Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw

Cisco says companies fixing previously known protocol issue should also patch against critical remote-code execution issue.

[This story was updated on 4/10/18 with Cisco's comments]

Cisco is urging organizations to immediately address a critical flaw in its network switches running IOS and IOS XE software amid reports of widespread attacks against the devices in several countries.

The company on Monday published a security advisory on the remote code execution flaw (CVE-2018-0171) in the Smart Install function in Cisco IOS and IOS XE software.

Cisco described the flaw — first disclosed March 29 by Embedi — as an issue that could allow an unauthenticated remote attacker to trigger a denial-of-service condition or to execute code of their choice on an affected device. Emedi on March 29 claimed it had found some 250,000 network devices that were vulnerable to the issue.

The RCE flaw is separate from a protocol misuse issue also related to the Smart Install function that Cisco first issued an advisory about on Feb 14, 2017 and has updated a couple of times. It is apparently the protocol misuse issue that attackers have been exploiting in the recent attacks,  not the RCE flaw.

However, Cisco has urged organizations to address both issues immediately, citing widespread and ongoing attacks against its switches in multiple countries. "While we have only observed attacks leveraging the protocol misuse issue, recently, another vulnerability in the Cisco Smart Install Client was disclosed and patched," the company said in a blog. "While mitigating the protocol misuse issue, customers should also address this vulnerability."

'Don't Mess With Our Elections'

Reuters over the weekend reported that some 200,000 Cisco switches had been compromised in attacks in multiple countries. Among those impacted were data centers and ISPs in Iran and Russia where the attackers displayed a US flag on the screens of compromised systems with the message, "Don't mess with our elections."

IRNA, Iran's official news agency said the attacks impacted at least 3,500 routers in the country. The agency quoted cybersecurity officials within the country as saying that attackers had tampered with configuration settings on the devices to cause systems to become unavailable.

Cisco had first warned about the protocol misuse issue that the threat actors leveraged in the attacks last February. The company has described the issue as something that attackers can abuse to modify the TFTP server setting to steal and modify configuration files, replace the operating system image, and set up command.

"Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately," Cisco had noted in an April 5 blog warning about the surge recent attacks targeting the issue.

According to the company, attackers have been using search engines like Shodan to scan for vulnerable devices throughout 2017 and the early part of this year. Though, Cisco has long ago provided instructions on how organizations can find vulnerable routers and mitigate the protocol misuse issue, some 168,000 devices worldwide remain exposed to the issue when Cisco conducted a recent scan. These devices need to be addressed immediately, the company has noted.

Cisco said that several threat actors, including nation-state groups like the Dragonfly campaign targeting western energy firms have been exploiting the protocol issue in widespread attacks in countries. Some of the attacks have targeted critical infrastructure organizations, Cisco has warned.


In an emailed response to questions from Dark Reading, a Cisco spokesperson said the timing of multiple recent advisories on the Smart Install issue may have caused some confusion over what exactly is going on. She confirmed that the recent attacks indeed involve the Smart Install protocol issue and not the Smart Install Denial of Service or Remote Code Execution flaws described in CVE-2018-0171.   

"At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in these advisories."

Cisco's PSIRT published a document after this Dark Reading report posted, clarifying all the potential issues involving Smart Install with advice on how organizations can determine if they are impacted and what steps need to be taken.

"To ensure their network is protected against issues involving Smart Install, our recommendation for customers not actually using Smart Install is to disable the feature using the 'no vstack' command once setup is complete," she says.

"Customers who do use the feature – and leave it enabled – can use ACLs to block incoming traffic on TCP port 4786 (the proper security control). And additionally, patches for known security vulnerabilities should be applied as part of standard network security management."

So far, there is no evidence that the RCE flaw in Smart Install has been exploited. However, proof-of-concept code for exploiting is available. The vulnerability stems from improper validation of packet data. Attackers can exploit it by sending a specially crafted Smart Install message to a vulnerable device via TCP port 4786 causing the device to reload. Attackers could also exploit the flaw to execute arbitrary code or to cause a denial of service condition, Cisco said.

Prior to Cisco's new post, some security researchers said that the newly revealed flaw appears to be different from the one being exploited.

"This attack took advantage of Cisco’s Smart Install protocol," says Bob Noel, director of strategic relationships and marketing for Plixer. "Organizations were provided guidance that Cisco did not consider this a vulnerability, and therefore no changes would be done to the protocol."

Organizations were instructed to simply turn off the protocol, and those that remain exposed are those who have not done so, he says.

The damage an attacker could do with this would depend on their access privileges. By changing the startup configuration, an attacker could force a reboot of a switch and stop all traffic forwarding. "In a case where an attacker gained full administrative rights to a router/switch, they would be able to change the configuration of the device, add or remove security policies, or make any other changes," Noel says.

Ashley Stephenson, CEO of Corero Network Security, says available evidence suggests attackers would not have needed to exploit the RCE flaw in the recent attacks. "While there is no proof, this was likely accomplished by just misusing the protocol," he says.

The attacks show why it is important for organizations to understand the profile of systems exposed to the Internet. If it is exposed, someone will attempt to compromise it. "There is no excuse for exposing unnecessary ports or services, like TCP 4786 for Cisco Smart Install Client," Stephenson says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/5/2018 | 4:45:18 PM
Switch Issue
If you are getting the switch issue in the Cisco switches then you must have a talk with  Router Supports. They will help you if you face any kind of problem.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-01
The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the c...
PUBLISHED: 2020-10-01
In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
PUBLISHED: 2020-10-01
Unisys Stealth(core) before 4.0.132 stores Passwords in a Recoverable Format.
PUBLISHED: 2020-10-01
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.
PUBLISHED: 2020-10-01
Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization.