-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2445.3
 Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches
                  Firmware and Cisco FindIT Network Probe
                              18 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Small Business 250/350/350X/550X Series Switches
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-sb-switches-findit

Revision History:  October 18 2019: Vendor updated details on password and software issues
                   July    10 2019: Updated first vulnerable releases information
                   July     4 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches
Firmware and Cisco FindIT Network Probe

Priority:        Informational

Advisory ID:     cisco-sa-20190703-sb-switches-findit

First Published: 2019 July 3 16:00 GMT

Last Updated:    2019 October 16 17:21 GMT

Version 1.2:     Final

Summary

  o On June 3, 2019, SEC Consult, a cyber and application security consulting
    firm, contacted the Cisco Product Security Incident Response Team (PSIRT)
    to report the following issues that they found in firmware images for
    Cisco Small Business 250 Series Switches:

       Certificates and keys issued to Futurewei Technologies
       Empty password hashes
       Unneeded software packages
       Multiple vulnerabilities in third-party software (TPS) components

    Cisco PSIRT investigated each issue, and the following are the
    investigation results:

    Certificates and Keys Issued to Futurewei Technologies

    An X.509 certificate with the corresponding public/private key pair and the
    corresponding root CA certificate were found in Cisco Small Business 250
    Series Switches firmware. SEC Consult calls this the "House of Keys." Both
    certificates are issued to third-party entity Futurewei Technologies, a
    Huawei subsidiary.

    The certificates and keys in question are part of the Cisco FindIT Network
    Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X
    Series Switches firmware. These files are part of the OpenDaylight open
    source package. Their intended use is to test the functionality of software
    using OpenDaylight routines. The Cisco FindIT team used those certificates
    and keys for their intended testing purpose during the development of the
    Cisco FindIT Network Probe; they were never used for live functionality in
    any shipping version of the product. All shipping versions of the Cisco
    FindIT Network Probe use dynamically created certificates instead. The
    inclusion of the certificates and keys from the OpenDaylight open source
    package in shipping software was an oversight by the Cisco FindIT
    development team.

    Cisco has removed those certificates and associated keys from FindIT
    Network Probe software and Small Business 250, 350, 350X, and 550X Series
    Switches firmware starting with the releases listed later in this advisory.

    Empty Password Hashes

    The /etc/passwd file included in Cisco Small Business 250, 350, 350X, and
    550X Series Switches firmware has empty password hashes for the users root
    and user.

    The /etc/passwd file is not consulted during user authentication by Small
    Business 250, 350, 350X, and 550X Series Switches firmware. Instead, a
    dedicated alternate user database is used to authenticate users that log in
    to either the CLI or the web-based management interface of Small Business
    250, 350, 350X, and 550X Series Switches.

    A potential attacker with access to the base operating system on an
    affected device could exploit this issue to elevate privileges to the root
    user. However, Cisco is not currently aware of a way to access the base
    operating system on these switches.

    Cisco has replaced the empty hashes with hashed, randomly generated
    passwords during initial boot from Cisco Small Business 250, 350, 350X, and
    550X Series Switches firmware starting with the releases listed later in
    this advisory.

    Unneeded Software Packages

    An attacker who gains access to the CLI of the base operating system may be
    able to misuse the gdbserver and tcpdump packages that are included in
    Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware as
    part of the base operating system. Cisco is not currently aware of a way to
    access this part of the system on these switches.

    Cisco has removed the gdbserver and tcpdump packages from Cisco Small
    Business 250, 350, 350X, and 550X Series Switches firmware starting with
    the releases listed later in this advisory.
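    The three issue classes above (passwordless accounts in /etc/passwd,
    leftover PEM keys and certificates, and debugging or capture tools shipped
    in the base OS) are all visible in a firmware image once its root
    filesystem has been unpacked. The following script is an added example
    written for this bulletin; it is not Cisco's or SEC Consult's tooling. It
    assumes a directory containing an extracted rootfs (the path layout,
    the sample passwd entries and the placeholder PEM blocks below are
    constructed for the demonstration and are not taken from the real
    firmware).

```python
"""Audit an extracted firmware root filesystem for the issue classes in this
advisory: empty password hashes, embedded PEM keys/certificates, and
unneeded debugging/capture packages.

Added example, not vendor tooling. The sample rootfs built by
build_sample_rootfs() is constructed data; its PEM bodies are placeholders,
not real key material.
"""
import os
import re
import tempfile

# Matches a PEM block and captures its type, e.g. "CERTIFICATE" or
# "RSA PRIVATE KEY"; the backreference makes BEGIN/END types agree.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+?)-----.*?-----END \1-----", re.DOTALL)
SENSITIVE_PEM_TYPES = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "CERTIFICATE"}
# Binaries that have no business on a production appliance (per the advisory).
UNNEEDED_TOOLS = {"gdbserver", "tcpdump"}


def empty_password_accounts(passwd_text):
    """Return user names whose password field (second colon-separated field) is
    empty. 'x' means "see /etc/shadow"; '*' and '!' lock the account; only a
    truly empty field is a passwordless account."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            users.append(fields[0])
    return users


def embedded_pem_blocks(root):
    """Walk the rootfs and return sorted (relative path, PEM type) pairs for
    every private key or certificate found in a regular file."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            for match in PEM_BLOCK.finditer(data):
                kind = match.group(1).decode("ascii")
                if kind in SENSITIVE_PEM_TYPES:
                    found.append((os.path.relpath(path, root), kind))
    return sorted(found)


def unneeded_tools_present(root):
    """Return the sorted names of UNNEEDED_TOOLS found anywhere in the rootfs."""
    present = set()
    for _, _, filenames in os.walk(root):
        present.update(UNNEEDED_TOOLS.intersection(filenames))
    return sorted(present)


def audit_rootfs(root):
    """Run all three checks against an extracted rootfs directory."""
    findings = {"empty_password_users": [], "pem_material": [], "unneeded_tools": []}
    for db in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, db)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings["empty_password_users"] += [
                    f"{db}:{user}" for user in empty_password_accounts(fh.read())
                ]
    findings["pem_material"] = embedded_pem_blocks(root)
    findings["unneeded_tools"] = unneeded_tools_present(root)
    return findings


def build_sample_rootfs():
    """Construct a small rootfs exhibiting all three issues (sample data only)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "opt", "probe", "certs"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root::0:0:root:/root:/bin/sh\n"          # empty hash
                 "user::1000:1000::/home/user:/bin/sh\n"   # empty hash
                 "daemon:x:1:1::/:/bin/false\n"            # deferred to shadow
                 "nobody:*:65534:65534::/:/bin/false\n")   # locked
    # Placeholder PEM bodies: these are not a real certificate or key.
    with open(os.path.join(root, "opt", "probe", "certs", "test.pem"), "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
                 b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    for tool in ("gdbserver", "tcpdump", "busybox"):
        with open(os.path.join(root, "usr", "bin", tool), "wb") as fh:
            fh.write(b"\x7fELF")
    return root


if __name__ == "__main__":
    for key, value in audit_rootfs(build_sample_rootfs()).items():
        print(f"{key}: {value}")
```

    The PEM check only reports that key or certificate material is present;
    it does not parse the X.509 subject. To confirm who a found certificate
    was issued to, run `openssl x509 -in <file> -noout -subject -issuer` on
    each reported path, and compare any private key against the public key of
    the certificate before concluding they form a pair. Note that a
    passwordless entry in /etc/passwd is only exploitable if something on the
    device actually authenticates against that file, which is the point Cisco
    makes above; the check still flags it because that assumption can change
    between firmware releases.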

Affected Products

  o Certificates and Keys Issued to Futurewei Technologies

    The certificates and keys from the OpenDaylight open source package are
    included in the following Cisco products:

       FindIT Network Probe versions 1.0.0 and 1.0.1
       Firmware versions 2.4.5.71 through 2.5.0.82 for the following Cisco
        products:
           250 Series Smart Switches
           350 Series Managed Switches
           350X Series Stackable Managed Switches
           550X Series Stackable Managed Switches

    Empty Password Hashes/Unneeded Software Packages

    The empty password hashes for the users root and user and the unneeded
    gdbserver package are included in all firmware versions prior to the first
    fixed release; the tcpdump package is included in firmware versions
    2.4.5.71 and later. This applies to the following Cisco products:

       250 Series Smart Switches
       350 Series Managed Switches
       350X Series Stackable Managed Switches
       550X Series Stackable Managed Switches

    Products Confirmed Not Affected

    Only products listed in the Affected Products section of this advisory are
    known to be affected by these issues.

    Updated Software


    Certificates and Keys Issued to Futurewei Technologies

    The following table provides updated release information:

                Cisco Product                    First Updated Release for This
                                                             Product
    FindIT Network Probe                         1.1.0
    250 Series Smart Switches                    2.5.0.83
    350 Series Managed Switches                  2.5.0.83
    350X Series Stackable Managed Switches       2.5.0.83
    550X Series Stackable Managed Switches       2.5.0.83


    Empty Password Hashes/Unneeded Software Packages

    The following table provides updated release information:

                Cisco Product                    First Updated Release for This
                                                             Product
    250 Series Smart Switches                    2.5.0.90
    350 Series Managed Switches                  2.5.0.90
    350X Series Stackable Managed Switches       2.5.0.90
    550X Series Stackable Managed Switches       2.5.0.90

Source

  o Cisco would like to thank security researchers Stefan Viehböck and Thomas
    Weber of SEC Consult/IoT Inspector for reporting these issues.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining updated software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190703-sb-switches-findit

Revision History

  o +---------+------------------------+----------+---------+-----------------+
    | Version |      Description       | Section  | Status  |      Date       |
    +---------+------------------------+----------+---------+-----------------+
    |         | An updated release for |          |         |                 |
    |         | the Empty Password     |          |         |                 |
    | 1.2     | Hashes and Unneeded    | Updated  | Final   | 2019-October-16 |
    |         | Software Packages      | Software |         |                 |
    |         | issues is now          |          |         |                 |
    |         | available.             |          |         |                 |
    +---------+------------------------+----------+---------+-----------------+
    |         | Updated first          | Affected |         |                 |
    | 1.1     | vulnerable releases    | Products | Interim | 2019-July-09    |
    |         | information.           |          |         |                 |
    +---------+------------------------+----------+---------+-----------------+
    | 1.0     | Initial public         | -        | Interim | 2019-July-03    |
    |         | release.               |          |         |                 |
    +---------+------------------------+----------+---------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----