Cisco patches switches to remove hardcoded credentials

Cisco has issued a patch for its Nexus 3000 series and Nexus 3500 platform switches to remove a hardcoded password for a user account which would allow attackers full remote access.

Cisco Nexus 3000 series switches. Source: vendor

In a security advisory, Cisco said the account "could allow an unauthenticated, remote attacker to log in to the device with the privileges of the root user with bash [command] shell access."

Remote access is possible via Telnet, or by Secure Shell on a specific release of the NX operating system. Serial console access locally is also possible.

Cisco said the account is created during installation on the devices and cannot be changed or removed without affecting system functionality. 

The company suggested administrators disable the Telnet server on the Nexus devices as a workaround and use SSH instead.

However, NX-OS release 6.0(2)A6(1) allows remote access using the hardcoded user credentials. Cisco advised users to upgrade that version to a release with the vulnerability fixed.

Cisco Nexus 3000 switches running Cisco NX-OS Software releases 6.0(2)U6(1), 6.0(2)U6(2), 6.0(2)U6(3), 6.0(2)U6(4), and 6.0(2)U6(5) are vulnerable.

On the Cisco Nexus 3500 Platform switches, Cisco NX-OS Software releases 6.0(2)A6(1), 6.0(2)A6(2), 6.0(2)A6(3), 6.0(2)A6(4), 6.0(2)A6(5), and 6.0(2)A7(1) contain the default user account with the hardcoded password.