Tue. Nov 19th, 2019

CVE-2018-0150: Cisco IOS XE Software Static Credential Vulnerability

1 min read

On September 19, Cisco officially issued a notice saying that there is a high-risk vulnerability (CVE-2018-0150) in IOS XE Software. The vulnerability originated from an unrecorded user account with a default username and password and a privilege level of 15. An unauthorized attacker could use this account to remotely connect to an affected device to exploit this vulnerability. Successful exploitation may allow an attacker to log in to the device with privilege level 15 access.

CVSS score

The vulnerability CVSS score is as follows:

CVSS 3.0: 9.8

AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: H/E: X/RL: X/RC: X

Affected version

  • Cisco IOS XE 16.5.x version < 16.5.2
  • Cisco IOS XE 16.6.x version < 16.6.1
  • Cisco IOS XE running on ISRv

Unaffected version

  • Cisco IOS XE version < 16.x
  • Cisco IOS XE version 16.5.2
  • Cisco IOS XE version 16.6.1

Note: For details on Cisco IOS XE ISRv, please refer to the official description.

Solution

It is recommended that affected users update the upgrade for protection. In addition, the system administrator can use the no username cisco command to remove the default account; or log in to the device to change the password of this default account.

For Cisco ISRv, administrators can remove old packages from the datastore and then perform ISRv packages updates for protection.