Cisco warning: Customers should install an update that fixes a high-severity issue affecting Network Assurance Engine (NAE)


If the default admin password is changed, the password does not change at all.

Cisco urges customers to install an update to manage data center networks that fix a serious problem affecting its Network Assurance Engine (NAE).

The bug, tracked as CVE-2019-1688, could allow an attacker to knock out a NAE server and cause a service denial using a NAE password management system flaw.

NAE is an important network management tool for data centers, which helps administrators, evaluate the impact of network changes and prevent application failures.

As Cisco explains, the flaw is due to changes in user passwords from the web management interface to the command-line interface (CLI), leaving the old default password in the CLI. The problem only affects NAE version 3.0(1), so older versions are not affected.

A local attacker can exploit the bug by authenticating the CLI of the affected server with the default admin password. The attacker could view sensitive information from there and download the server.

Cisco NAE Release 3.0 (1a) fixes the bug, but Cisco notes that after upgrading to this version, customers should change the admin password to correctly fix the problem.

Cisco also has a bug workaround that requires changing the default admin password of the CLI. Cisco recommends, however, that customers contact the Technical Assistance Center to enter a secure remote support session with the default password.

The password change must be made for all nodes in the cluster, he notes. Fortunately, the security team at Cisco is not aware of live attacks using the fault found during internal security testing.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.