Cisco's 6 Unpatched Internal Servers Supporting Virtual Networking Service Compromised

  • Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted.

  • Despite an April 29 notice from the Salt Open Core team, Cisco placed six servers in service on May 7 that were not patched against the two SaltStack vulnerabilities, and the servers were immediately attacked.

  • The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure.


Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two recently disclosed SaltStack vulnerabilities, according to a security advisory sent to customers this week.

Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. Exploited together, the two vulnerabilities give an unauthenticated attacker remote code execution as root on the Salt master and on the minions it manages.

In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities, an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.


Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges.

"A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group.

SaltStack Vulnerabilities

The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG.

Cisco's six compromised servers support Cisco Virtual Internet Routing Lab Personal Edition, or VIRL-PE, and Cisco Modeling Labs Corporate Edition, or CML, platforms that let engineers emulate various Cisco operating systems, including IOS, IOS XR and NX-OS, Cisco says in the advisory. The servers are:

• us-1.virl.info

• us-2.virl.info

• us-3.virl.info

• us-4.virl.info

• vsm-us-1.virl.info

• vsm-us-2.virl.info

Whether the vulnerabilities can be exploited on a given installation depends on how the products the servers support are deployed. Cisco advises users of Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6 in which the salt-master service is reachable on TCP ports 4505 and 4506 to inspect the software for signs of compromise, re-image it and then apply the latest update.

F-Secure described the unpatched vulnerabilities as particularly easy to exploit.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says.

Attackers Looked for Easy Exploits

Peay of SaltStack added that exploits began to show up immediately after the patches were released and publicized, as malicious actors attempted to take advantage of the vulnerabilities before companies were able to install the patches.

Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors turn patch information into attacks:

"Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then, working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet," Caveza says.

SaltStack went to great lengths to communicate the problem to its users and offered tools so that mitigation was carried out properly, Peay says. This included direct assistance for users with little SaltStack experience, along with a scanning service to validate that the patches had been applied correctly, he adds.

Some security experts question why Cisco did not immediately patch its servers once it was notified of the vulnerabilities.

"There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.



Caveza of Tenable notes that identifying systems that need the patch comes down to checking the installed SaltStack version and confirming that 2019.2.4 or 3000.2, or a later release, is in place. He points out that vulnerability-scanner plugins are available to assist with this task.
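The two checks described above, the version comparison Caveza mentions and the "salt-master reachable on TCP 4505 and 4506" condition in Cisco's advisory, are easy to get wrong by hand because Salt changed its version numbering from 2019.2.x to a plain 3000.x counter, so a naive comparison ranks the fixed 2019.2.4 below the unfixed 3000.0. The following script is an added example, not Cisco's, SaltStack's or Tenable's tooling; the fixed version numbers and ports come from this article, while the function names, hostnames and sample inventory are this example's own constructions.

```python
"""Triage helper for the two advisory conditions: is the installed SaltStack
release older than the fixed versions (2019.2.4 / 3000.2), and does the
salt-master accept connections on TCP 4505/4506 from where the check runs?

Added example, not Cisco's or SaltStack's tooling. Fixed versions and ports
come from the article; function names and sample data are made up.
"""
import re
import socket
from typing import Dict, Tuple

SALT_PORTS = (4505, 4506)  # salt-master publish port and request (ret) port


def parse_salt_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from strings like '2019.2.3', '3000.2', or
    the first line of `salt --version` ('salt 3000.1'). Raises ValueError."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(version: str) -> bool:
    """True if the release carries the CVE-2020-11651/-11652 fixes.

    Salt renumbered from YYYY.M.N (2019.2.x) to a plain counter (3000,
    3000.1, ...), so compare within a branch rather than on one number line:
    2019.2.4 is fixed although it is 'smaller' than 3000.0, which is not.
    Branches the advisory does not name (e.g. 2018.3) are treated as unfixed.
    """
    v = parse_salt_version(version)
    branch = v[0]
    if branch == 2019:
        return v >= (2019, 2, 4)
    if branch == 3000:
        return v >= (3000, 2)   # bare '3000' or '3000.1' compare below this
    return branch > 3000        # 3001+ post-dates the fix; older branches unfixed


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe. True only if something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def salt_master_exposure(host: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Probe both salt-master ports from this vantage point."""
    return {p: port_reachable(host, p, timeout) for p in SALT_PORTS}


def triage(version: str, exposure: Dict[int, bool]) -> str:
    """Map version plus exposure onto the advisory's actions."""
    reachable = any(exposure.values())
    patched = is_patched(version)
    if patched and not reachable:
        return "ok"
    if patched:
        return "patched; salt-master still reachable: restrict 4505/4506 to minions"
    if reachable:
        return "unpatched and reachable: inspect for compromise, re-image, then patch"
    return "unpatched, not reachable from here: patch before exposing"


if __name__ == "__main__":
    # Constructed inventory; the exposure results are simulated, not probed.
    inventory = [
        ("lab-a.example.test", "salt 2019.2.3", {4505: True, 4506: True}),
        ("lab-b.example.test", "3000", {4505: False, 4506: True}),
        ("lab-c.example.test", "3000.2", {4505: False, 4506: False}),
        ("lab-d.example.test", "2019.2.4", {4505: True, 4506: True}),
    ]
    for host, ver, exposure in inventory:
        print(f"{host:22} {ver:14} {triage(ver, exposure)}")
    # Against a live host: triage(ver, salt_master_exposure(host))
```

One caveat on the probe: a closed result only means the ports were not reachable from the machine running the script. A salt-master bound on all interfaces behind a host firewall that exempts the scanner's subnet, or exposed through a different network path, still counts as reachable for the advisory's purposes, so run the probe from an untrusted vantage point or check the firewall rules directly.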
