Summary

• A vulnerability in the Cisco Mobility Services Engine (MSE) could allow an unauthenticated, remote attacker to log in to the MSE with the default oracle account. This account does not have full administrator privileges.
  
  The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system. An attacker could exploit this vulnerability by remotely connecting to the affected system via SSH using this account. A successful exploit could allow the attacker to log in to the MSE using the default oracle account.
  
  Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.
  
  This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-mse-cred

Affected Products

• Vulnerable Products

  Cisco Mobility Services Engine (MSE) versions 8.0.120.7 and earlier are vulnerable. Administrators can use a command to determine whether a vulnerable version of Cisco MSE is running. Prior to 10.0, the command is getserverinfo. For 10.0 and later, the command is cmxctl version. The following examples show an MSE running versions 8.0.120.1 and 10.2.0:
  
  

  [mse]# getserverinfo 
  
  Health Monitor is running
  
  Retrieving MSE Services status.
  
  MSE services are up, getting the status
  
  
  
  -------------
  
  Server Config
  
  -------------
  
  
  
  Product name: Cisco Mobility Service Engine
  
  Version: 8.0.120.1
  
  Health Monitor Ip Address: 1.1.1.1
  
  High Availability Role: 1
  
  Hw Version: V01
  
  Hw Product Identifier: AIR-MSE-3365-K9
  
  Hw Serial Number: FCH1841V0YL
  
  
  
  [mse]# cmxctl version
  
  ----------------------------------------------------------------------
  
  Build Version   : 10.2.0
  
  Build Time       : 2015-10-19 11:20:06.632222
  
  ----------------------------------------------------------------------

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by this vulnerability.

Indicators of Compromise

• The oracle account is a reserved account used for internal MSE operations. This account should not be used for SSH interactive logins. When reviewing authentication, authorization, and accounting (AAA) server log files, if there is an SSH login via the oracle account, this is an indicator that this vulnerability has been exploited on the affected device. The compromise can be determined if there is any output from this command:
  
  

   mse> grep "user oracle" /var/log/secure* | grep "sshd:session"

  
  This command should return no output if the oracle account has not been logged into via SSH.

Workarounds

• The following is a workaround to disable SSH login for the oracle user account on the MSE:
  
  1. Log in to the MSE as user root.
  2. Edit the file /etc/ssh/sshd_config via a text editor. 
  3. Navigate to the bottom of the file and add the following line:
     

  DenyUsers oracle

  
     This instructs the SSH service to not allow SSH logins for the oracle user.
     Note: This change only takes effect after the SSH service is restarted.
  
  4. Save the updated /etc/ssh/sshd_config file.
  5. Restart the SSH service with the service sshd restart command.
  6. To verify that the workaround is properly configured, attempt an SSH login to the MSE as the oracle user. 
      This login attempt should fail with the error <Permission Denied>.  
       

  ssh –l oracle <x.x.x.x>

  
       Try an SSH login to the MSE as the root user. This login attempt should succeed.
     

   ssh -l root <x.x.x.x>

  
  Note: This workaround configuration is persistent and only needs to be applied once.

Fixed Software

• When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
  In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
  
  The following advisories are part of the November 2015 Cisco MSE Security Advisory Companion Publications: 
  

  • cisco-sa-20151104-mse-cred
  • cisco-sa-20151104-privmse

  Software Download 
  

  
  The Cisco MSE Static Credential Vulnerability is fixed in all versions after 8.0.120.7. The latest Cisco MSE software can be downloaded from the Software Center on Cisco.com by visiting http://www.cisco.com/cisco/software/navigator.html and selecting:
  
   Products > Wireless > Mobility Services > Mobility Services Engine
  
  

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
  

Source

• Cisco would like to thank security researcher Jeremy Brown and Beyond Security’s SecuriTeam Secure Disclosure (SSD) group for discovering and reporting this vulnerability.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-mse-cred

Revision History

• Version	Description	Section	Status	Date
  1.0	Initial public release.	—	Final	2015-November-04

  Show Less