Critical vulnerabilities expose Cisco equipment to hijacking attacks


Cisco has disclosed, and patched, two critical flaws in its Catalyst PON Series Switches Optical Network Terminals (ONTs) that could allow an unauthenticated attacker to gain root access to the devices.

As reported by The Register, the two vulnerabilities are tracked as CVE-2021-34795 and CVE-2021-40113. The former stems from an "unintentional debugging credential": in effect, a backdoor account left on the device by the developers for debugging.

Anyone who knows the hidden credential can log in as root on the passive optical network ONTs, but only if Telnet is enabled on the device; it is disabled by default.

The latter stems from insufficient validation of user-supplied input in the web-based management interface, which lets an unauthenticated attacker perform command injection against the device.

Patch available

"An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface," Cisco says. "A successful exploit could allow the attacker to execute arbitrary commands on an affected device as the root user."

The attacker must be able to reach the management interface: remotely, if Remote Web Management is enabled on the device, or otherwise from the LAN side.
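The class of bug Cisco describes, a web-management handler that pastes user input into a command run as root, is easy to illustrate. The following is an added example written for this page, not Cisco's firmware code; the "ping diagnostic" endpoint, the function names and the attacker payload are hypothetical. It shows the unsafe string-building pattern next to the hardened form, which allow-lists the input and hands an argv array to the kernel so no shell ever parses it.

```c
/* Added illustration (not Cisco firmware code): how "insufficient
 * validation of user-supplied input" in a root-privileged web handler
 * becomes command execution, and the argv-based alternative.
 * The ping diagnostic endpoint and all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_HOST 253

/* VULNERABLE pattern: the host string from the HTTP request is pasted into
 * a shell command line destined for system()/popen(). Embedded web servers
 * commonly run as root, so "8.8.8.8; cat /etc/shadow" runs the second
 * command as root. Returns 0 and fills cmd, -1 on truncation. */
int build_ping_cmd_unsafe(const char *host, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "/bin/ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= cmdlen)
        return -1;
    return 0;
}

/* Strict allow-list for a hostname or IPv4 literal: ASCII letters, digits,
 * '-' and '.', 1..MAX_HOST chars, and no leading '-' (which ping would
 * otherwise parse as an option even with no shell involved).
 * Returns 1 if the value is acceptable, 0 otherwise. */
int valid_hostname(const char *host) {
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > MAX_HOST || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* HARDENED pattern: validate first, then build an argv[] for execve() so
 * the input is only ever one argument, never shell syntax. argv must have
 * room for 5 entries. Returns 0 on success, -1 if the host is rejected. */
int build_ping_argv_safe(const char *host, const char *argv[5]) {
    if (!valid_hostname(host))
        return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}

int main(void) {
    /* Constructed attacker input, as it might arrive in a form field. */
    const char *payload = "8.8.8.8; cat /etc/shadow";
    char cmd[512];
    const char *argv[5];

    if (build_ping_cmd_unsafe(payload, cmd, sizeof cmd) == 0)
        printf("unsafe handler would hand the shell: %s\n", cmd);
    if (build_ping_argv_safe(payload, argv) < 0)
        printf("hardened handler rejected: %s\n", payload);
    if (build_ping_argv_safe("example.com", argv) == 0)
        printf("hardened handler would execve: %s %s %s %s\n",
               argv[0], argv[1], argv[2], argv[3]);
    return 0;
}
```

The hardened version does two independent things: it rejects anything outside a narrow allow-list, and it avoids the shell entirely, so even a validation gap cannot turn into metacharacter injection. Rejecting a leading '-' also closes argument injection, which survives shell-free execution.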

According to Cisco's advisory, the Catalyst PON Switch CGP-ONT-1P, CGP-ONT-4P, CGP-ONT-4PV, CGP-ONT-4PVC and CGP-ONT-4TVCW models are all affected. Users should update the firmware on these devices as soon as possible.

The Register also notes a third, high-severity (CVSS 8.6) flaw in the same ONTs, tracked as CVE-2021-40112, which allows an unauthenticated remote attacker to modify the devices' configuration. Separately, Cisco disclosed a flaw in its Policy Suite product.

"A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user," the company said. To fix this, users should update the software and generate new SSH keys.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.