A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system.
An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.
The vendor has not released an update or patch for the vulnerability yet. However, Cisco suggests the following workaround for this flaw:
“The workaround consists of adding at least one user account with access privilege set to level 15 in the device configuration. The following example shows how to configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing <strong_password> with a complex password chosen by the user. By adding this user account, the default privileged account will be disabled.
Switch# configure terminal
Switch(config)# username admin privilege 15 password <strong_password>
The command show running-config | include privilege 15 will now produce the following output:
Switch# show running-config | include privilege 15
username admin password encrypted privilege 15″
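A defender-side check that the workaround is in place, added here as an example and not part of the advisory or of any Cisco tooling: it parses `show running-config` output (constructed sample lines in the format quoted above, with placeholder hashes) and reports whether at least one level-15 account exists, which is the condition under which the default privileged account is disabled.

```python
import re
from typing import List

# Matches a "username" line from 'show running-config' and captures the account
# name and its privilege level wherever the "privilege N" keyword appears.
# Assumption: the line formats shown in the advisory, e.g.
#   username admin password encrypted <hash> privilege 15
#   username admin privilege 15 password <strong_password>
USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s+.*?\bprivilege\s+(\d+)\b")


def privileged_users(running_config: str, level: int = 15) -> List[str]:
    """Return the account names whose configured privilege equals `level`."""
    users = []
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == level:
            users.append(m.group(1))
    return users


def workaround_applied(running_config: str) -> bool:
    """True if at least one level-15 account is configured, i.e. the
    workaround that disables the default privileged account is in place."""
    return len(privileged_users(running_config)) > 0


# Constructed sample outputs (not captured from a real device); AAAA/BBBB
# stand in for the encrypted password hashes the switch would print.
CONFIG_BEFORE = """\
hostname Switch
username operator password encrypted AAAA privilege 1
"""
CONFIG_AFTER = """\
hostname Switch
username operator password encrypted AAAA privilege 1
username admin password encrypted BBBB privilege 15
"""

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, privileged_users(cfg), workaround_applied(cfg))
```

Run it against the saved output of `show running-config` from each switch in an inventory to list the devices that still lack a level-15 account.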