Cloud security course specialists revealed the finding of a critical vulnerability in Cisco Virtual Wide Area Application Services (vWAAS), a virtual deployment for both enterprise and service provider, that accelerates commercial applications delivered from virtual and private private cloud infrastructure. According to the report, the successful exploitation of these flaws would allow threat actors to gain full control of the target system.
Below is a brief overview of the reported flaw, in addition to its identification key and score according to the Common Vulnerability Scoring System (CVSS).
CVE-2020-3446: The presence of hard-coded credentials in Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS) would allow unauthenticated remote malicious hackers to access the affected system.
According to cloud security course experts, successful exploitation of this flaw could compromise the vulnerable system altogether.
Vulnerable Cisco Wide Area Application Services versions are: 6.0(1), 6.1(1), 6.2(1), 6.2(3), 6.2 (3a), 6.2(3b), 6.2(3c), 6.2(3e) 31, 6.2(3e) 40, 6.3(1), 6.4(1), 6.4(3d). This vulnerability affects Cisco ENCS 5400-W and CSP 5000-W series devices if you are running Cisco vWAAS with versions 6.4.5 or 6.4.3d of images packaged with NFVIS and earlier.
This is considered a critical vulnerability and received a CVSS score of 8.5/10.
While cloud security course specialists mention that the flaw can be exploited by remote threat actors over the Internet, attempts to exploit actively or any malware related to the attack have not yet been detected. Updates are ready, so administrators of affected deployments are encouraged to update as soon as possible.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.