Cisco Network Assurance Engine Bug Allows Login with Old Passwords

Cisco has issue a security advisory for Cisco Network Assurance Engine (NAE) Release 3.0(1) for a bug that causes password changes done via NAE to not be synchronized to the CLI of the associated device. This would allow a user to be able to gain access to a device via its CLI using the previous password.

The Cisco Network Assurance Engine (NAE) is a management software used by data centers or network operation centers to monitor their networks and devices and to make sure they are compliant with current policies.

This bug, titled "Cisco Network Assurance Engine CLI Access with Default Password Vulnerability", has been assigned a Cisco ID of cisco-sa-20190212-nae-dos and the CVE-2019-1688 identifier. The vulnerability could allow users who know the previous administrator password to login to the device via the CLI or perform a shutdown.

According to Cisco, this bug only affects NA version 3.0(1) and those who have upgraded to this version will not be affected. If any password changes are made with this version of NAE, though, they will not be synchronized with the device's CLI and would allow a user to continue to gain access by logging in directly to the device.

"The vulnerability is due to a fault in the password management system of NAE," states Cisco's advisory. "An attacker could exploit this vulnerability by authenticating with the default administrator password via the CLI of an affected server. A successful exploit could allow the attacker to view potentially sensitive information or bring the server down, causing a DoS condition."

This vulnerability has been fixed in Cisco NAE Release 3.0(1a).  Once this update is installed, Cisco states that you should change the administrator password again from the management web interface to properly synchronize the passwords.

For those who do not wish to install this update now, the only way to synchronize the passwords is to change the password via the device's CLI using the passwd command.