Cisco's 6 Unpatched Internal Servers Supporting Virtual Networking Service Compromised

Cisco | June 01, 2020

  • Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted.

  • Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked.

  • The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure.


Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero-day vulnerabilities, according to a security advisory sent to customers this week.

Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, these zero-day vulnerabilities potentially could have allowed an attacker to gain full remote code execution within the servers.

In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities, an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.


Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges.

"A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group.

SaltStack Vulnerabilities

The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG.

Cisco's six compromised servers are used to support Virtual Internet Routing Lab Personal Edition, or VIRL-PE, and Cisco Modeling Labs Corporate Edition, or CML, a platform that enables engineers to emulate various Cisco operating systems, including IOS, IOS XR, and NX-OS, Cisco says in the advisory. The servers are:

• us-1.virl.info

• us-2.virl.info

• us-3.virl.info

• us-4.virl.info

• vsm-us-1.virl.info

• vsm-us-2.virl.info

The exploitability of the vulnerabilities in the six servers depends on how the products the servers support are configured. The company advises those using Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6 with the salt-master service reachable on TCP ports 4505 and 4506 to inspect the software for compromise, re-image it, and then patch it with the latest update.

F-Secure described the unpatched vulnerabilities as particularly easy to exploit.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says.

Attackers Looked for Easy Exploits

Peay of SaltStack added that exploits immediately began to show up after the patches were released and publicized as malicious actors attempted to take advantage of the zero-day vulnerabilities before companies were able to install patches.

Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors use patch information to crack a system.

"Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then, working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet," Caveza says.

SaltStack went to great lengths to communicate the problem to its users and offer tools so mitigation efforts were conducted properly, Peay says. This included direct assistance for those lacking skills handling SaltStack along with a service that would scan to validate that the patches were properly applied, he adds.

Some security experts question why Cisco did not immediately patch its servers when it was notified of the zero-day vulnerabilities.

"There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.

Caveza of Tenable notes that identifying systems that need a patch involves IT staff checking the installed SaltStack version and verifying that version 2019.2.4 or 3000.2, or a later release, has been applied. He points out that plugins are available to assist with this task.
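The two checks the article describes for a Salt deployment, whether the installed release is at or above the fixed versions 2019.2.4 / 3000.2 and whether the salt-master ports 4505 and 4506 are reachable beyond loopback, can be scripted. The following is an added example written for this page; it is not Cisco's, Tenable's or SaltStack's code. It assumes the version string comes from `salt --version` and the socket listing from `ss -ltn`; the sample values embedded below are constructed.

```python
"""Triage helper for CVE-2020-11651 / CVE-2020-11652 exposure on a Salt host.

Added example, not vendor code.  Input formats assumed: 'salt --version'
output for the version, 'ss -ltn' output for listening sockets.
"""
import re

# Fixed releases named in the SaltStack advisory.  Salt moved from date-based
# versions (2019.2.x) to a plain counter (3000.x), so each series is compared
# against its own fixed release.
FIXED_DATE_SERIES = (2019, 2, 4)
FIXED_COUNTER_SERIES = (3000, 2)
MASTER_PORTS = {4505, 4506}  # salt-master publish and request ports

# Constructed sample of 'ss -ltn' output: master ports bound on all interfaces.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4505        0.0.0.0:*
LISTEN 0      1000   [::]:4506           [::]:*
"""


def parse_version(text):
    """Return the version as a tuple of ints from text such as 'salt 3000.1'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(text):
    """True when the version is at or above the fixed release for its series.

    Tuple comparison handles bare versions: (3000,) sorts below (3000, 2),
    so '3000' is reported as unpatched while '3001' is reported as patched.
    """
    v = parse_version(text)
    if v[0] >= 3000:
        return v >= FIXED_COUNTER_SERIES
    return v >= FIXED_DATE_SERIES


def exposed_master_ports(ss_output):
    """Return salt-master ports that listen on a non-loopback address."""
    exposed = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit() or int(port) not in MASTER_PORTS:
            continue
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback only; not reachable from the network
        exposed.add(int(port))
    return sorted(exposed)


def assess(version_text, ss_output):
    """Combine both checks into the action the advisory prescribes."""
    patched = is_patched(version_text)
    exposed = exposed_master_ports(ss_output)
    if patched:
        action = "patched"
    elif exposed:
        # Unpatched with master ports reachable: treat as potentially
        # compromised, per the advisory's inspect / re-image / patch guidance.
        action = "inspect, re-image, then patch"
    else:
        action = "patch"
    return {"patched": patched, "exposed_ports": exposed, "action": action}


if __name__ == "__main__":
    for version in ("salt 2019.2.3", "salt 3000.1", "salt 3000.2"):
        print(version, "->", assess(version, SAMPLE_SS))
```

The version check is deliberately series-aware: a naive numeric comparison would rank 3000.1 above 2019.2.4 and miss that 3000.1 is itself unpatched.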


About Cisco

Cisco enables people to make powerful connections--whether in business, education, philanthropy, or creativity. Cisco hardware, software, and service offerings are used to create the Internet solutions that make networks possible--providing easy access to information anywhere, at any time.

