Cisco WAAS Hardcoded Credentials and Privilege Escalation (CVE-2018-0329)

In March 2018, Aaron Blair from Brisbane-based RIoT Solutions discovered two vulnerabilities in Cisco’s Wide Area Application Services (WAAS) product. He found both in WAAS software version v6.2.3c, and the vulnerabilities exist in WAAS Central Manager (CM) and WAEs (Wide Area Application Engines).

These vulnerabilities affect any platform (hardware or virtualised) running the affected versions of software. They were assigned CVE-2018-0329 and CVE-2018-0352.

The first, CVE-2018-0329, is a hidden, hardcoded, read-only SNMP community string which the administrator is unable to view or disable. The second, CVE-2018-0352, is a local privilege escalation vulnerability which allows a user with the ‘admin’ role to elevate to the root user, normally inaccessible to anybody but Cisco themselves.

CVE-2018-0329 Vulnerabilities Summary

The hardcoded SNMP string can be found in /etc/snmp/snmpd.conf.

This string cannot be discovered or disabled without access to the root filesystem, which regular administrative users do not have under normal circumstances.

An unauthenticated, remote attacker could use this string to retrieve statistics and system information from the WAAS systems.
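The following audit sketch is an added example, not code from the original post or from Cisco. It lists every community string defined in an snmpd.conf and flags those the administrator did not configure. It assumes standard net-snmp directive syntax and read access to the file (for example from an extracted filesystem image); the sample config and community values are constructed.

```python
import shlex

# net-snmp directives that carry a v1/v2c community string.
DIRECT = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
MAPPED = {"com2sec", "com2sec6"}

# Constructed sample config; the community values are placeholders.
SAMPLE = '''\
# constructed sample, not taken from a WAAS system
syslocation lab
rocommunity monitoring-ro 10.0.0.0/8
com2sec -Cn ctx1 notConfigUser default EXAMPLE-HIDDEN
rwcommunity6 "ops rw" ::1
'''

def find_communities(conf_text):
    """Return (line_no, directive, community) for each community defined."""
    found = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)      # honours quoted communities
        except ValueError:
            tok = line.split()           # unbalanced quote: fall back
        name, args = tok[0].lower(), tok[1:]
        if name in DIRECT and args:
            found.append((no, name, args[0]))
        elif name in MAPPED:
            if args[:1] == ["-Cn"]:      # optional context: -Cn CONTEXT
                args = args[2:]
            if len(args) >= 3:           # SECNAME SOURCE COMMUNITY
                found.append((no, name, args[2]))
    return found

def audit(conf_text, expected):
    """Communities present in the file but not in the admin's own list."""
    return [hit for hit in find_communities(conf_text) if hit[2] not in expected]

if __name__ == "__main__":
    for no, name, community in audit(SAMPLE, {"monitoring-ro", "ops rw"}):
        print(f"line {no}: unexpected {name} community {community!r}")
```
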

Fix Information

Cisco has provided a fix, but users need a support contract and/or must contact Cisco TAC in order to obtain it.

Fixed Releases

  • v6.2(3e)31
  • v6.4(1b)15
  • v6.4(3.46)

For further detailed technical information on both CVEs, please see:

Aaron Blair’s blog post detailing it all – https://xor.cat/2018/06/07/cisco-waas-multiple-cves/
CVE entries: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0329 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0352
Cisco’s security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-waas-snmp
