Cisco Monitoring Tool Vulnerable to Attack
5/1/2007 -- Cisco Systems Inc. last week warned of a no-brainer vulnerability in its Cisco Network Services (CNS) NetFlow Collection Engine (NFC) which could expose that product to attack.
Organizations use Cisco's NFC to collect and monitor NetFlow accounting data from Cisco routers and switches. NetFlow data is typically collected in order to determine a network "baseline" -- a nominal view of network traffic -- by means of which one can proactively identify upticks in activity associated with denial of service (DoS) attacks, worms and other malicious attacks.
The vulnerability stems from the fact that flavors of NFC prior to version 6.0 create default system accounts with identical usernames and passwords. As a result, Cisco said, an attacker could potentially exploit this knowledge to access the NFC tool and modify its configuration. Under certain circumstances, an attacker could gain access to the host operating system, too, Cisco warned.
NFC is a Unix- or Linux-based tool. According to Cisco, its installation routine creates a default Web-based user account, dubbed "nfcuser," that has an identical password (i.e., "nfcuser").
This account is required for NFC maintenance, configuration, and troubleshooting, Cisco said. There's a further wrinkle here, too: In versions of NFC prior to 6.0, the Linux installer creates a local user -- dubbed, once again, "nfcuser" -- with an identical default password. If that username already exists, the installer will change its password to "nfcuser," too.
Under certain circumstances, then, an administrator might change the NFC password -- only to reinstall or update NFC, such that the installer automatically resets the password once again. In any case, Cisco warned, an attacker who supplies the right NFC credentials will gain complete administrative control of the NFC itself, along with user-level access to the host OS.
Cisco formally addressed this issue in NFC version 6.0, which prompts a user to change the password for the Web-based nfcuser account during the install process (or during an upgrade). Even in this case, however, users aren't completely out of the woods: On Linux systems, for example, the "nfcuser" account needs to be manually changed, too.
Cisco isn't issuing a patch, and the upgrade to NFC 6.0 isn't free. Instead, the networking giant recommends that administrators change the default "nfcuser" password. As of last week, Cisco wasn't aware of any known attacks (targeted or otherwise) which exploited this vulnerability. --Stephen Swoyer
|