An error in the password management system of Cisco's Network Assurance Engine (NAE) allows attackers to disable a NAE server, causing a denial of service (DoS). The error has now been fixed and Cisco advises users to install the update containing the fix, reports ZDNet.
NAE is an important network management tool for data centers, enabling administrators to determine the impact of network changes and prevent application failures. However, there appears to be a flaw in that system.
An attacker can use this error in the password management system of NAE to disable a NAE server, resulting in a DoS. According to Cisco, the error is due to the fact that password changes made by users in the web-management interface are not propagated to the command-line interface (CLI), so the old password remains valid on the CLI. The error only affects NAE version 3.0; older versions do not suffer from it.
A local attacker could misuse the error by logging in with the default administrator password on the CLI of an affected server. From here, the attacker can view sensitive information and take the server offline.
Solution
The error has been solved in Cisco NAE Release 3.0(1a). However, the company says that users must change the administrator password after upgrading to that version in order to solve the problem completely.
Cisco also offers a temporary workaround, which consists of changing the default administrator password of the CLI. However, Cisco recommends that users contact the Technical Assistance Center to do so, so that the default password can be changed in a secure remote support session. The password change must be carried out on all nodes in the cluster.
The Cisco security team is not aware of any attacks exploiting the error in the wild. The error was found during an internal security test.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.