Critical vulnerability in Cisco network management tool: Network Assurance Engine

The company discovered a severe security flaw during a routine process

Cisco has notified its customers that they need to install an update to correct a critical vulnerability affecting the Network Assurance Engine (NAE), which is used to manage data center networks.

The vulnerability, tracked as CVE-2019-1688, allows an attacker to take advantage of an error in the NAE password management system to override one of these servers and generate a denial-of-service condition, report network security and ethical hacking specialists from the International Institute of Cyber Security.

According to network security specialists, NAE is a key tool for managing data center networks, as it helps administrators determine the impact of network changes and avoid application outages.

The company explained that the vulnerability exists because password changes made by users in the web administration interface do not propagate to the command line interface (CLI), so the default password remains in place in the CLI. The vulnerability only seems to affect versions 3.0 and 3.1 of NAE.

A local attacker could exploit the vulnerability by authenticating with the default administrator password in the CLI of a compromised server. From that point, the attacker could access confidential information, or even crash the server.

The vulnerability was corrected in versions 3.0 and 3.1 of Cisco NAE, although the company points out that to eliminate any possibility of exploitation users must change the administrator password after having installed the security update.

Cisco has also described a risk mitigation method that involves changing the default password for the CLI. However, the company recommends that customers contact their technical support center before implementing any of the available solutions. Cisco emphasizes that the password change must be completed on all nodes of the cluster.
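The following added example (not Cisco's code, and not taken from the original article) models the flaw described above and why the password change has to reach every node. The `Node` class, the function names and the default password value are hypothetical placeholders; the model only assumes that each node keeps separate web and CLI credential stores.

```python
import hashlib
import hmac
import os

# Constructed placeholder; the real default password is not given in the article.
DEFAULT_PASSWORD = "constructed-default"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Node:
    """Modelled cluster node with separate web and CLI credential stores."""
    def __init__(self, name):
        self.name = name
        self.salt = os.urandom(16)
        self.web = _hash(DEFAULT_PASSWORD, self.salt)
        self.cli = _hash(DEFAULT_PASSWORD, self.salt)

    def cli_login(self, password):
        return hmac.compare_digest(self.cli, _hash(password, self.salt))

def change_password_flawed(cluster, new):
    # Flawed behaviour: the web store changes, the CLI store keeps the default.
    for node in cluster:
        node.web = _hash(new, node.salt)

def change_cli_password(node, new):
    # Mitigation applied to a single node's CLI store.
    node.cli = _hash(new, node.salt)

def change_password_fixed(cluster, new):
    # Corrected behaviour: web and CLI stores are updated on every node.
    for node in cluster:
        node.web = node.cli = _hash(new, node.salt)

def nodes_accepting_default(cluster):
    """Audit: names of nodes whose CLI still accepts the default password."""
    return [n.name for n in cluster if n.cli_login(DEFAULT_PASSWORD)]

if __name__ == "__main__":
    cluster = [Node("node-1"), Node("node-2"), Node("node-3")]
    change_password_flawed(cluster, "web-ui-change")
    print("after web UI change:", nodes_accepting_default(cluster))
    change_cli_password(cluster[0], "cli-change")
    print("after fixing one node:", nodes_accepting_default(cluster))
    change_password_fixed(cluster, "propagated-change")
    print("after full propagation:", nodes_accepting_default(cluster))
```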

The Cisco network security teams claim that, so far, no cases of exploitation of this vulnerability have been reported in real scenarios. They highlighted that the flaw was discovered during routine security testing, and the company believes it is unlikely that any hacker discovered this error before its security teams.