Cisco released an update that fixes a three-year-old vulnerability in the Telnet code of Cisco AsyncOS, the operating system used in some of the company’s security appliances.
The flaw affecting the telnetd daemon (CVE-2011-4862) was disclosed by the FreeBSD Project back in December 2011. However, earlier this year, researcher Glafkos Charalambous noticed that some Cisco security appliances were still affected by the issue.
According to the Cisco advisory, the security hole can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The company said all models of the Cisco Web Security Appliance (WSA), the Cisco Email Security Appliance (ESA), and the Cisco Content Security Management Appliance (SMA) running an affected version of AsyncOS are affected.
“The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges,” Cisco said in its advisory.
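The boundary check the advisory refers to, shown as an added illustration (this is not Cisco's or FreeBSD's code): a parser for a Telnet ENCRYPT key-ID suboption that refuses any key ID longer than its fixed buffer. The option and command codes are those of RFC 2946; `parse_keyid_subopt`, `struct key_state` and the 64-byte `KEYID_MAX` are hypothetical names and sizes chosen for the example, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Telnet framing bytes and ENCRYPT option codes (RFC 854, RFC 2946). */
enum { IAC = 255, SB = 250, SE = 240, TELOPT_ENCRYPT = 38,
       ENC_KEYID = 7, DEC_KEYID = 8 };
#define KEYID_MAX 64   /* assumed buffer size, for illustration only */

struct key_state { unsigned char keyid[KEYID_MAX]; size_t keylen; };

/* Parse one "IAC SB ENCRYPT <ENC|DEC>_KEYID <keyid...> IAC SE" frame.
 * Returns 0 and fills *ks on success; returns -1 and leaves *ks untouched
 * on malformed, truncated or oversized input. */
int parse_keyid_subopt(struct key_state *ks, const unsigned char *buf, size_t n)
{
    unsigned char tmp[KEYID_MAX];
    size_t i = 4, out = 0;

    if (!ks || !buf || n < 6) return -1;
    if (buf[0] != IAC || buf[1] != SB || buf[2] != TELOPT_ENCRYPT) return -1;
    if (buf[3] != ENC_KEYID && buf[3] != DEC_KEYID) return -1;

    while (i < n) {
        if (buf[i] == IAC) {
            if (i + 1 >= n) return -1;        /* frame cut off after IAC */
            if (buf[i + 1] == SE) {           /* end of suboption: commit */
                memcpy(ks->keyid, tmp, out);
                ks->keylen = out;
                return 0;
            }
            if (buf[i + 1] != IAC) return -1; /* stray command in payload */
            i++;                              /* IAC IAC is one literal 0xFF */
        }
        /* The boundary check: the peer controls how many bytes arrive,
         * so the length is validated before every write. */
        if (out >= sizeof(tmp)) return -1;
        tmp[out++] = buf[i++];
    }
    return -1;                                /* no terminating IAC SE */
}

int main(void)
{
    /* Constructed sample frame: key ID is 'A', 0xFF (escaped), 'B'. */
    const unsigned char frame[] = { IAC, SB, TELOPT_ENCRYPT, ENC_KEYID,
                                    'A', IAC, IAC, 'B', IAC, SE };
    struct key_state ks = { {0}, 0 };
    int rc = parse_keyid_subopt(&ks, frame, sizeof frame);
    printf("rc=%d keylen=%zu\n", rc, ks.keylen);
    return rc == 0 ? 0 : 1;
}
```

A copy that trusts the peer-supplied length instead of checking it against `sizeof(tmp)` is the "insufficient boundary checks" condition the advisory describes.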
In a separate advisory published by Charalambous, the researcher said Cisco WSA virtual appliances have the vulnerable telnetd daemon enabled by default. However, Cisco said the Cisco AsyncOS software for Cisco WSA is affected only if the System Setup Wizard (SSW) has not been completed. The company said this limits the scope of the vulnerability because the appliance doesn’t fully operate if the SSW has not completed, and the completion of the setup process disables Telnet access.
In the advisory it published in 2011, the FreeBSD Project said telnetd has been disabled by default in FreeBSD since August 2001. “[Due] to the lack of cryptographic security in the Telnet protocol, it is strongly recommended that the SSH protocol be used instead,” the FreeBSD Project advised at the time.
Cisco is now giving the same advice to its customers in the workarounds section of its advisory.
“For some versions of Cisco AsyncOS Software for Cisco ESA and Cisco SMA, Telnet is configured on the Management port. Telnet services can be disabled to mitigate this vulnerability. Administrators can disable Telnet by using the administration graphical user interface (GUI) or by using the interfaceconfig command in the command-line interface (CLI). As a security best practice, customers should use Secure Shell (SSH) instead of Telnet,” the company said.
Charalambous’s advisory said the issue was reported to Cisco in mid-May 2014, and patches were released in late August.
Cisco said Metasploit exploit modules for the vulnerability are available.