by Robinson Roca
Practice Leader – Network Infrastructure
Ensuring your network and environment is free of potential vulnerabilities and looking out for security gaps is a full time job. The typical approach for most firms is to just have their “Helpdesk” make sure things are the way they need to be. That may be a good approach for the desktop as the Helpdesk is typically designed to provide support to end users, but supporting your firm’s security posture needs a certain type and level of dedicated personnel.
When a switch, firewall, router or any other number of network infrastructure and security devices has a vulnerability, it could affect anything between Layer 1 and Layer 7 of the OSI model. If your team is not familiar with troubleshooting an IP stack, or debugging IOS, NX-OS, or FWOS logs the value of your vulnerability alert, and vulnerability check cadence diminishes.
A few years ago, several Cisco devices were affected by a Clocking Signal component failure on the mother boards of various devices; routers, firewalls, and some switches. This didn’t just affect Cisco, but various other vendors who patronize the firm who sold the Clock Signal component. The devices would just fail and could not be resuscitated after the failure. Cisco did a great job of communicating to their customers and their partners, but many firms ignored this alert/warning because of the lack of focus on vulnerabilities, and warnings.
Helient takes pride in keeping our customers informed of potential Vulnerabilities and risks. We maintain a list of our customers network infrastructure makes and models. Helient also maintains and secures encrypted stored copies of network infrastructure configurations, which are be reviewed to confirm or refute the presence of a vulnerability in the environment. Cisco’s latest vulnerabilities are very specific, and we wanted to share a few hot ones with you.
Cisco IOS XE Software Web UI Command Injection Vulnerabilities
It is a known best practice in the network industry to turn off the Web GUI on network devices such as routers, and switches. As the network infrastructure world continues to find greater value in centralized management or cloud management, various vendors require the enablement of the GUI for either direct GUI web calls or API calls to the devices. Opening HTTP to these devices opens up the potential to vulnerabilities to bad actors, both internal and external. So lets be safe, and ensure we apply access-lists to define access only from specific hosts or subnets, further more we can lock the HTTPS connections to specific encryption cyphers. While this does tighten security a bit, it still doesn’t resolve the latest Web UI Injection vulnerability. This vulnerability is listed with the following Common Vulnerability and Expose (CVE) identifiers CVE-2019-12650, CVE-2019-12651. In this case it allows an Authenticated hacker to execute elevated privileges. This cannot be stressed enough, protecting your environment with a centralized Authentication server is critical, using TACACS+ will allow for an accounting of what commands were issued, but can also limit the level of privileges users have.
Cisco Catalyst 4000 Series Switches TCP Denial of Service Vulnerability
Another vulnerability has been discovered that can affect those firms who have not been following a consistent network infrastructure refresh cycle. Various vulnerabilities have been found in the Cisco 4500 Sup 6E, 6L-E, 4900M, and 4948 switches. These switches and supervisors have all been announced end-of-life, and are moving through their end-of-life milestones. Its recommended you upgrade to a supported platform, as Helient has done for many of our customer running the Cisco 4500 Series switches. If you still run this platform, please call Helient and we would be happy to offer our asssitance. This vulnerability’s CVE designation is CVE-2019-12652 and can lead to a TCP denial of service. Crafted TCP traffic destined to the affected device can cause the control plane of the device to lock up due to exhausted buffer resources.
Below is a subset of the vendor vulnerabilities lists we review for our customers. Please review what suits your environment.
If you have any questions or need assistance, please contact us at email@example.com.