Cisco has patched a critical bug affecting the web portal for its Elastic Services Controller Software that gives anyone full control of a vulnerable system by entering a blank password in the admin password field.
The flaw has a CVSS score of 9.8 out of a possible 10 and allows an unauthenticated, remote attacker to control a vulnerable system with the same rights as a legitimate administrator.
“An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal,” Cisco warned in an advisory.
“A successful exploit could allow the attacker to bypass authentication and gain administrator privileges for the web-based service portal of the affected software.”
The flaw is reminiscent of a recent authentication bypass affecting macOS High Sierra, which gave anyone admin rights by typing the word “root” in the username field and leaving the password field blank before hitting enter. That flaw, however, left a door open primarily to local attackers.
Cisco says the bug affects Cisco Elastic Services Controller Software Release 3.0.0, which was released last July. Cisco describes the software as a “Virtual Network Functions Manager (VNFM), which performs lifecycle management of Virtual Network Functions (VNFs).”
It released version 4.0.0 of the software in January. Versions prior to release 3.0.0 are not affected by the vulnerability, according to Cisco.
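The advisory does not say how the Elastic Services Controller portal came to accept an empty password, so the following is an added illustration of the general bug class rather than Cisco's code: a login routine that only runs password verification when a password value is present, placed beside a hardened version that rejects empty input and verifies unconditionally. The admin record, salt and password are constructed for the example.

```python
import hashlib
import hmac

# Constructed admin record for this example: a salted PBKDF2 hash of a
# made-up password. It is not a credential from any real product.
_SALT = b"example-salt-16b"
_ITERATIONS = 100_000
_ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITERATIONS)


def _verify(password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, _ADMIN_HASH)


def login_vulnerable(username: str, password: str) -> bool:
    """Hypothetical flawed check (not Cisco's code).

    Verification is guarded by a truthiness test on the submitted value, so
    an empty string is never verified and the function falls through to
    granting access. A wrong non-empty password is still rejected, which is
    why this kind of defect survives casual testing.
    """
    if username != "admin":
        return False
    if password:                     # "" is falsy: the whole block is skipped
        if not _verify(password):
            return False
    return True                      # reached without any verification for ""


def login_fixed(username: str, password: str) -> bool:
    """Hardened check: refuse empty input up front, then verify every
    submission; access is granted only on a successful verification."""
    if username != "admin" or not password:
        return False
    return _verify(password)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_fixed):
        print(fn.__name__, "empty password ->", fn("admin", ""))
```

The defensive point is the control flow, not the hashing: authentication code should have a single path to "allowed" that passes through the verifier, with "denied" as the default for every other path, so that an absent or empty credential cannot sidestep the check.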
Cisco also has a patch for a remotely exploitable bug in its Unified Communications Domain Manager that could be used to take control of a vulnerable system.
The product doesn’t securely generate keys during the application setup process, according to Cisco. An attacker could use a known insecure key to attack an application.
“An attacker could exploit this vulnerability by using a known insecure key value to bypass security protections by sending arbitrary requests using the insecure key to a targeted application. An exploit could allow the attacker to execute arbitrary code,” said Cisco.
This flaw also has a CVSS 3.0 score of 9.8 out of 10 and affects all Cisco Unified Communications Domain Manager releases prior to 11.5(2). Cisco has provided a script for admins to test whether devices running the software are vulnerable.
Unlike last month’s severe Adaptive Security Appliance VPN flaw with a CVSS score of 10, these two bugs were found during internal testing so there’s no immediate threat of a third-party researcher divulging details about the bug.