Cisco has released software updates to address a three-year-old vulnerability in the Telnet code of Cisco AsyncOS, the operating systems used in some of the company’s security appliances.
The flaw affecting the telnetd daemon (CVE-2011-4862) was disclosed by the FreeBSD Project back in December 2011. However, earlier this year, researcher Glafkos Charalambous noticed that some Cisco security appliances are still impacted by the vulnerability.
According to the advisory published by Cisco, the security hole can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The company says all models of the Cisco Web Security Appliance (WSA), the Cisco Email Security Appliance (ESA), and the Cisco Content Security Management Appliance (SMA) running an affected version of AsyncOS are affected.
“The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges,” Cisco said in its advisory.
In a separate advisory published by Charalambous on Wednesday, the researcher noted that Cisco WSA virtual appliances have the vulnerable telnetd daemon enabled by default. However, Cisco pointed out that the Cisco AsyncOS software for Cisco WSA is affected only if the System Setup Wizard (SSW) has not been performed. The company says this limits the scope of the vulnerability because the appliance doesn’t fully operate if the SSW has not been completed, and the completion of the setup process disables Telnet access.
In the advisory it published in 2011, the FreeBSD Project noted that telnetd had been disabled by default in FreeBSD since August 2001. “[Due] to the lack of cryptographic security in the Telnet protocol, it is strongly recommended that the SSH protocol be used instead,” the FreeBSD Project advised at the time.
Cisco is now giving the same advice to its customers in the workarounds section of its advisory.
“For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet,” the company said.
Charalambous’s advisory shows that the issue was reported to Cisco in mid-May 2014, and patches were released in late August.
Cisco hasn’t said anything about the vulnerability being exploited in the wild against its customers, but it has pointed out that Metasploit exploit modules for the vulnerability are available.