CVE-2020-3446
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to log into Cisco NFVIS CLI with administrator privileges using default static passwords. It affects Cisco vWAAS with NFVIS-bundled images on ENCS 5400-W Series and CSP 5000-W Series appliances. Attackers can gain full control of affected devices without any authentication.
💻 Affected Systems
- Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of affected devices, allowing attackers to reconfigure networks, intercept traffic, deploy malware, or use devices as pivot points into internal networks.
Likely Case
Attackers gain administrative access to vulnerable devices, enabling them to modify configurations, disrupt services, or steal sensitive network data.
If Mitigated
With proper network segmentation and access controls, impact is limited to the affected device only, preventing lateral movement.
🎯 Exploit Status
Exploitation requires only network access to the device and knowledge of default credentials, making it trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco Security Advisory for specific patched versions
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-waas-encsw-cspw-cred-hZzL29A7
Restart Required: Yes
Instructions:
1. Review Cisco Security Advisory for affected versions. 2. Download and apply the appropriate patch from Cisco. 3. Reboot affected devices after patching. 4. Verify patch installation and functionality.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict network access to NFVIS CLI interfaces using firewall rules or access control lists.
Password Change
allChange default passwords on all user accounts if immediate patching is not possible.
🧯 If You Can't Patch
- Immediately change all default passwords on affected devices
- Isolate affected devices in a separate network segment with strict access controls
🔍 How to Verify
Check if Vulnerable:
Check if device is running affected vWAAS with NFVIS-bundled images on ENCS 5400-W or CSP 5000-W Series appliances. Verify if default passwords are still in use.Check Version:
show version (on Cisco NFVIS CLI)Verify Fix Applied:
After patching, attempt to authenticate with default credentials - should fail. Verify patch version matches Cisco advisory.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful logins from unexpected sources
- Multiple login attempts with default usernames
- Administrative configuration changes from new IP addresses
Network Indicators:
- Unexpected SSH/Telnet connections to NFVIS management interfaces
- Traffic patterns indicating configuration changes or data exfiltration
SIEM Query:
source="cisco_nfvis" AND (event_type="authentication" AND result="success") AND (username IN ["admin", "root", default_accounts])