Reminder to Cisco: Remove Testing Interface
Monday, October 3, 2016 @ 03:10 PM gHale
Cisco inadvertently shipped a critical vulnerability in its email security appliances by failing to remove an internal testing interface before release.
The vulnerability affects physical and virtual Email Security Appliances (ESA) running IronPort AsyncOS software, Cisco officials said.
The flaw allows a remote attacker to gain complete control of the affected device with root privileges.
Tracked as CVE-2016-6406, the vulnerability is the result of an internal testing and debugging interface Cisco installed for the manufacturing phase. Since the interface made it into production releases, attackers can connect to it without authentication and hijack the vulnerable device.
The flaw affects various 9.1.2, 9.7.2 and 10.0.0 software releases. The good news is a device is not vulnerable if it has been rebooted more than once, since the problematic interface is automatically disabled after the second reboot.
Cisco released updates for versions 9.1.2 and 9.7.2, and a patch for version 10.0.0 should become available early this month. Cisco has also released an update for the Enrollment Client component that prevents the flaw from being exploited regardless of which software version is running.
As a workaround, customers can simply reboot their devices using the reboot command from the command-line interface (CLI). The internal testing and debugging interface is disabled once the reboot has completed.