Cisco fixed a vulnerability in the “plug-and-play” services component of its Industrial Network Director (IND) that could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
The vulnerability (CVE-2019-1976), one of eight issues Cisco fixed, is because of improper access restrictions on the web-based management interface.
An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to access running configuration information about devices managed by the IND, including administrative credentials.
Cisco released software updates that address this vulnerability, which the networking giant gave a high severity level. There are no workarounds that address this vulnerability, Cisco said in its advisory.
Cisco IND releases earlier than Release 1.6.0 end up affected when plug-and-play services are enabled. Plug-and-play services are not enabled by default.
Cisco IND can function as a plug-and-play server to deploy system-supported network devices with an initial configuration. To enable plug-and-play services, a network administrator must create a plug-and-play profile with the configuration template to be applied and the plug-and-play match criteria, including the device serial number and the optional software image(s). If an administrator does not create a plug-and-play profile on an IND, then the IND does not function as a plug-and-play server.
Cisco released software updates that address the vulnerability. Cisco fixed this vulnerability, which has a CVSS score of 7.5, in Cisco IND releases 1.6.0 and later.
Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability.