Multiple Vulnerabilities on Cisco Catalyst PON Series Switches (CVE-2021-34795, CVE-2021-40113)

Cisco has announced new updates to address multiple vulnerabilities that exist in Cisco Catalyst PON Series Switches ONT.

Overview

Cisco has announced new updates on Wednesday (November 03, 2021) to address multiple vulnerabilities that exist in Cisco Catalyst PON Series Switches ONT. The patched vulnerabilities include a default credential vulnerability (CVE-2021-34795), an unauthenticated command injection issue (CVE-2021-40113) and an unauthenticated configuration modification flaw (CVE-2021-40112).

Description

Cisco has released new updates for Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) to address three vulnerabilities, two of which are rated critical and one of which is rated high in severity according to the Common Vulnerability Scoring System (CVSS) severity scale.

The first vulnerability (CVE-2021-34795) is a critical default credential vulnerability that exists in the Telnet service of Cisco Catalyst PON Series Switches ONT. This vulnerability specifically stems from an unintentional debugging credential that exists on the devices. Due to the vulnerability, unauthenticated, remote attackers can establish a Telnet session to the device and log in with the default credential. As a result, attackers could take complete control of the vulnerable devices. Note that the Telnet connection configuration is disabled by default; Telnet must therefore have been explicitly enabled for this vulnerability to be exploitable. To determine whether Telnet access is enabled, on the menu, navigate to Administration > Device Access Settings > Local Telnet.

The second vulnerability (CVE-2021-40113) is another critical vulnerability that could allow unauthenticated, remote attackers to conduct command injection attacks on the affected devices. This vulnerability specifically stems from insufficient validation of user-supplied input on the web-based management interface of the affected switches. Due to the vulnerability, attackers could execute arbitrary commands as the root user on the affected products by sending maliciously crafted requests to the web-based management interface.

The last vulnerability (CVE-2021-40112) is an unauthenticated configuration modification vulnerability that stems from improper HTTPS input validation. Due to the vulnerability, unauthenticated, remote attackers can modify the configuration of the affected products by sending maliciously crafted HTTPS requests to the web-based management interface.

Note that these vulnerabilities are not exploitable from outside the local network unless Remote Web Management has been enabled, as the default configuration allows only local LAN connections to the web management interface. To determine whether the Remote Web Management feature is enabled, on the menu, navigate to Administration > Device Access Settings > Remote Web Management.

These vulnerabilities affect the following Cisco products:

  • Catalyst PON Switch CGP-ONT-1P
  • Catalyst PON Switch CGP-ONT-4P
  • Catalyst PON Switch CGP-ONT-4PV
  • Catalyst PON Switch CGP-ONT-4PVC
  • Catalyst PON Switch CGP-ONT-4TVCW

Impact

An unauthenticated, remote attacker who successfully exploits the default credential vulnerability (CVE-2021-34795) could take complete control of the affected devices by establishing a Telnet session using the default credential (if Telnet connections are permitted in the configuration).

Impact Summary CVE-2021-34795

Category: Default Credentials
CVSS 3.1 Base Score: 10 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

An unauthenticated, remote attacker who successfully exploits the command injection vulnerability (CVE-2021-40113) could execute arbitrary commands as root by sending maliciously crafted requests to the web-based management interface.

Impact Summary CVE-2021-40113

Category: Command Injection
CVSS 3.1 Base Score: 10 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

An unauthenticated, remote attacker who successfully exploits the configuration modification vulnerability (CVE-2021-40112) could make unauthorized changes to the configuration of the affected devices by sending maliciously crafted HTTPS requests to the web-based management interface.

Impact Summary CVE-2021-40112

Category: Unauthorized Modification
CVSS 3.1 Base Score: 7.5 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Solution (Update)

To defend against possible attacks due to these vulnerabilities, the vulnerable products must be updated to the most recent versions, as advised by Cisco.

  • Catalyst PON Switch CGP-ONT-1P: Update to fixed release 1.1.1.14 (from version 1.1).
  • Catalyst PON Switches CGP-ONT-4P, CGP-ONT-4PV, CGP-ONT-4PVC, and CGP-ONT-4TVCW: Update to fixed version 1.1.3.17 (from version 1.1).
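The fixed releases above, together with the two configuration settings the advisory points at (Local Telnet and Remote Web Management), are enough to triage a fleet of these devices. The script below is an added example, not Cisco's code or part of the advisory: it takes an inventory of ONT units (the records, the hostnames and the field names model, version, telnet_enabled and remote_web_mgmt are constructed for this example), compares each firmware version against the fixed release for its model, lists which of the three CVEs still apply, and orders the results so that vulnerable units reachable from outside the LAN come first.

```python
"""Patch-status triage for Cisco Catalyst PON ONT devices.

Added example (not Cisco's code). Fixed releases come from the advisory
text; the inventory records and their field names are constructed here.
"""
from dataclasses import dataclass

# First fixed release per affected model, as stated in the advisory.
FIXED_RELEASES = {
    "CGP-ONT-1P": "1.1.1.14",
    "CGP-ONT-4P": "1.1.3.17",
    "CGP-ONT-4PV": "1.1.3.17",
    "CGP-ONT-4PVC": "1.1.3.17",
    "CGP-ONT-4TVCW": "1.1.3.17",
}

# The two web-interface flaws apply to every unpatched unit; the Telnet
# default-credential flaw only matters when Local Telnet has been enabled.
CVES_WEB = ("CVE-2021-40113", "CVE-2021-40112")
CVE_TELNET = "CVE-2021-34795"


@dataclass
class Device:
    name: str            # constructed hostname
    model: str
    version: str
    telnet_enabled: bool  # Administration > Device Access Settings > Local Telnet
    remote_web_mgmt: bool  # Administration > Device Access Settings > Remote Web Management


@dataclass
class Assessment:
    name: str
    vulnerable: bool
    open_cves: list
    exposure: str  # "remote" (web UI reachable beyond the LAN), "lan", or "none"
    action: str


def parse_version(v):
    """Turn a dotted release string into a tuple of ints so that
    "1.1" < "1.1.1.14" < "1.1.3.17" compares numerically, not lexically."""
    return tuple(int(part) for part in v.strip().split("."))


def assess(dev):
    """Decide whether one device is still exposed and what to do about it."""
    fixed = FIXED_RELEASES.get(dev.model)
    if fixed is None:
        return Assessment(dev.name, False, [], "none",
                          "model not listed in the advisory; no action")
    if parse_version(dev.version) >= parse_version(fixed):
        return Assessment(dev.name, False, [], "none",
                          f"running fixed release {dev.version}")
    cves = list(CVES_WEB)
    if dev.telnet_enabled:
        cves.append(CVE_TELNET)
    # Per the advisory, the web interface is LAN-only unless Remote Web
    # Management has been turned on.
    exposure = "remote" if dev.remote_web_mgmt else "lan"
    action = f"update to {fixed}"
    if dev.remote_web_mgmt:
        action += "; disable Remote Web Management until patched"
    if dev.telnet_enabled:
        action += "; disable Local Telnet until patched"
    return Assessment(dev.name, True, cves, exposure, action)


def triage(devices):
    """Assess every device, most urgent first: vulnerable units whose web
    interface is reachable from outside the LAN, then LAN-only ones."""
    rank = {"remote": 0, "lan": 1, "none": 2}
    return sorted((assess(d) for d in devices),
                  key=lambda a: (not a.vulnerable, rank[a.exposure]))


# Constructed sample inventory; "EXAMPLE-MODEL" stands in for any device
# outside the advisory's scope.
INVENTORY = [
    Device("ont-lab-01", "CGP-ONT-4P", "1.1", telnet_enabled=True, remote_web_mgmt=True),
    Device("ont-branch-07", "CGP-ONT-1P", "1.1", telnet_enabled=False, remote_web_mgmt=False),
    Device("ont-hq-03", "CGP-ONT-4PVC", "1.1.3.17", telnet_enabled=True, remote_web_mgmt=False),
    Device("sw-other-01", "EXAMPLE-MODEL", "2.0", telnet_enabled=False, remote_web_mgmt=False),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        cves = ",".join(a.open_cves) or "-"
        print(f"{a.name:14} vulnerable={a.vulnerable!s:5} exposure={a.exposure:6} "
              f"cves={cves}  {a.action}")
```

The version comparison is the part worth getting right: a plain string comparison would rank "1.1.3.17" below "1.1.3.2", and a device reporting "1.1" must sort below every fixed release, which the tuple comparison handles because a shorter tuple is less than any longer tuple it prefixes.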
