Vulnerability in Cisco Mobility Services Engine Could Allow Unauthorized Access and Lead to Information Disclosure
MS-ISAC ADVISORY NUMBER: 2015-130
A vulnerability has been discovered in Cisco Mobility Services Engine, which could allow for unauthorized access, and lead to information disclosure. This vulnerability could allow an unauthenticated, remote user to log in with the default oracle account. This account does not have full administrator privileges. However, this access could lead to unintended information disclosure.
There are currently no reports of this vulnerability being exploited in the wild.
- Cisco Mobility Services Engine versions 188.8.131.52 and earlier
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
A static password was assigned to the default oracle account on Cisco Mobility Services Engine (MSE). This account is a reserved account used for internal Mobility Services Engine tasks. This account does not have full administrative privileges; however, access to it could lead to disclosure of sensitive internal information. MSE does not perform SSH logins with this account, and it should not be used in this manner. Signs of compromise can be determined by running the following command from the device.
This vulnerability has been fixed in all versions after Cisco MSE Static Credential Vulnerability 184.108.40.206. The following workaround may also be applied to mitigate this vulnerability.
Log in to the MSE as user root.
Edit the file /etc/ssh/sshd_config via a text editor.
Navigate to the bottom of the file and add the following line: DenyUsers oracle
Note: This change only takes effect after the SSH service is restarted.
Save the updated /etc/ssh/sshd_config file.
Restart the SSH service with the service sshd restart command.
To verify that the workaround is properly configured, attempt an SSH login to the MSE as the oracle user.
This login attempt should fail with the error Permission Denied.
ssh -l oracle
Try an SSH login to the MSE as the root user. This login attempt should succeed.
ssh -l root
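The workaround places the line at the bottom of the file, but in sshd_config a directive that follows a Match line applies only inside that Match block, so the position of the line matters. The script below is an added example, not part of the advisory or Cisco's own tooling, that audits a configuration file for this case; the function name check_deny_oracle, its status codes and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "DenyUsers oracle" workaround.
# check_deny_oracle FILE returns:
#   0  oracle is denied in global scope
#   1  no DenyUsers entry names oracle
#   2  the entry exists but only inside a Match block (conditional, not global)
#   3  FILE is not readable
# Only the literal user name is counted; wildcard or user@host patterns are
# deliberately not treated as a pass.
check_deny_oracle() {
    [ -r "$1" ] || return 3
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments, blank lines
        /^[ \t]*[A-Za-z]+[ \t]*=/ { sub(/=/, " ") }    # "Keyword=value" form
        tolower($1) == "match" { in_match = 1; next }  # scope lasts to next Match or EOF
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++)
                if ($i == "oracle") { if (in_match) scoped = 1; else global = 1 }
        }
        END { if (global) exit 0; if (scoped) exit 2; exit 1 }
    ' "$1"
}

# Constructed sample: the line was appended at the bottom of a file that
# already ends in a Match block, so it does not apply to every connection.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'Match Address 192.0.2.0/24' \
    '    X11Forwarding no' 'DenyUsers oracle' > "$sample"
rc=0; check_deny_oracle "$sample" || rc=$?
echo "status: $rc"
rm -f "$sample"
```

A status of 2 means the line should be moved above the first Match line before the SSH service is restarted; the login tests in the steps above remain the final confirmation.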
We recommend the following actions be taken:
Apply patches or the workaround to vulnerable systems after appropriate testing.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.