Cisco released 25 security updates yesterday, including a critical patch for Cisco Policy Suite that removes an undocumented password for the "root" account.
This vulnerability, tracked as CVE-2018-0375, has a huge impact due to the nature of the software it was found in.
The Cisco Policy Suite is a complex piece of software available in three editions (for Mobile, WiFi, and BNG [Broadband Network Gateways]) that Cisco sells to ISPs and large corporate clients and which lets network administrators set up bandwidth usage policies and subscription plans for customers/employees.
The software is designed with network-intrusive features that allow it to keep track of individual users, tier traffic, and enforce access policies.
The undocumented root password lets an attacker gain access to this very powerful software and enables them to run malicious operations with root-level access.
As such, the vulnerability received a rare severity score of 9.8 out of a maximum of 10 on the CVSSv3 scale.
Cisco says there are no workarounds or mitigating factors and customers will have to install the patch it issued yesterday to remove the secret password.
The fix is included in Cisco Policy Suite 18.2.0; all prior versions are considered vulnerable.
Cisco says it found the undocumented root password during internal security audits, and it was most likely left behind after software debugging tests, as is the case in most such incidents.
This is the fifth undocumented password (aka backdoor) that Cisco has removed from its software in the past five months. Cisco removed similar backdoor accounts in software such as the Prime Collaboration Provisioning (PCP), the IOS XE operating system, the Digital Network Architecture (DNA) Center, and the Wide Area Application Services (WAAS) traffic optimizer.
Besides CVE-2018-0375, Cisco patched 24 other security issues, including three other flaws rated "critical" (CVE-2018-0374, CVE-2018-0376, and CVE-2018-0377), all also affecting the same Cisco Policy Suite software, and all providing "unauthenticated access" for remote attackers.