CVE-2018-0294 in FXOS
Summary
by MITRE
A vulnerability in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to configure an unauthorized administrator account for an affected device. The vulnerability exists because the affected software does not properly delete sensitive files when certain CLI commands are used to clear the device configuration and reload a device. An attacker could exploit this vulnerability by logging into an affected device as an administrative user and configuring an unauthorized account for the device. The account would not require a password for authentication and would be accessible only via a Secure Shell (SSH) connection to the device. A successful exploit could allow the attacker to configure an unauthorized account that has administrative privileges, does not require a password for authentication, and does not appear in the running configuration or the audit logs for the affected device. This vulnerability affects Firepower 4100 Series Next-Generation Firewalls, Firepower 9300 Security Appliance, Nexus 1000V Series Switches, Nexus 1100 Series Cloud Services Platforms, Nexus 2000 Series Fabric Extenders, Nexus 3500 Platform Switches, Nexus 4000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, UCS 6100 Series Fabric Interconnects, UCS 6200 Series Fabric Interconnects, UCS 6300 Series Fabric Interconnects. Cisco Bug IDs: CSCvd13993, CSCvd34845, CSCvd34857, CSCvd34862, CSCvd34879, CSCve35753.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/28/2023
This vulnerability represents a critical privilege escalation flaw in Cisco's network infrastructure software affecting multiple product lines including firewalls, switches, and fabric interconnects. The issue stems from improper handling of sensitive file deletion during device configuration reset operations, specifically within the write-erase functionality of FXOS and NX-OS software versions. The vulnerability is classified as a local privilege escalation vector since it requires only authenticated access to the device but allows attackers to create unauthorized administrative accounts with elevated privileges. The flaw manifests when administrators execute certain CLI commands to clear device configurations and reload systems, failing to properly purge sensitive account files from the device's filesystem. This creates a persistent backdoor that remains undetected by normal audit mechanisms, as the unauthorized accounts do not appear in running configurations or audit logs.
The technical implementation of this vulnerability involves the failure of the software to properly clean up authentication-related files during configuration reset operations. When an administrator executes commands to clear configuration and reload the device, the system should remove all sensitive account information including password hashes, SSH keys, and administrative access credentials. However, the software leaves behind residual authentication artifacts that can be leveraged to create new administrator accounts without proper authentication requirements. This behavior creates a persistent security weakness that can be exploited by attackers who have already gained administrative access to the device, as they can establish unauthorized accounts that bypass normal authentication mechanisms. The accounts created through this vulnerability are specifically configured for SSH access only, which limits the attack surface but still provides complete administrative control over the affected device.
The operational impact of this vulnerability extends beyond simple unauthorized access to include complete device compromise and potential network infiltration. Since the unauthorized accounts are created without password requirements and remain hidden from audit trails, they provide attackers with persistent access that can evade detection by standard security monitoring systems. The vulnerability affects multiple Cisco product lines including Firepower 4100 series firewalls, Nexus switches across various platforms, and UCS fabric interconnects, making it a widespread concern for organizations relying on Cisco networking equipment. Attackers exploiting this vulnerability could potentially establish long-term access to critical network infrastructure, enabling them to monitor traffic, modify configurations, or use the compromised devices as entry points for further network exploration. The hidden nature of these accounts makes them particularly dangerous as they can persist through device reboots and configuration changes until manually discovered and removed.
Organizations should implement immediate mitigations including applying the latest security patches released by Cisco to address this vulnerability. The affected software versions require specific updates that correct the improper file deletion behavior during configuration reset operations, ensuring that sensitive account information is properly removed when devices are reconfigured. Network administrators should also conduct thorough security audits to identify any unauthorized accounts that may have been created through this vulnerability, particularly focusing on SSH access points and administrative user accounts. Configuration management practices should be enhanced to include regular monitoring of device accounts and authentication logs for suspicious activity. Additionally, organizations should implement network segmentation and access controls to limit the potential impact of compromised devices, ensuring that even if an attacker gains access to one device, they cannot easily move laterally through the network infrastructure. The vulnerability demonstrates the importance of proper file handling and cleanup procedures in security-critical software, aligning with CWE-276 standards for improper file permissions and access control mechanisms. This issue also maps to ATT&CK technique T1078 for valid accounts and T1566 for credential access, highlighting the multi-faceted nature of the threat posed by this vulnerability.