Cisco issues critical patch for Nexus switches to remove hardcoded credentials
Cisco Systems has released software updates for its Nexus 3000 and 3500 switches to remove a default administrative account with static credentials that could allow remote attackers to compromise the devices. The account is created at installation time by the Cisco NX-OS software that runs on these switches, and it cannot be changed or deleted without affecting the system's functionality, Cisco said in an advisory.
The company rated the issue as critical because authenticating with this account gives attackers access to a bash shell with root privileges, meaning they can fully control the device. One factor that may limit attacks is that, on most NX-OS releases, the default account can only be used over Telnet, which is disabled by default. The exception is Nexus 3500 Platform Switches running Cisco NX-OS Software release 6.0(2)A6(1), on which the account can also be used over SSH (Secure Shell).
The affected products are: Cisco Nexus 3000 Series switches running NX-OS 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4) and 6.0(2)U6(5), and Cisco Nexus 3500 Platform switches running NX-OS 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5) and 6.0(2)A7(1).
Cisco has provided patched versions of these releases, but the company advises users to upgrade to NX-OS 6.0(2)U6(5a) for Nexus 3000 switches and to 6.0(2)A7(1a) or 6.0(2)A6(5a) for Nexus 3500 switches, because these versions also contain patches for two other high-impact vulnerabilities that can lead to denial-of-service conditions. One of those flaws can be exploited by sending a specific TCP packet to an affected device on a TCP session that is already in the CLOSE_WAIT state. This causes the TCP stack to reload, resulting in a denial of service.
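As an added example (not part of the original article or of Cisco's advisory), the following Python checker takes the text of `show version` and `show feature` from a Nexus 3000/3500 switch and reports whether the release is on the affected list above and whether the static account is actually reachable, given that it is only usable over Telnet except on the 6.0(2)A6(1) release of the Nexus 3500, where SSH also works. The sample CLI output is constructed for the example; the platform detection by model number (35xx versus other 30xx/31xx models) and the treatment of 6.0(2)A6(1) as an affected release are assumptions the page implies but does not state outright.

```python
import re

# Affected releases exactly as listed in the article. They are compared as
# strings because NX-OS labels such as 6.0(2)U6(5a) do not sort numerically.
AFFECTED = {
    "Nexus 3000": {"6.0(2)U6(1)", "6.0(2)U6(2)", "6.0(2)U6(3)",
                   "6.0(2)U6(4)", "6.0(2)U6(5)"},
    "Nexus 3500": {"6.0(2)A6(2)", "6.0(2)A6(3)", "6.0(2)A6(4)",
                   "6.0(2)A6(5)", "6.0(2)A7(1)"},
}
# Assumption: the article says the account is reachable over SSH on this
# Nexus 3500 release, so the checker treats that release as affected too.
SSH_REACHABLE = {"Nexus 3500": {"6.0(2)A6(1)"}}
# Releases the article says Cisco recommends upgrading to.
UPGRADE_TO = {"Nexus 3000": "6.0(2)U6(5a)",
              "Nexus 3500": "6.0(2)A6(5a) or 6.0(2)A7(1a)"}


def parse_show_version(text):
    """Return (platform, release) from 'show version' output."""
    m = re.search(r"Nexus\s?(3\d{3})", text)
    if not m:
        raise ValueError("not a Nexus 3000/3500 device")
    model = int(m.group(1))
    # Assumption: 35xx models are the 3500 Platform, other 3xxx the 3000 Series.
    platform = "Nexus 3500" if 3500 <= model < 3600 else "Nexus 3000"
    v = re.search(r"version\s+(\d+\.\d+\(\d+\)[A-Za-z0-9()]*)", text)
    if not v:
        raise ValueError("no NX-OS version line found")
    return platform, v.group(1)


def parse_show_feature(text):
    """Return {feature: enabled?} from 'show feature' output (name, instance, state)."""
    state = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("enabled", "disabled"):
            state[parts[0]] = parts[2] == "enabled"
    return state


def assess(show_version, show_feature):
    """Combine release and enabled services into an exposure verdict."""
    platform, release = parse_show_version(show_version)
    features = parse_show_feature(show_feature)
    ssh_releases = SSH_REACHABLE.get(platform, set())
    affected = release in AFFECTED[platform] or release in ssh_releases
    exposed = []
    if affected:
        # The account is usable over Telnet on every affected release...
        if features.get("telnetServer", False):
            exposed.append("telnet")
        # ...and over SSH only on the release(s) the article singles out.
        if release in ssh_releases and features.get("sshServer", False):
            exposed.append("ssh")
    return {"platform": platform, "release": release, "affected": affected,
            "exposed_via": exposed,
            "upgrade_to": UPGRADE_TO[platform] if affected else None}


# Constructed sample output, shaped like NX-OS 'show version' / 'show feature'.
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS:      version 2.0.0
  loader:    version N/A
  kickstart: version 6.0(2)U6(3)
  system:    version 6.0(2)U6(3)
Hardware
  cisco Nexus 3048 Chassis ("48x1GE + 4x10G Supervisor")
"""

SAMPLE_SHOW_FEATURE = """\
Feature Name          Instance  State
--------------------  --------  --------
sshServer             1         enabled
telnetServer          1         disabled
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_SHOW_FEATURE))
```

With the sample above the device is on an affected release but the account is not reachable, because Telnet is off and the Nexus 3000 releases do not expose it over SSH; enabling `telnetServer`, or running 6.0(2)A6(1) on a 3548 with SSH on, flips the verdict. A non-empty `exposed_via` is the case to treat as an open root-level backdoor until the upgrade is done.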