Critical vulnerability in Cisco devices exposes networks of thousands of SMEs

A default configuration grants full admin-level access to unauthenticated remote users

A critical, still unpatched vulnerability in Cisco's Small Business Switch products, widely used by SMEs, leaves these devices open to remote attacks by unauthenticated users. According to experts in network security and ethical hacking from the International Institute of Cyber Security, an attacker could exploit this flaw to take full control of the affected device and, through it, the entire network of an organization.

According to network security experts, the Small Business Switch was developed by Cisco to operate in small organizations and home office environments for the control and management of small local networks. It is one of the most popular solutions offered by the company for organizations with limited resources, as its price range starts at $300 USD.

The vulnerability, tracked as CVE-2018-15439, is rated critical with a score of 9.8/10 on the Common Vulnerability Scoring System scale. It stems from the default device configuration, which includes a built-in user account with admin privileges that cannot be removed from the system.

In recent days, Cisco issued a security statement that warns users: “An attacker can use this default account to log into a vulnerable device and execute commands with all administrator privileges. This vulnerability could allow remote attackers to bypass the Small Business Switch user authentication system”.

Because these devices are used to manage local area networks (LANs), exploiting this vulnerability would give attackers access to network security features such as the firewall configuration or the network management panel.

Cisco has not yet released a patch for this vulnerability, although one is expected over the next few days, according to the company's network security experts. It's not all bad news, though: there is a simple workaround. An administrator can add at least one user account with privilege level 15 to the Small Business Switch configuration to mitigate the risk.

“A user can set up an account using ‘admin’ as the user ID, setting the access privilege to level 15 and setting a complex password for this new administrator account. By adding this new account, the default privilege account will be disabled,” mentions the Cisco security alert.
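A defender-side check for the workaround quoted above, added here as an example and not code from Cisco or from the article: it parses a Small Business Switch running-config excerpt (the samples are constructed, and the `username ... privilege <n>` line format is an assumption) and reports whether any privilege-15 account exists, i.e. whether the default account should now be disabled.

```python
import re
from typing import Dict, List

# Constructed running-config excerpts (not real device output).
# Assumed line shape, modelled on the Cisco Small Business switch CLI:
#   username <name> password encrypted <hash> privilege <level>
# Keyword order is not relied on; a missing "privilege" keyword is
# treated as level 1 (assumption).
CONFIG_UNMITIGATED = """\
hostname sw-lab-01
interface vlan 1
 ip address 192.0.2.10 255.255.255.0
"""

CONFIG_MITIGATED = """\
hostname sw-lab-02
username admin password encrypted 0123456789abcdef privilege 15
username monitor password encrypted fedcba9876543210 privilege 1
interface vlan 1
 ip address 192.0.2.11 255.255.255.0
"""

_USER_RE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$")
_PRIV_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b")
ADMIN_LEVEL = 15  # the level the Cisco workaround requires


def configured_users(config: str) -> Dict[str, int]:
    """Return {username: privilege level} for every 'username' line."""
    users: Dict[str, int] = {}
    for line in config.splitlines():
        m = _USER_RE.match(line)
        if not m:
            continue
        priv = _PRIV_RE.search(m.group("rest"))
        users[m.group("name")] = int(priv.group("level")) if priv else 1
    return users


def level15_accounts(config: str) -> List[str]:
    """Accounts whose presence disables the built-in default admin account."""
    return sorted(n for n, lvl in configured_users(config).items() if lvl == ADMIN_LEVEL)


def is_mitigated(config: str) -> bool:
    """True when at least one level-15 account exists, per the Cisco workaround."""
    return bool(level15_accounts(config))


def report(config: str) -> str:
    host = next((l.split()[1] for l in config.splitlines() if l.startswith("hostname ")), "?")
    state = "mitigated" if is_mitigated(config) else "EXPOSED (no privilege-15 account)"
    return f"{host}: {state}; level-15 accounts: {level15_accounts(config) or 'none'}"


if __name__ == "__main__":
    for cfg in (CONFIG_UNMITIGATED, CONFIG_MITIGATED):
        print(report(cfg))
```

Running it against a real backup of the switch configuration is a quick way to audit a fleet until the patch ships.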

Just a few days ago, Cisco released 18 new patches as part of its monthly updates, including fixes for several of its products aimed at small businesses. Among them were two critical vulnerabilities that could lead to a denial of service on the affected devices; the flaws could be exploited by unauthenticated attackers via email.

The entire list of affected devices is available on the Cisco support webpage.