In March 2018, Aaron Blair of Brisbane-based RIOT Solutions discovered two vulnerabilities in Cisco’s Wide Area Application Services (WAAS) product. He found both in WAAS software version v6.2.3c; the vulnerabilities exist in WAAS Central Manager (CM) and in WAEs (Wide Area Application Engines).
The first, CVE-2018-0329, is a hidden, hardcoded, read-only SNMP community string which the administrator is unable to view or disable. The second, CVE-2018-0352, is a local privilege escalation vulnerability which allows a user with the ‘admin’ role to elevate to the root user, normally inaccessible to anybody but Cisco themselves.
CVE-2018-0329 Vulnerabilities Summary
The hardcoded SNMP string can be found in /etc/snmp/snmpd.conf.
This string cannot be discovered or disabled without access to the root filesystem, which regular administrative users do not have under normal circumstances.
An unauthenticated, remote attacker could use this string to retrieve statistics and system information from the WAAS systems.
Cisco has provided a fix; however, obtaining it requires users to hold a support contract and/or contact Cisco TAC.
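Because SNMPv1/v2c community strings travel in cleartext, a defender who cannot read snmpd.conf can still spot an undocumented community being used on the wire. The following is an added example (not code from the blog post, the advisory, or Cisco): it decodes the version and community string from SNMPv1/v2c messages and flags any community not on an allowlist; the packet builder and the allowlist are constructed sample input, and no real WAAS community value is assumed.

```python
# Added example: decode the version and community string from SNMPv1/v2c
# messages and flag communities that are not on the administrator's allowlist.
# v1/v2c communities travel in cleartext, so a sensor in front of the WAAS
# devices can see a hidden community in use even though snmpd.conf cannot be read.

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_community(packet):
    """Return (version, community) for an SNMPv1/v2c message, or None for
    anything else (SNMPv3 messages carry no community string)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:                         # outer SEQUENCE
        return None
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:                         # INTEGER version
        return None
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):               # 0 = SNMPv1, 1 = SNMPv2c
        return None
    tag, community, _ = _read_tlv(msg, pos)
    if tag != 0x04:                         # OCTET STRING community
        return None
    return version, community.decode("latin-1")

def unexpected_communities(packets, allowlist):
    """Community strings seen on the wire that the administrator never configured."""
    seen = set()
    for pkt in packets:
        parsed = parse_community(pkt)
        if parsed and parsed[1] not in allowlist:
            seen.add(parsed[1])
    return sorted(seen)

def build_get_request(community, version=1):
    """Constructed sample input: a minimal GetRequest for sysDescr.0."""
    oid = bytes([0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbind = bytes([0x30, len(oid) + 2]) + oid + b"\x05\x00"   # { OID, NULL }
    varbinds = bytes([0x30, len(varbind)]) + varbind
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + varbinds  # id, status, index
    pdu = bytes([0xA0, len(pdu_body)]) + pdu_body                  # GetRequest-PDU
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community.encode() + pdu
    return bytes([0x30, len(body)]) + body
```

Feeding captured UDP/161 payloads from a span port or packet capture into `unexpected_communities` with the communities you actually configured yields the list of strings you did not know were accepted.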
For further detailed technical information on both CVEs, please see:
Aaron Blair’s blog post detailing it all – https://xor.cat/2018/06/07/cisco-waas-multiple-cves/
CVE entries: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0329 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0352
Cisco’s security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-waas-snmp