On June 3, 2019, SEC Consult, a consulting firm for the areas of cyber and application security, contacted the Cisco Product Security Incident Response Team (PSIRT) to report the following issues that they found in firmware images for Cisco Small Business 250 Series Switches:
- Certificates and keys issued to Futurewei Technologies
- Empty password hashes
- Unneeded software packages
- Multiple vulnerabilities in third-party software (TPS) components
Cisco PSIRT investigated each issue, and the following are the investigation results:
Certificates and Keys Issued to Futurewei Technologies
An X.509 certificate with the corresponding public/private key pair and
the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the “House of Keys.” Both certificates are issued to
third-party entity Futurewei Technologies, a Huawei subsidiary.
The certificates and keys in question are part of the Cisco FindIT Network Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines. The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead. The inclusion of the certificates and keys from the OpenDaylight open source package in shipping software was an oversight by the Cisco FindIT development team.
Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.
Empty Password Hashes
The /etc/passwd file included in Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware has empty password hashes for the users root and user.
The /etc/passwd file is not consulted during user authentication by Small Business 250, 350, 350X, and 550X Series Switches firmware. Instead, a dedicated alternate user database is used to authenticate users that log in to either the CLI or the web-based management interface of Small Business 250, 350, 350X, and 550X Series Switches.
A potential attacker with access to the base operating system on an affected device could exploit this issue to elevate privileges to the root user. However, Cisco is not currently aware of a way to access the base operating system on these switches.
Future firmware releases will replace the empty hashes with hashed, randomly generated passwords during initial boot.
Unneeded Software Packages
An attacker who gains access to the CLI of the base operating system may be able to misuse the gdbserver and tcpdump packages that are included in Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware as part of the base operating system. Cisco is not currently aware of a way to access this part of the system on these switches.
Future firmware releases will not include the gdbserver and tcpdump packages.