On July 18, 2018, Cisco released 25 security updates, including a critical patch for the Cisco Policy Suite that removes an undocumented password for the root account. Here is some information for administrators using the Cisco Policy Suite (CPS) in enterprise environments.
The Cisco Policy Suite (CPS)
The Cisco Policy Suite is a complex software package available for Mobile, WiFi and Broadband Network Gateways (BNG), which Cisco sells to Internet Service Providers (ISPs) and large corporate customers. Network administrators can use the software to set up bandwidth usage policies and subscription plans for customers and employees.
The software is equipped with network-intrusive functions that enable it to keep track of individual users and traffic on individual network layers. Access policies can also be enforced. The weak points in the product were probably found during internal audits, among other things.
Critical vulnerability in CPS
The Cisco Policy Suite (CPS) contains at least four vulnerabilities rated as ‘critical’, according to this document (dated July 18, 2018):
- CVE-2018-0374: A vulnerability in the Cisco Policy Builder database could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database.
- CVE-2018-0375: A vulnerability in the Cisco Policy Suite Cluster Manager could allow an unauthenticated, remote attacker to log on to an affected system using the root account, which has static user credentials by default.
- CVE-2018-0376: A vulnerability in the Policy Builder interface of the Cisco Policy Suite could allow an unauthenticated, remote attacker to access the Policy Builder interface.
- CVE-2018-0377: A vulnerability in the Open Systems Gateway Initiative (OSGi) interface of the Cisco Policy Suite could allow an unauthenticated, remote attacker to connect directly to the OSGi interface.
The list of vulnerabilities contains further entries whose effect is classified as High or Medium. These vulnerabilities allow attackers to access the Cisco Policy Suite and perform the manipulations described in the CVEs.
Details and any workarounds suggested by Cisco (if known) can be found in the relevant security article, which is linked from this document. The detailed article also states which vulnerability has been fixed in which CPS version (e.g. 18.1.0, 18.2.0, 18.3.0). Customers with a valid CPS product license will receive an update from Cisco to fix the vulnerabilities. The updated versions can be downloaded from the Software Download-Center (requires registration). If anything is unclear, please contact Cisco support.