
SecurityWeek


Cisco Fixes 3-Year-Old Vulnerability Affecting Security Appliances

Cisco has released software updates to address a three-year-old vulnerability in the Telnet code of Cisco AsyncOS, the operating system used in some of the company’s security appliances.


The flaw affecting the telnetd daemon (CVE-2011-4862) was disclosed by the FreeBSD Project back in December 2011. However, earlier this year, researcher Glafkos Charalambous noticed that some Cisco security appliances are still impacted by the vulnerability.

According to the advisory published by Cisco, the security hole can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The company says all models of the Cisco Web Security Appliance (WSA), the Cisco Email Security Appliance (ESA), and the Cisco Content Security Management Appliance (SMA) running an affected version of AsyncOS are vulnerable.

“The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges,” Cisco said in its advisory.

In a separate advisory published by Charalambous on Wednesday, the researcher noted that Cisco WSA virtual appliances have the vulnerable telnetd daemon enabled by default. However, Cisco pointed out that the Cisco AsyncOS software for Cisco WSA is affected only if the System Setup Wizard (SSW) has not been performed. The company says this limits the scope of the vulnerability because the appliance doesn’t fully operate if the SSW has not been completed, and the completion of the setup process disables Telnet access.

In the advisory it published in 2011, the FreeBSD Project noted that telnetd had been disabled by default in FreeBSD since August 2001. “[Due] to the lack of cryptographic security in the Telnet protocol, it is strongly recommended that the SSH protocol be used instead,” the FreeBSD Project advised at the time.

Cisco is now giving the same advice to its customers in the workarounds section of its advisory.


“For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet,” the company said.
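An administrator verifying that workaround can look at what the appliance's management port sends on connect. The following is an added example, not Cisco's or FreeBSD's code: it parses a Telnet server's option negotiation and reports whether Telnet is still enabled and whether the server negotiates the ENCRYPT option, the code path the advisory describes; the sample bytes are constructed and the function names are assumptions.

```python
# Added example for this article, not Cisco/FreeBSD code. Command and option
# numbers follow RFC 854 and RFC 2946 (ENCRYPT = option 38).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
ENCRYPT = 38  # Telnet ENCRYPT option; key ids are carried inside it

def parse_negotiation(data: bytes) -> list:
    """Return (command, option) pairs from WILL/WONT/DO/DONT; skip IAC SB ... IAC SE
    blocks and escaped 0xFF bytes; stop on truncation instead of over-reading."""
    offers, i, n = [], 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1                    # banner text, not a command
        elif i + 1 >= n:
            break                     # lone IAC at end of capture
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break                 # option byte missing
            offers.append((data[i + 1], data[i + 2]))
            i += 3
        elif data[i + 1] == SB:
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1   # IAC IAC is an escaped byte
            i = j + 2                 # past IAC SE (or past the end)
        else:
            i += 2                    # IAC IAC escape or one-byte command
    return offers

def assess(data: bytes) -> dict:
    """Summarise what an admin verifying the Telnet workaround needs to know."""
    offers = parse_negotiation(data)
    encrypt = any(opt == ENCRYPT and cmd in (WILL, DO) for cmd, opt in offers)
    if not offers:
        verdict = "no Telnet option negotiation seen; confirm the port is closed"
    elif encrypt:
        verdict = "Telnet enabled and ENCRYPT negotiated: disable Telnet, use SSH"
    else:
        verdict = "Telnet enabled: disable Telnet, use SSH"
    return {"telnet": bool(offers), "encrypt": encrypt, "verdict": verdict}

# Constructed capture, not from a real appliance: DO TERMINAL-TYPE (24), WILL
# ENCRYPT, DO ENCRYPT, one ENCRYPT subnegotiation, then a login prompt.
SAMPLE = bytes([IAC, DO, 24, IAC, WILL, ENCRYPT, IAC, DO, ENCRYPT,
                IAC, SB, ENCRYPT, 1, 0, IAC, SE]) + b"\r\nlogin: "

if __name__ == "__main__":
    print(assess(SAMPLE)["verdict"])
```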

Charalambous’s advisory shows that the issue was reported to Cisco in mid-May 2014, and patches were released in late August.

Cisco hasn’t said anything about the vulnerability being exploited in the wild against its customers, but it has pointed out that Metasploit exploit modules for the vulnerability are available. 

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
