Home / About / Threat Intelligence / Critical Vulnerabilities in Cisco Devices

Overview

Cisco has patched 2 vulnerabilities that would allow a remote attacker to log in to their devices using default credentials.
This follows multiple severe Denial of Service vulnerabilities reported last week.

A default, static password in some Cisco Catalyst PON series devices (CVE-2021-34795) could allow a remote attacker to log in if the Telnet service has been manually enabled.

A reused SSH key (CVE-2021-40119 ) would allow a remote attacker with a copy of the key to log in to an affected device as a root user.

Impact

A remote attacker can take control of some network devices.

A remote attacker can cause a Denial of Service in some network devices.

An authenticated FTD user could execute commands on the device with root privileges.

Affected Products

Cisco Policy Suite

  • Catalyst PON Switch CGP-ONT-1P
  • Catalyst PON Switch CGP-ONT-4P
  • Catalyst PON Switch CGP-ONT-4PV
  • Catalyst PON Switch CGP-ONT-4PVC
  • Catalyst PON Switch CGP-ONT-4TVCW

Containment, Mitigations & Remediations

Cisco have released advice on how to regenerate the SSH key.

Indicators of Compromise

None known.

Threat Landscape

Cisco’s PSIRT say there’s no PoC available online for the remote login attacks and no evidence of ongoing exploitation but the root SSH key can be extracted from a device so it won’t be long until this is being used by criminals.

 Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Cisco Catalyst PON Series Switches ONT Vulnerabilities

Cisco Policy Suite Static SSH Keys Vulnerability

Multiple Severe Vulnerabilities in Cisco Products

Cisco Security Advisories