Cisco says companies fixing previously known protocol issue should also patch against critical remote-code execution issue.


[This story was updated on 4/10/18 with Cisco's comments]

Cisco is urging organizations to immediately address a critical flaw in its network switches running IOS and IOS XE software amid reports of widespread attacks against the devices in several countries.

The company on Monday published a security advisory on the remote code execution flaw (CVE-2018-0171) in the Smart Install function in Cisco IOS and IOS XE software.

Cisco described the flaw — first disclosed March 29 by Embedi — as an issue that could allow an unauthenticated remote attacker to trigger a denial-of-service condition or to execute code of their choice on an affected device. Embedi on March 29 claimed it had found some 250,000 network devices that were vulnerable to the issue.

The RCE flaw is separate from a protocol misuse issue, also related to the Smart Install function, that Cisco first issued an advisory about on Feb 14, 2017 and has updated a couple of times since. It is apparently the protocol misuse issue that attackers have been exploiting in the recent attacks, not the RCE flaw.

However, Cisco has urged organizations to address both issues immediately, citing widespread and ongoing attacks against its switches in multiple countries. "While we have only observed attacks leveraging the protocol misuse issue, recently, another vulnerability in the Cisco Smart Install Client was disclosed and patched," the company said in a blog. "While mitigating the protocol misuse issue, customers should also address this vulnerability."

'Don't Mess With Our Elections'

Reuters over the weekend reported that some 200,000 Cisco switches had been compromised in attacks in multiple countries. Among those impacted were data centers and ISPs in Iran and Russia where the attackers displayed a US flag on the screens of compromised systems with the message, "Don't mess with our elections."

IRNA, Iran's official news agency said the attacks impacted at least 3,500 routers in the country. The agency quoted cybersecurity officials within the country as saying that attackers had tampered with configuration settings on the devices to cause systems to become unavailable.

Cisco had first warned about the protocol misuse issue that the threat actors leveraged in the attacks last February. The company has described the issue as something that attackers can abuse to modify the TFTP server setting to steal and modify configuration files, replace the operating system image, and set up command.

"Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately," Cisco had noted in an April 5 blog warning about the surge in recent attacks targeting the issue.

According to the company, attackers have been using search engines like Shodan to scan for vulnerable devices throughout 2017 and the early part of this year. Though Cisco long ago provided instructions on how organizations can find vulnerable devices and mitigate the protocol misuse issue, some 168,000 devices worldwide remained exposed to the issue when Cisco conducted a recent scan. These devices need to be addressed immediately, the company has noted.

Cisco said that several threat actors, including nation-state groups like the Dragonfly campaign targeting western energy firms, have been exploiting the protocol issue in widespread attacks in multiple countries. Some of the attacks have targeted critical infrastructure organizations, Cisco has warned.

In an emailed response to questions from Dark Reading, a Cisco spokesperson said the timing of multiple recent advisories on the Smart Install issue may have caused some confusion over what exactly is going on. She confirmed that the recent attacks indeed involve the Smart Install protocol issue and not the Smart Install Denial of Service or Remote Code Execution flaws described in CVE-2018-0171.

"At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in these advisories."

Cisco's PSIRT published a document after this Dark Reading report was posted, clarifying all the potential issues involving Smart Install, with advice on how organizations can determine whether they are impacted and what steps need to be taken.

"To ensure their network is protected against issues involving Smart Install, our recommendation for customers not actually using Smart Install is to disable the feature using the 'no vstack' command once setup is complete," she says.

"Customers who do use the feature – and leave it enabled – can use ACLs to block incoming traffic on TCP port 4786 (the proper security control). And additionally, patches for known security vulnerabilities should be applied as part of standard network security management."
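The two controls the spokesperson describes (disabling the client with `no vstack`, or filtering inbound TCP 4786 with an ACL on devices that keep it enabled) can both be checked from a saved running-config. The script below is an added audit example, not Cisco's code or anything from the article; the config excerpt is constructed, and the ACL and interface names are assumptions.

```python
import re

# Constructed running-config excerpt (not from the article); Smart Install is on by default.
SAMPLE_CONFIG = """\
ip access-list extended SMI_HARDENING
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 ip access-group SMI_HARDENING in
!
interface GigabitEthernet1/0/2
!
"""

def _stanzas(config: str, header: str) -> dict:
    # Map each "<header> NAME" line to the indented body lines that follow it.
    out, current = {}, None
    for line in config.splitlines():
        m = re.match(rf"{header} (\S+)$", line)
        if m:
            current = m.group(1)
            out[current] = []
        elif current is not None and line.startswith(" "):
            out[current].append(line.strip())
        else:
            current = None
    return out

def acl_blocks_smi(rules: list) -> bool:
    # True only if the catch-all deny for TCP/4786 precedes any blanket permit.
    for r in rules:
        if re.fullmatch(r"deny tcp any any eq 4786", r):
            return True
        if re.fullmatch(r"permit (ip|tcp) any any", r):
            return False  # an earlier blanket permit shadows the deny
    return False

def audit_smart_install(config: str) -> dict:
    # Safe if the client is disabled, or if every interface filters inbound 4786.
    vstack_disabled = any(l.strip() == "no vstack" for l in config.splitlines())
    blocking = {n for n, rules in _stanzas(config, "ip access-list extended").items()
                if acl_blocks_smi(rules)}
    unprotected = []
    for ifname, body in _stanzas(config, "interface").items():
        inbound = [b.split()[2] for b in body if b.startswith("ip access-group ") and b.endswith(" in")]
        if not any(acl in blocking for acl in inbound):
            unprotected.append(ifname)
    return {"vstack_disabled": vstack_disabled, "blocking_acls": sorted(blocking),
            "unprotected_interfaces": unprotected,
            "exposed": not vstack_disabled and bool(unprotected)}
```

Treat the ACL check as a first pass only: it parses the saved configuration, so confirm the live state with `show vstack config` after any change or reload.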

So far, there is no evidence that the RCE flaw in Smart Install has been exploited. However, proof-of-concept exploit code is available. The vulnerability stems from improper validation of packet data. Attackers can exploit it by sending a specially crafted Smart Install message to a vulnerable device via TCP port 4786, causing the device to reload. Attackers could also exploit the flaw to execute arbitrary code or to cause a denial-of-service condition, Cisco said.

Prior to Cisco's new post, some security researchers said that the newly revealed flaw appears to be different from the one being exploited.

"This attack took advantage of Cisco’s Smart Install protocol," says Bob Noel, director of strategic relationships and marketing for Plixer. "Organizations were provided guidance that Cisco did not consider this a vulnerability, and therefore no changes would be done to the protocol."

Organizations were instructed to simply turn off the protocol, and those that remain exposed are those who have not done so, he says.

The damage an attacker could do with this would depend on their access privileges. By changing the startup configuration, an attacker could force a reboot of a switch and stop all traffic forwarding. "In a case where an attacker gained full administrative rights to a router/switch, they would be able to change the configuration of the device, add or remove security policies, or make any other changes," Noel says.

Ashley Stephenson, CEO of Corero Network Security, says available evidence suggests attackers would not have needed to exploit the RCE flaw in the recent attacks. "While there is no proof, this was likely accomplished by just misusing the protocol," he says.

The attacks show why it is important for organizations to understand the profile of systems exposed to the Internet. If a system is exposed, someone will attempt to compromise it. "There is no excuse for exposing unnecessary ports or services, like TCP 4786 for Cisco Smart Install Client," Stephenson says.


About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
