
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2445.2
 Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches
                  Firmware and Cisco FindIT Network Probe
                               10 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business 250/350/350X/550X Series Switches
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-sb-switches-findit

Revision History:  July 10 2019: Updated first vulnerable releases information
                   July  4 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches
Firmware and Cisco FindIT Network Probe

Priority:        Informational

Advisory ID:     cisco-sa-20190703-sb-switches-findit

First Published: 2019 July 3 16:00 GMT

Last Updated:    2019 July 9 16:33 GMT

Version 1.1:     Interim

Summary

  o On June 3, 2019, SEC Consult, a consulting firm for the areas of cyber and
    application security, contacted the Cisco Product Security Incident
    Response Team (PSIRT) to report the following issues that they found in
    firmware images for Cisco Small Business 250 Series Switches:

       Certificates and keys issued to Futurewei Technologies
       Empty password hashes
       Unneeded software packages
       Multiple vulnerabilities in third-party software (TPS) components

    Cisco PSIRT investigated each issue, and the following are the
    investigation results:

    Certificates and Keys Issued to Futurewei Technologies

    An X.509 certificate with the corresponding public/private key pair and the
    corresponding root CA certificate were found in Cisco Small Business 250
    Series Switches firmware. SEC Consult calls this the "House of Keys." Both
    certificates are issued to third-party entity Futurewei Technologies, a
    Huawei subsidiary.

    The certificates and keys in question are part of the Cisco FindIT Network
    Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X
    Series Switches firmware. These files are part of the OpenDaylight open
    source package. Their intended use is to test the functionality of software
    using OpenDaylight routines. The Cisco FindIT team used those certificates
    and keys for their intended testing purpose during the development of the
    Cisco FindIT Network Probe; they were never used for live functionality in
    any shipping version of the product. All shipping versions of the Cisco
    FindIT Network Probe use dynamically created certificates instead. The
    inclusion of the certificates and keys from the OpenDaylight open source
    package in shipping software was an oversight by the Cisco FindIT
    development team.

    Cisco has removed those certificates and associated keys from FindIT
    Network Probe software and Small Business 250, 350, 350X, and 550X Series
    Switches firmware starting with the releases listed later in this advisory.

    Empty Password Hashes

    The /etc/passwd file included in Cisco Small Business 250, 350, 350X, and
    550X Series Switches firmware has empty password hashes for the users root
    and user.

    The /etc/passwd file is not consulted during user authentication by Small
    Business 250, 350, 350X, and 550X Series Switches firmware. Instead, a
    dedicated alternate user database is used to authenticate users that log in
    to either the CLI or the web-based management interface of Small Business
    250, 350, 350X, and 550X Series Switches.

    A potential attacker with access to the base operating system on an
    affected device could exploit this issue to elevate privileges to the root 
    user. However, Cisco is not currently aware of a way to access the base
    operating system on these switches.

    Future firmware releases will replace the empty hashes with hashed,
    randomly generated passwords during initial boot.

    Unneeded Software Packages

    An attacker who gains access to the CLI of the base operating system may be
    able to misuse the gdbserver and tcpdump packages that are included in
    Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware as
    part of the base operating system. Cisco is not currently aware of a way to
    access this part of the system on these switches.

    Future firmware releases will not include the gdbserver and tcpdump 
    packages.
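The three findings above are all checks a firmware audit can make against an extracted root filesystem. The following is an added example, not code from Cisco or SEC Consult; the file paths and file contents it constructs are hypothetical sample data, and the `/etc/passwd` check treats only a genuinely empty password field as a finding (not the `x` shadow marker or a locked `*`/`!` entry).

```python
import re
import tempfile
from pathlib import Path

# A PRIVATE KEY or CERTIFICATE block in a firmware image is the "House of Keys" pattern.
PEM_RE = re.compile(rb"-----BEGIN (?:[A-Z ]*PRIVATE KEY|CERTIFICATE)-----")
# Debug/diagnostic tools the advisory says should not ship in the base OS.
UNNEEDED_BINARIES = {"gdbserver", "tcpdump"}


def empty_password_accounts(passwd_text: str) -> list:
    """Accounts whose password field is empty ('x' = in shadow, '*'/'!' = locked)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            found.append(fields[0])
    return found

def audit_firmware_root(root: str) -> dict:
    """Walk an extracted firmware filesystem and collect all three findings."""
    base = Path(root)
    report = {"empty_passwords": [], "embedded_keys": [], "unneeded_binaries": []}
    for name in ("etc/passwd", "etc/shadow"):
        if (p := base / name).is_file():
            users = empty_password_accounts(p.read_text(errors="replace"))
            report["empty_passwords"] += [f"{name}:{u}" for u in users]
    for path in sorted(base.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = str(path.relative_to(base))
        if path.name in UNNEEDED_BINARIES:
            report["unneeded_binaries"].append(rel)
        with path.open("rb") as fh:  # PEM headers sit at the start of key files
            if PEM_RE.search(fh.read(65536)):
                report["embedded_keys"].append(rel)
    return report

def demo_report() -> dict:
    """Build a constructed (not real) firmware tree that shows each finding."""
    tmp = Path(tempfile.mkdtemp())
    files = {  # constructed sample content, not taken from any Cisco image
        "etc/passwd": "root::0:0::/:/bin/sh\nuser::1000:1000::/:/bin/sh\n"
                      "daemon:x:1:1::/:/bin/false\nnobody:*:65534:65534::/:/bin/false\n",
        "usr/bin/gdbserver": "\x7fELF placeholder",
        "opt/odl/ctl.key": "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n"}
    for rel, body in files.items():
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_text(body)
    return audit_firmware_root(str(tmp))
```

Point `audit_firmware_root()` at the directory an unpacker such as binwalk produced to get the same report for a real image.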

Affected Products

  o Certificates and Keys Issued to Futurewei Technologies

    The certificates and keys from the OpenDaylight open source package are
    included in the following Cisco products:

       FindIT Network Probe versions 1.0.0 and 1.0.1
       Firmware versions 2.4.5.71 through 2.5.0.82 for the following Cisco
        products:
           250 Series Smart Switches
           350 Series Managed Switches
           350X Series Stackable Managed Switches
           550X Series Stackable Managed Switches

    Empty Password Hashes/Unneeded Software Packages

    The empty password hashes for the users root and user and the unneeded
    gdbserver package are included in all firmware versions prior to the first
    fixed release; the tcpdump package is included in firmware versions
    2.4.5.71 and later. This applies to the following Cisco products:

       250 Series Smart Switches
       350 Series Managed Switches
       350X Series Stackable Managed Switches
       550X Series Stackable Managed Switches

    Products Confirmed Not Affected

    Only products listed in the Affected Products section of this advisory are
    known to be affected by these issues.

    Updated Software

    Certificates and Keys Issued to Futurewei Technologies

    The following table provides updated release information:

    +----------------------------------------+----------------------------------------+
    |             Cisco Product              | First Updated Release for This Product |
    +----------------------------------------+----------------------------------------+
    | FindIT Network Probe                   | 1.1.0                                  |
    | 250 Series Smart Switches              | 2.5.0.83                               |
    | 350 Series Managed Switches            | 2.5.0.83                               |
    | 350X Series Stackable Managed Switches | 2.5.0.83                               |
    | 550X Series Stackable Managed Switches | 2.5.0.83                               |
    +----------------------------------------+----------------------------------------+

    Empty Password Hashes/Unneeded Software Packages

    Future firmware releases will replace the empty hashes with hashed,
    randomly generated passwords and will have the unneeded software packages
    removed. This advisory will be updated when the updated firmware becomes
    available.

Source

  o Cisco would like to thank security researchers Stefan Viehböck and Thomas
    Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining updated software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190703-sb-switches-findit

Revision History

  o +---------+--------------------------+-----------+---------+--------------+
    | Version |       Description        |  Section  | Status  |     Date     |
    +---------+--------------------------+-----------+---------+--------------+
    | 1.1     | Updated first vulnerable | Affected  | Interim | 2019-July-09 |
    |         | releases information.    | Products  |         |              |
    +---------+--------------------------+-----------+---------+--------------+
    | 1.0     | Initial public release.  | -         | Interim | 2019-July-03 |
    +---------+--------------------------+-----------+---------+--------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================