Yesterday, September 19th, Cisco announced an advisory for a critical vulnerability (CVE-2018-0150) in their IOS XE Software.
The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access.
CVSS Score: Base 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Advisory link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc
Affected versions
- Cisco IOS XE 16.5.x version < 16.5.2
- Cisco IOS XE 16.6.x version < 16.6.1
- Cisco IOS XE running on Integrated Services Virtual Router (ISRv)
For Cisco IOS XE releases running on a Cisco ISRv, refer to https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc
Unaffected versions
- Cisco IOS XE version < 16.x
- Cisco IOS XE version 16.5.2
- Cisco IOS XE version 16.6.1
Solution
Cisco has provided workarounds to address this vulnerability:
Administrators may remove the default account by using the no username cisco command in the device configuration. Alternatively, administrators may log in to the device and change the password for this account.
For the Cisco ISRv, administrators should remove old packages from their datastore and update the ISRv package so that a newly deployed Cisco ISRv does not ship with the default account.
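As an added example (not from Cisco's advisory or this post), the following Python audit parses show version and show running-config output to flag releases in the affected ranges listed above and a lingering default account that the no username cisco workaround would remove. The sample outputs and the password hashes in them are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges from the advisory summary: 16.5.x below 16.5.2 and 16.6.x below 16.6.1.
# Other trains are not listed, so they are not flagged; the ISRv case depends on the
# deployed package and cannot be judged from these two command outputs.
FIXED_RELEASES = {(16, 5): (16, 5, 2), (16, 6): (16, 6, 1)}
DEFAULT_ACCOUNT = "cisco"  # the account the "no username cisco" workaround removes

VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\d+)\.(\d+)\.(\d+)")
# IOS local accounts: "username NAME privilege N secret ..."; privilege defaults to 1 if absent.
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.MULTILINE)

# Constructed sample outputs (hashes are placeholders, not real device data).
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 16.05.01\n"
SAMPLE_CONFIG = """\
username admin privilege 15 secret 9 $9$CONSTRUCTED_HASH
username cisco privilege 15 secret 5 $1$CONSTRUCTED_HASH
username noc secret 5 $1$CONSTRUCTED_HASH
"""

def parse_version(show_version: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from 'show version' text; None if not found."""
    m = VERSION_RE.search(show_version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def version_affected(version: Tuple[int, int, int]) -> bool:
    """True when the release is in an affected train and predates its fixed release."""
    fixed = FIXED_RELEASES.get(version[:2])
    return fixed is not None and version < fixed

def find_default_account(running_config: str) -> List[Tuple[str, int]]:
    """Return (name, privilege) for every line that still defines the default account."""
    hits = []
    for m in USERNAME_RE.finditer(running_config):
        name, priv = m.group(1), int(m.group(2) or 1)
        if name == DEFAULT_ACCOUNT:
            hits.append((name, priv))
    return hits

def assess(show_version: str, running_config: str) -> List[str]:
    """Findings a defender would act on: affected release and/or default account present."""
    findings = []
    version = parse_version(show_version)
    if version and version_affected(version):
        findings.append("release %d.%d.%d is in an affected range" % version)
    for name, priv in find_default_account(running_config):
        findings.append(f"account '{name}' present with privilege {priv}: remove it with "
                        f"'no username {name}' or change its password")
    return findings
```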