5wwcPpoXQRcHytWwmVsziKATjjgcIZ/
NSvCwtYqbtZbgrmltb8YNKyQOA9G+yROkmihcLxsRx3UwkxJ/gGusMU2Ac+nOizA
1ux4jUKO4Bo=
=f1hH
-----END PGP SIGNATURE-----