Home > News > Trending news > Cisco's 6 Unpatched Internal Servers Compromised

Cisco's 6 Unpatched Internal Servers Compromised

Cisco | June 01, 2020

Cisco's six servers that were compromised are used to support Internet Routing Lab Personal Edition, or VIRL-PE, and Modeling Labs Corporate Edition .
The exploitability of the vulnerabilities in the six servers depends upon how the products that the servers' support are enabled.
We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours.

Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero day vulnerabilities, according to a security advisory sent to customers this week. Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, these zero-day vulnerabilities potentially could have allowed an attacker to gain full remote code execution within the servers. In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities, an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.

Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group. Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges. The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.

A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability.

~ Information Security Media Group.

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG. Cisco's six servers that were compromised are used to support Internet Routing Lab Personal Edition, or VIRL-PE, and Modeling Labs Corporate Edition, or CML, a platform that enables engineers to emulate various Cisco operating systems, including IOS, IOS XR, and NX-OS, Cisco says in the advisory. The exploitability of the vulnerabilities in the six servers depends upon how the products that the servers' support are enabled.

Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied.

The company advises those using Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6, which have the salt-master service reachable on TCP ports 4505 and 4506, to inspect the software for compromise, re-image it and then patch it with the latest update. We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says. Peay of SaltStack added that exploits immediately began to show up after the patches were released and publicized as malicious actors attempted to take advantage of the zero-day vulnerabilities before companies were able to install patches. Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors use patch information to crack a system. Then working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet.

SaltStack went to great lengths to communicate the problem to its users and offer tools so mitigation efforts were conducted properly, Peay says. This included direct assistance for those lacking skills handling SaltStack along with a service that would scan to validate that the patches were properly applied, he adds. Some security experts question why Cisco did not immediately patch its servers when it was notified of the zero day vulnerabilities. "There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security. Caveza of Tenable notes identifying systems that need a patch involves IT staff checking the version of SaltStack and verifying that versions 2019.2.4, 3000.2 or later have been applied. He points out that plugins are available to assist with this task.

Spotlight

The Human Touch in an Increasingly Digital World How to deliver financial wellbeing and make a difference in customers’ lives

Being the bank customers want – and will need in the future – comes with a unique set of challenges that organizations in financial services should start to embrace now. Whether this is the way artificial intelligence is now delivering everyday capabilities we can see and touch, or the impending revolution coming from quantum co

Other News

ENTERPRISE SECURITY, PLATFORM SECURITY, SOFTWARE SECURITY

Cyber Security & Cloud North America – New Line-Up Speakers Announced

TechEx Events Ltd | April 17, 2023

The Cyber Security & Cloud Congress North America (17-18th May) has announced exciting new additions to its line-up of speakers and panellists for the upcoming two-day event in Santa Clara. The event will take place on May 17th and 18th, 2023, and will feature a diverse range of tech industry experts, including CIOs, CTOs, Cyber Security, Cloud Architects, and other key players in the field. Attendees will have a great opportunity to hear from the most talented speakers including: Prasanna P., Digital Transformation Leader – Enterprise Architecture & Enterprise Strategy Leader – Molina Healthcare Shea Lovan, Chief Security Officer – UC Santa Barbara Sachin Vaidya, EVP Chief Information Officer of Heritage – Bank of Commerce Kishore Viswanathan, Senior Technical Program Manager, Cybersecurity and Compliance – Lucid Motors Sameh Emam, Division Risk Manager – Union Bank Kavitha Venkataswamy, Director – Digital Product Security – Capital One Richard Paz, CISM, Cyber Security Engineer – NASA Jet Propulsion Laboratory & many more! In addition to these keynote speakers, the event will also feature several panel discussions covering a wide range of topics, including Zero Trust, Threat Detection & Response, Training, Talent & Culture, Identity & Access Management, Application Security, Data Security and more. Attendees will have the opportunity to network with other industry professionals and gain valuable insights into the latest trends and technologies shaping the cybersecurity and cloud technology landscape. The Cyber & Cloud Congress North America promises to be a knowledge-packed, innovative, and engaging event for all those interested in Cyber Security and Cloud technology, but also the newest technology solutions, products and services that will be showcased during the event. “We are thrilled to have such an outstanding group of speakers joining us for the Cyber & Cloud Expo,” said Lia Richards, Head of Conference. “With their diverse backgrounds and extensive experience, they will bring a wealth of knowledge and insights to our attendees. We look forward to hearing their perspectives on the most pressing issues facing the industry today”. WHAT ELSE TO EXPECT? Over the course of two days at Cyber Security & Cloud Congress North America attendees will have a great number of opportunities to visit exhibition stalls and connect with the representatives of some of the world’s biggest brands including IBM, IDC, Bosh, AWS, Zoho and many more, all implementing the latest in Cyber Security & Cloud technologies within their sectors. Paying attendees will also have a chance to join the networking party event following Day 1 of the conference, where all will be able to connect and network in a more relaxed setting, with free food and drinks provided. This opportunity is open for Gold and Ultimate Pass Holders, Speakers, Press, Sponsors, and Exhibitors. Find out more information here: https://www.cybersecuritycloudexpo.com/northamerica/networking-party/ Early-bird registration offering 25% discount of the full ticket price is open until 17th April, and interested attendees are encouraged to secure their tickets before the offer ends to avoid missing out on this exciting opportunity. Follow this link to discover ticket types and prices: https://www.cybersecuritycloudexpo.com/northamerica/ticket-types-and-prices/. About TechEx Events Ltd The TechEx Event portfolio is an international conference and tech showcasing cutting-edge tech innovation in enterprise. Featuring real-life use cases and in-depth industry insights, the event series delves into the AI, Big Data, Blockchain, Cyber Security, 5G, IoT and Edge Computing ecosystems. Running for over six years, our co-located events strengths lie within our expert community. We bring the heroes responsible for pushing game changing tech and strategy together, to craft relationships and creative solutions. We are the place where networking never stops – The one-stop-shop for enterprise innovators.