Cisco is warning customers who use its new Digital Network Architecture (DNA) Center software to install newer releases that address three critical vulnerabilities that can give remote attackers access to enterprise networks.
Cisco over the past few months has rolled out new DNA Center releases that address serious authentication flaws that, it revealed on Wednesday, affect earlier releases.
The first DNA Center release was made available in January 2018, but it and versions up to 1.1.3 are vulnerable to three flaws with a CVSS v3 base score of 10 out of a possible 10, meaning they're as severe as it gets.
Cisco discovered two of the bugs during an internal audit, one of which consisted of undocumented, hardcoded user credentials for the default administrative account of DNA Center.
This bug[1], which is tracked as CVE-2018-0222, could allow a remote attacker who knew the credentials to log in and execute commands with root privileges.
Cisco fixed this in the 1.1.3 release of DNA Center, which arrived in March. Since then it has also released DNA Center 1.1.4 and 1.1.5, so customers running any of these releases are not exposed to this bug.
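The practical question an administrator has at this point is whether a given DNA Center installation predates the 1.1.3 fix. The following is an added example, not code from the article or from Cisco: it compares a release string against the fixed release numerically, because a plain string comparison gets this wrong (for example, the string "1.1.10" sorts before "1.1.3"). The host names and version strings in the sample inventory are constructed for illustration; how the version string is obtained from a real appliance is outside what this article describes.

```python
"""Added example (not from the article or Cisco): flag DNA Center releases
that predate the 1.1.3 fix for CVE-2018-0222 (hardcoded admin credentials).

Only the fixed release stated in the article is encoded here; the
inventory below is constructed sample data, not real hosts."""

from typing import Dict, List, Tuple

# Release in which the article says each bug was fixed.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2018-0222": (1, 1, 3),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '1.1.3' into a tuple of ints.

    A missing trailing component counts as 0, so '1.1' == (1, 1, 0).
    Anything non-numeric is rejected rather than guessed at, because a
    silently mis-parsed version would hide an affected appliance."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unrecognised release string: {version!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, cve: str = "CVE-2018-0222") -> bool:
    """True if this release is earlier than the one that fixed the CVE.

    Tuple comparison is element-wise and numeric, so (1, 1, 10) > (1, 1, 3),
    unlike the string comparison '1.1.10' < '1.1.3'."""
    return parse_version(version) < FIXED_IN[cve]


def hosts_needing_upgrade(inventory: Dict[str, str],
                          cve: str = "CVE-2018-0222") -> List[str]:
    """Return the (sorted) hosts whose reported release is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver, cve))


# Constructed sample inventory: host -> reported DNA Center release.
SAMPLE_INVENTORY = {
    "dnac-lab.example.net": "1.0.1",    # assumed: pre-fix release
    "dnac-prod.example.net": "1.1.5",   # fixed
    "dnac-dr.example.net": "1.1.10",    # later than 1.1.3 despite string order
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: release {SAMPLE_INVENTORY[host]} predates 1.1.3, upgrade required")
```

The string-comparison pitfall is the point worth internalising: any script that checks versions with `<` on raw strings will wave through a hypothetical 1.1.10 as "older than 1.1.3" and, conversely, could misjudge double-digit components in either direction.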
Earlier this year Cisco similarly posted an advisory for a CVSS v3 score-10 flaw[2] affecting ASA several months after releasing fixed versions. One admin criticized Cisco for waiting 80 days[3] to tell customers that fixes were already available.
However, Cisco defended the move on the grounds that it had coordinated the timing of the disclosure with a researcher, which gave it time to put in place protections before more details were revealed.
Cisco also found that DNA Center was