Vulnerability in Cisco Mobility Services Engine Could Allow Unauthorized Access and Lead to Information Disclosure

MS-ISAC ADVISORY NUMBER:

2015-130

DATE(S) ISSUED:

11/05/2015

OVERVIEW:

A vulnerability has been discovered in Cisco Mobility Services Engine, which could allow for unauthorized access, and lead to information disclosure. This vulnerability could allow an unauthenticated, remote user to log in with the default oracle account. This account does not have full administrator privileges. However, this access could lead to unintended information disclosure.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Cisco Mobility Services Engine versions 8.0.120.7 and earlier

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
N/A

TECHNICAL SUMMARY:

A static password was assigned to the default oracle account on Cisco Mobility Services Engine (MSE). This account is a reserved account used for internal Mobility Services Engine tasks. It does not have full administrative privileges; however, access to it could lead to disclosure of sensitive internal information. MSE does not perform SSH logins with this account, and it should not be used in this manner. Signs of compromise can be determined by running the following command from the device.

This vulnerability (Cisco MSE Static Credential Vulnerability) has been fixed in all versions after 8.0.120.7. The following workaround may also be applied to mitigate this vulnerability.

Log in to the MSE as user root.
Edit the file /etc/ssh/sshd_config via a text editor.
Navigate to the bottom of the file and add the following line: DenyUsers oracle
Note: This change only takes effect after the SSH service is restarted.
Save the updated /etc/ssh/sshd_config file.
Restart the SSH service with the service sshd restart command.
To verify that the workaround is properly configured, attempt an SSH login to the MSE as the oracle user.
This login attempt should fail with the error Permission Denied.
ssh -l oracle
Try an SSH login to the MSE as the root user. This login attempt should succeed.
ssh -l root
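
The check below is an added example, not part of the advisory or of Cisco's tooling: it reports whether an sshd_config denies SSH logins for the oracle account globally, only inside a Match block, or not at all. A line appended to the bottom of a file that ends in a Match block applies only to connections matching that block, which is the case the constructed sample shows; the function name `check_deny_user` is hypothetical and a POSIX shell with awk is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an sshd_config denies
# SSH logins for an account. Output: global | match-only | missing
# Only exact account names are compared; patterns such as ora* are not expanded.

check_deny_user() {   # $1 = config path, $2 = account (default: oracle)
    awk -v user="${2:-oracle}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")       # accept the "Keyword=value" form
            kw = tolower($1)                # keywords are case-insensitive
        }
        kw == "match" {                     # a block runs to the next Match or EOF
            in_match = !(NF == 2 && tolower($2) == "all")
            next
        }
        kw == "denyusers" {                 # multiple DenyUsers lines accumulate
            for (i = 2; i <= NF; i++)
                if ($i == user) { if (in_match) scoped_hit = 1; else global_hit = 1 }
        }
        END { print (global_hit ? "global" : (scoped_hit ? "match-only" : "missing")) }
    ' "$1"
}

# Constructed sample: the workaround line was appended to the bottom of a file
# that ends in a Match block, so it is scoped to that block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
DenyUsers oracle
EOF
check_deny_user "$sample"    # prints: match-only
rm -f "$sample"
```

Running `sshd -t` after editing and before the restart checks the file for syntax errors.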

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply patches or the workaround to vulnerable systems after appropriate testing.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators are advised to monitor affected systems.
