How can we help?
Cisco has patched 2 vulnerabilities that would allow a remote attacker to log in to their devices using default credentials.
This follows multiple severe Denial of Service vulnerabilities reported last week.
A default, static password in some Cisco Catalyst PON series devices (CVE-2021-34795) could allow a remote attacker to log in if the Telnet service has been manually enabled.
A reused SSH key (CVE-2021-40119 ) would allow a remote attacker with a copy of the key to log in to an affected device as a root user.
A remote attacker can take control of some network devices.
A remote attacker can cause a Denial of Service in some network devices.
An authenticated FTD user could execute commands on the device with root privileges.
Cisco Policy Suite
- Catalyst PON Switch CGP-ONT-1P
- Catalyst PON Switch CGP-ONT-4P
- Catalyst PON Switch CGP-ONT-4PV
- Catalyst PON Switch CGP-ONT-4PVC
- Catalyst PON Switch CGP-ONT-4TVCW
Containment, Mitigations & Remediations
Cisco have released advice on how to regenerate the SSH key.
Indicators of Compromise
Cisco’s PSIRT say there’s no PoC available online for the remote login attacks and no evidence of ongoing exploitation but the root SSH key can be extracted from a device so it won’t be long until this is being used by criminals.
T1190 – Exploit Public-Facing Application